- Add kernel_mounton_messages() interface

- init wants to manage lock files for iscsi
- Add support for dey_sapi port
- Fixes needed for docker
- Allow epmd to manage /var/log/rabbitmq/startup_err file
- Allow beam.smp connect to amqp port
- drbdadm executes drbdmeta
- Added osad policy
- Allow postfix to deliver to procmail
- Allow vmtools to execute /usr/bin/lsb_release
- Allow geoclue to read /etc/passwd
- Allow docker to write system net ctrls
- Add support for rhnsd unit file
- Add dbus_chat_session_bus() interface
- Add dbus_stream_connect_session_bus() interface
- Fix pcp.te
- Fix logrotate_use_nfs boolean
- Add lot of pcp fixes found in RHEL7
- fix labeling for pmie for pcp pkg
- Change thumb_t to be allowed to chat/connect with session bus type
- Add logrotate_use_nfs boolean
- Allow setroubleshootd to read rpc sysctl
Miroslav Grepl 2014-02-05 08:52:08 +01:00
parent 4cde844b7e
commit fc059db54d
3 changed files with 1155 additions and 551 deletions


@ -5410,7 +5410,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index b191055..51daa72 100644
index b191055..b60c687 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5497,7 +5497,7 @@ index b191055..51daa72 100644
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
@@ -96,19 +119,20 @@ network_port(boinc, tcp,31416,s0)
@@ -96,43 +119,53 @@ network_port(boinc, tcp,31416,s0)
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
network_port(biff) # no defined portcon
network_port(certmaster, tcp,51235,s0)
@ -5521,7 +5521,11 @@ index b191055..51daa72 100644
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
network_port(daap, tcp,3689,s0, udp,3689,s0)
@@ -119,20 +143,28 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
network_port(dbskkd, tcp,1178,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dccm, tcp,5679,s0, udp,5679,s0)
+network_port(dey_sapi, tcp,4330,s0)
network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, tcp,5546,s0)
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
@ -5552,7 +5556,7 @@ index b191055..51daa72 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
@@ -140,45 +172,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
@@ -140,45 +173,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@ -5619,7 +5623,7 @@ index b191055..51daa72 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
@@ -186,26 +225,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
@@ -186,26 +226,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@ -5659,7 +5663,7 @@ index b191055..51daa72 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
@@ -215,39 +263,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
@@ -215,39 +264,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@ -5712,7 +5716,7 @@ index b191055..51daa72 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
@@ -259,8 +313,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
@@ -259,8 +314,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@ -5723,7 +5727,7 @@ index b191055..51daa72 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
@@ -271,10 +326,10 @@ network_port(varnishd, tcp,6081-6082,s0)
@@ -271,10 +327,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@ -5736,7 +5740,7 @@ index b191055..51daa72 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
@@ -288,19 +343,23 @@ network_port(zabbix_agent, tcp,10050,s0)
@@ -288,19 +344,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@ -5763,7 +5767,7 @@ index b191055..51daa72 100644
########################################
#
@@ -333,6 +392,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
@@ -333,6 +393,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@ -5772,7 +5776,7 @@ index b191055..51daa72 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
@@ -345,9 +406,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
@@ -345,9 +407,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@ -14917,7 +14921,7 @@ index 7be4ddf..d5ef507 100644
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
+/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index e100d88..6f745f0 100644
index e100d88..ee4c057 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@ -15031,7 +15035,33 @@ index e100d88..6f745f0 100644
## Do not audit attempts by caller to
## read system state information in proc.
## </summary>
@@ -1477,6 +1529,24 @@ interface(`kernel_dontaudit_list_all_proc',`
@@ -1208,6 +1260,25 @@ interface(`kernel_read_messages',`
########################################
## <summary>
+## Allow caller to read kernel messages
+## using the /proc/kmsg interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mounton_messages',`
+ gen_require(`
+ type proc_kmsg_t, proc_t;
+ ')
+
+ allow $1 proc_kmsg_t:dir mounton;
+')
+
+########################################
+## <summary>
## Allow caller to get the attributes of kernel message
## interface (/proc/kmsg).
## </summary>
@@ -1477,6 +1548,24 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
## <summary>
@ -15056,7 +15086,7 @@ index e100d88..6f745f0 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
## </summary>
@@ -1750,16 +1820,9 @@ interface(`kernel_rw_unix_sysctls',`
@@ -1750,16 +1839,9 @@ interface(`kernel_rw_unix_sysctls',`
## Domain allowed access.
## </summary>
## </param>
@ -15074,7 +15104,7 @@ index e100d88..6f745f0 100644
')
########################################
@@ -1771,16 +1834,9 @@ interface(`kernel_read_hotplug_sysctls',`
@@ -1771,16 +1853,9 @@ interface(`kernel_read_hotplug_sysctls',`
## Domain allowed access.
## </summary>
## </param>
@ -15092,7 +15122,7 @@ index e100d88..6f745f0 100644
')
########################################
@@ -1792,16 +1848,9 @@ interface(`kernel_rw_hotplug_sysctls',`
@@ -1792,16 +1867,9 @@ interface(`kernel_rw_hotplug_sysctls',`
## Domain allowed access.
## </summary>
## </param>
@ -15110,7 +15140,7 @@ index e100d88..6f745f0 100644
')
########################################
@@ -1813,16 +1862,9 @@ interface(`kernel_read_modprobe_sysctls',`
@@ -1813,16 +1881,9 @@ interface(`kernel_read_modprobe_sysctls',`
## Domain allowed access.
## </summary>
## </param>
@ -15128,7 +15158,7 @@ index e100d88..6f745f0 100644
')
########################################
@@ -2085,7 +2127,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
@@ -2085,7 +2146,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@ -15137,7 +15167,7 @@ index e100d88..6f745f0 100644
')
########################################
@@ -2282,6 +2324,25 @@ interface(`kernel_list_unlabeled',`
@@ -2282,6 +2343,25 @@ interface(`kernel_list_unlabeled',`
########################################
## <summary>
@ -15163,7 +15193,7 @@ index e100d88..6f745f0 100644
## Read the process state (/proc/pid) of all unlabeled_t.
## </summary>
## <param name="domain">
@@ -2306,7 +2367,7 @@ interface(`kernel_read_unlabeled_state',`
@@ -2306,7 +2386,7 @@ interface(`kernel_read_unlabeled_state',`
## </summary>
## <param name="domain">
## <summary>
@ -15172,7 +15202,7 @@ index e100d88..6f745f0 100644
## </summary>
## </param>
#
@@ -2488,6 +2549,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
@@ -2488,6 +2568,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
## <summary>
@ -15197,7 +15227,7 @@ index e100d88..6f745f0 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## </summary>
@@ -2525,6 +2604,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
@@ -2525,6 +2623,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
## <summary>
@ -15222,7 +15252,7 @@ index e100d88..6f745f0 100644
## Allow caller to relabel unlabeled files.
## </summary>
## <param name="domain">
@@ -2667,6 +2764,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
@@ -2667,6 +2783,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
@ -15247,7 +15277,7 @@ index e100d88..6f745f0 100644
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
@@ -2694,6 +2809,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
@@ -2694,6 +2828,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
@ -15273,7 +15303,7 @@ index e100d88..6f745f0 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
@@ -2803,6 +2937,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
@@ -2803,6 +2956,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@ -15307,7 +15337,7 @@ index e100d88..6f745f0 100644
########################################
## <summary>
@@ -2958,6 +3119,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
@@ -2958,6 +3138,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
@ -15332,7 +15362,7 @@ index e100d88..6f745f0 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
@@ -2972,5 +3151,565 @@ interface(`kernel_unconfined',`
@@ -2972,5 +3170,565 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@ -29278,7 +29308,7 @@ index 79a45f6..9a14d49 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..fdd335a 100644
index 17eda24..17932ac 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -29526,7 +29556,7 @@ index 17eda24..fdd335a 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
@@ -186,29 +286,212 @@ ifdef(`distro_gentoo',`
@@ -186,29 +286,213 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@ -29571,6 +29601,7 @@ index 17eda24..fdd335a 100644
+
+optional_policy(`
+ iscsi_read_lib_files(init_t)
+ iscsi_manage_lock(init_t)
+')
+
+optional_policy(`
@ -29747,7 +29778,7 @@ index 17eda24..fdd335a 100644
')
optional_policy(`
@@ -216,7 +499,30 @@ optional_policy(`
@@ -216,7 +500,30 @@ optional_policy(`
')
optional_policy(`
@ -29778,7 +29809,7 @@ index 17eda24..fdd335a 100644
')
########################################
@@ -225,9 +531,9 @@ optional_policy(`
@@ -225,9 +532,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -29790,7 +29821,7 @@ index 17eda24..fdd335a 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
@@ -258,12 +564,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
@@ -258,12 +565,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -29807,7 +29838,7 @@ index 17eda24..fdd335a 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -279,23 +589,36 @@ kernel_change_ring_buffer_level(initrc_t)
@@ -279,23 +590,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@ -29850,7 +29881,7 @@ index 17eda24..fdd335a 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
@@ -303,9 +626,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
@@ -303,9 +627,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@ -29862,7 +29893,7 @@ index 17eda24..fdd335a 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
@@ -313,8 +638,10 @@ dev_write_framebuffer(initrc_t)
@@ -313,8 +639,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@ -29873,7 +29904,7 @@ index 17eda24..fdd335a 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -322,8 +649,7 @@ dev_manage_generic_files(initrc_t)
@@ -322,8 +650,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@ -29883,7 +29914,7 @@ index 17eda24..fdd335a 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
@@ -332,7 +658,6 @@ domain_sigstop_all_domains(initrc_t)
@@ -332,7 +659,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@ -29891,7 +29922,7 @@ index 17eda24..fdd335a 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
@@ -340,6 +665,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
@@ -340,6 +666,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@ -29899,7 +29930,7 @@ index 17eda24..fdd335a 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
@@ -347,14 +673,15 @@ files_getattr_all_symlinks(initrc_t)
@@ -347,14 +674,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@ -29917,7 +29948,7 @@ index 17eda24..fdd335a 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
@@ -364,8 +691,12 @@ files_list_isid_type_dirs(initrc_t)
@@ -364,8 +692,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@ -29931,7 +29962,7 @@ index 17eda24..fdd335a 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
@@ -375,10 +706,11 @@ fs_mount_all_fs(initrc_t)
@@ -375,10 +707,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@ -29945,7 +29976,7 @@ index 17eda24..fdd335a 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
@@ -387,8 +719,10 @@ mls_process_read_up(initrc_t)
@@ -387,8 +720,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@ -29956,7 +29987,7 @@ index 17eda24..fdd335a 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
@@ -398,6 +732,7 @@ term_use_all_terms(initrc_t)
@@ -398,6 +733,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@ -29964,7 +29995,7 @@ index 17eda24..fdd335a 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
@@ -416,20 +751,18 @@ logging_read_all_logs(initrc_t)
@@ -416,20 +752,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@ -29988,7 +30019,7 @@ index 17eda24..fdd335a 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
@@ -451,7 +784,6 @@ ifdef(`distro_gentoo',`
@@ -451,7 +785,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@ -29996,7 +30027,7 @@ index 17eda24..fdd335a 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
@@ -486,6 +818,10 @@ ifdef(`distro_gentoo',`
@@ -486,6 +819,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@ -30007,7 +30038,7 @@ index 17eda24..fdd335a 100644
alsa_read_lib(initrc_t)
')
@@ -506,7 +842,7 @@ ifdef(`distro_redhat',`
@@ -506,7 +843,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@ -30016,7 +30047,7 @@ index 17eda24..fdd335a 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
@@ -521,6 +857,7 @@ ifdef(`distro_redhat',`
@@ -521,6 +858,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@ -30024,7 +30055,7 @@ index 17eda24..fdd335a 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
@@ -541,6 +878,7 @@ ifdef(`distro_redhat',`
@@ -541,6 +879,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@ -30032,7 +30063,7 @@ index 17eda24..fdd335a 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
@@ -550,8 +888,44 @@ ifdef(`distro_redhat',`
@@ -550,8 +889,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@ -30077,7 +30108,7 @@ index 17eda24..fdd335a 100644
')
optional_policy(`
@@ -559,14 +933,31 @@ ifdef(`distro_redhat',`
@@ -559,14 +934,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@ -30109,7 +30140,7 @@ index 17eda24..fdd335a 100644
')
')
@@ -577,6 +968,39 @@ ifdef(`distro_suse',`
@@ -577,6 +969,39 @@ ifdef(`distro_suse',`
')
')
@ -30149,7 +30180,7 @@ index 17eda24..fdd335a 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -589,6 +1013,8 @@ optional_policy(`
@@ -589,6 +1014,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@ -30158,7 +30189,7 @@ index 17eda24..fdd335a 100644
')
optional_policy(`
@@ -610,6 +1036,7 @@ optional_policy(`
@@ -610,6 +1037,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@ -30166,7 +30197,7 @@ index 17eda24..fdd335a 100644
')
optional_policy(`
@@ -626,6 +1053,17 @@ optional_policy(`
@@ -626,6 +1054,17 @@ optional_policy(`
')
optional_policy(`
@ -30184,7 +30215,7 @@ index 17eda24..fdd335a 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
@@ -642,9 +1080,13 @@ optional_policy(`
@@ -642,9 +1081,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@ -30198,7 +30229,7 @@ index 17eda24..fdd335a 100644
')
optional_policy(`
@@ -657,15 +1099,11 @@ optional_policy(`
@@ -657,15 +1100,11 @@ optional_policy(`
')
optional_policy(`
@ -30216,7 +30247,7 @@ index 17eda24..fdd335a 100644
')
optional_policy(`
@@ -686,6 +1124,15 @@ optional_policy(`
@@ -686,6 +1125,15 @@ optional_policy(`
')
optional_policy(`
@ -30232,7 +30263,7 @@ index 17eda24..fdd335a 100644
inn_exec_config(initrc_t)
')
@@ -726,6 +1173,7 @@ optional_policy(`
@@ -726,6 +1174,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@ -30240,7 +30271,7 @@ index 17eda24..fdd335a 100644
')
optional_policy(`
@@ -743,7 +1191,13 @@ optional_policy(`
@@ -743,7 +1192,13 @@ optional_policy(`
')
optional_policy(`
@ -30255,7 +30286,7 @@ index 17eda24..fdd335a 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -766,6 +1220,10 @@ optional_policy(`
@@ -766,6 +1221,10 @@ optional_policy(`
')
optional_policy(`
@ -30266,7 +30297,7 @@ index 17eda24..fdd335a 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
@@ -775,10 +1233,20 @@ optional_policy(`
@@ -775,10 +1234,20 @@ optional_policy(`
')
optional_policy(`
@ -30287,7 +30318,7 @@ index 17eda24..fdd335a 100644
quota_manage_flags(initrc_t)
')
@@ -787,6 +1255,10 @@ optional_policy(`
@@ -787,6 +1256,10 @@ optional_policy(`
')
optional_policy(`
@ -30298,7 +30329,7 @@ index 17eda24..fdd335a 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
@@ -808,8 +1280,6 @@ optional_policy(`
@@ -808,8 +1281,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@ -30307,7 +30338,7 @@ index 17eda24..fdd335a 100644
')
optional_policy(`
@@ -818,6 +1288,10 @@ optional_policy(`
@@ -818,6 +1289,10 @@ optional_policy(`
')
optional_policy(`
@ -30318,7 +30349,7 @@ index 17eda24..fdd335a 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
@@ -827,10 +1301,12 @@ optional_policy(`
@@ -827,10 +1302,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@ -30331,7 +30362,7 @@ index 17eda24..fdd335a 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -857,21 +1333,60 @@ optional_policy(`
@@ -857,21 +1334,60 @@ optional_policy(`
')
optional_policy(`
@ -30393,7 +30424,7 @@ index 17eda24..fdd335a 100644
')
optional_policy(`
@@ -887,6 +1402,10 @@ optional_policy(`
@@ -887,6 +1403,10 @@ optional_policy(`
')
optional_policy(`
@ -30404,7 +30435,7 @@ index 17eda24..fdd335a 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
@@ -897,3 +1416,218 @@ optional_policy(`
@@ -897,3 +1417,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@ -32364,7 +32395,7 @@ index b50c5fe..e55a556 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 4e94884..6118015 100644
index 4e94884..b144ffe 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@ -32516,12 +32547,19 @@ index 4e94884..6118015 100644
+interface(`logging_read_syslog_pid',`
+ gen_require(`
+ type syslogd_var_run_t;
+ ')
+
')
- allow $1 devlog_t:lnk_file read_lnk_file_perms;
- allow $1 devlog_t:sock_file write_sock_file_perms;
+ read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+ list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+')
+
- # the type of socket depends on the syslog daemon
- allow $1 syslogd_t:unix_dgram_socket sendto;
- allow $1 syslogd_t:unix_stream_socket connectto;
- allow $1 self:unix_dgram_socket create_socket_perms;
- allow $1 self:unix_stream_socket create_socket_perms;
+########################################
+## <summary>
+## Relabel the syslog pid sock_file.
@ -32535,18 +32573,15 @@ index 4e94884..6118015 100644
+interface(`logging_relabel_syslog_pid_socket',`
+ gen_require(`
+ type syslogd_var_run_t;
')
+ ')
- allow $1 devlog_t:lnk_file read_lnk_file_perms;
- allow $1 devlog_t:sock_file write_sock_file_perms;
- # If syslog is down, the glibc syslog() function
- # will write to the console.
- term_write_console($1)
- term_dontaudit_read_console($1)
+ allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
+')
- # the type of socket depends on the syslog daemon
- allow $1 syslogd_t:unix_dgram_socket sendto;
- allow $1 syslogd_t:unix_stream_socket connectto;
- allow $1 self:unix_dgram_socket create_socket_perms;
- allow $1 self:unix_stream_socket create_socket_perms;
+
+########################################
+## <summary>
+## Connect to the syslog control unix stream socket.
@ -32561,11 +32596,7 @@ index 4e94884..6118015 100644
+ gen_require(`
+ type syslogd_t, syslogd_var_run_t;
+ ')
- # If syslog is down, the glibc syslog() function
- # will write to the console.
- term_write_console($1)
- term_dontaudit_read_console($1)
+
+ files_search_pids($1)
+ stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
')
@ -32808,13 +32839,32 @@ index 4e94884..6118015 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -1085,3 +1380,35 @@ interface(`logging_admin',`
@@ -1085,3 +1380,54 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
+
+########################################
+## <summary>
+## Transition to syslog.conf
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_filetrans_named_conf',`
+ gen_require(`
+ type syslog_conf_t;
+ ')
+
+ files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf")
+ files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
+')
+
+########################################
+## <summary>
+## Transition to logging named content
+## </summary>
+## <param name="domain">
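Review bot: The summary added for `kernel_mounton_messages` (kernel.if hunk `@@ -1208,6 +1260,25 @@`) documents the wrong permission: it says "Allow caller to read kernel messages using the /proc/kmsg interface", but the only rule the interface grants is `allow $1 proc_kmsg_t:dir mounton;`, so the text was evidently carried over from kernel_read_messages. A policy author scanning the interface index will pick this expecting read access and instead hand out mounton, which is exactly the kind of mismatch that lets a domain end up with more than was reviewed; change the summary to `## Allow caller to mount on the kernel message` / `## interface (/proc/kmsg).`. Two smaller points in the same block: `proc_t` is listed in the gen_require but never used in the body, and since /proc/kmsg is a file rather than a directory the `dir` class looks doubtful. If this was driven by an AVC denial (the docker items in the changelog suggest so), confirm whether the denied class was `file` and, if it was, use `allow $1 proc_kmsg_t:file mounton;` so the rule actually matches the access being requested.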

File diff suppressed because it is too large Load Diff


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 20%{?dist}
Release: 21%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -578,6 +578,30 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Wed Feb 5 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-21
- Add kernel_mounton_messages() interface
- init wants to manage lock files for iscsi
- Add support for dey_sapi port
- Fixes needed for docker
- Allow epmd to manage /var/log/rabbitmq/startup_err file
- Allow beam.smp connect to amqp port
- drbdadm executes drbdmeta
- Added osad policy
- Allow postfix to deliver to procmail
- Allow vmtools to execute /usr/bin/lsb_release
- Allow geoclue to read /etc/passwd
- Allow docker to write system net ctrls
- Add support for rhnsd unit file
- Add dbus_chat_session_bus() interface
- Add dbus_stream_connect_session_bus() interface
- Fix pcp.te
- Fix logrotate_use_nfs boolean
- Add lot of pcp fixes found in RHEL7
- fix labeling for pmie for pcp pkg
- Change thumb_t to be allowed to chat/connect with session bus type
- Add logrotate_use_nfs boolean
- Allow setroubleshootd to read rpc sysctl
* Thu Jan 30 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-20
- Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring
- Allow geoclue to create temporary files/dirs in /tmp