- Added iotop policy. Thanks William Brown

- Allow spamc to read .pyzor located in /var/spool/spampd
- Allow spamc to create home content with correct labeling
- Allow logwatch_mail_t to create dead.letter with correct labeling
- Add labeling for min-cloud-agent
- Allow geoclue to read unix in proc.
- Add support for /usr/local/Brother labeling. We removed /usr/local equiv.
- add support for min-cloud-agent
- Allow ulogd to request the kernel to load a module
- remove unconfined_domain for openwsman_t
- Add openwsman_tmp_t rules
- Allow openwsman to execute chkpwd and make this domain as unconfined for F20.
- Allow nova-scheduler to read passwd file
- Allow neutron execute arping in neutron_t
- Dontaudit logrotate executing systemctl command attempting to net_admin
- Allow mozilla plugins to use /dev/sr0
- svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift file
- Any app that executes systemctl will attempt a net_admin
- Fix path to mmap_min_addr
This commit is contained in:
Miroslav Grepl 2014-05-13 08:13:43 +02:00
parent e929b7e20b
commit dbf4ab85b0
3 changed files with 470 additions and 267 deletions



@ -12652,14 +12652,15 @@ index 4a5b3d1..cd146bd 100644
')
diff --git a/cloudform.fc b/cloudform.fc
new file mode 100644
index 0000000..d0501e3
index 0000000..53f5265
--- /dev/null
+++ b/cloudform.fc
@@ -0,0 +1,19 @@
@@ -0,0 +1,21 @@
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+
+/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/libexec/min-metadata-service -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/libexec/min-cloud-agent -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
+
@ -12668,6 +12669,7 @@ index 0000000..d0501e3
+/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
+/var/lib/min-cloud-agent(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
+/var/log/cloud-init\.log.* -- gen_context(system_u:object_r:cloud_log_t,s0)
+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
+
@ -18437,10 +18439,10 @@ index 001b502..3ceae52 100644
optional_policy(`
diff --git a/cups.fc b/cups.fc
index 949011e..afe482b 100644
index 949011e..9437dbe 100644
--- a/cups.fc
+++ b/cups.fc
@@ -1,77 +1,87 @@
@@ -1,77 +1,91 @@
-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
@ -18538,23 +18540,23 @@ index 949011e..afe482b 100644
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+
-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
+/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0)
+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
-/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
@ -18568,10 +18570,14 @@ index 949011e..afe482b 100644
+/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
@ -28271,10 +28277,10 @@ index 0000000..04e159f
+')
diff --git a/gear.te b/gear.te
new file mode 100644
index 0000000..75d7bc3
index 0000000..781c76d
--- /dev/null
+++ b/gear.te
@@ -0,0 +1,121 @@
@@ -0,0 +1,122 @@
+policy_module(gear, 1.0.0)
+
+########################################
@ -28393,6 +28399,7 @@ index 0000000..75d7bc3
+')
+
+optional_policy(`
+ openshift_manage_lib_dirs(gear_t)
+ openshift_manage_lib_files(gear_t)
+ openshift_relabelfrom_lib(gear_t)
+')
@ -28572,10 +28579,10 @@ index 0000000..9e17d3e
+')
diff --git a/geoclue.te b/geoclue.te
new file mode 100644
index 0000000..7106428
index 0000000..351f145
--- /dev/null
+++ b/geoclue.te
@@ -0,0 +1,51 @@
@@ -0,0 +1,53 @@
+policy_module(geoclue, 1.0.0)
+
+########################################
@ -28608,6 +28615,8 @@ index 0000000..7106428
+manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
+files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })
+
+kernel_read_network_state(geoclue_t)
+
+auth_read_passwd(geoclue_t)
+
+corenet_tcp_connect_http_port(geoclue_t)
@ -34333,6 +34342,108 @@ index d443fee..6cbbf7d 100644
logging_send_syslog_msg(iodined_t)
diff --git a/iotop.fc b/iotop.fc
new file mode 100644
index 0000000..c8d2dea
--- /dev/null
+++ b/iotop.fc
@@ -0,0 +1 @@
+/usr/sbin/iotop -- gen_context(system_u:object_r:iotop_exec_t,s0)
diff --git a/iotop.if b/iotop.if
new file mode 100644
index 0000000..7fc3464
--- /dev/null
+++ b/iotop.if
@@ -0,0 +1,46 @@
+## <summary>Simple top-like I/O monitor</summary>
+
+########################################
+## <summary>
+## Allow execution of iotop in the iotop domain from the target domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition to iotop.
+## </summary>
+## </param>
+#
+interface(`iotop_domtrans',`
+ gen_require(`
+ type iotop_t, iotop_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, iotop_exec_t, iotop_t)
+')
+
+########################################
+## <summary>
+## Execute iotop in the iotop domain, and
+## allow the specified role to access the iotop domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed into the iotop domain.
+## </summary>
+## </param>
+#
+interface(`iotop_run',`
+ gen_require(`
+ type iotop_t;
+ attribute_role iotop_roles;
+ ')
+
+ iotop_domtrans($1)
+ roleattribute $2 iotop_roles;
+')
diff --git a/iotop.te b/iotop.te
new file mode 100644
index 0000000..51d7e34
--- /dev/null
+++ b/iotop.te
@@ -0,0 +1,37 @@
+policy_module(iotop, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+attribute_role iotop_roles;
+roleattribute system_r iotop_roles;
+
+type iotop_t;
+type iotop_exec_t;
+application_domain(iotop_t, iotop_exec_t)
+
+role iotop_roles types iotop_t;
+
+########################################
+#
+# iotop local policy
+#
+
+allow iotop_t self:capability net_admin;
+allow iotop_t self:netlink_route_socket r_netlink_socket_perms;
+
+kernel_read_system_state(iotop_t)
+
+auth_use_nsswitch(iotop_t)
+
+dev_read_urand(iotop_t)
+
+domain_getsched_all_domains(iotop_t)
+domain_read_all_domains_state(iotop_t)
+
+corecmd_exec_bin(iotop_t)
+
+miscfiles_read_localization(iotop_t)
+
+userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
index 0000000..48d7322
@ -40137,7 +40248,7 @@ index dd8e01a..9cd6b0b 100644
## <param name="domain">
## <summary>
diff --git a/logrotate.te b/logrotate.te
index be0ab84..1859690 100644
index be0ab84..9321951 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@ -40183,7 +40294,7 @@ index be0ab84..1859690 100644
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+# Change ownership on log files.
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
+dontaudit logrotate_t self:capability sys_resource;
+dontaudit logrotate_t self:capability { sys_resource net_admin };
+
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
@ -40418,7 +40529,7 @@ index be0ab84..1859690 100644
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.te b/logwatch.te
index ab65034..c76dbda 100644
index ab65034..28f63b5 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
@ -40503,11 +40614,13 @@ index ab65034..c76dbda 100644
rpc_search_nfs_state_data(logwatch_t)
')
@@ -187,6 +192,17 @@ dev_read_sysfs(logwatch_mail_t)
@@ -187,6 +192,19 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
+mta_read_home(logwatch_mail_t)
+mta_filetrans_home_content(logwatch_mail_t)
+mta_filetrans_admin_home_content(logwatch_mail_t)
+
optional_policy(`
cron_use_system_job_fds(logwatch_mail_t)
@ -45601,7 +45714,7 @@ index 6194b80..cafb2b0 100644
')
+
diff --git a/mozilla.te b/mozilla.te
index 11ac8e4..7bb38c6 100644
index 11ac8e4..633063d 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
@ -46039,7 +46152,7 @@ index 11ac8e4..7bb38c6 100644
')
optional_policy(`
@@ -300,259 +324,248 @@ optional_policy(`
@@ -300,259 +324,252 @@ optional_policy(`
########################################
#
@ -46272,14 +46385,17 @@ index 11ac8e4..7bb38c6 100644
fs_getattr_all_fs(mozilla_plugin_t)
-# fs_read_hugetlbfs_files(mozilla_plugin_t)
-fs_search_auto_mountpoints(mozilla_plugin_t)
-
-term_getattr_all_ttys(mozilla_plugin_t)
-term_getattr_all_ptys(mozilla_plugin_t)
+fs_list_dos(mozilla_plugin_t)
+fs_read_noxattr_fs_files(mozilla_plugin_t)
+fs_read_hugetlbfs_files(mozilla_plugin_t)
+fs_exec_hugetlbfs_files(mozilla_plugin_t)
-term_getattr_all_ttys(mozilla_plugin_t)
-term_getattr_all_ptys(mozilla_plugin_t)
+storage_raw_read_removable_device(mozilla_plugin_t)
+fs_read_removable_files(mozilla_plugin_t)
+fs_read_removable_symlinks(mozilla_plugin_t)
application_exec(mozilla_plugin_t)
+application_dontaudit_signull(mozilla_plugin_t)
@ -46435,7 +46551,7 @@ index 11ac8e4..7bb38c6 100644
')
optional_policy(`
@@ -560,7 +573,11 @@ optional_policy(`
@@ -560,7 +577,11 @@ optional_policy(`
')
optional_policy(`
@ -46448,7 +46564,7 @@ index 11ac8e4..7bb38c6 100644
')
optional_policy(`
@@ -568,108 +585,131 @@ optional_policy(`
@@ -568,108 +589,131 @@ optional_policy(`
')
optional_policy(`
@ -53019,10 +53135,10 @@ index 0000000..28936b4
+')
diff --git a/nova.te b/nova.te
new file mode 100644
index 0000000..f429163
index 0000000..f691a30
--- /dev/null
+++ b/nova.te
@@ -0,0 +1,311 @@
@@ -0,0 +1,310 @@
+policy_module(nova, 1.0.0)
+
+########################################
@ -53302,7 +53418,6 @@ index 0000000..f429163
+# nova vncproxy local policy
+#
+
+
+#######################################
+#
+# nova volume local policy
@ -59264,10 +59379,10 @@ index 0000000..42ed4ba
+')
diff --git a/openwsman.te b/openwsman.te
new file mode 100644
index 0000000..49dc5ef
index 0000000..a0161d5
--- /dev/null
+++ b/openwsman.te
@@ -0,0 +1,43 @@
@@ -0,0 +1,56 @@
+policy_module(openwsman, 1.0.0)
+
+########################################
@ -59279,6 +59394,9 @@ index 0000000..49dc5ef
+type openwsman_exec_t;
+init_daemon_domain(openwsman_t, openwsman_exec_t)
+
+type openwsman_tmp_t;
+files_tmp_file(openwsman_tmp_t)
+
+type openwsman_log_t;
+logging_log_file(openwsman_log_t)
+
@ -59292,10 +59410,17 @@ index 0000000..49dc5ef
+#
+# openwsman local policy
+#
+
+allow openwsman_t self:capability setuid;
+
+allow openwsman_t self:process { fork };
+allow openwsman_t self:fifo_file rw_fifo_file_perms;
+allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
+allow openwsman_t self:tcp_socket { create_socket_perms listen };
+allow openwsman_t self:tcp_socket { create_socket_perms accept listen };
+
+manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
+logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
@ -59304,12 +59429,15 @@ index 0000000..49dc5ef
+files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
+
+auth_use_nsswitch(openwsman_t)
+auth_domtrans_chkpwd(openwsman_t)
+
+corenet_tcp_connect_pegasus_https_port(openwsman_t)
+corenet_tcp_bind_vnc_port(openwsman_t)
+
+dev_read_urand(openwsman_t)
+
+logging_send_syslog_msg(openwsman_t)
+logging_send_audit_msgs(openwsman_t)
+
diff --git a/oracleasm.fc b/oracleasm.fc
new file mode 100644
@ -73504,10 +73632,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
index 8644d8b..d76fab5 100644
index 8644d8b..9494e23 100644
--- a/quantum.te
+++ b/quantum.te
@@ -5,92 +5,132 @@ policy_module(quantum, 1.1.0)
@@ -5,92 +5,136 @@ policy_module(quantum, 1.1.0)
# Declarations
#
@ -73554,7 +73682,7 @@ index 8644d8b..d76fab5 100644
-allow quantum_t self:unix_stream_socket { accept listen };
+allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
+allow neutron_t self:capability2 block_suspend;
+allow neutron_t self:process { setsched setrlimit signal_perms };
+allow neutron_t self:process { setsched setrlimit setcap signal_perms };
+
+allow neutron_t self:fifo_file rw_fifo_file_perms;
+allow neutron_t self:key manage_key_perms;
@ -73562,46 +73690,45 @@ index 8644d8b..d76fab5 100644
+allow neutron_t self:unix_stream_socket { accept listen };
+allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
+allow neutron_t self:rawip_socket create_socket_perms;
+allow neutron_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
+append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+logging_log_filetrans(neutron_t, neutron_log_t, dir)
+
+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-logging_log_filetrans(quantum_t, quantum_log_t, dir)
+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
+can_exec(neutron_t, neutron_tmp_t)
-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
+can_exec(neutron_t, neutron_tmp_t)
-can_exec(quantum_t, quantum_tmp_t)
+kernel_rw_kernel_sysctl(neutron_t)
+kernel_rw_net_sysctls(neutron_t)
+kernel_read_system_state(neutron_t)
+kernel_read_network_state(neutron_t)
+kernel_request_load_module(neutron_t)
-kernel_read_kernel_sysctls(quantum_t)
-kernel_read_system_state(quantum_t)
-can_exec(quantum_t, quantum_tmp_t)
+corecmd_exec_shell(neutron_t)
+corecmd_exec_bin(neutron_t)
-corecmd_exec_shell(quantum_t)
-corecmd_exec_bin(quantum_t)
-kernel_read_kernel_sysctls(quantum_t)
-kernel_read_system_state(quantum_t)
+corenet_all_recvfrom_unlabeled(neutron_t)
+corenet_all_recvfrom_netlabel(neutron_t)
+corenet_tcp_sendrecv_generic_if(neutron_t)
@ -73609,83 +73736,88 @@ index 8644d8b..d76fab5 100644
+corenet_tcp_sendrecv_all_ports(neutron_t)
+corenet_tcp_bind_generic_node(neutron_t)
-corenet_all_recvfrom_unlabeled(quantum_t)
-corenet_all_recvfrom_netlabel(quantum_t)
-corenet_tcp_sendrecv_generic_if(quantum_t)
-corenet_tcp_sendrecv_generic_node(quantum_t)
-corenet_tcp_sendrecv_all_ports(quantum_t)
-corenet_tcp_bind_generic_node(quantum_t)
-corecmd_exec_shell(quantum_t)
-corecmd_exec_bin(quantum_t)
+corenet_tcp_bind_neutron_port(neutron_t)
+corenet_tcp_connect_keystone_port(neutron_t)
+corenet_tcp_connect_amqp_port(neutron_t)
+corenet_tcp_connect_mysqld_port(neutron_t)
+corenet_tcp_connect_osapi_compute_port(neutron_t)
-dev_list_sysfs(quantum_t)
-dev_read_urand(quantum_t)
-corenet_all_recvfrom_unlabeled(quantum_t)
-corenet_all_recvfrom_netlabel(quantum_t)
-corenet_tcp_sendrecv_generic_if(quantum_t)
-corenet_tcp_sendrecv_generic_node(quantum_t)
-corenet_tcp_sendrecv_all_ports(quantum_t)
-corenet_tcp_bind_generic_node(quantum_t)
+domain_read_all_domains_state(neutron_t)
+domain_named_filetrans(neutron_t)
-files_read_usr_files(quantum_t)
-dev_list_sysfs(quantum_t)
-dev_read_urand(quantum_t)
+dev_read_sysfs(neutron_t)
+dev_read_urand(neutron_t)
+dev_mounton_sysfs(neutron_t)
+dev_mount_sysfs_fs(neutron_t)
+dev_unmount_sysfs_fs(neutron_t)
-auth_use_nsswitch(quantum_t)
-files_read_usr_files(quantum_t)
+files_mounton_non_security(neutron_t)
-libs_exec_ldconfig(quantum_t)
-auth_use_nsswitch(quantum_t)
+auth_use_nsswitch(neutron_t)
-libs_exec_ldconfig(quantum_t)
+libs_exec_ldconfig(neutron_t)
-logging_send_audit_msgs(quantum_t)
-logging_send_syslog_msg(quantum_t)
+libs_exec_ldconfig(neutron_t)
-miscfiles_read_localization(quantum_t)
+logging_send_audit_msgs(neutron_t)
+logging_send_syslog_msg(neutron_t)
-miscfiles_read_localization(quantum_t)
+netutils_exec(neutron_t)
-sysnet_domtrans_ifconfig(quantum_t)
+# need to stay in neutron
+sysnet_exec_ifconfig(neutron_t)
+sysnet_manage_ifconfig_run(neutron_t)
+sysnet_filetrans_named_content_ifconfig(neutron_t)
+
+optional_policy(`
+ brctl_domtrans(neutron_t)
+')
optional_policy(`
- brctl_domtrans(quantum_t)
+ dnsmasq_domtrans(neutron_t)
+ dnsmasq_signal(neutron_t)
+ dnsmasq_read_state(neutron_t)
+ brctl_domtrans(neutron_t)
')
optional_policy(`
- mysql_stream_connect(quantum_t)
- mysql_read_config(quantum_t)
+ iptables_domtrans(neutron_t)
+ dnsmasq_domtrans(neutron_t)
+ dnsmasq_signal(neutron_t)
+ dnsmasq_read_state(neutron_t)
+')
- mysql_tcp_connect(quantum_t)
+optional_policy(`
+ mysql_stream_connect(neutron_t)
+ mysql_read_db_lnk_files(neutron_t)
+ mysql_read_config(neutron_t)
+ mysql_tcp_connect(neutron_t)
+ iptables_domtrans(neutron_t)
')
optional_policy(`
- postgresql_stream_connect(quantum_t)
- postgresql_unpriv_client(quantum_t)
+ mysql_stream_connect(neutron_t)
+ mysql_read_db_lnk_files(neutron_t)
+ mysql_read_config(neutron_t)
+ mysql_tcp_connect(neutron_t)
+')
- postgresql_tcp_connect(quantum_t)
+optional_policy(`
+ postgresql_stream_connect(neutron_t)
+ postgresql_unpriv_client(neutron_t)
+ postgresql_tcp_connect(neutron_t)
+')
- postgresql_tcp_connect(quantum_t)
+
+optional_policy(`
+ openvswitch_domtrans(neutron_t)
+ openvswitch_stream_connect(neutron_t)
@ -91614,7 +91746,7 @@ index 1499b0b..6950cab 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
index cc58e35..4f35a1b 100644
index cc58e35..de9c4d9 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
@ -91918,7 +92050,7 @@ index cc58e35..4f35a1b 100644
')
########################################
@@ -167,72 +248,85 @@ optional_policy(`
@@ -167,72 +248,90 @@ optional_policy(`
# Client local policy
#
@ -91958,6 +92090,8 @@ index cc58e35..4f35a1b 100644
+manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+userdom_append_user_home_content_files(spamc_t)
+spamassassin_filetrans_home_content(spamc_t)
+spamassassin_filetrans_admin_home_content(spamc_t)
+# for /root/.pyzor
+allow spamc_t self:capability dac_override;
@ -91965,6 +92099,9 @@ index cc58e35..4f35a1b 100644
read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
-stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t)
+read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
+list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
+
+# Allow connecting to a local spamd
+allow spamc_t spamd_t:unix_stream_socket connectto;
+allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
@ -92035,7 +92172,7 @@ index cc58e35..4f35a1b 100644
optional_policy(`
abrt_stream_connect(spamc_t)
@@ -243,6 +337,7 @@ optional_policy(`
@@ -243,6 +342,7 @@ optional_policy(`
')
optional_policy(`
@ -92043,7 +92180,7 @@ index cc58e35..4f35a1b 100644
evolution_stream_connect(spamc_t)
')
@@ -251,10 +346,16 @@ optional_policy(`
@@ -251,10 +351,16 @@ optional_policy(`
')
optional_policy(`
@ -92061,7 +92198,7 @@ index cc58e35..4f35a1b 100644
sendmail_stub(spamc_t)
')
@@ -267,36 +368,38 @@ optional_policy(`
@@ -267,36 +373,38 @@ optional_policy(`
########################################
#
@ -92088,17 +92225,17 @@ index cc58e35..4f35a1b 100644
allow spamd_t self:unix_dgram_socket sendto;
-allow spamd_t self:unix_stream_socket { accept connectto listen };
-allow spamd_t self:tcp_socket { accept listen };
+allow spamd_t self:unix_stream_socket connectto;
+allow spamd_t self:tcp_socket create_stream_socket_perms;
+allow spamd_t self:udp_socket create_socket_perms;
-
-manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
-
+allow spamd_t self:unix_stream_socket connectto;
+allow spamd_t self:tcp_socket create_stream_socket_perms;
+allow spamd_t self:udp_socket create_socket_perms;
-manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
@ -92117,7 +92254,7 @@ index cc58e35..4f35a1b 100644
logging_log_filetrans(spamd_t, spamd_log_t, file)
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
@@ -308,7 +411,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
@@ -308,7 +416,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
@ -92127,7 +92264,7 @@ index cc58e35..4f35a1b 100644
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
@@ -317,12 +421,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
@@ -317,12 +426,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@ -92143,7 +92280,7 @@ index cc58e35..4f35a1b 100644
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
@@ -331,78 +436,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
@@ -331,78 +441,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
@ -92247,7 +92384,7 @@ index cc58e35..4f35a1b 100644
')
optional_policy(`
@@ -421,21 +507,13 @@ optional_policy(`
@@ -421,21 +512,13 @@ optional_policy(`
')
optional_policy(`
@ -92271,7 +92408,7 @@ index cc58e35..4f35a1b 100644
')
optional_policy(`
@@ -443,8 +521,8 @@ optional_policy(`
@@ -443,8 +526,8 @@ optional_policy(`
')
optional_policy(`
@ -92281,7 +92418,7 @@ index cc58e35..4f35a1b 100644
')
optional_policy(`
@@ -455,7 +533,17 @@ optional_policy(`
@@ -455,7 +538,17 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
@ -92300,7 +92437,7 @@ index cc58e35..4f35a1b 100644
')
optional_policy(`
@@ -463,9 +551,9 @@ optional_policy(`
@@ -463,9 +556,9 @@ optional_policy(`
')
optional_policy(`
@ -92311,7 +92448,7 @@ index cc58e35..4f35a1b 100644
')
optional_policy(`
@@ -474,32 +562,32 @@ optional_policy(`
@@ -474,32 +567,32 @@ optional_policy(`
########################################
#
@ -92354,7 +92491,7 @@ index cc58e35..4f35a1b 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
@@ -508,25 +596,21 @@ dev_read_urand(spamd_update_t)
@@ -508,25 +601,21 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
@ -97873,7 +98010,7 @@ index 9b95c3e..a892845 100644
init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/ulogd.te b/ulogd.te
index de35e5f..436d24c 100644
index de35e5f..51f2763 100644
--- a/ulogd.te
+++ b/ulogd.te
@@ -29,8 +29,10 @@ logging_log_file(ulogd_var_log_t)
@ -97894,8 +98031,9 @@ index de35e5f..436d24c 100644
-files_read_etc_files(ulogd_t)
-files_read_usr_files(ulogd_t)
-
-miscfiles_read_localization(ulogd_t)
+kernel_request_load_module(ulogd_t)
sysnet_dns_name_resolve(ulogd_t)
@ -101214,7 +101352,7 @@ index facdee8..88dcafb 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
index f03dcf5..a26950d 100644
index f03dcf5..0b4a6fa 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,212 @@
@ -102678,7 +102816,7 @@ index f03dcf5..a26950d 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
@@ -974,194 +1133,299 @@ selinux_compute_create_context(virtd_lxc_t)
@@ -974,194 +1133,303 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@ -102912,21 +103050,25 @@ index f03dcf5..a26950d 100644
+')
+
+optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+ gear_read_pid_files(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain)
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
+ udev_read_pid_files(svirt_sandbox_domain)
+ ssh_use_ptys(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
+ udev_read_pid_files(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+')
+
@ -102991,12 +103133,12 @@ index f03dcf5..a26950d 100644
+', `
+ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
+')
+
+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
+
+kernel_read_irq_sysctls(svirt_lxc_net_t)
+dev_read_sysfs(svirt_lxc_net_t)
@ -103073,7 +103215,8 @@ index f03dcf5..a26950d 100644
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
+
+kernel_read_irq_sysctls(svirt_qemu_net_t)
+
-allow svirt_prot_exec_t self:process { execmem execstack };
+dev_read_sysfs(svirt_qemu_net_t)
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
@ -103085,8 +103228,7 @@ index f03dcf5..a26950d 100644
+fs_mount_cgroup(svirt_qemu_net_t)
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
+fs_manage_cgroup_files(svirt_qemu_net_t)
-allow svirt_prot_exec_t self:process { execmem execstack };
+
+term_pty(svirt_sandbox_file_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
@ -103115,7 +103257,7 @@ index f03dcf5..a26950d 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1174,12 +1438,12 @@ dev_read_sysfs(virt_qmf_t)
@@ -1174,12 +1442,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@ -103130,7 +103272,7 @@ index f03dcf5..a26950d 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
@@ -1192,9 +1456,8 @@ optional_policy(`
@@ -1192,9 +1460,8 @@ optional_policy(`
########################################
#
@ -103141,7 +103283,7 @@ index f03dcf5..a26950d 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1207,5 +1470,218 @@ kernel_read_network_state(virt_bridgehelper_t)
@@ -1207,5 +1474,216 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@ -103360,8 +103502,6 @@ index f03dcf5..a26950d 100644
+optional_policy(`
+ systemd_dbus_chat_logind(sandbox_net_domain)
+')
+
+
diff --git a/vlock.te b/vlock.te
index 6b72968..de409cc 100644
--- a/vlock.te
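Review bot: `storage_raw_read_removable_device(mozilla_plugin_t)` in the mozilla.te hunk (next to `fs_read_removable_files`) goes further than the "/dev/sr0" wording in the commit message: by its refpolicy definition that interface allows raw blk_file reads on everything labeled removable_device_t, so a compromised plugin could image any removable medium at the device level regardless of what the filesystem-level rules beside it permit. The two `fs_read_removable_*` lines already cover reading mounted removable media, which is what most plugins need; raw device access is the exceptional case. Consider keeping it off by default behind a boolean, e.g. declare `gen_tunable(mozilla_plugin_use_removable_media, false)` in the declarations section and wrap the `storage_raw_read_removable_device(mozilla_plugin_t)` line in a `tunable_policy` block keyed on it, matching how other optional device access is gated in this module if such booleans exist there (not visible in this hunk). The mozilla_plugin_t policy block this line belongs to starts and ends outside the visible hunk.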


@ -590,6 +590,25 @@ SELinux Reference policy mls base module.
%changelog
* Wed May 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-52
- More rules for gears and openshift
- Added iotop policy. Thanks William Brown
- Allow spamc to read .pyzor located in /var/spool/spampd
- Allow spamc to create home content with correct labeling
- Allow logwatch_mail_t to create dead.letter with correct labelign
- Add labeling for min-cloud-agent
- Allow geoclue to read unix in proc.
- Add support for /usr/local/Brother labeling. We removed /usr/local equiv.
- add support for min-cloud-agent
- Allow ulogd to request the kernel to load a module
- remove unconfined_domain for openwsman_t
- Add openwsman_tmp_t rules
- Allow openwsman to execute chkpwd and make this domain as unconfined for F20.
- Allow nova-scheduler to read passwd file
- Allow neutron execute arping in neutron_t
- Dontaudit logrotate executing systemctl command attempting to net_admin
- Allow mozilla plugins to use /dev/sr0
- svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift files
- Any app that executes systemctl will attempt a net_admin
- Fix path to mmap_min_addr
* Wed May 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-51
- Add gear fixes from dwalsh