* Mon Jul 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-138

- Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration.
- Prepare selinux-policy package for SELinux store migration
- gnome_dontaudit_search_config() needs to be a part of optional_policy in pegasus.te
- Allow glusterd to manage nfsd and rpcd services.
- Allow smbd_t and nmbd_t to manage winbind_var_run_t files/sockets/dirs.
- Add samba_manage_winbind_pid() interface
- Allow networkmanager to communicate via dbus with systemd_hostnamed.
- Allow stream connect logrotate to prosody.
- Add prosody_stream_connect() interface.
- httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t.
- Allow prosody to create own tmp files/dirs.
- Allow keepalived request kernel load module
- kadmind should not read generic files in /usr
- Allow kadmind_t access to /etc/krb5.keytab
- Add more fixes to kerberos.te
- Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0
- Add lsmd_t to nsswitch_domain.
- Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.
- Add fixes to pegasus_openlmi_domain
- Allow Glance Scrubber to connect to commplex_main port
- Allow RabbitMQ to connect to amqp port
- Allow isnsd read access on the file /proc/net/unix
- Allow qpidd access to /proc/<pid>/net/psched
- Allow openshift_initrc_t to communicate with firewalld over dbus.
- Allow ctdbd_t send signull to samba_unconfined_net_t.
- Add samba_signull_unconfined_net()
- Add samba_signull_winbind()
- Revert "Add interfaces winbind_signull(), samba_unconfined_net_signull()."
- Fix ctdb policy
- Label /var/db/ as system_db_t.
Lukas Vrabec 2015-07-20 18:37:28 +02:00
parent 57b06e2ca9
commit e5e6b1ee54
3 changed files with 301 additions and 158 deletions

@ -9698,7 +9698,7 @@ index cf04cb5..ed54d58 100644
+ unconfined_server_stream_connect(domain) + unconfined_server_stream_connect(domain)
+') +')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index b876c48..6bfb954 100644 index b876c48..a351aff 100644
--- a/policy/modules/kernel/files.fc --- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@ -9908,7 +9908,7 @@ index b876c48..6bfb954 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
') ')
@@ -229,7 +243,7 @@ ifndef(`distro_redhat',` @@ -229,19 +243,34 @@ ifndef(`distro_redhat',`
# #
# /var # /var
# #
@ -9917,7 +9917,8 @@ index b876c48..6bfb954 100644
/var/.* gen_context(system_u:object_r:var_t,s0) /var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>> /var/\.journal <<none>>
@@ -237,11 +251,25 @@ ifndef(`distro_redhat',` +/var/db(/.*)? gen_context(system_u:object_r:system_db_t,s0)
/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
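Review bot: the new `/var/db(/.*)? ... system_db_t` entry lands directly above the untouched `/var/db/.*\.db -- ... etc_t` entry, so `.db` files under /var/db keep etc_t while everything else there becomes system_db_t; file_contexts precedence is decided by the longest literal prefix (ties by file order), not by which line comes first, so the `.db` line still wins for those files. If that split is intended, a comment in files.fc saying so would stop the next person from "fixing" it; if not, the `.db` line should go in the same hunk. Either way, a `matchpathcon` check on one `.db` and one non-`.db` path under /var/db before the package ships is cheap insurance.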
@ -9944,7 +9945,7 @@ index b876c48..6bfb954 100644
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/lost\+found/.* <<none>> /var/log/lost\+found/.* <<none>>
@@ -256,12 +284,14 @@ ifndef(`distro_redhat',` @@ -256,12 +285,14 @@ ifndef(`distro_redhat',`
/var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>> /var/run/.*\.*pid <<none>>
@ -9959,7 +9960,7 @@ index b876c48..6bfb954 100644
/var/tmp/.* <<none>> /var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>> /var/tmp/lost\+found/.* <<none>>
@@ -271,3 +301,5 @@ ifdef(`distro_debian',` @@ -271,3 +302,5 @@ ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
') ')

View File


@ -5208,7 +5208,7 @@ index f6eb485..164501c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
') ')
diff --git a/apache.te b/apache.te diff --git a/apache.te b/apache.te
index 6649962..4516b9a 100644 index 6649962..e98b712 100644
--- a/apache.te --- a/apache.te
+++ b/apache.te +++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@ -5896,7 +5896,7 @@ index 6649962..4516b9a 100644
logging_log_filetrans(httpd_t, httpd_log_t, file) logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms; allow httpd_t httpd_modules_t:dir list_dir_perms;
@@ -412,14 +529,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -412,13 +529,20 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@ -5908,16 +5908,16 @@ index 6649962..4516b9a 100644
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+allow httpd_t httpd_suexec_exec_t:process { signal signull }; -allow httpd_t httpd_suexec_exec_t:file read_file_perms;
allow httpd_t httpd_suexec_exec_t:file read_file_perms; +allow httpd_t httpd_suexec_t:process { signal signull };
+allow httpd_t httpd_suexec_t:file read_file_perms;
+
+allow httpd_t httpd_sys_content_t:dir list_dir_perms; +allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
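Review bot: besides the signal/signull fix, the updated hunk now deletes `allow httpd_t httpd_suexec_exec_t:file read_file_perms;` and adds `allow httpd_t httpd_suexec_t:file read_file_perms;`, which looks like the `_exec_t` to `_t` replacement was applied one line too many. The signal change itself is correct (a `process` permission granted on an exec file type never matches a running process, so the old rule was dead), but read_file_perms on the domain type only reaches the /proc/<pid> entries of the suexec process, while httpd still has to read the suexec binary; keep the original `httpd_suexec_exec_t:file` rule unless that read is granted elsewhere, and if the removal is deliberate, say so in the changelog, which currently only describes the signal change.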
@@ -450,140 +574,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -450,140 +574,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@ -19712,7 +19712,7 @@ index b25b01d..6b7d687 100644
') ')
+ +
diff --git a/ctdb.te b/ctdb.te diff --git a/ctdb.te b/ctdb.te
index 001b502..28bb02c 100644 index 001b502..4a84c8b 100644
--- a/ctdb.te --- a/ctdb.te
+++ b/ctdb.te +++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@ -19799,17 +19799,20 @@ index 001b502..28bb02c 100644
optional_policy(` optional_policy(`
consoletype_exec(ctdbd_t) consoletype_exec(ctdbd_t)
') ')
@@ -106,9 +129,13 @@ optional_policy(` @@ -106,9 +129,16 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
+ samba_winbind_signull(ctdbd_t)
+ samba_unconfined_net_signull(ctdbd_t)
+ samba_signull_smbd(ctdbd_t) + samba_signull_smbd(ctdbd_t)
samba_initrc_domtrans(ctdbd_t) samba_initrc_domtrans(ctdbd_t)
samba_domtrans_net(ctdbd_t) samba_domtrans_net(ctdbd_t)
samba_rw_var_files(ctdbd_t) samba_rw_var_files(ctdbd_t)
+ samba_systemctl(ctdbd_t) + samba_systemctl(ctdbd_t)
+')
+
+optional_policy(`
+ samba_signull_winbind(ctdbd_t)
+ samba_signull_unconfined_net(ctdbd_t)
') ')
optional_policy(` optional_policy(`
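Review bot: the new second optional_policy block holding samba_signull_winbind(ctdbd_t) and samba_signull_unconfined_net(ctdbd_t) depends on the same samba module as the block right above it, so the split buys nothing unless it exists to keep the diff against upstream small; fold the two calls into the existing block or add a comment explaining the separation. More important, the changelog reverts the earlier samba_winbind_signull()/samba_unconfined_net_signull() names and adds samba_signull_winbind()/samba_signull_unconfined_net(), but samba.if is not among the hunks on this page, so confirm the new interfaces are actually defined and that nothing else in the patch still calls the reverted names, or the module build fails.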
@ -30297,7 +30300,7 @@ index 9eacb2c..7b19ad2 100644
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1) domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te diff --git a/glance.te b/glance.te
index 5cd0909..cdba87f 100644 index 5cd0909..bd3c3d2 100644
--- a/glance.te --- a/glance.te
+++ b/glance.te +++ b/glance.te
@@ -5,10 +5,31 @@ policy_module(glance, 1.1.0) @@ -5,10 +5,31 @@ policy_module(glance, 1.1.0)
@ -30432,7 +30435,7 @@ index 5cd0909..cdba87f 100644
logging_send_syslog_msg(glance_registry_t) logging_send_syslog_msg(glance_registry_t)
@@ -108,13 +157,37 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) @@ -108,13 +157,38 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
can_exec(glance_api_t, glance_tmp_t) can_exec(glance_api_t, glance_tmp_t)
@ -30474,6 +30477,7 @@ index 5cd0909..cdba87f 100644
+# Scrubber local policy +# Scrubber local policy
+# +#
+ +
+corenet_tcp_connect_commplex_main_port(glance_scrubber_t)
+corenet_tcp_connect_glance_registry_port(glance_scrubber_t) +corenet_tcp_connect_glance_registry_port(glance_scrubber_t)
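Review bot: corenet_tcp_connect_commplex_main_port(glance_scrubber_t) grants a connection to a shared port label rather than a glance-specific one; commplex_main_port_t is the generic label for tcp/udp 5000 and is used by unrelated services, so the scrubber can now reach any of them. A comment in glance.te naming the service on 5000 the scrubber actually talks to would make the grant reviewable and easy to narrow later.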
diff --git a/glusterd.fc b/glusterd.fc diff --git a/glusterd.fc b/glusterd.fc
new file mode 100644 new file mode 100644
@ -30750,10 +30754,10 @@ index 0000000..fc9bf19
+ +
diff --git a/glusterd.te b/glusterd.te diff --git a/glusterd.te b/glusterd.te
new file mode 100644 new file mode 100644
index 0000000..918eb52 index 0000000..bd8ad23
--- /dev/null --- /dev/null
+++ b/glusterd.te +++ b/glusterd.te
@@ -0,0 +1,277 @@ @@ -0,0 +1,286 @@
+policy_module(glusterfs, 1.1.2) +policy_module(glusterfs, 1.1.2)
+ +
+## <desc> +## <desc>
@ -31023,6 +31027,15 @@ index 0000000..918eb52
+') +')
+ +
+optional_policy(` +optional_policy(`
+ rpc_systemctl_nfsd(glusterd_t)
+ rpc_systemctl_rpcd(glusterd_t)
+
+ rpc_domtrans_nfsd(glusterd_t)
+ rpc_domtrans_rpcd(glusterd_t)
+ rpc_manage_nfs_state_data(glusterd_t)
+')
+
+optional_policy(`
+ rhcs_dbus_chat_cluster(glusterd_t) + rhcs_dbus_chat_cluster(glusterd_t)
+ rhcs_domtrans_cluster(glusterd_t) + rhcs_domtrans_cluster(glusterd_t)
+ rhcs_systemctl_cluster(glusterd_t) + rhcs_systemctl_cluster(glusterd_t)
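Review bot: the new optional_policy block gives glusterd_t rpc_systemctl_nfsd/rpc_systemctl_rpcd, rpc_domtrans_nfsd/rpc_domtrans_rpcd and rpc_manage_nfs_state_data, i.e. glusterd may start and stop the NFS and rpc services, exec the daemons directly, and rewrite their state data. That matches the changelog but is a wide grant for a storage daemon; a comment tying each interface to the glusterd feature that needs it (systemctl for service control versus domtrans for direct execution) would let a later review drop whichever half turns out unused. Also verify that rpc_systemctl_nfsd() and rpc_systemctl_rpcd() exist in rpc.if, since that file is not in the hunks shown.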
@ -37266,7 +37279,7 @@ index ca020fa..d4ed777 100644
+ kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t) + kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t)
+') +')
diff --git a/isns.te b/isns.te diff --git a/isns.te b/isns.te
index bc11034..07e6310 100644 index bc11034..183c526 100644
--- a/isns.te --- a/isns.te
+++ b/isns.te +++ b/isns.te
@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t) @@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
@ -37277,7 +37290,17 @@ index bc11034..07e6310 100644
allow isnsd_t self:udp_socket { accept listen }; allow isnsd_t self:udp_socket { accept listen };
allow isnsd_t self:unix_stream_socket { accept listen }; allow isnsd_t self:unix_stream_socket { accept listen };
@@ -46,10 +47,6 @@ corenet_tcp_bind_generic_node(isnsd_t) @@ -37,6 +38,9 @@ manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
files_pid_filetrans(isnsd_t, isnsd_var_run_t, { file sock_file })
+kernel_read_system_state(isnsd_t)
+kernel_read_network_state(isnsd_t)
+
corenet_all_recvfrom_unlabeled(isnsd_t)
corenet_all_recvfrom_netlabel(isnsd_t)
corenet_tcp_sendrecv_generic_if(isnsd_t)
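Review bot: the changelog asks for read access to /proc/net/unix, which kernel_read_network_state(isnsd_t) already covers (proc_net_t); kernel_read_system_state(isnsd_t) additionally opens all of proc_t and is not justified by the stated fix. Drop it, or record the AVC denial that required it.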
@@ -46,10 +50,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
corenet_sendrecv_isns_server_packets(isnsd_t) corenet_sendrecv_isns_server_packets(isnsd_t)
corenet_tcp_bind_isns_port(isnsd_t) corenet_tcp_bind_isns_port(isnsd_t)
@ -39279,10 +39302,10 @@ index 0000000..bd7e7fa
+') +')
diff --git a/keepalived.te b/keepalived.te diff --git a/keepalived.te b/keepalived.te
new file mode 100644 new file mode 100644
index 0000000..1a78c67 index 0000000..20adcb3
--- /dev/null --- /dev/null
+++ b/keepalived.te +++ b/keepalived.te
@@ -0,0 +1,89 @@ @@ -0,0 +1,90 @@
+policy_module(keepalived, 1.0.0) +policy_module(keepalived, 1.0.0)
+ +
+######################################## +########################################
@ -39320,6 +39343,7 @@ index 0000000..1a78c67
+ +
+kernel_read_system_state(keepalived_t) +kernel_read_system_state(keepalived_t)
+kernel_read_network_state(keepalived_t) +kernel_read_network_state(keepalived_t)
+kernel_request_load_module(keepalived_t)
+ +
+auth_use_nsswitch(keepalived_t) +auth_use_nsswitch(keepalived_t)
+ +
@ -39373,10 +39397,10 @@ index 0000000..1a78c67
+ ') + ')
+') +')
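Review bot: kernel_request_load_module(keepalived_t) lets the daemon trigger kernel module autoloading (system:module_request on kernel_t), and the changelog says only that keepalived requests it, not which module. Add a comment naming the module or the socket/protocol whose creation triggers the request; if keepalived works without the module, kernel_dontaudit_request_load_module() is the usual way to silence the denial without granting it.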
diff --git a/kerberos.fc b/kerberos.fc diff --git a/kerberos.fc b/kerberos.fc
index 4fe75fd..b05128a 100644 index 4fe75fd..b9f07ae 100644
--- a/kerberos.fc --- a/kerberos.fc
+++ b/kerberos.fc +++ b/kerberos.fc
@@ -1,52 +1,50 @@ @@ -1,52 +1,52 @@
-HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) -HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
-/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) -/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
@ -39414,33 +39438,25 @@ index 4fe75fd..b05128a 100644
-/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -
+/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -
+/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0) -
+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
-/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) /usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/run/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_var_run_t,s0) -
-/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) +/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
-/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) -/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
- -
-/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0) -/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
@ -39455,7 +39471,18 @@ index 4fe75fd..b05128a 100644
-/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+
+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
+
+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+
+/var/run/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_var_run_t,s0)
+
+/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/kadmin_0 -- gen_context(system_u:object_r:kadmind_tmp_t,s0)
+/var/tmp/kiprop_0 -- gen_context(system_u:object_r:krb5kdc_tmp_t,s0)
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
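Review bot: the reshuffled entries drop the `--` file-type qualifier on several lines that previously had it, e.g. `/var/kerberos/krb5kdc/principal.*\.ok` and `/var/log/krb5kdc\.log.*` (formerly `-- gen_context(...)`), so those patterns now match directories, symlinks and sockets as well as regular files; restore the `--` unless the widening is intended, in which case say so. The two new /var/tmp entries also differ from their neighbours: `/var/tmp/kadmin_0` goes to kadmind_tmp_t and `/var/tmp/kiprop_0` to krb5kdc_tmp_t while the other `/var/tmp/<service>_N` replay caches stay krb5_host_rcache_t; make sure the files_tmp_filetrans rules for kadmind_t and krb5kdc_t produce the same types, or restorecon and the running daemons will keep flipping the labels.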
@ -40175,7 +40202,7 @@ index f6c00d8..7b777ab 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55") + kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
') ')
diff --git a/kerberos.te b/kerberos.te diff --git a/kerberos.te b/kerberos.te
index 8833d59..61910d0 100644 index 8833d59..462e466 100644
--- a/kerberos.te --- a/kerberos.te
+++ b/kerberos.te +++ b/kerberos.te
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0) @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
@ -40226,7 +40253,7 @@ index 8833d59..61910d0 100644
type krb5kdc_principal_t; type krb5kdc_principal_t;
files_type(krb5kdc_principal_t) files_type(krb5kdc_principal_t)
@@ -74,28 +78,31 @@ files_pid_file(krb5kdc_var_run_t) @@ -74,28 +78,33 @@ files_pid_file(krb5kdc_var_run_t)
# kadmind local policy # kadmind local policy
# #
@ -40259,12 +40286,14 @@ index 8833d59..61910d0 100644
allow kadmind_t krb5kdc_principal_t:file manage_file_perms; allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file) filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
+allow kadmind_t krb5_keytab_t:file read_file_perms;
+
+can_exec(kadmind_t, kadmind_exec_t) +can_exec(kadmind_t, kadmind_exec_t)
+ +
manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
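Review bot: `allow kadmind_t krb5_keytab_t:file read_file_perms;` is broader than the changelog's "/etc/krb5.keytab": it covers every krb5_keytab_t file, including /var/kerberos/krb5kdc/kadm5.keytab as labelled in kerberos.fc. Read-only is the right scope and probably what kadmind needs, but the changelog should say keytab files generally, and a one-line comment on which keytab kadmind opens would help the next reader.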
@@ -103,13 +110,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) @@ -103,13 +112,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t) manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
files_pid_filetrans(kadmind_t, kadmind_var_run_t, file) files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
@ -40283,7 +40312,7 @@ index 8833d59..61910d0 100644
corenet_all_recvfrom_netlabel(kadmind_t) corenet_all_recvfrom_netlabel(kadmind_t)
corenet_tcp_sendrecv_generic_if(kadmind_t) corenet_tcp_sendrecv_generic_if(kadmind_t)
corenet_udp_sendrecv_generic_if(kadmind_t) corenet_udp_sendrecv_generic_if(kadmind_t)
@@ -119,31 +128,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t) @@ -119,31 +130,44 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
corenet_udp_sendrecv_all_ports(kadmind_t) corenet_udp_sendrecv_all_ports(kadmind_t)
corenet_tcp_bind_generic_node(kadmind_t) corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t) corenet_udp_bind_generic_node(kadmind_t)
@ -40297,6 +40326,7 @@ index 8833d59..61910d0 100644
+corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
+corenet_sendrecv_kerberos_admin_server_packets(kadmind_t) +corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
+corenet_sendrecv_kerberos_password_server_packets(kadmind_t) +corenet_sendrecv_kerberos_password_server_packets(kadmind_t)
+corenet_tcp_bind_kprop_port(kadmind_t)
+corenet_tcp_connect_kprop_port(kadmind_t) +corenet_tcp_connect_kprop_port(kadmind_t)
dev_read_sysfs(kadmind_t) dev_read_sysfs(kadmind_t)
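Review bot: corenet_tcp_bind_kprop_port(kadmind_t) is new and appears nowhere in the changelog, which lists only connect-side changes; binding means kadmind listens on the kprop port. If this is for incremental propagation served by kadmind, add a changelog line and a comment, and add the matching corenet_sendrecv_kprop_server_packets() since this module already uses the packet interfaces for the admin and password ports.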
@ -40309,7 +40339,7 @@ index 8833d59..61910d0 100644
domain_use_interactive_fds(kadmind_t) domain_use_interactive_fds(kadmind_t)
-files_read_etc_files(kadmind_t) files_read_etc_files(kadmind_t)
-files_read_usr_files(kadmind_t) -files_read_usr_files(kadmind_t)
+files_read_usr_symlinks(kadmind_t) +files_read_usr_symlinks(kadmind_t)
files_read_var_files(kadmind_t) files_read_var_files(kadmind_t)
@ -40320,8 +40350,8 @@ index 8833d59..61910d0 100644
+ +
logging_send_syslog_msg(kadmind_t) logging_send_syslog_msg(kadmind_t)
-miscfiles_read_localization(kadmind_t)
+miscfiles_read_generic_certs(kadmind_t) +miscfiles_read_generic_certs(kadmind_t)
miscfiles_read_localization(kadmind_t)
+seutil_read_config(kadmind_t) +seutil_read_config(kadmind_t)
seutil_read_file_contexts(kadmind_t) seutil_read_file_contexts(kadmind_t)
@ -40330,7 +40360,7 @@ index 8833d59..61910d0 100644
sysnet_use_ldap(kadmind_t) sysnet_use_ldap(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t) userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
@@ -154,11 +173,16 @@ optional_policy(` @@ -154,11 +178,16 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -40347,7 +40377,7 @@ index 8833d59..61910d0 100644
') ')
optional_policy(` optional_policy(`
@@ -174,24 +198,27 @@ optional_policy(` @@ -174,24 +203,27 @@ optional_policy(`
# Krb5kdc local policy # Krb5kdc local policy
# #
@ -40379,7 +40409,7 @@ index 8833d59..61910d0 100644
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
@@ -201,71 +228,76 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) @@ -201,71 +233,76 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
@ -40471,7 +40501,7 @@ index 8833d59..61910d0 100644
') ')
optional_policy(` optional_policy(`
@@ -273,6 +305,10 @@ optional_policy(` @@ -273,6 +310,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -40482,7 +40512,7 @@ index 8833d59..61910d0 100644
udev_read_db(krb5kdc_t) udev_read_db(krb5kdc_t)
') ')
@@ -281,10 +317,12 @@ optional_policy(` @@ -281,10 +322,12 @@ optional_policy(`
# kpropd local policy # kpropd local policy
# #
@ -40498,7 +40528,7 @@ index 8833d59..61910d0 100644
allow kpropd_t krb5_host_rcache_t:file manage_file_perms; allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
@@ -301,27 +339,25 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) @@ -301,27 +344,25 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
@ -43322,7 +43352,7 @@ index dd8e01a..9cd6b0b 100644
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
diff --git a/logrotate.te b/logrotate.te diff --git a/logrotate.te b/logrotate.te
index be0ab84..2de18e1 100644 index be0ab84..ce57aac 100644
--- a/logrotate.te --- a/logrotate.te
+++ b/logrotate.te +++ b/logrotate.te
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0) @@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@ -43541,7 +43571,7 @@ index be0ab84..2de18e1 100644
') ')
optional_policy(` optional_policy(`
@@ -198,21 +250,26 @@ optional_policy(` @@ -198,17 +250,18 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -43559,20 +43589,26 @@ index be0ab84..2de18e1 100644
optional_policy(` optional_policy(`
- polipo_log_filetrans_log(logrotate_t, file, "polipo") - polipo_log_filetrans_log(logrotate_t, file, "polipo")
+ psad_domtrans(logrotate_t) + prosody_stream_connect(logrotate_t)
')
optional_policy(`
@@ -216,6 +269,14 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
- psad_domtrans(logrotate_t)
+ rabbitmq_domtrans(logrotate_t) + rabbitmq_domtrans(logrotate_t)
+') +')
+ +
+optional_policy(` +optional_policy(`
+ raid_domtrans_mdadm(logrotate_t) + raid_domtrans_mdadm(logrotate_t)
+')
+
+optional_policy(`
samba_exec_log(logrotate_t)
') ')
optional_policy(` @@ -228,26 +289,43 @@ optional_policy(`
@@ -228,26 +285,43 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
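Review bot: as rendered, the updated patch removes `psad_domtrans(logrotate_t)` (the `-` line beside the new rabbitmq_domtrans call) while the previous revision of the patch kept it; the changelog mentions prosody, rabbitmq and mdadm but not psad, so either the psad call was relocated in a part of the hunk the side-by-side view hides, or psad log rotation loses its domain transition. Confirm which before this goes in, and note the move in the changelog if it was relocated.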
@ -44200,7 +44236,7 @@ index d314333..27ede09 100644
+ ') + ')
') ')
diff --git a/lsm.te b/lsm.te diff --git a/lsm.te b/lsm.te
index 4ec0eea..03b7f8b 100644 index 4ec0eea..0c195ed 100644
--- a/lsm.te --- a/lsm.te
+++ b/lsm.te +++ b/lsm.te
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0) @@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
@ -44235,10 +44271,12 @@ index 4ec0eea..03b7f8b 100644
######################################## ########################################
# #
# Local policy # Local policy
@@ -26,4 +44,59 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) @@ -26,4 +44,61 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
+auth_use_nsswitch(lsmd_t)
+
+corecmd_exec_bin(lsmd_t) +corecmd_exec_bin(lsmd_t)
+corecmd_getattr_all_executables(lsmd_t) +corecmd_getattr_all_executables(lsmd_t)
+ +
@ -56077,7 +56115,7 @@ index 86dc29d..7380935 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
') ')
diff --git a/networkmanager.te b/networkmanager.te diff --git a/networkmanager.te b/networkmanager.te
index 55f2009..35ca860 100644 index 55f2009..e6182a2 100644
--- a/networkmanager.te --- a/networkmanager.te
+++ b/networkmanager.te +++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t; @@ -9,15 +9,18 @@ type NetworkManager_t;
@ -56461,7 +56499,7 @@ index 55f2009..35ca860 100644
') ')
optional_policy(` optional_policy(`
@@ -320,14 +401,20 @@ optional_policy(` @@ -320,14 +401,21 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -56471,6 +56509,7 @@ index 55f2009..35ca860 100644
+ systemd_write_inhibit_pipes(NetworkManager_t) + systemd_write_inhibit_pipes(NetworkManager_t)
+ systemd_read_logind_sessions_files(NetworkManager_t) + systemd_read_logind_sessions_files(NetworkManager_t)
+ systemd_dbus_chat_logind(NetworkManager_t) + systemd_dbus_chat_logind(NetworkManager_t)
+ systemd_dbus_chat_hostnamed(NetworkManager_t)
+ systemd_hostnamed_manage_config(NetworkManager_t) + systemd_hostnamed_manage_config(NetworkManager_t)
') ')
@ -56487,7 +56526,7 @@ index 55f2009..35ca860 100644
') ')
optional_policy(` optional_policy(`
@@ -357,6 +444,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru @@ -357,6 +445,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t) init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t) init_use_script_ptys(wpa_cli_t)
@ -61967,10 +62006,10 @@ index 0000000..c20cac3
+') +')
diff --git a/openshift.te b/openshift.te diff --git a/openshift.te b/openshift.te
new file mode 100644 new file mode 100644
index 0000000..69697c7 index 0000000..c8e810c
--- /dev/null --- /dev/null
+++ b/openshift.te +++ b/openshift.te
@@ -0,0 +1,630 @@ @@ -0,0 +1,634 @@
+policy_module(openshift,1.0.0) +policy_module(openshift,1.0.0)
+ +
+gen_require(` +gen_require(`
@ -62111,6 +62150,10 @@ index 0000000..69697c7
+init_domtrans_script(openshift_initrc_t) +init_domtrans_script(openshift_initrc_t)
+init_initrc_domain(openshift_initrc_t) +init_initrc_domain(openshift_initrc_t)
+ +
+optional_policy(`
+ firewalld_dbus_chat(openshift_initrc_t)
+')
+
+####################################################### +#######################################################
+# +#
+# Policy for all openshift domains +# Policy for all openshift domains
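Review bot: firewalld_dbus_chat(openshift_initrc_t) is bidirectional dbus send_msg, so the init-script domain can invoke firewalld's whole D-Bus API (zone, service and port changes), not merely receive its signals. That is consistent with the changelog, but a comment stating which firewalld call the init script makes would let the grant be narrowed or removed once openshift stops needing it.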
@ -65423,14 +65466,15 @@ index 1fb1964..5212cd2 100644
+') +')
+ +
diff --git a/pegasus.fc b/pegasus.fc diff --git a/pegasus.fc b/pegasus.fc
index dfd46e4..d40433a 100644 index dfd46e4..747aa2a 100644
--- a/pegasus.fc --- a/pegasus.fc
+++ b/pegasus.fc +++ b/pegasus.fc
@@ -1,15 +1,32 @@ @@ -1,15 +1,33 @@
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+ +
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) /etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
+/etc/mdadm\.conf\.anacbak gen_context(system_u:object_r:pegasus_conf_t,s0)
-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) -/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) +/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
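Review bot: the new `/etc/mdadm\.conf\.anacbak` entry should carry the `--` file-type specifier, as the neighbouring `/usr/sbin/cimserver` entry does, because the matching files_etc_filetrans rule in pegasus.te creates it with class `file`; without it a directory of that name would be relabelled too. Also worth confirming that mdadm's own domain can still read a backup of its config once it is labelled pegasus_conf_t rather than an etc type.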
@ -65569,7 +65613,7 @@ index d2fc677..86dce34 100644
') ')
+ +
diff --git a/pegasus.te b/pegasus.te diff --git a/pegasus.te b/pegasus.te
index 608f454..251160b 100644 index 608f454..3e3fd3d 100644
--- a/pegasus.te --- a/pegasus.te
+++ b/pegasus.te +++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@ -65588,7 +65632,7 @@ index 608f454..251160b 100644
type pegasus_cache_t; type pegasus_cache_t;
files_type(pegasus_cache_t) files_type(pegasus_cache_t)
@@ -30,20 +29,326 @@ files_type(pegasus_mof_t) @@ -30,20 +29,337 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t; type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t) files_pid_file(pegasus_var_run_t)
@ -65745,9 +65789,13 @@ index 608f454..251160b 100644
+ +
+kernel_read_network_state(pegasus_openlmi_system_t) +kernel_read_network_state(pegasus_openlmi_system_t)
+ +
+auth_use_nsswitch(pegasus_openlmi_system_t)
+
+dev_rw_sysfs(pegasus_openlmi_system_t) +dev_rw_sysfs(pegasus_openlmi_system_t)
+dev_read_urand(pegasus_openlmi_system_t) +dev_read_urand(pegasus_openlmi_system_t)
+ +
+fs_getattr_all_fs(pegasus_openlmi_system_t)
+
+init_read_utmp(pegasus_openlmi_system_t) +init_read_utmp(pegasus_openlmi_system_t)
+ +
+systemd_config_power_services(pegasus_openlmi_system_t) +systemd_config_power_services(pegasus_openlmi_system_t)
@ -65819,6 +65867,9 @@ index 608f454..251160b 100644
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t) +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t)
+files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage") +files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage")
+ +
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_conf_t, pegasus_conf_t)
+files_etc_filetrans(pegasus_openlmi_storage_t, pegasus_conf_t, file, "mdadm.conf.anacbak" )
+
+kernel_read_all_sysctls(pegasus_openlmi_storage_t) +kernel_read_all_sysctls(pegasus_openlmi_storage_t)
+kernel_read_network_state(pegasus_openlmi_storage_t) +kernel_read_network_state(pegasus_openlmi_storage_t)
+kernel_get_sysvipc_info(pegasus_openlmi_storage_t) +kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
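Review bot: `manage_files_pattern(pegasus_openlmi_storage_t, pegasus_conf_t, pegasus_conf_t)` grants create/write/unlink over every pegasus_conf_t file (the whole /etc/Pegasus tree), while the stated need is the single backup file created through `files_etc_filetrans(..., "mdadm.conf.anacbak")`; consider a dedicated type for that backup and limit the storage provider to it, and drop the stray space before the closing parenthesis in the filetrans call.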
@ -65860,6 +65911,10 @@ index 608f454..251160b 100644
+') +')
+ +
+optional_policy(` +optional_policy(`
+ gnome_dontaudit_search_config(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ fstools_domtrans(pegasus_openlmi_storage_t) + fstools_domtrans(pegasus_openlmi_storage_t)
+') +')
+ +
@ -65920,7 +65975,7 @@ index 608f454..251160b 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
@@ -54,22 +359,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) @@ -54,22 +370,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@ -65951,7 +66006,7 @@ index 608f454..251160b 100644
kernel_read_network_state(pegasus_t) kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t) kernel_read_kernel_sysctls(pegasus_t)
@@ -80,27 +385,21 @@ kernel_read_net_sysctls(pegasus_t) @@ -80,27 +396,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t) kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t)
@ -65984,7 +66039,7 @@ index 608f454..251160b 100644
corecmd_exec_bin(pegasus_t) corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t) corecmd_exec_shell(pegasus_t)
@@ -114,9 +413,11 @@ files_getattr_all_dirs(pegasus_t) @@ -114,9 +424,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t) auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t) auth_domtrans_chk_passwd(pegasus_t)
@ -65996,7 +66051,7 @@ index 608f454..251160b 100644
files_list_var_lib(pegasus_t) files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t) files_read_var_lib_files(pegasus_t)
@@ -128,18 +429,29 @@ init_stream_connect_script(pegasus_t) @@ -128,18 +440,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t) logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t) logging_send_syslog_msg(pegasus_t)
@ -66014,10 +66069,7 @@ index 608f454..251160b 100644
- dbus_connect_system_bus(pegasus_t) - dbus_connect_system_bus(pegasus_t)
+ dmidecode_domtrans(pegasus_t) + dmidecode_domtrans(pegasus_t)
+') +')
+
- optional_policy(`
- networkmanager_dbus_chat(pegasus_t)
- ')
+optional_policy(` +optional_policy(`
+ dbus_system_bus_client(pegasus_t) + dbus_system_bus_client(pegasus_t)
+ dbus_connect_system_bus(pegasus_t) + dbus_connect_system_bus(pegasus_t)
@ -66026,13 +66078,16 @@ index 608f454..251160b 100644
+ networkmanager_dbus_chat(pegasus_t) + networkmanager_dbus_chat(pegasus_t)
+ ') + ')
+') +')
+
- optional_policy(`
- networkmanager_dbus_chat(pegasus_t)
- ')
+optional_policy(` +optional_policy(`
+ rhcs_stream_connect_cluster(pegasus_t) + rhcs_stream_connect_cluster(pegasus_t)
') ')
optional_policy(` optional_policy(`
@@ -151,16 +463,24 @@ optional_policy(` @@ -151,16 +474,24 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -66061,7 +66116,7 @@ index 608f454..251160b 100644
') ')
optional_policy(` optional_policy(`
@@ -168,7 +488,7 @@ optional_policy(` @@ -168,7 +499,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -66070,7 +66125,7 @@ index 608f454..251160b 100644
') ')
optional_policy(` optional_policy(`
@@ -180,6 +500,7 @@ optional_policy(` @@ -180,6 +511,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -73436,10 +73491,10 @@ index 0000000..c056a2f
+/var/log/prosody(/.*)? gen_context(system_u:object_r:prosody_log_t,s0) +/var/log/prosody(/.*)? gen_context(system_u:object_r:prosody_log_t,s0)
diff --git a/prosody.if b/prosody.if diff --git a/prosody.if b/prosody.if
new file mode 100644 new file mode 100644
index 0000000..44ed5ad index 0000000..8231f4f
--- /dev/null --- /dev/null
+++ b/prosody.if +++ b/prosody.if
@@ -0,0 +1,235 @@ @@ -0,0 +1,255 @@
+ +
+## <summary>policy for prosody</summary> +## <summary>policy for prosody</summary>
+ +
@ -73609,6 +73664,26 @@ index 0000000..44ed5ad
+ roleattribute $2 prosody_roles; + roleattribute $2 prosody_roles;
+') +')
+ +
+######################################
+## <summary>
+## Connect to prosody with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prosody_stream_connect',`
+ gen_require(`
+ type prosody_t, prosody_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, prosody_var_run_t, prosody_var_run_t, prosody_t)
+')
+
+######################################## +########################################
+## <summary> +## <summary>
+## Role access for prosody +## Role access for prosody
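Review bot: the body of prosody_stream_connect is right (files_search_pids plus stream_connect_pattern on prosody_var_run_t), but the separator above it (`+######################################`) is shorter than the `+########################################` used by the surrounding interfaces in this file; align it. The changelog names logrotate as the intended caller and that call is not in this hunk, so make sure the logrotate side lands in the same update.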
@ -73677,10 +73752,10 @@ index 0000000..44ed5ad
+') +')
diff --git a/prosody.te b/prosody.te diff --git a/prosody.te b/prosody.te
new file mode 100644 new file mode 100644
index 0000000..f48f1b9 index 0000000..d531fa5
--- /dev/null --- /dev/null
+++ b/prosody.te +++ b/prosody.te
@@ -0,0 +1,85 @@ @@ -0,0 +1,92 @@
+policy_module(prosody, 1.0.0) +policy_module(prosody, 1.0.0)
+ +
+######################################## +########################################
@ -73709,6 +73784,9 @@ index 0000000..f48f1b9
+type prosody_var_run_t; +type prosody_var_run_t;
+files_pid_file(prosody_var_run_t) +files_pid_file(prosody_var_run_t)
+ +
+type prosody_tmp_t;
+files_tmp_file(prosody_tmp_t)
+
+type prosody_unit_file_t; +type prosody_unit_file_t;
+systemd_unit_file(prosody_unit_file_t) +systemd_unit_file(prosody_unit_file_t)
+ +
@ -73735,6 +73813,10 @@ index 0000000..f48f1b9
+setattr_files_pattern(prosody_t, prosody_log_t, prosody_log_t) +setattr_files_pattern(prosody_t, prosody_log_t, prosody_log_t)
+logging_log_filetrans(prosody_t, prosody_log_t, { file dir }) +logging_log_filetrans(prosody_t, prosody_log_t, { file dir })
+ +
+manage_dirs_pattern(prosody_t, prosody_tmp_t, prosody_tmp_t)
+manage_files_pattern(prosody_t, prosody_tmp_t, prosody_tmp_t)
+files_tmp_filetrans(prosody_t, prosody_tmp_t, { dir file })
+
+can_exec(prosody_t, prosody_exec_t) +can_exec(prosody_t, prosody_exec_t)
+ +
+kernel_read_system_state(prosody_t) +kernel_read_system_state(prosody_t)
@ -77705,7 +77787,7 @@ index fe2adf8..f7e9c70 100644
+ admin_pattern($1, qpidd_var_run_t) + admin_pattern($1, qpidd_var_run_t)
') ')
diff --git a/qpid.te b/qpid.te diff --git a/qpid.te b/qpid.te
index 83eb09e..fc17eee 100644 index 83eb09e..9f4739c 100644
--- a/qpid.te --- a/qpid.te
+++ b/qpid.te +++ b/qpid.te
@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) @@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
@ -77718,7 +77800,7 @@ index 83eb09e..fc17eee 100644
type qpidd_tmpfs_t; type qpidd_tmpfs_t;
files_tmpfs_file(qpidd_tmpfs_t) files_tmpfs_file(qpidd_tmpfs_t)
@@ -33,41 +36,54 @@ allow qpidd_t self:shm create_shm_perms; @@ -33,41 +36,55 @@ allow qpidd_t self:shm create_shm_perms;
allow qpidd_t self:tcp_socket { accept listen }; allow qpidd_t self:tcp_socket { accept listen };
allow qpidd_t self:unix_stream_socket { accept listen }; allow qpidd_t self:unix_stream_socket { accept listen };
@ -77743,10 +77825,11 @@ index 83eb09e..fc17eee 100644
files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir }) files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
kernel_read_system_state(qpidd_t) kernel_read_system_state(qpidd_t)
+kernel_read_network_state(qpidd_t)
+
+auth_read_passwd(qpidd_t)
-corenet_all_recvfrom_unlabeled(qpidd_t) -corenet_all_recvfrom_unlabeled(qpidd_t)
+auth_read_passwd(qpidd_t)
+
corenet_all_recvfrom_netlabel(qpidd_t) corenet_all_recvfrom_netlabel(qpidd_t)
+corenet_tcp_bind_generic_node(qpidd_t) +corenet_tcp_bind_generic_node(qpidd_t)
corenet_tcp_sendrecv_generic_if(qpidd_t) corenet_tcp_sendrecv_generic_if(qpidd_t)
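Review bot: kernel_read_network_state(qpidd_t) is broader than the `/proc/<pid>/net/psched` read the changelog describes (it covers all of the proc net state), though that is the usual refpolicy granularity; moving auth_read_passwd below the removed corenet_all_recvfrom_unlabeled line is a pure reorder that makes this hunk larger than it needs to be.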
@ -78849,7 +78932,7 @@ index 2c3d338..7d49554 100644
init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t) init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
domain_system_change_exemption($1) domain_system_change_exemption($1)
diff --git a/rabbitmq.te b/rabbitmq.te diff --git a/rabbitmq.te b/rabbitmq.te
index dc3b0ed..d8858d1 100644 index dc3b0ed..b0ae2c6 100644
--- a/rabbitmq.te --- a/rabbitmq.te
+++ b/rabbitmq.te +++ b/rabbitmq.te
@@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2) @@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2)
@ -78883,7 +78966,7 @@ index dc3b0ed..d8858d1 100644
type rabbitmq_var_log_t; type rabbitmq_var_log_t;
logging_log_file(rabbitmq_var_log_t) logging_log_file(rabbitmq_var_log_t)
@@ -27,98 +31,92 @@ files_pid_file(rabbitmq_var_run_t) @@ -27,98 +31,93 @@ files_pid_file(rabbitmq_var_run_t)
###################################### ######################################
# #
@ -79029,6 +79112,7 @@ index dc3b0ed..d8858d1 100644
+corenet_tcp_bind_jabber_client_port(rabbitmq_t) +corenet_tcp_bind_jabber_client_port(rabbitmq_t)
+corenet_tcp_bind_jabber_interserver_port(rabbitmq_t) +corenet_tcp_bind_jabber_interserver_port(rabbitmq_t)
+corenet_tcp_bind_rabbitmq_port(rabbitmq_t) +corenet_tcp_bind_rabbitmq_port(rabbitmq_t)
+corenet_tcp_connect_amqp_port(rabbitmq_t)
+corenet_tcp_connect_epmd_port(rabbitmq_t) +corenet_tcp_connect_epmd_port(rabbitmq_t)
+corenet_tcp_connect_jabber_interserver_port(rabbitmq_t) +corenet_tcp_connect_jabber_interserver_port(rabbitmq_t)
+corenet_tcp_sendrecv_epmd_port(rabbitmq_t) +corenet_tcp_sendrecv_epmd_port(rabbitmq_t)
@ -88900,7 +88984,7 @@ index b8b66ff..a93346e 100644
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+') +')
diff --git a/samba.if b/samba.if diff --git a/samba.if b/samba.if
index 50d07fb..3ca1c49 100644 index 50d07fb..337a3e7 100644
--- a/samba.if --- a/samba.if
+++ b/samba.if +++ b/samba.if
@@ -1,8 +1,12 @@ @@ -1,8 +1,12 @@
@ -89418,54 +89502,44 @@ index 50d07fb..3ca1c49 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -562,47 +713,63 @@ interface(`samba_rw_smbmount_tcp_sockets',` @@ -560,49 +711,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
allow $1 smbmount_t:tcp_socket { read write };
')
######################################## -########################################
+#######################################
## <summary> ## <summary>
-## Execute winbind helper in the -## Execute winbind helper in the
-## winbind helper domain. -## winbind helper domain.
+## Allow send signull to winbind +## Allow to getattr on winbind binary.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> -## <summary>
-## Domain allowed to transition. -## Domain allowed to transition.
+## Domain allowed access. -## </summary>
## </summary>
## </param>
#
-interface(`samba_domtrans_winbind_helper',`
+interface(`samba_winbind_signull',`
gen_require(`
- type winbind_helper_t, winbind_helper_exec_t;
+ type winbind_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+ allow $1 winbind_t:process signull;
')
#######################################
## <summary>
-## Get attributes of winbind executable files.
+## Allow to getattr on winbind binary.
+## </summary>
+## <param name="domain">
+## <summary> +## <summary>
+## Domain allowed to transition. +## Domain allowed to transition.
+## </summary> +## </summary>
+## </param> ## </param>
+# #
-interface(`samba_domtrans_winbind_helper',`
- gen_require(`
- type winbind_helper_t, winbind_helper_exec_t;
- ')
+interface(`samba_getattr_winbind',` +interface(`samba_getattr_winbind',`
+ gen_require(` + gen_require(`
+ type winbind_exec_t; + type winbind_exec_t;
+ ') + ')
+
- corecmd_search_bin($1)
- domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+ allow $1 winbind_exec_t:file getattr; + allow $1 winbind_exec_t:file getattr;
+') ')
+
-#######################################
+######################################## +########################################
+## <summary> ## <summary>
-## Get attributes of winbind executable files.
+## Execute winbind_helper in the winbind_helper domain. +## Execute winbind_helper in the winbind_helper domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
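Review bot: in samba_getattr_winbind the parameter summary now reads `## Domain allowed to transition.`, text inherited from the removed samba_domtrans_winbind_helper header, but the interface only grants `winbind_exec_t:file getattr`, so it should read `## Domain allowed access.`; the separator `+#######################################` above it is also a character short of the file's convention.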
@ -89497,7 +89571,7 @@ index 50d07fb..3ca1c49 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -618,16 +785,16 @@ interface(`samba_getattr_winbind_exec',` @@ -618,16 +767,16 @@ interface(`samba_getattr_winbind_exec',`
# #
interface(`samba_run_winbind_helper',` interface(`samba_run_winbind_helper',`
gen_require(` gen_require(`
@ -89517,18 +89591,72 @@ index 50d07fb..3ca1c49 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -637,17 +804,16 @@ interface(`samba_run_winbind_helper',` @@ -637,17 +786,71 @@ interface(`samba_run_winbind_helper',`
# #
interface(`samba_read_winbind_pid',` interface(`samba_read_winbind_pid',`
gen_require(` gen_require(`
- type winbind_var_run_t, smbd_var_run_t; - type winbind_var_run_t, smbd_var_run_t;
+ type winbind_var_run_t; + type winbind_var_run_t;
') + ')
+
- files_search_pids($1)
- read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
+ samba_search_pid($1) + samba_search_pid($1)
+ allow $1 winbind_var_run_t:file read_file_perms; + allow $1 winbind_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage winbind PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_manage_winbind_pid',`
+ gen_require(`
+ type winbind_var_run_t;
')
files_search_pids($1)
- read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
+ manage_dirs_pattern($1, winbind_var_run_t, winbind_var_run_t)
+ manage_files_pattern($1, winbin_var_run_t, winbind_var_run_t)
+ manage_sock_files_pattern($1, winbind_var_run_t, winbind_var_run_t)
+')
+
+######################################
+## <summary>
+## Allow domain to signull winbind
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_signull_winbind',`
+ gen_require(`
+ type winbind_t;
+ ')
+ allow $1 winbind_t:process signull;
+')
+
+######################################
+## <summary>
+## Allow domain to signull samba_unconfined_net
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_signull_unconfined_net',`
+ gen_require(`
+ type samba_unconfined_net_t;
+ ')
+ allow $1 samba_unconfined_net_t:process signull;
') ')
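Review bot: samba_manage_winbind_pid has a typo in its second rule, `manage_files_pattern($1, winbin_var_run_t, winbind_var_run_t)`: `winbin_var_run_t` is not declared anywhere (the gen_require only pulls in winbind_var_run_t), so the module will fail to build as soon as a caller such as smbd uses this interface; change it to `manage_files_pattern($1, winbind_var_run_t, winbind_var_run_t)`. The two new signull interfaces also use a `######################################` separator narrower than the rest of the file.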
######################################## ########################################
@ -89539,7 +89667,7 @@ index 50d07fb..3ca1c49 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -657,17 +823,79 @@ interface(`samba_read_winbind_pid',` @@ -657,17 +860,61 @@ interface(`samba_read_winbind_pid',`
# #
interface(`samba_stream_connect_winbind',` interface(`samba_stream_connect_winbind',`
gen_require(` gen_require(`
@ -89601,30 +89729,12 @@ index 50d07fb..3ca1c49 100644
+ +
+######################################## +########################################
+## <summary> +## <summary>
+## Allow send signull to samba_unconfined_net
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_unconfined_net_signull',`
+ gen_require(`
+ type samba_uncofined_net_t;
+ ')
+
+ allow $1 samba_uncofined_net_t:process signull;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate +## All of the rules required to administrate
+## an samba environment +## an samba environment
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
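Review bot: removing samba_unconfined_net_signull (whose body referenced the misspelled `samba_uncofined_net_t`) together with samba_winbind_signull matches the changelog's revert, but any caller already switched to those names (the changelog mentions ctdbd_t sending signull to samba_unconfined_net_t) must be moved to samba_signull_unconfined_net / samba_signull_winbind in the same update, or those modules will fail to build with an undefined interface.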
@@ -676,7 +904,7 @@ interface(`samba_stream_connect_winbind',` @@ -676,7 +923,7 @@ interface(`samba_stream_connect_winbind',`
## </param> ## </param>
## <param name="role"> ## <param name="role">
## <summary> ## <summary>
@ -89633,7 +89743,7 @@ index 50d07fb..3ca1c49 100644
## </summary> ## </summary>
## </param> ## </param>
## <rolecap/> ## <rolecap/>
@@ -689,11 +917,30 @@ interface(`samba_admin',` @@ -689,11 +936,30 @@ interface(`samba_admin',`
type samba_etc_t, samba_share_t, samba_initrc_exec_t; type samba_etc_t, samba_share_t, samba_initrc_exec_t;
type swat_var_run_t, swat_tmp_t, winbind_log_t; type swat_var_run_t, swat_tmp_t, winbind_log_t;
type winbind_var_run_t, winbind_tmp_t; type winbind_var_run_t, winbind_tmp_t;
@ -89667,7 +89777,7 @@ index 50d07fb..3ca1c49 100644
init_labeled_script_domtrans($1, samba_initrc_exec_t) init_labeled_script_domtrans($1, samba_initrc_exec_t)
domain_system_change_exemption($1) domain_system_change_exemption($1)
@@ -703,23 +950,34 @@ interface(`samba_admin',` @@ -703,23 +969,34 @@ interface(`samba_admin',`
files_list_etc($1) files_list_etc($1)
admin_pattern($1, { samba_etc_t smbd_keytab_t }) admin_pattern($1, { samba_etc_t smbd_keytab_t })
@ -89678,11 +89788,11 @@ index 50d07fb..3ca1c49 100644
- files_list_var($1) - files_list_var($1)
- admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t }) - admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t })
+ admin_pattern($1, samba_secrets_t) + admin_pattern($1, samba_secrets_t)
+
+ admin_pattern($1, samba_share_t)
- files_list_spool($1) - files_list_spool($1)
- admin_pattern($1, smbd_spool_t) - admin_pattern($1, smbd_spool_t)
+ admin_pattern($1, samba_share_t)
+
+ admin_pattern($1, samba_var_t) + admin_pattern($1, samba_var_t)
+ files_list_var($1) + files_list_var($1)


@ -645,6 +645,38 @@ exit 0
%endif %endif
%changelog %changelog
* Mon Jul 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-138
- Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration.
- Prepare selinux-policy package for SELinux store migration
- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
- Allow glusterd to manage nfsd and rpcd services.
- Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs.
- Add samba_manage_winbind_pid() interface
- Allow networkmanager to communicate via dbus with systemd_hostanmed.
- Allow stream connect logrotate to prosody.
- Add prosody_stream_connect() interface.
- httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t.
- Allow prosody to create own tmp files/dirs.
- Allow keepalived request kernel load module
- kadmind should not read generic files in /usr
- Allow kadmind_t access to /etc/krb5.keytab
- Add more fixes to kerberos.te
- Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0
- Add lsmd_t to nsswitch_domain.
- Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.
- Add fixes to pegasus_openlmi_domain
- Allow Glance Scrubber to connect to commplex_main port
- Allow RabbitMQ to connect to amqp port
- Allow isnsd read access on the file /proc/net/unix
- Allow qpidd access to /proc/<pid>/net/psched
- Allow openshift_initrc_t to communicate with firewalld over dbus.
- Allow ctdbd_t send signull to samba_unconfined_net_t.
- Add samba_signull_unconfined_net()
- Add samba_signull_winbind()
- Revert "Add interfaces winbind_signull(), samba_unconfined_net_signull()."
- Fix ctdb policy
- Label /var/db/ as system_db_t.
* Wed Jul 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-137 * Wed Jul 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-137
- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t - inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t
- Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib. - Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.
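Review bot: the new %changelog entry carries typos that will ship in the built package: `optinal_policy` (optional_policy), `socktes` (sockets) and `systemd_hostanmed` (systemd_hostnamed). It also lists both `Add samba_signull_unconfined_net()` and `Revert "Add interfaces winbind_signull(), samba_unconfined_net_signull()."`, so the samba.if hunks above should be checked against it, and the Release field bump to 3.13.1-138 is not shown in this hunk; confirm it is part of the commit.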