##
@@ -87,14 +102,17 @@ allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
+kernel_read_crypto_sysctls(domain)
+
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
+kernel_dontaudit_search_debugfs(domain)
# create child processes in the domain
-allow domain self:process { fork sigchld };
+allow domain self:process { fork getsched sigchld };
# Use trusted objects in /dev
dev_rw_null(domain)
@@ -104,6 +122,13 @@ term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
+
+tunable_policy(`domain_kernel_load_modules',`
+ kernel_request_load_module(domain)
+')
+
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
# this should be enabled when all programs
@@ -113,8 +138,13 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
+ afs_rw_cache(domain)
+')
+
+optional_policy(`
libs_use_ld_so(domain)
libs_use_shared_libs(domain)
+ libs_read_lib_files(domain)
')
optional_policy(`
@@ -125,6 +155,8 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
+ xserver_dontaudit_append_xdm_home_files(domain)
+ xserver_dontaudit_write_log(domain)
')
########################################
@@ -143,6 +175,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
+
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
@@ -160,3 +194,81 @@ allow unconfined_domain_type domain:key *;
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
+
+selinux_getattr_fs(domain)
+selinux_search_fs(domain)
+selinux_dontaudit_read_fs(domain)
+
+seutil_dontaudit_read_config(domain)
+
+init_sigchld(domain)
+init_signull(domain)
+
+ifdef(`distro_redhat',`
+ files_search_mnt(domain)
+ optional_policy(`
+ unconfined_use_fds(domain)
+ ')
+')
+
+# these seem questionable:
+
+optional_policy(`
+ abrt_domtrans_helper(domain)
+ abrt_read_pid_files(domain)
+ abrt_read_state(domain)
+ abrt_signull(domain)
+ abrt_stream_connect(domain)
+')
+
+optional_policy(`
+ rpm_use_fds(domain)
+ rpm_read_pipes(domain)
+ rpm_search_log(domain)
+ rpm_append_tmp_files(domain)
+ rpm_dontaudit_leaks(domain)
+ rpm_read_script_tmp_files(domain)
+ rpm_inherited_fifo(domain)
+')
+
+optional_policy(`
+ sosreport_append_tmp_files(domain)
+')
+
+tunable_policy(`allow_domain_fd_use',`
+ # Allow all domains to use fds past to them
+ allow domain domain:fd use;
+')
+
+optional_policy(`
+ cron_dontaudit_write_system_job_tmp_files(domain)
+ cron_rw_pipes(domain)
+ cron_rw_system_job_pipes(domain)
+')
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit domain self:udp_socket listen;
+ allow domain domain:key { link search };
+')
+
+optional_policy(`
+ hal_dontaudit_read_pid_files(domain)
+')
+
+optional_policy(`
+ ifdef(`hide_broken_symptoms',`
+ afs_rw_udp_sockets(domain)
+ ')
+')
+
+optional_policy(`
+ ssh_rw_pipes(domain)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(domain)
+ unconfined_sigchld(domain)
+')
+
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 3517db2..bd4c23d 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
/poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
ifdef(`distro_suse',`
@@ -64,6 +65,13 @@ ifdef(`distro_suse',`
/etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
+
+
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
/etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -74,7 +82,8 @@ ifdef(`distro_suse',`
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -95,7 +104,7 @@ ifdef(`distro_suse',`
# HOME_ROOT
# expanded by genhomedircon
#
-HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
+HOME_ROOT gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
HOME_ROOT/\.journal <>
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
HOME_ROOT/lost\+found/.* <>
@@ -159,6 +168,12 @@ HOME_ROOT/lost\+found/.* <>
/proc -d <>
/proc/.* <>
+ifdef(`distro_redhat',`
+/rhev -d gen_context(system_u:object_r:mnt_t,s0)
+/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
+/rhev/[^/]*/.* <>
+')
+
#
# /selinux
#
@@ -172,12 +187,6 @@ HOME_ROOT/lost\+found/.* <>
/srv/.* gen_context(system_u:object_r:var_t,s0)
#
-# /sys
-#
-/sys -d <>
-/sys/.* <>
-
-#
# /tmp
#
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
@@ -217,7 +226,6 @@ HOME_ROOT/lost\+found/.* <>
ifndef(`distro_redhat',`
/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
-
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
@@ -233,6 +241,8 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <>
@@ -249,7 +259,7 @@ ifndef(`distro_redhat',`
/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
-/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/var/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/var/tmp/.* <>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <>
@@ -258,3 +268,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 5302dac..96a406d 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
- # this is only relabelfrom since there should be no
- # device nodes with file types.
- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
@@ -1446,6 +1444,42 @@ interface(`files_dontaudit_search_all_mountpoints',`
########################################
##
+## Do not audit listing of all mount points.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_dontaudit_list_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ dontaudit $1 mountpoint:dir list_dir_perms;
+')
+
+########################################
+##
+## Write all mount points.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_write_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ allow $1 mountpoint:dir write;
+')
+
+########################################
+##
## List the contents of the root directory.
##
##
@@ -2435,6 +2469,24 @@ interface(`files_delete_etc_files',`
########################################
##
+## Remove entries from the etc directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_etc_dir_entry',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir del_entry_dir_perms;
+')
+
+########################################
+##
## Execute generic files in /etc.
##
##
@@ -3086,6 +3138,7 @@ interface(`files_getattr_home_dir',`
')
allow $1 home_root_t:dir getattr;
+ allow $1 home_root_t:lnk_file getattr;
')
########################################
@@ -3106,6 +3159,7 @@ interface(`files_dontaudit_getattr_home_dir',`
')
dontaudit $1 home_root_t:dir getattr;
+ dontaudit $1 home_root_t:lnk_file getattr;
')
########################################
@@ -3347,6 +3401,24 @@ interface(`files_list_mnt',`
allow $1 mnt_t:dir list_dir_perms;
')
+######################################
+##
+## dontaudit List the contents of /mnt.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_dontaudit_list_mnt',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ dontaudit $1 mnt_t:dir list_dir_perms;
+')
+
########################################
##
## Mount a filesystem on /mnt.
@@ -3420,6 +3492,24 @@ interface(`files_read_mnt_files',`
read_files_pattern($1, mnt_t, mnt_t)
')
+######################################
+##
+## Read symbolic links in /mnt.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_read_mnt_symlinks',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ read_lnk_files_pattern($1, mnt_t, mnt_t)
+')
+
########################################
##
## Create, read, write, and delete symbolic links in /mnt.
@@ -3711,6 +3801,100 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
+#######################################
+##
+## Read manageable system configuration files in /etc
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_read_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, system_conf_t)
+ read_lnk_files_pattern($1, etc_t, system_conf_t)
+')
+
+######################################
+##
+## Manage manageable system configuration files in /etc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+')
+
+######################################
+##
+## Relabel manageable system configuration files in /etc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
+')
+
+######################################
+##
+## Relabel manageable system configuration files in /etc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelfrom_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
+')
+
+###################################
+##
+## Create files in /etc with the type used for
+## the manageable system config files.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`files_etc_filetrans_system_conf',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ filetrans_pattern($1, etc_t, system_conf_t, file)
+')
+
########################################
##
## Allow the specified type to associate
@@ -3896,6 +4080,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
+## Allow shared library text relocations in tmp files.
+##
+##
+##
+## Allow shared library text relocations in tmp files.
+##
+##
+## This is added to support java policy.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_execmod_tmp',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+ allow $1 tmpfile:file execmod;
+')
+
+########################################
+##
## Manage temporary files and directories in /tmp.
##
##
@@ -4109,6 +4319,13 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
+ files_delete_isid_type_dirs($1)
+ files_delete_isid_type_files($1)
+ files_delete_isid_type_symlinks($1)
+ files_delete_isid_type_fifo_files($1)
+ files_delete_isid_type_sock_files($1)
+ files_delete_isid_type_blk_files($1)
+ files_delete_isid_type_chr_files($1)
')
########################################
@@ -4718,6 +4935,24 @@ interface(`files_read_var_files',`
########################################
##
+## Append files in the /var directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_append_var_files',`
+ gen_require(`
+ type var_t;
+ ')
+
+ append_files_pattern($1, var_t, var_t)
+')
+
+########################################
+##
## Read and write files in the /var directory.
##
##
@@ -5138,12 +5373,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
- gen_require(`
- type var_t, var_lock_t;
- ')
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
- allow $1 var_t:dir search_dir_perms;
- delete_files_pattern($1, var_lock_t, var_lock_t)
+ allow $1 var_t:dir search_dir_perms;
+ delete_files_pattern($1, var_lock_t, var_lock_t)
')
########################################
@@ -5317,6 +5552,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
+######################################
+##
+## Add and remove entries from pid directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_rw_pid_dirs',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ allow $1 var_run_t:dir rw_dir_perms;
+')
+
+#######################################
+##
+## Create generic pid directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_create_var_run_dirs',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
########################################
##
## Do not audit attempts to search
@@ -5524,6 +5796,26 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
+## manage all pidfile directories
+## in the /var/run directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_all_pids_dirs',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ manage_dirs_pattern($1,pidfile,pidfile)
+')
+
+
+########################################
+##
## Read all process ID files.
##
##
@@ -5541,6 +5833,7 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
+ read_lnk_files_pattern($1, pidfile, pidfile)
')
########################################
@@ -5826,3 +6119,229 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
+
+########################################
+##
+## Create a core files in /
+##
+##
+##
+## Create a core file in /,
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_manage_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ manage_files_pattern($1, root_t, root_t)
+')
+
+########################################
+##
+## Create a default directory
+##
+##
+##
+## Create a default_t direcrory
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_create_default_dir',`
+ gen_require(`
+ type default_t;
+ ')
+
+ allow $1 default_t:dir create;
+')
+
+########################################
+##
+## Create, default_t objects with an automatic
+## type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object being created.
+##
+##
+#
+interface(`files_root_filetrans_default',`
+ gen_require(`
+ type root_t, default_t;
+ ')
+
+ filetrans_pattern($1, root_t, default_t, $2)
+')
+
+########################################
+##
+## manage generic symbolic links
+## in the /var/run directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_generic_pids_symlinks',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
+')
+
+########################################
+##
+## Do not audit attempts to getattr
+## all tmpfs files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_dontaudit_getattr_tmpfs_files',`
+ gen_require(`
+ attribute tmpfsfile;
+ ')
+
+ allow $1 tmpfsfile:file getattr;
+')
+
+########################################
+##
+## Do not audit attempts to read security files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_dontaudit_read_security_files',`
+ gen_require(`
+ attribute security_file_type;
+ ')
+
+ dontaudit $1 security_file_type:file read_file_perms;
+')
+
+########################################
+##
+## rw any files inherited from another process
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_rw_all_inherited_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+##
+## Allow any file point to be the entrypoint of this domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_entrypoint_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+ allow $1 file_type:file entrypoint;
+')
+
+########################################
+##
+## Do not audit attempts to rw inherited file perms
+## of non security files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_dontaudit_all_non_security_leaks',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read or write
+## all leaked files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_dontaudit_leaks',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
+')
+
+########################################
+##
+## Allow domain to create_file_ass all types
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_create_as_is_all_files',`
+ gen_require(`
+ attribute file_type;
+ class kernel_service create_files_as;
+ ')
+
+ allow $1 file_type:kernel_service create_files_as;
+')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 07352a5..12e9ecf 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -11,6 +11,7 @@ attribute lockfile;
attribute mountpoint;
attribute pidfile;
attribute configfile;
+attribute etcfile;
# For labeling types that are to be polyinstantiated
attribute polydir;
@@ -58,12 +59,21 @@ files_type(etc_t)
typealias etc_t alias automount_etc_t;
typealias etc_t alias snmpd_etc_t;
+# system_conf_t is a new type of various
+# files in /etc/ that can be managed and
+# created by several domains.
+#
+type system_conf_t, configfile;
+files_type(system_conf_t)
+# compatibility aliases for removed type:
+typealias system_conf_t alias iptables_conf_t;
+
#
# etc_runtime_t is the type of various
# files in /etc that are automatically
# generated during initialization.
#
-type etc_runtime_t;
+type etc_runtime_t, configfile;
files_type(etc_runtime_t)
#Temporarily in policy until FC5 dissappears
typealias etc_runtime_t alias firstboot_rw_t;
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index 59bae6a..16f0f9e 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -2,5 +2,10 @@
/dev/shm/.* <>
/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+/cgroup/.* <>
+/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup(/.*)? <>
+
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/dev/hugepages(/.*)? <>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 437a42a..8d6d333 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1241,7 +1241,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
type cifs_t;
')
- dontaudit $1 cifs_t:file rw_file_perms;
+ dontaudit $1 cifs_t:file rw_inherited_file_perms;
')
########################################
@@ -1504,6 +1504,25 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2)
')
+########################################
+##
+## Make general progams in cifs an entrypoint for
+## the specified domain.
+##
+##
+##
+## The domain for which cifs_t is an entrypoint.
+##
+##
+#
+interface(`fs_cifs_entry_type',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ domain_entry_file($1, cifs_t)
+')
+
#######################################
##
## Create, read, write, and delete dirs
@@ -1931,7 +1950,26 @@ interface(`fs_read_fusefs_symlinks',`
########################################
##
-## Read and write hugetlbfs files.
+## Get the attributes of an hugetlbfs
+## filesystem;
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_getattr_hugetlbfs',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ allow $1 hugetlbfs_t:filesystem getattr;
+')
+
+########################################
+##
+## R/W hugetlbfs files.
##
##
##
@@ -1946,6 +1984,41 @@ interface(`fs_rw_hugetlbfs_files',`
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
')
+########################################
+##
+## Manage hugetlbfs dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_manage_hugetlbfs_dirs',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+')
+
+########################################
+##
+## List hugetlbfs dirs
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_list_hugetlbfs',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ allow $1 hugetlbfs_t:dir list_dir_perms;
+')
########################################
##
@@ -1999,6 +2072,7 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
+ fs_read_anon_inodefs_files($1)
')
########################################
@@ -2395,6 +2469,25 @@ interface(`fs_exec_nfs_files',`
########################################
##
+## Make general progams in nfs an entrypoint for
+## the specified domain.
+##
+##
+##
+## The domain for which nfs_t is an entrypoint.
+##
+##
+#
+interface(`fs_nfs_entry_type',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ domain_entry_file($1, nfs_t)
+')
+
+########################################
+##
## Append files
## on a NFS filesystem.
##
@@ -2449,7 +2542,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
- dontaudit $1 nfs_t:file rw_file_perms;
+ dontaudit $1 nfs_t:file rw_inherited_file_perms;
')
########################################
@@ -2637,6 +2730,24 @@ interface(`fs_dontaudit_read_removable_files',`
########################################
##
+## Do not audit attempts to write removable storage files.
+##
+##
+##
+## Domain not to audit.
+##
+##
+#
+interface(`fs_dontaudit_write_removable_files',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ dontaudit $1 removable_t:file write_file_perms;
+')
+
+########################################
+##
## Read removable storage symbolic links.
##
##
@@ -2845,7 +2956,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
#########################################
##
## Create, read, write, and delete symbolic links
-## on a CIFS or SMB network filesystem.
+## on a NFS network filesystem.
##
##
##
@@ -3970,6 +4081,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
##
+## dontaudit Read and write block nodes on tmpfs filesystems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_dontaudit_read_tmpfs_blk_dev',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
+')
+
+########################################
+##
## Relabel character nodes on tmpfs filesystems.
##
##
@@ -4662,3 +4791,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
+
+########################################
+##
+## Do not audit attempts to read or write
+## all leaked filesystems files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_dontaudit_leaks',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
+ dontaudit $1 filesystem_type:lnk_file { read };
+')
+
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 0dff98e..930062c 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -52,6 +52,7 @@ type anon_inodefs_t;
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
+mls_trusted_object(anon_inodefs_t)
type bdev_t;
fs_type(bdev_t)
@@ -67,10 +68,11 @@ fs_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
-type cgroup_t;
+type cgroup_t alias cgroupfs_t;
fs_type(cgroup_t)
files_type(cgroup_t)
files_mountpoint(cgroup_t)
+dev_associate_sysfs(cgroup_t)
genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
type configfs_t;
@@ -106,6 +108,15 @@ fs_type(ibmasmfs_t)
allow ibmasmfs_t self:filesystem associate;
genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
+#
+# infinibandeventfs fs
+#
+
+type infinibandeventfs_t;
+fs_type(infinibandeventfs_t)
+allow infinibandeventfs_t self:filesystem associate;
+genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)
+
type inotifyfs_t;
fs_type(inotifyfs_t)
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
@@ -148,6 +159,12 @@ fs_type(squash_t)
genfscon squash / gen_context(system_u:object_r:squash_t,s0)
files_mountpoint(squash_t)
+type sysv_t;
+fs_noxattr_type(sysv_t)
+files_mountpoint(sysv_t)
+genfscon sysv / gen_context(system_u:object_r:sysv_t,s0)
+genfscon v7 / gen_context(system_u:object_r:sysv_t,s0)
+
type vmblock_t;
fs_noxattr_type(vmblock_t)
files_mountpoint(vmblock_t)
@@ -168,6 +185,7 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
+dev_associate(tmpfs_t)
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
@@ -247,6 +265,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
+files_type(removable_t)
files_mountpoint(removable_t)
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index ed7667a..46e9859 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -698,6 +698,46 @@ interface(`kernel_read_debugfs',`
########################################
##
+## Read/Write information from the debugging filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_rw_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ rw_files_pattern($1, debugfs_t, debugfs_t)
+ read_lnk_files_pattern($1, debugfs_t, debugfs_t)
+ list_dirs_pattern($1, debugfs_t, debugfs_t)
+')
+
+########################################
+##
+## Manage information from the debugging filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_manage_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ manage_files_pattern($1, debugfs_t, debugfs_t)
+ read_lnk_files_pattern($1, debugfs_t, debugfs_t)
+ list_dirs_pattern($1, debugfs_t, debugfs_t)
+')
+
+########################################
+##
## Mount a kernel VM filesystem.
##
##
@@ -1977,7 +2017,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
- dontaudit $1 sysctl_type:file getattr;
+ dontaudit $1 sysctl_type:file read_file_perms;
')
########################################
@@ -2845,6 +2885,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
+## Relabel to unlabeled context .
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_relabelto_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir_file_class_set relabelto;
+')
+
+########################################
+##
## Unconfined access to kernel module resources.
##
##
@@ -2860,3 +2918,23 @@ interface(`kernel_unconfined',`
typeattribute $1 kern_unconfined;
')
+
+########################################
+##
+## Allow the specified domain to connect to
+## the kernel with a unix socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_stream_connect',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:unix_stream_socket connectto;
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index e4f98ce..806026c 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -156,6 +156,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
#
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+fs_associate(unlabeled_t)
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -254,7 +255,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
-term_use_console(kernel_t)
+term_use_all_terms(kernel_t)
+term_use_ptmx(kernel_t)
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
@@ -268,19 +270,29 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
+files_manage_mounttab(kernel_t)
+files_manage_generic_spool_dirs(kernel_t)
mcs_process_set_categories(kernel_t)
+mcs_file_read_all(kernel_t)
+mcs_file_write_all(kernel_t)
mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
+mls_fd_share_all_levels(kernel_t)
+
+logging_manage_generic_logs(kernel_t)
ifdef(`distro_redhat',`
# Bugzilla 222337
fs_rw_tmpfs_chr_files(kernel_t)
')
+userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
+
optional_policy(`
hotplug_search_config(kernel_t)
')
@@ -357,6 +369,10 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
+optional_policy(`
+ xserver_xdm_manage_spool(kernel_t)
+')
+
########################################
#
# Unlabeled process local policy
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index f8b357c..bc1ed0f 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
# because of this statement, any module which
# calls this interface must be in the base module:
- genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
')
########################################
@@ -202,10 +202,31 @@ interface(`selinux_dontaudit_read_fs',`
type security_t;
')
+ selinux_dontaudit_getattr_fs($1)
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file read_file_perms;
')
+
+########################################
+##
+## Do not audit attempts to write
+## generic selinuxfs entries
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`selinux_dontaudit_write_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ dontaudit $1 security_t:dir write;
+')
+
########################################
##
## Allows the caller to get the mode of policy enforcement
@@ -223,6 +244,7 @@ interface(`selinux_get_enforce_mode',`
type security_t;
')
+ selinux_get_fs_mount($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
')
@@ -404,6 +426,7 @@ interface(`selinux_set_all_booleans',`
')
allow $1 security_t:dir list_dir_perms;
+ allow $1 boolean_type:dir list_dir_perms;
allow $1 boolean_type:file rw_file_perms;
if(!secure_mode_policyload) {
@@ -622,3 +645,42 @@ interface(`selinux_unconfined',`
typeattribute $1 selinux_unconfined_type;
')
+
+########################################
+##
+## Generate a file context for a boolean type
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`selinux_genbool',`
+ gen_require(`
+ attribute boolean_type;
+ ')
+
+ type $1, boolean_type;
+ fs_type($1)
+ mls_trusted_object($1)
+')
+
+########################################
+##
+## Unmount a security filesystem.
+##
+##
+##
+## The type of the domain unmounting the filesystem.
+##
+##
+#
+interface(`selinux_unmount_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:filesystem unmount;
+')
+
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index a9b8982..811b859 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -77,3 +77,6 @@ ifdef(`distro_redhat', `
/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)
+
+/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 3723150..bde6daa 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+ #577012
+ allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms;
typeattribute $1 fixed_disk_raw_read;
')
@@ -203,6 +205,8 @@ interface(`storage_create_fixed_disk_dev',`
type fixed_disk_device_t;
')
+ allow $1 self:capability mknod;
+
allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
dev_add_entry_generic_dirs($1)
')
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 492bf76..f9930a3 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -292,9 +292,11 @@ interface(`term_use_console',`
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
+ type tty_device_t;
')
- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
+ dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
+ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
')
########################################
@@ -848,7 +850,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
- dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
+ dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
')
########################################
@@ -1215,7 +1217,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
')
########################################
@@ -1231,11 +1233,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
+ type tty_device_t;
attribute ttynode;
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file getattr;
+ allow $1 tty_device_t:chr_file getattr;
')
########################################
@@ -1252,10 +1256,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
+ type tty_device_t;
')
dev_list_all_dev_nodes($1)
dontaudit $1 ttynode:chr_file getattr;
+ dontaudit $1 tty_device_t:chr_file getattr;
')
########################################
@@ -1352,7 +1358,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
- dontaudit $1 ttynode:chr_file rw_chr_file_perms;
+ dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
')
########################################
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 646bbcf..a5deade 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
+dev_associate(devpts_t)
#
# devtty_t is the type of /dev/tty.
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 252913b..a1bbe8f 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -28,10 +28,13 @@ logging_manage_audit_log(auditadm_t)
logging_manage_audit_config(auditadm_t)
logging_run_auditctl(auditadm_t, auditadm_r)
logging_run_auditd(auditadm_t, auditadm_r)
+logging_stream_connect_syslog(auditadm_t)
seutil_run_runinit(auditadm_t, auditadm_r)
seutil_read_bin_policy(auditadm_t)
+userdom_dontaudit_search_admin_dir(auditadm_t)
+
optional_policy(`
consoletype_exec(auditadm_t)
')
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index 1875064..20d9333 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -58,3 +58,7 @@ optional_policy(`
optional_policy(`
postgresql_admin(dbadm_t, dbadm_r)
')
+
+optional_policy(`
+ sudo_role_template(dbadm, dbadm_r, dbadm_t)
+')
diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
index 531c616..321e5a7 100644
--- a/policy/modules/roles/guest.te
+++ b/policy/modules/roles/guest.te
@@ -14,4 +14,8 @@ userdom_restricted_user_template(guest)
# Local policy
#
-#gen_user(guest_u,, guest_r, s0, s0)
+optional_policy(`
+ apache_role(guest_r, guest_t)
+')
+
+gen_user(guest_u, user, guest_r, s0, s0)
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index ebe6a9c..e3a1987 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -9,6 +9,8 @@ role secadm_r;
userdom_unpriv_user_template(secadm)
userdom_security_admin_template(secadm_t, secadm_r)
+userdom_inherit_append_admin_home_files(secadm_t)
+userdom_read_admin_home_files(secadm_t)
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 0c9876c..fabc1a0 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,17 +8,55 @@ policy_module(staff, 2.1.1)
role staff_r;
userdom_unpriv_user_template(staff)
+fs_exec_noxattr(staff_t)
+
+# needed for sandbox
+allow staff_t self:process setexec;
########################################
#
# Local policy
#
+kernel_read_ring_buffer(staff_usertype)
+kernel_getattr_core_if(staff_usertype)
+kernel_getattr_message_if(staff_usertype)
+kernel_read_software_raid_state(staff_usertype)
+kernel_read_fs_sysctls(staff_usertype)
+
+domain_read_all_domains_state(staff_usertype)
+domain_getattr_all_domains(staff_usertype)
+domain_obj_id_change_exemption(staff_t)
+
+files_read_kernel_modules(staff_usertype)
+
+seutil_read_module_store(staff_t)
+seutil_run_newrole(staff_t, staff_r)
+
+term_use_unallocated_ttys(staff_usertype)
+
+auth_domtrans_pam_console(staff_t)
+
+init_dbus_chat(staff_t)
+init_dbus_chat_script(staff_t)
+
+miscfiles_read_hwdata(staff_usertype)
+
+modutils_read_module_config(staff_usertype)
+modutils_read_module_deps(staff_usertype)
+
+netutils_run_ping(staff_t, staff_r)
+netutils_signal_ping(staff_t)
+
optional_policy(`
apache_role(staff_r, staff_t)
')
optional_policy(`
+ mozilla_run_plugin(staff_t, staff_r)
+')
+
+optional_policy(`
auditadm_role_change(staff_r)
')
@@ -27,6 +65,18 @@ optional_policy(`
')
optional_policy(`
+ logadm_role_change(staff_r)
+')
+
+optional_policy(`
+ webadm_role_change(staff_r)
+')
+
+optional_policy(`
+ kerneloops_manage_tmp_files(staff_t)
+')
+
+optional_policy(`
postgresql_role(staff_r, staff_t)
')
@@ -35,6 +85,18 @@ optional_policy(`
')
optional_policy(`
+ unconfined_role_change(staff_r)
+')
+
+optional_policy(`
+ rtkit_scheduled(staff_t)
+')
+
+optional_policy(`
+ screen_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
ssh_role_template(staff, staff_r, staff_t)
')
@@ -48,6 +110,10 @@ optional_policy(`
')
optional_policy(`
+ telepathy_dbus_session_role(staff_r, staff_t)
+')
+
+optional_policy(`
xserver_role(staff_r, staff_t)
')
@@ -137,10 +203,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- screen_role_template(staff, staff_r, staff_t)
- ')
-
- optional_policy(`
spamassassin_role(staff_r, staff_t)
')
@@ -172,3 +234,46 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
+
+optional_policy(`
+ accountsd_dbus_chat(staff_t)
+ accountsd_read_lib_files(staff_t)
+')
+
+optional_policy(`
+ gnomeclock_dbus_chat(staff_t)
+')
+
+optional_policy(`
+ firewallgui_dbus_chat(staff_t)
+')
+
+optional_policy(`
+ lpd_list_spool(staff_t)
+')
+
+optional_policy(`
+ kerneloops_dbus_chat(staff_t)
+')
+
+optional_policy(`
+ rpm_dbus_chat(staff_usertype)
+')
+
+optional_policy(`
+ sandbox_transition(staff_t, staff_r)
+')
+
+optional_policy(`
+ setroubleshoot_stream_connect(staff_t)
+ setroubleshoot_dbus_chat(staff_t)
+ setroubleshoot_dbus_chat_fixit(staff_t)
+')
+
+optional_policy(`
+ virt_stream_connect(staff_t)
+')
+
+optional_policy(`
+ userhelper_console_role_template(staff, staff_r, staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2a19751..1a95085 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,41 @@ ifndef(`enable_mls',`
#
# Local policy
#
+kernel_read_fs_sysctls(sysadm_t)
corecmd_exec_shell(sysadm_t)
+domain_dontaudit_read_all_domains_state(sysadm_t)
+
+files_read_kernel_modules(sysadm_t)
+
mls_process_read_up(sysadm_t)
+mls_file_read_to_clearance(sysadm_t)
+mls_process_write_to_clearance(sysadm_t)
ubac_process_exempt(sysadm_t)
ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)
+application_exec(sysadm_t)
+
init_exec(sysadm_t)
+init_exec_script_files(sysadm_t)
+init_dbus_chat(sysadm_t)
+init_script_role_transition(sysadm_r)
+
+modutils_read_module_deps(sysadm_t)
+
+miscfiles_read_hwdata(sysadm_t)
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
+userdom_manage_user_tmp_dirs(sysadm_t)
+userdom_manage_user_tmp_files(sysadm_t)
+userdom_manage_user_tmp_symlinks(sysadm_t)
+userdom_manage_user_tmp_chr_files(sysadm_t)
+userdom_manage_user_tmp_blk_files(sysadm_t)
ifdef(`direct_sysadm_daemon',`
optional_policy(`
@@ -55,6 +76,7 @@ ifndef(`enable_mls',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r)
+ logging_stream_connect_syslog(sysadm_t)
')
tunable_policy(`allow_ptrace',`
@@ -69,7 +91,6 @@ optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
- apache_role(sysadm_r, sysadm_t)
')
optional_policy(`
@@ -98,6 +119,10 @@ optional_policy(`
')
optional_policy(`
+ certmonger_dbus_chat(sysadm_t)
+')
+
+optional_policy(`
certwatch_run(sysadm_t, sysadm_r)
')
@@ -114,7 +139,7 @@ optional_policy(`
')
optional_policy(`
- cvs_exec(sysadm_t)
+ daemonstools_run_start(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -159,6 +184,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
+ ipsec_run_setkey(sysadm_t, sysadm_r)
+ ipsec_run_racoon(sysadm_t, sysadm_r)
+ ipsec_stream_connect_racoon(sysadm_t)
+
+ optional_policy(`
+ ipsec_mgmt_dbus_chat(sysadm_t)
+ ')
')
optional_policy(`
@@ -166,15 +198,15 @@ optional_policy(`
')
optional_policy(`
- kudzu_run(sysadm_t, sysadm_r)
+ kerberos_exec_kadmind(sysadm_t)
')
optional_policy(`
- libs_run_ldconfig(sysadm_t, sysadm_r)
+ kudzu_run(sysadm_t, sysadm_r)
')
optional_policy(`
- lockdev_role(sysadm_r, sysadm_t)
+ libs_run_ldconfig(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -198,14 +230,7 @@ optional_policy(`
optional_policy(`
mount_run(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
- mozilla_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- mplayer_role(sysadm_r, sysadm_t)
+ mount_run_showmount(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -221,6 +246,10 @@ optional_policy(`
')
optional_policy(`
+ ncftool_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
@@ -254,7 +283,7 @@ optional_policy(`
')
optional_policy(`
- pyzor_role(sysadm_r, sysadm_t)
+ prelink_run(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -266,10 +295,6 @@ optional_policy(`
')
optional_policy(`
- razor_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
rpc_domtrans_nfsd(sysadm_t)
')
@@ -277,9 +302,6 @@ optional_policy(`
rpm_run(sysadm_t, sysadm_r)
')
-optional_policy(`
- rssh_role(sysadm_r, sysadm_t)
-')
optional_policy(`
rsync_exec(sysadm_t)
@@ -304,9 +326,10 @@ optional_policy(`
')
optional_policy(`
- spamassassin_role(sysadm_r, sysadm_t)
+ shutdown_run(sysadm_t, sysadm_r)
')
+
optional_policy(`
ssh_role_template(sysadm, sysadm_r, sysadm_t)
')
@@ -329,10 +352,6 @@ optional_policy(`
')
optional_policy(`
- thunderbird_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
@@ -340,18 +359,10 @@ optional_policy(`
')
optional_policy(`
- tvtime_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
tzdata_domtrans(sysadm_t)
')
optional_policy(`
- uml_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
unconfined_domtrans(sysadm_t)
')
@@ -364,17 +375,14 @@ optional_policy(`
')
optional_policy(`
- userhelper_role_template(sysadm, sysadm_r, sysadm_t)
-')
-
-optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
')
+
optional_policy(`
- vmware_role(sysadm_r, sysadm_t)
+ vpn_run(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -386,19 +394,22 @@ optional_policy(`
')
optional_policy(`
- wireshark_role(sysadm_r, sysadm_t)
+ virt_stream_connect(sysadm_t)
')
optional_policy(`
- xserver_role(sysadm_r, sysadm_t)
+ yam_run(sysadm_t, sysadm_r)
')
optional_policy(`
- yam_run(sysadm_t, sysadm_r)
+ zebra_stream_connect(sysadm_t)
')
ifndef(`distro_redhat',`
optional_policy(`
+ apache_role(sysadm_r, sysadm_t)
+ ')
+ optional_policy(`
auth_role(sysadm_r, sysadm_t)
')
@@ -445,5 +456,60 @@ ifndef(`distro_redhat',`
optional_policy(`
java_role(sysadm_r, sysadm_t)
')
-')
+ optional_policy(`
+ lockdev_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ mozilla_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ mplayer_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ pyzor_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ razor_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ rssh_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ spamassassin_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ thunderbird_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ tvtime_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ uml_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ userhelper_role_template(sysadm, sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ vmware_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ wireshark_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ xserver_role(sysadm_r, sysadm_t)
+ ')
+')
diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc
new file mode 100644
index 0000000..0e8654b
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.fc
@@ -0,0 +1,8 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+
+/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
new file mode 100644
index 0000000..8b2cdf3
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.if
@@ -0,0 +1,687 @@
+## Unconfiend user role
+
+########################################
+##
+## Change from the unconfineduser role.
+##
+##
+##
+## Change from the unconfineduser role to
+## the specified role.
+##
+##
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`unconfined_role_change_to',`
+ gen_require(`
+ role unconfined_r;
+ ')
+
+ allow unconfined_r $1;
+')
+
+########################################
+##
+## Transition to the unconfined domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_domtrans',`
+ gen_require(`
+ type unconfined_t, unconfined_exec_t;
+ ')
+
+ domtrans_pattern($1,unconfined_exec_t,unconfined_t)
+')
+
+########################################
+##
+## Execute specified programs in the unconfined domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## The role to allow the unconfined domain.
+##
+##
+#
+interface(`unconfined_run',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ unconfined_domtrans($1)
+ role $2 types unconfined_t;
+')
+
+########################################
+##
+## Transition to the unconfined domain by executing a shell.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_shell_domtrans',`
+ gen_require(`
+ attribute unconfined_login_domain;
+ ')
+ typeattribute $1 unconfined_login_domain;
+')
+
+########################################
+##
+## Allow unconfined to execute the specified program in
+## the specified domain.
+##
+##
+##
+## Allow unconfined to execute the specified program in
+## the specified domain.
+##
+##
+## This is a interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##
+##
+##
+##
+## Domain to execute in.
+##
+##
+##
+##
+## Domain entry point file.
+##
+##
+#
+interface(`unconfined_domtrans_to',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ domtrans_pattern(unconfined_t,$2,$1)
+')
+
+########################################
+##
+## Allow unconfined to execute the specified program in
+## the specified domain. Allow the specified domain the
+## unconfined role and use of unconfined user terminals.
+##
+##
+##
+## Allow unconfined to execute the specified program in
+## the specified domain. Allow the specified domain the
+## unconfined role and use of unconfined user terminals.
+##
+##
+## This is a interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##
+##
+##
+##
+## Domain to execute in.
+##
+##
+##
+##
+## Domain entry point file.
+##
+##
+#
+interface(`unconfined_run_to',`
+ gen_require(`
+ type unconfined_t;
+ role unconfined_r;
+ ')
+
+ domtrans_pattern(unconfined_t,$2,$1)
+ role unconfined_r types $1;
+ userdom_use_user_terminals($1)
+')
+
+########################################
+##
+## Inherit file descriptors from the unconfined domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_use_fds',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fd use;
+')
+
+########################################
+##
+## Send a SIGCHLD signal to the unconfined domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_sigchld',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process sigchld;
+')
+
+########################################
+##
+## Send a SIGNULL signal to the unconfined domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_signull',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process signull;
+')
+
+########################################
+##
+## Send a SIGNULL signal to the unconfined execmem domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_execmem_signull',`
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ allow $1 unconfined_execmem_t:process signull;
+')
+
+########################################
+##
+## Send a signal to the unconfined execmem domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_execmem_signal',`
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ allow $1 unconfined_execmem_t:process signal;
+')
+
+########################################
+##
+## Send generic signals to the unconfined domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_signal',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process signal;
+')
+
+########################################
+##
+## Read unconfined domain unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_read_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read unconfined domain unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_dontaudit_read_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:fifo_file read;
+')
+
+########################################
+##
+## Read and write unconfined domain unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_rw_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## unconfined domain unnamed pipes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`unconfined_dontaudit_rw_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:fifo_file rw_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## unconfined domain stream.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`unconfined_dontaudit_rw_stream',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+##
+## Connect to the unconfined domain using
+## a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_stream_connect',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Do not audit attempts to read or write
+## unconfined domain tcp sockets.
+##
+##
+##
+## Do not audit attempts to read or write
+## unconfined domain tcp sockets.
+##
+##
+## This interface was added due to a broken
+## symptom in ldconfig.
+##
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`unconfined_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:tcp_socket { read write };
+')
+
+########################################
+##
+## Do not audit attempts to read or write
+## unconfined domain packet sockets.
+##
+##
+##
+## Do not audit attempts to read or write
+## unconfined domain packet sockets.
+##
+##
+## This interface was added due to a broken
+## symptom.
+##
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`unconfined_dontaudit_rw_packet_sockets',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:packet_socket { read write };
+')
+
+########################################
+##
+## Create keys for the unconfined domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_create_keys',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:key create;
+')
+
+########################################
+##
+## Send messages to the unconfined domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_dbus_send',`
+ gen_require(`
+ type unconfined_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 unconfined_t:dbus send_msg;
+')
+
+########################################
+##
+## Send and receive messages from
+## unconfined_t over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_dbus_chat',`
+ gen_require(`
+ type unconfined_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 unconfined_t:dbus send_msg;
+ allow unconfined_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Connect to the the unconfined DBUS
+## for service (acquire_svc).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_dbus_connect',`
+ gen_require(`
+ type unconfined_t;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 unconfined_t:dbus acquire_svc;
+')
+
+########################################
+##
+## Allow ptrace of unconfined domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_ptrace',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process ptrace;
+')
+
+########################################
+##
+## Read and write to unconfined shared memory.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`unconfined_rw_shm',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:shm rw_shm_perms;
+')
+
+########################################
+##
+## Read and write to unconfined execmem shared memory.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`unconfined_execmem_rw_shm',`
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ allow $1 unconfined_execmem_t:shm rw_shm_perms;
+')
+
+########################################
+##
+## Transition to the unconfined_execmem domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_execmem_domtrans',`
+
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ execmem_domtrans($1, unconfined_execmem_t)
+')
+
+########################################
+##
+## execute the execmem applications
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_execmem_exec',`
+
+ gen_require(`
+ type execmem_exec_t;
+ ')
+
+ can_exec($1, execmem_exec_t)
+')
+
+########################################
+##
+## Allow apps to set rlimits on userdomain
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_set_rlimitnh',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process rlimitinh;
+')
+
+########################################
+##
+## Get the process group of unconfined.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_getpgid',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process getpgid;
+')
+
+########################################
+##
+## Change to the unconfined role.
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`unconfined_role_change',`
+ gen_require(`
+ role unconfined_r;
+ ')
+
+ allow $1 unconfined_r;
+')
+
+########################################
+##
+## Allow domain to attach to TUN devices created by unconfined_t users.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_attach_tun_iface',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
index 0000000..799db36
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,475 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+attribute unconfined_login_domain;
+
+##
+##
+## Transition to confined nsplugin domains from unconfined user
+##
+##
+gen_tunable(allow_unconfined_nsplugin_transition, false)
+
+##
+##
+## Allow vidio playing tools to tun unconfined
+##
+##
+gen_tunable(unconfined_mplayer, false)
+
+##
+##
+## Allow a user to login as an unconfined domain
+##
+##
+gen_tunable(unconfined_login, true)
+
+##
+##
+## Transition to confined qemu domains from unconfined user
+##
+##
+gen_tunable(allow_unconfined_qemu_transition, false)
+
+# usage in this module of types created by these
+# calls is not correct, however we dont currently
+# have another method to add access to these types
+userdom_base_user_template(unconfined)
+userdom_manage_home_role(unconfined_r, unconfined_t)
+userdom_manage_tmp_role(unconfined_r, unconfined_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
+userdom_unpriv_usertype(unconfined, unconfined_t)
+
+type unconfined_exec_t;
+init_system_domain(unconfined_t, unconfined_exec_t)
+role unconfined_r types unconfined_t;
+role_transition system_r unconfined_exec_t unconfined_r;
+allow system_r unconfined_r;
+
+domain_user_exemption_target(unconfined_t)
+allow system_r unconfined_r;
+allow unconfined_r system_r;
+init_script_role_transition(unconfined_r)
+role system_r types unconfined_t;
+typealias unconfined_t alias unconfined_crontab_t;
+
+type unconfined_notrans_t;
+type unconfined_notrans_exec_t;
+init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
+role unconfined_r types unconfined_notrans_t;
+
+########################################
+#
+# Local policy
+#
+
+dontaudit unconfined_t self:dir write;
+dontaudit unconfined_t self:file setattr;
+
+allow unconfined_t self:system syslog_read;
+dontaudit unconfined_t self:capability sys_module;
+
+files_create_boot_flag(unconfined_t)
+files_create_default_dir(unconfined_t)
+files_root_filetrans_default(unconfined_t, dir)
+
+mcs_killall(unconfined_t)
+mcs_ptrace_all(unconfined_t)
+mls_file_write_all_levels(unconfined_t)
+
+init_run_daemon(unconfined_t, unconfined_r)
+init_domtrans_script(unconfined_t)
+init_telinit(unconfined_t)
+
+libs_run_ldconfig(unconfined_t, unconfined_r)
+
+logging_send_syslog_msg(unconfined_t)
+logging_run_auditctl(unconfined_t, unconfined_r)
+
+mount_run_unconfined(unconfined_t, unconfined_r)
+# Unconfined running as system_r
+mount_domtrans_unconfined(unconfined_t)
+
+seutil_run_setsebool(unconfined_t, unconfined_r)
+seutil_run_setfiles(unconfined_t, unconfined_r)
+seutil_run_semanage(unconfined_t, unconfined_r)
+
+unconfined_domain_noaudit(unconfined_t)
+
+userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
+
+usermanage_run_passwd(unconfined_t, unconfined_r)
+usermanage_run_chfn(unconfined_t, unconfined_r)
+
+tunable_policy(`allow_execmem',`
+ allow unconfined_t self:process execmem;
+')
+
+tunable_policy(`allow_execmem && allow_execstack',`
+ allow unconfined_t self:process execstack;
+')
+
+tunable_policy(`allow_execmod',`
+ userdom_execmod_user_home_files(unconfined_usertype)
+')
+
+tunable_policy(`unconfined_login',`
+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
+ allow unconfined_t unconfined_login_domain:fd use;
+ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
+ allow unconfined_t unconfined_login_domain:process sigchld;
+')
+
+optional_policy(`
+ gen_require(`
+ attribute unconfined_usertype;
+ ')
+
+ nsplugin_role_notrans(unconfined_r, unconfined_usertype)
+ optional_policy(`
+ tunable_policy(`allow_unconfined_nsplugin_transition',`
+ nsplugin_domtrans(unconfined_usertype)
+ nsplugin_domtrans_config(unconfined_usertype)
+ ')
+ ')
+
+ optional_policy(`
+ abrt_dbus_chat(unconfined_usertype)
+ abrt_run_helper(unconfined_usertype, unconfined_r)
+ ')
+
+ optional_policy(`
+ avahi_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ certmonger_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ devicekit_dbus_chat(unconfined_usertype)
+ devicekit_dbus_chat_disk(unconfined_usertype)
+ devicekit_dbus_chat_power(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ iptables_run(unconfined_usertype, unconfined_r)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ policykit_role(unconfined_r, unconfined_usertype)
+ ')
+
+ optional_policy(`
+ rtkit_scheduled(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ setroubleshoot_dbus_chat(unconfined_usertype)
+ setroubleshoot_dbus_chat_fixit(unconfined_t)
+ ')
+
+ optional_policy(`
+ sandbox_transition(unconfined_usertype, unconfined_r)
+ ')
+
+ optional_policy(`
+ shutdown_run(unconfined_t, unconfined_r)
+ ')
+
+ optional_policy(`
+ tzdata_run(unconfined_usertype, unconfined_r)
+ ')
+
+ optional_policy(`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ xserver_rw_session(unconfined_usertype, user_tmpfs_t)
+ xserver_run_xauth(unconfined_usertype, unconfined_r)
+ xserver_dbus_chat_xdm(unconfined_usertype)
+ ')
+')
+
+ifdef(`distro_gentoo',`
+ seutil_run_runinit(unconfined_t, unconfined_r)
+ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ accountsd_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
+ ada_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ apache_run_helper(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ bind_run_ndc(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ bootloader_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ cron_unconfined_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+ chrome_role(unconfined_r, unconfined_usertype)
+')
+
+optional_policy(`
+ dbus_role_template(unconfined, unconfined_r, unconfined_t)
+
+ optional_policy(`
+ unconfined_domain(unconfined_dbusd_t)
+ unconfined_execmem_domtrans(unconfined_dbusd_t)
+
+ optional_policy(`
+ xserver_rw_shm(unconfined_dbusd_t)
+ ')
+ ')
+
+ init_dbus_chat(unconfined_usertype)
+ init_dbus_chat_script(unconfined_usertype)
+
+ dbus_stub(unconfined_t)
+
+ optional_policy(`
+ bluetooth_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ cups_dbus_chat_config(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ fprintd_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ gnomeclock_dbus_chat(unconfined_usertype)
+ gnome_dbus_chat_gconfdefault(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ ipsec_mgmt_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ kerneloops_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ oddjob_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ vpn_dbus_chat(unconfined_usertype)
+ ')
+')
+
+optional_policy(`
+ firewallgui_dbus_chat(unconfined_usertype)
+')
+
+optional_policy(`
+ firstboot_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ ftp_run_ftpdctl(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ gpsd_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ java_run_unconfined(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ livecd_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ lpd_run_checkpc(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ modutils_run_update_mods(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ mono_role_template(unconfined, unconfined_r, unconfined_t)
+ unconfined_domain_noaudit(unconfined_mono_t)
+ role system_r types unconfined_mono_t;
+')
+
+optional_policy(`
+ mozilla_run_plugin(unconfined_usertype, unconfined_r)
+')
+
+optional_policy(`
+ ncftool_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ prelink_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ portmap_run_helper(unconfined_t, unconfined_r)
+')
+
+#optional_policy(`
+# ppp_run(unconfined_t, unconfined_r)
+#')
+
+optional_policy(`
+ qemu_unconfined_role(unconfined_r)
+
+ tunable_policy(`allow_unconfined_qemu_transition',`
+ qemu_domtrans(unconfined_t)
+ ',`
+ qemu_domtrans_unconfined(unconfined_t)
+')
+')
+
+optional_policy(`
+ rpm_run(unconfined_t, unconfined_r)
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t)
+ rpm_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
+ samba_role_notrans(unconfined_r)
+ samba_run_unconfined_net(unconfined_t, unconfined_r)
+# samba_run_winbind_helper(unconfined_t, unconfined_r)
+ samba_run_smbcontrol(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ sendmail_run_unconfined(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ sysnet_run_dhcpc(unconfined_t, unconfined_r)
+ sysnet_dbus_chat_dhcpc(unconfined_t)
+ sysnet_role_transition_dhcpc(unconfined_r)
+')
+
+optional_policy(`
+ telepathy_dbus_session_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+ vbetool_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ virt_transition_svirt(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ vpn_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ webalizer_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ wine_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ xserver_run(unconfined_t, unconfined_r)
+')
+
+########################################
+#
+# Unconfined Execmem Local policy
+#
+
+optional_policy(`
+ execmem_role_template(unconfined, unconfined_r, unconfined_t)
+ typealias unconfined_execmem_t alias execmem_t;
+ typealias unconfined_execmem_t alias unconfined_openoffice_t;
+ unconfined_domain_noaudit(unconfined_execmem_t)
+ allow unconfined_execmem_t unconfined_t:process transition;
+ rpm_transition_script(unconfined_execmem_t)
+ role system_r types unconfined_execmem_t;
+
+ optional_policy(`
+ init_dbus_chat_script(unconfined_execmem_t)
+ dbus_system_bus_client(unconfined_execmem_t)
+ unconfined_dbus_chat(unconfined_execmem_t)
+ unconfined_dbus_connect(unconfined_execmem_t)
+ ')
+
+ optional_policy(`
+ tunable_policy(`allow_unconfined_nsplugin_transition',`', `
+ nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)
+ ')
+ ')
+
+ optional_policy(`
+ tunable_policy(`unconfined_login',`
+ mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
+ ')
+ ')
+
+ optional_policy(`
+ openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
+ ')
+')
+
+########################################
+#
+# Unconfined notrans Local policy
+#
+
+allow unconfined_notrans_t self:process { execstack execmem };
+unconfined_domain_noaudit(unconfined_notrans_t)
+userdom_unpriv_usertype(unconfined, unconfined_notrans_t)
+domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
+# Allow SELinux aware applications to request rpm_script execution
+rpm_transition_script(unconfined_notrans_t)
+domain_ptrace_all_domains(unconfined_notrans_t)
+
+########################################
+#
+# Unconfined mount local policy
+#
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index e8a507d..aac3fe1 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -12,22 +12,48 @@ role user_r;
userdom_unpriv_user_template(user)
+fs_exec_noxattr(user_t)
+
optional_policy(`
apache_role(user_r, user_t)
')
optional_policy(`
+ mozilla_run_plugin(user_t, user_r)
+')
+
+optional_policy(`
+ rpm_dontaudit_dbus_chat(user_t)
+')
+
+optional_policy(`
+ rtkit_scheduled(user_t)
+')
+
+optional_policy(`
+ sandbox_transition(user_t, user_r)
+')
+
+optional_policy(`
screen_role_template(user, user_r, user_t)
')
optional_policy(`
+ telepathy_dbus_session_role(user_r, user_t)
+')
+
+optional_policy(`
+ setroubleshoot_dontaudit_stream_connect(user_t)
+')
+
+optional_policy(`
xserver_role(user_r, user_t)
')
ifndef(`distro_redhat',`
optional_policy(`
auth_role(user_r, user_t)
- ')
+ ')
optional_policy(`
bluetooth_role(user_r, user_t)
@@ -44,7 +70,7 @@ ifndef(`distro_redhat',`
optional_policy(`
dbus_role_template(user, user_r, user_t)
')
-
+
optional_policy(`
evolution_role(user_r, user_t)
')
@@ -97,7 +123,7 @@ ifndef(`distro_redhat',`
oident_manage_user_content(user_t)
oident_relabel_user_content(user_t)
')
-
+
optional_policy(`
postgresql_role(user_r, user_t)
')
@@ -115,7 +141,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- spamassassin_role(user_r, user_t)
+ spamassassin_role(user_r, user_t)
')
optional_policy(`
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
index e88b95f..e76f7a7 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true)
##
##
-## Allow xguest to configure Network Manager
+## Allow xguest to configure Network Manager and connect to apache ports
##
##
gen_tunable(xguest_connect_network, true)
@@ -29,12 +29,12 @@ gen_tunable(xguest_use_bluetooth, true)
role xguest_r;
userdom_restricted_xwindows_user_template(xguest)
+sysnet_dns_name_resolve(xguest_t)
########################################
#
# Local policy
#
-
ifndef(`enable_mls',`
fs_exec_noxattr(xguest_t)
@@ -48,12 +48,21 @@ ifndef(`enable_mls',`
storage_raw_read_removable_device(xguest_t)
')
')
+# Dontaudit fusermount
+mount_dontaudit_exec_fusermount(xguest_t)
+
+allow xguest_t self:process execmem;
+kernel_dontaudit_request_load_module(xguest_t)
+
+tunable_policy(`allow_execstack',`
+ allow xguest_t self:process execstack;
+')
# Allow mounting of file systems
optional_policy(`
tunable_policy(`xguest_mount_media',`
kernel_read_fs_sysctls(xguest_t)
-
+ kernel_request_load_module(xguest_t)
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
@@ -62,10 +71,9 @@ optional_policy(`
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
+ fs_mount_fusefs(xguest_t)
auth_list_pam_console_data(xguest_t)
-
- init_read_utmp(xguest_t)
')
')
@@ -76,23 +84,90 @@ optional_policy(`
')
optional_policy(`
+ chrome_role(xguest_r, xguest_usertype)
+')
+
+
+optional_policy(`
hal_dbus_chat(xguest_t)
')
optional_policy(`
- java_role(xguest_r, xguest_t)
+ apache_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ gnomeclock_dontaudit_dbus_chat(xguest_t)
+')
+
+optional_policy(`
+ java_role_template(xguest, xguest_r, xguest_t)
+')
+
+optional_policy(`
+ mono_role_template(xguest, xguest_r, xguest_t)
')
optional_policy(`
- mozilla_role(xguest_r, xguest_t)
+ mozilla_run_plugin(xguest_t, xguest_r)
+')
+
+optional_policy(`
+ nsplugin_role(xguest_r, xguest_t)
')
optional_policy(`
tunable_policy(`xguest_connect_network',`
+ kernel_read_network_state(xguest_usertype)
+
networkmanager_dbus_chat(xguest_t)
- corenet_tcp_connect_pulseaudio_port(xguest_t)
- corenet_tcp_connect_ipp_port(xguest_t)
+ networkmanager_read_lib_files(xguest_t)
+ corenet_tcp_connect_pulseaudio_port(xguest_usertype)
+ corenet_all_recvfrom_unlabeled(xguest_usertype)
+ corenet_all_recvfrom_netlabel(xguest_usertype)
+ corenet_tcp_sendrecv_generic_if(xguest_usertype)
+ corenet_raw_sendrecv_generic_if(xguest_usertype)
+ corenet_tcp_sendrecv_generic_node(xguest_usertype)
+ corenet_raw_sendrecv_generic_node(xguest_usertype)
+ corenet_tcp_sendrecv_http_port(xguest_usertype)
+ corenet_tcp_sendrecv_http_cache_port(xguest_usertype)
+ corenet_tcp_sendrecv_squid_port(xguest_usertype)
+ corenet_tcp_sendrecv_ftp_port(xguest_usertype)
+ corenet_tcp_sendrecv_ipp_port(xguest_usertype)
+ corenet_tcp_connect_http_port(xguest_usertype)
+ corenet_tcp_connect_http_cache_port(xguest_usertype)
+ corenet_tcp_connect_squid_port(xguest_usertype)
+ corenet_tcp_connect_flash_port(xguest_usertype)
+ corenet_tcp_connect_ftp_port(xguest_usertype)
+ corenet_tcp_connect_ipp_port(xguest_usertype)
+ corenet_tcp_connect_generic_port(xguest_usertype)
+ corenet_tcp_connect_soundd_port(xguest_usertype)
+ corenet_sendrecv_http_client_packets(xguest_usertype)
+ corenet_sendrecv_http_cache_client_packets(xguest_usertype)
+ corenet_sendrecv_squid_client_packets(xguest_usertype)
+ corenet_sendrecv_ftp_client_packets(xguest_usertype)
+ corenet_sendrecv_ipp_client_packets(xguest_usertype)
+ corenet_sendrecv_generic_client_packets(xguest_usertype)
+ # Should not need other ports
+ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype)
+ corenet_dontaudit_tcp_bind_generic_port(xguest_usertype)
+ corenet_tcp_connect_speech_port(xguest_usertype)
+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
')
+
+ optional_policy(`
+ telepathy_dbus_session_role(xguest_r, xguest_t)
+ ')
+')
+
+optional_policy(`
+ gen_require(`
+ type mozilla_t;
+ ')
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
')
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
index 1bd5812..3b3ba64 100644
--- a/policy/modules/services/abrt.fc
+++ b/policy/modules/services/abrt.fc
@@ -15,6 +15,7 @@
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
index 0b827c5..8a5d6a4 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
@@ -130,6 +130,10 @@ interface(`abrt_domtrans_helper',`
')
domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit abrt_helper_t $1:socket_class_set { read write };
+ ')
')
########################################
@@ -160,8 +164,25 @@ interface(`abrt_run_helper',`
########################################
##
-## Send and receive messages from
-## abrt over dbus.
+## Append abrt cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_cache_append',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+ append_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
+########################################
+##
+## Manage abrt cache
##
##
##
@@ -253,6 +274,24 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
+########################################
+##
+## Read and write abrt fifo files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_rw_fifo_file',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
#####################################
##
## All of the rules required to administrate
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
index 93d31d5..65609e5 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,6 +5,14 @@ policy_module(abrt, 1.1.1)
# Declarations
#
+##
+##
+## Allow ABRT to modify public files
+## used for public file transfer services.
+##
+##
+gen_tunable(abrt_anon_write, false)
+
type abrt_t;
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)
@@ -50,7 +58,7 @@ ifdef(`enable_mcs',`
allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
dontaudit abrt_t self:capability sys_rawio;
-allow abrt_t self:process { signal signull setsched getsched };
+allow abrt_t self:process { sigkill signal signull setsched getsched };
allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
@@ -69,6 +77,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+can_exec(abrt_t, abrt_tmp_t)
# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
@@ -82,7 +91,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
-files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
kernel_read_ring_buffer(abrt_t)
kernel_read_system_state(abrt_t)
@@ -121,6 +130,8 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
+files_dontaudit_read_all_symlinks(abrt_t)
+files_dontaudit_getattr_all_sockets(abrt_t)
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
@@ -131,7 +142,7 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
-sysnet_read_config(abrt_t)
+sysnet_dns_name_resolve(abrt_t)
logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)
@@ -140,6 +151,15 @@ miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
+
+tunable_policy(`abrt_anon_write',`
+ miscfiles_manage_public_files(abrt_t)
+')
+
+optional_policy(`
+ apache_read_modules(abrt_t)
+')
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
@@ -150,7 +170,12 @@ optional_policy(`
')
optional_policy(`
- policykit_dbus_chat(abrt_t)
+ nsplugin_read_rw_files(abrt_t)
+ nsplugin_read_home(abrt_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
@@ -178,6 +203,12 @@ optional_policy(`
')
optional_policy(`
+ sosreport_domtrans(abrt_t)
+ sosreport_read_tmp_files(abrt_t)
+ sosreport_delete_tmp_files(abrt_t)
+')
+
+optional_policy(`
sssd_stream_connect(abrt_t)
')
@@ -203,6 +234,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
domain_read_all_domains_state(abrt_helper_t)
files_read_etc_files(abrt_helper_t)
+files_dontaudit_all_non_security_leaks(abrt_helper_t)
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
@@ -217,11 +249,26 @@ term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
ifdef(`hide_broken_symptoms', `
+ domain_dontaudit_leaks(abrt_helper_t)
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
dev_dontaudit_read_all_blk_files(abrt_helper_t)
dev_dontaudit_read_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
')
+
+
+ifdef(`hide_broken_symptoms', `
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
+')
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
index 1632f10..2724c11 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
type accountsd_t;
type accountsd_exec_t;
dbus_system_domain(accountsd_t, accountsd_exec_t)
+init_daemon_domain(accountsd_t, accountsd_exec_t)
+role system_r types accountsd_t;
type accountsd_var_lib_t;
files_type(accountsd_var_lib_t)
@@ -55,3 +57,8 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(accountsd_t)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(accountsd_t)
+ xserver_manage_xdm_etc_files(accountsd_t)
+')
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
index de8b791..9ec36b9 100644
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
@@ -82,6 +82,10 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
kernel_rw_afs_state(afs_t)
+ifdef(`hide_broken_symptoms', `
+ kernel_rw_unlabeled_files(afs_t)
+')
+
corenet_all_recvfrom_unlabeled(afs_t)
corenet_all_recvfrom_netlabel(afs_t)
corenet_tcp_sendrecv_generic_if(afs_t)
diff --git a/policy/modules/services/aiccu.fc b/policy/modules/services/aiccu.fc
new file mode 100644
index 0000000..069518f
--- /dev/null
+++ b/policy/modules/services/aiccu.fc
@@ -0,0 +1,6 @@
+/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0)
+/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+
+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if
new file mode 100644
index 0000000..420c856
--- /dev/null
+++ b/policy/modules/services/aiccu.if
@@ -0,0 +1,118 @@
+## Automatic IPv6 Connectivity Client Utility.
+
+########################################
+##
+## Execute a domain transition to run aiccu.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`aiccu_domtrans',`
+ gen_require(`
+ type aiccu_t, aiccu_exec_t;
+ ')
+
+ domtrans_pattern($1, aiccu_exec_t, aiccu_t)
+ corecmd_search_bin($1)
+')
+
+
+########################################
+##
+## Execute aiccu server in the aiccu domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`aiccu_initrc_domtrans',`
+ gen_require(`
+ type aiccu_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, aiccu_initrc_exec_t)
+')
+
+########################################
+##
+## Read aiccu PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`aiccu_read_pid_files',`
+ gen_require(`
+ type aiccu_var_run_t;
+ ')
+
+ allow $1 aiccu_var_run_t:file read_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+##
+## Manage aiccu PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`aiccu_manage_var_run',`
+ gen_require(`
+ type aiccu_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+ manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+ manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+ files_search_pids($1)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an aiccu environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`aiccu_admin',`
+ gen_require(`
+ type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
+ type aiccu_var_run_t;
+ ')
+
+ allow $1 aiccu_t:process { ptrace signal_perms };
+ ps_process_pattern($1, aiccu_t)
+
+ aiccu_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 aiccu_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, aiccu_etc_t)
+ files_search_etc($1)
+
+ admin_pattern($1, aiccu_var_run_t)
+ files_search_pids($1)
+')
diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te
new file mode 100644
index 0000000..d21aa69
--- /dev/null
+++ b/policy/modules/services/aiccu.te
@@ -0,0 +1,71 @@
+policy_module(aiccu, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type aiccu_t;
+type aiccu_exec_t;
+init_daemon_domain(aiccu_t, aiccu_exec_t)
+
+type aiccu_initrc_exec_t;
+init_script_file(aiccu_initrc_exec_t)
+
+type aiccu_etc_t;
+files_config_file(aiccu_etc_t)
+
+type aiccu_var_run_t;
+files_pid_file(aiccu_var_run_t)
+
+########################################
+#
+# aiccu local policy
+#
+
+allow aiccu_t self:capability { kill net_admin };
+dontaudit aiccu_t self:capability sys_tty_config;
+allow aiccu_t self:process signal;
+allow aiccu_t self:fifo_file rw_fifo_file_perms;
+allow aiccu_t self:netlink_route_socket create_netlink_socket_perms;
+allow aiccu_t self:tcp_socket create_stream_socket_perms;
+allow aiccu_t self:tun_socket create_socket_perms;
+allow aiccu_t self:udp_socket create_stream_socket_perms;
+allow aiccu_t self:unix_stream_socket create_stream_socket_perms;
+
+allow aiccu_t aiccu_etc_t:file read_file_perms;
+
+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
+
+kernel_read_system_state(aiccu_t)
+
+corecmd_exec_shell(aiccu_t)
+
+corenet_all_recvfrom_netlabel(aiccu_t)
+corenet_all_recvfrom_unlabeled(aiccu_t)
+corenet_tcp_bind_generic_node(aiccu_t)
+corenet_tcp_sendrecv_generic_if(aiccu_t)
+corenet_tcp_sendrecv_generic_node(aiccu_t)
+corenet_tcp_sendrecv_generic_port(aiccu_t)
+corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
+corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
+corenet_tcp_connect_sixxsconfig_port(aiccu_t)
+corenet_rw_tun_tap_dev(aiccu_t)
+
+domain_use_interactive_fds(aiccu_t)
+
+dev_read_rand(aiccu_t)
+dev_read_urand(aiccu_t)
+
+files_read_etc_files(aiccu_t)
+
+logging_send_syslog_msg(aiccu_t)
+
+miscfiles_read_localization(aiccu_t)
+
+modutils_domtrans_insmod(aiccu_t)
+
+sysnet_domtrans_ifconfig(aiccu_t)
+sysnet_dns_name_resolve(aiccu_t)
diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
index 97c9cae..c24bd66 100644
--- a/policy/modules/services/aisexec.te
+++ b/policy/modules/services/aisexec.te
@@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t)
# aisexec local policy
#
-allow aisexec_t self:capability { sys_nice sys_resource ipc_lock };
+allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner };
allow aisexec_t self:process { setrlimit setsched signal };
allow aisexec_t self:fifo_file rw_fifo_file_perms;
allow aisexec_t self:sem create_sem_perms;
@@ -81,6 +81,9 @@ logging_send_syslog_msg(aisexec_t)
miscfiles_read_localization(aisexec_t)
+userdom_rw_semaphores(aisexec_t)
+userdom_rw_unpriv_user_shared_mem(aisexec_t)
+
optional_policy(`
ccs_stream_connect(aisexec_t)
')
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
index adb3d5f..de26af5 100644
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
@@ -56,7 +56,7 @@ interface(`amavis_read_spool_files',`
')
files_search_spool($1)
- allow $1 amavis_spool_t:file read_file_perms;
+ read_files_pattern($1, amavis_spool_t, amavis_spool_t)
')
########################################
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index cf34b4e..cc216a4 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -92,9 +92,10 @@ manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
# pid file
+manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
-files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file })
+files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file dir })
kernel_read_kernel_sysctls(amavis_t)
# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 9e39aa5..8603d4d 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
@@ -24,7 +24,6 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
@@ -43,8 +42,7 @@ ifdef(`distro_suse', `
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -74,7 +72,8 @@ ifdef(`distro_suse', `
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -86,7 +85,6 @@ ifdef(`distro_suse', `
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -109,3 +107,17 @@ ifdef(`distro_debian', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index c9e1a44..2244b11 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,17 +13,14 @@
#
template(`apache_content_template',`
gen_require(`
- attribute httpdcontent;
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
+ type httpd_sys_content_t;
')
- # allow write access to public file transfer
- # services files.
- gen_tunable(allow_httpd_$1_script_anon_write, false)
#This type is for webpages
- type httpd_$1_content_t, httpdcontent; # customizable
+ type httpd_$1_content_t; # customizable;
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
files_type(httpd_$1_content_t)
@@ -36,16 +33,18 @@ template(`apache_content_template',`
domain_type(httpd_$1_script_t)
role system_r types httpd_$1_script_t;
+ search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)
+
# This type is used for executable scripts files
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
- type httpd_$1_rw_content_t, httpdcontent; # customizable
+ type httpd_$1_rw_content_t; # customizable
typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
files_type(httpd_$1_rw_content_t)
- type httpd_$1_ra_content_t, httpdcontent; # customizable
+ type httpd_$1_ra_content_t; # customizable
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
files_type(httpd_$1_ra_content_t)
@@ -54,7 +53,7 @@ template(`apache_content_template',`
domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
allow httpd_$1_script_t self:fifo_file rw_file_perms;
allow httpd_$1_script_t self:unix_stream_socket connectto;
@@ -86,7 +85,6 @@ template(`apache_content_template',`
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
@@ -95,6 +93,7 @@ template(`apache_content_template',`
dev_read_urand(httpd_$1_script_t)
corecmd_exec_all_executables(httpd_$1_script_t)
+ application_exec_all(httpd_$1_script_t)
files_exec_etc_files(httpd_$1_script_t)
files_read_etc_files(httpd_$1_script_t)
@@ -108,19 +107,6 @@ template(`apache_content_template',`
seutil_dontaudit_search_config(httpd_$1_script_t)
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_$1_script_t httpdcontent:file entrypoint;
-
- manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
- manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
- manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
- can_exec(httpd_$1_script_t, httpdcontent)
- ')
-
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
- ')
-
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -140,6 +126,7 @@ template(`apache_content_template',`
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;
')
tunable_policy(`httpd_enable_cgi',`
@@ -148,14 +135,19 @@ template(`apache_content_template',`
# privileged users run the script:
domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
+
# apache runs the script:
domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+ allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
+
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
allow httpd_$1_script_t self:process { setsched signal_perms };
allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
+ allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
@@ -172,6 +164,7 @@ template(`apache_content_template',`
libs_read_lib_files(httpd_$1_script_t)
miscfiles_read_localization(httpd_$1_script_t)
+ allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
')
optional_policy(`
@@ -182,15 +175,13 @@ template(`apache_content_template',`
optional_policy(`
postgresql_unpriv_client(httpd_$1_script_t)
-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_$1_script_t)
- ')
')
optional_policy(`
nscd_socket_use(httpd_$1_script_t)
')
+
+ dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
')
########################################
@@ -229,6 +220,13 @@ interface(`apache_role',`
relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
@@ -243,6 +241,8 @@ interface(`apache_role',`
relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ apache_exec_modules($2)
+
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
@@ -312,6 +312,25 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
+######################################
+##
+## Allow the specified domain to execute apache
+## in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_exec',`
+ gen_require(`
+ type httpd_exec_t;
+ ')
+
+ can_exec($1, httpd_exec_t)
+')
+
#######################################
##
## Send a generic signal to apache.
@@ -400,7 +419,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@@ -526,6 +545,25 @@ interface(`apache_rw_cache_files',`
########################################
##
## Allow the specified domain to delete
+## Apache cache dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_delete_cache_dirs',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+##
+## Allow the specified domain to delete
## Apache cache.
##
##
@@ -740,6 +778,25 @@ interface(`apache_dontaudit_search_modules',`
########################################
##
+## Allow the specified domain to read
+## the apache module directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_read_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
+')
+
+########################################
+##
## Allow the specified domain to list
## the contents of the apache modules
## directory.
@@ -756,6 +813,7 @@ interface(`apache_list_modules',`
')
allow $1 httpd_modules_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
@@ -814,6 +872,7 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
files_search_var($1)
')
@@ -836,11 +895,80 @@ interface(`apache_manage_sys_content',`
')
files_search_var($1)
+ apache_search_sys_content($1)
manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
+######################################
+##
+## Allow the specified domain to read
+## apache system content rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_read_sys_content_rw_files',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+##
+## Allow the specified domain to manage
+## apache system content rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_manage_sys_content_rw',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+########################################
+##
+## Allow the specified domain to delete
+## apache system content rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_delete_sys_content_rw',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ files_search_tmp($1)
+ delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
########################################
##
## Execute all web scripts in the system
@@ -858,6 +986,11 @@ interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
type httpd_sys_script_t;
+ type httpd_sys_content_t;
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
@@ -945,7 +1078,7 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
- allow $1 httpd_squirrelmail_t:file read_file_perms;
+ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
')
########################################
@@ -1086,6 +1219,25 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
+######################################
+##
+## Dontaudit attempts to read and write
+## apache tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_tmp_t:file { read write };
+')
+
########################################
##
## Dontaudit attempts to write
@@ -1102,7 +1254,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
- dontaudit $1 httpd_tmp_t:file write_file_perms;
+ dontaudit $1 httpd_tmp_t:file write;
')
########################################
@@ -1172,7 +1324,7 @@ interface(`apache_admin',`
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
- type httpd_initrc_exec_t;
+ type httpd_initrc_exec_t, httpd_bool_t;
')
allow $1 httpd_t:process { getattr ptrace signal_perms };
@@ -1202,12 +1354,43 @@ interface(`apache_admin',`
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
-
+ ps_process_pattern($1, httpd_t)
read_lnk_files_pattern($1, httpd_t, httpd_t)
admin_pattern($1, httpdcontent)
admin_pattern($1, httpd_script_exec_type)
+
+ seutil_domtrans_setfiles($1)
+
admin_pattern($1, httpd_tmp_t)
admin_pattern($1, httpd_php_tmp_t)
admin_pattern($1, httpd_suexec_tmp_t)
+
+ifdef(`TODO',`
+ apache_set_booleans($1, $2, $3, httpd_bool_t )
+ seutil_setsebool_role_template($1, $3, $2)
+ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
+ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
+')
+')
+
+########################################
+##
+## dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_dontaudit_leaks',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 httpd_t:tcp_socket { read write };
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index e33b9cd..de4388a 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.2.0)
# Declarations
#
+selinux_genbool(httpd_bool_t)
+
##
##
## Allow Apache to modify public files
@@ -36,6 +38,20 @@ gen_tunable(allow_httpd_mod_auth_pam, false)
##
##
+## Allow httpd scripts and modules execmem/execstack
+##
+##
+gen_tunable(httpd_execmem, false)
+
+##
+##
+## Allow httpd daemon to change system limits
+##
+##
+gen_tunable(httpd_setrlimit, false)
+
+##
+##
## Allow httpd to use built in scripting (usually php)
##
##
@@ -50,6 +66,13 @@ gen_tunable(httpd_can_network_connect, false)
##
##
+## Allow HTTPD scripts and modules to connect to cobbler over the network.
+##
+##
+gen_tunable(httpd_can_network_connect_cobbler, false)
+
+##
+##
## Allow HTTPD scripts and modules to connect to databases over the network.
##
##
@@ -57,6 +80,13 @@ gen_tunable(httpd_can_network_connect_db, false)
##
##
+## Allow httpd to connect to memcache server
+##
+##
+gen_tunable(httpd_can_network_memcache, false)
+
+##
+##
## Allow httpd to act as a relay
##
##
@@ -71,6 +101,13 @@ gen_tunable(httpd_can_sendmail, false)
##
##
+## Allow http daemon to check spam
+##
+##
+gen_tunable(httpd_can_check_spam, false)
+
+##
+##
## Allow Apache to communicate with avahi service via dbus
##
##
@@ -100,6 +137,13 @@ gen_tunable(httpd_enable_homedirs, false)
##
##
+## Allow httpd to read user content
+##
+##
+gen_tunable(httpd_read_user_content, false)
+
+##
+##
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
##
##
@@ -107,6 +151,13 @@ gen_tunable(httpd_ssi_exec, false)
##
##
+## Allow Apache to execute tmp content.
+##
+##
+gen_tunable(httpd_tmp_exec, false)
+
+##
+##
## Unify HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
@@ -130,7 +181,7 @@ gen_tunable(httpd_use_cifs, false)
##
##
-## Allow httpd to run gpg
+## Allow httpd to run gpg in gpg-web domain
##
##
gen_tunable(httpd_use_gpg, false)
@@ -142,6 +193,13 @@ gen_tunable(httpd_use_gpg, false)
##
gen_tunable(httpd_use_nfs, false)
+##
+##
+## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
+##
+##
+gen_tunable(allow_httpd_sys_script_anon_write, false)
+
attribute httpdcontent;
attribute httpd_user_content_type;
@@ -216,7 +274,10 @@ files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
-typealias httpd_sys_content_t alias ntop_http_content_t;
+
+typeattribute httpd_sys_content_t httpdcontent; # customizable
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
@@ -226,6 +287,10 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_rw_content_t httpdcontent;
+typeattribute httpd_user_ra_content_t httpdcontent;
+
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
@@ -233,6 +298,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
@@ -286,6 +352,7 @@ allow httpd_t self:udp_socket create_socket_perms;
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
@@ -355,6 +422,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
@@ -365,8 +433,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
+corenet_udp_bind_generic_node(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
+corenet_tcp_bind_ntop_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
# Signal self for shutdown
corenet_tcp_connect_http_port(httpd_t)
@@ -378,12 +448,12 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
+fs_read_iso9660_files(httpd_t)
+fs_read_anon_inodefs_files(httpd_t)
auth_use_nsswitch(httpd_t)
-# execute perl
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+application_exec_all(httpd_t)
domain_use_interactive_fds(httpd_t)
@@ -402,6 +472,10 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
libs_read_lib_files(httpd_t)
@@ -416,16 +490,31 @@ seutil_dontaudit_search_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
+tunable_policy(`httpd_setrlimit',`
+ allow httpd_t self:process setrlimit;
+')
+
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
-ifdef(`TODO', `
#
# We need optionals to be able to be within booleans to make this work
#
tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
+ auth_domtrans_chkpwd(httpd_t)
+ logging_send_audit_msgs(httpd_t)
+')
+
+##
+##
+## Allow Apache to use mod_auth_pam
+##
+##
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
+tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
')
')
@@ -433,19 +522,35 @@ tunable_policy(`httpd_can_network_connect',`
corenet_tcp_connect_all_ports(httpd_t)
')
+tunable_policy(`httpd_can_network_memcache',`
+ corenet_tcp_connect_memcache_port(httpd_t)
+')
+
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
corenet_tcp_connect_ftp_port(httpd_t)
corenet_tcp_connect_http_port(httpd_t)
corenet_tcp_connect_http_cache_port(httpd_t)
+ corenet_tcp_connect_squid_port(httpd_t)
corenet_tcp_connect_memcache_port(httpd_t)
corenet_sendrecv_gopher_client_packets(httpd_t)
corenet_sendrecv_ftp_client_packets(httpd_t)
corenet_sendrecv_http_client_packets(httpd_t)
corenet_sendrecv_http_cache_client_packets(httpd_t)
+ corenet_sendrecv_squid_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
')
+tunable_policy(`allow_httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
+')
+
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -456,6 +561,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -470,11 +579,25 @@ tunable_policy(`httpd_enable_homedirs',`
userdom_read_user_home_content_files(httpd_t)
')
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+ can_exec(httpd_t, httpd_tmp_t)
+')
+
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
+ can_exec(httpd_sys_script_t, httpd_tmp_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_t)
fs_read_nfs_symlinks(httpd_t)
')
+tunable_policy(`httpd_use_nfs',`
+ fs_manage_nfs_dirs(httpd_t)
+ fs_manage_nfs_files(httpd_t)
+ fs_manage_nfs_symlinks(httpd_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
@@ -484,7 +607,16 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
+ corenet_tcp_connect_pop_port(httpd_t)
+ corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
+ mta_signal_system_mail(httpd_t)
+')
+
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
')
tunable_policy(`httpd_ssi_exec',`
@@ -500,8 +632,10 @@ tunable_policy(`httpd_ssi_exec',`
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
userdom_use_user_terminals(httpd_t)
+ userdom_use_user_terminals(httpd_suexec_t)
',`
userdom_dontaudit_use_user_terminals(httpd_t)
+ userdom_dontaudit_use_user_terminals(httpd_suexec_t)
')
optional_policy(`
@@ -513,7 +647,13 @@ optional_policy(`
')
optional_policy(`
- cobbler_search_lib(httpd_t)
+ cobbler_list_config(httpd_t)
+ cobbler_read_config(httpd_t)
+ cobbler_read_lib_files(httpd_t)
+
+ tunable_policy(`httpd_can_network_connect_cobbler',`
+ corenet_tcp_connect_cobbler_port(httpd_t)
+ ')
')
optional_policy(`
@@ -528,7 +668,7 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
- optional_policy(`
+optional_policy(`
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
@@ -537,8 +677,12 @@ optional_policy(`
')
optional_policy(`
+ gitosis_read_lib_files(httpd_t)
+')
+
+optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
- gpg_domtrans(httpd_t)
+ gpg_domtrans_web(httpd_t)
')
')
@@ -557,6 +701,7 @@ optional_policy(`
optional_policy(`
# Allow httpd to work with mysql
+ mysql_read_config(httpd_t)
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
@@ -567,6 +712,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
+ nagios_read_log(httpd_t)
')
optional_policy(`
@@ -577,12 +723,23 @@ optional_policy(`
')
optional_policy(`
+ rpc_search_nfs_state_data(httpd_t)
+')
+
+tunable_policy(`httpd_execmem',`
+ allow httpd_t self:process { execmem execstack };
+ allow httpd_sys_script_t self:process { execmem execstack };
+ allow httpd_suexec_t self:process { execmem execstack };
+')
+
+optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
+ postgresql_tcp_connect(httpd_sys_script_t)
')
')
@@ -591,6 +748,11 @@ optional_policy(`
')
optional_policy(`
+ smokeping_getattr_lib_files(httpd_t)
+')
+
+optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
@@ -603,6 +765,10 @@ optional_policy(`
yam_read_content(httpd_t)
')
+optional_policy(`
+ zarafa_stream_connect_server(httpd_t)
+')
+
########################################
#
# Apache helper local policy
@@ -618,6 +784,10 @@ logging_send_syslog_msg(httpd_helper_t)
userdom_use_user_terminals(httpd_helper_t)
+tunable_policy(`httpd_tty_comm',`
+ userdom_use_user_terminals(httpd_helper_t)
+')
+
########################################
#
# Apache PHP script local policy
@@ -699,17 +869,18 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
dev_read_urand(httpd_suexec_t)
+fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
-# for shell scripts
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
@@ -740,10 +911,21 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+')
+tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -769,6 +951,12 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
+optional_policy(`
+ mysql_stream_connect(httpd_suexec_t)
+ mysql_rw_db_sockets(httpd_suexec_t)
+ mysql_read_config(httpd_suexec_t)
+')
+
########################################
#
# Apache system script local policy
@@ -792,9 +980,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
+logging_inherit_append_all_logs(httpd_sys_script_t)
+
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
+auth_use_nsswitch(httpd_sys_script_t)
+
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
@@ -803,6 +995,28 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
+optional_policy(`
+ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+ spamassassin_domtrans_client(httpd_t)
+ ')
+')
+
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+
+tunable_policy(`httpd_use_nfs',`
+ fs_manage_nfs_dirs(httpd_sys_script_t)
+ fs_manage_nfs_files(httpd_sys_script_t)
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
+ fs_exec_nfs_files(httpd_sys_script_t)
+
+ fs_manage_nfs_dirs(httpd_suexec_t)
+ fs_manage_nfs_files(httpd_suexec_t)
+ fs_manage_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -830,6 +1044,16 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_sys_script_t)
')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_sys_script_t)
+ fs_manage_cifs_files(httpd_sys_script_t)
+ fs_manage_cifs_symlinks(httpd_sys_script_t)
+ fs_manage_cifs_dirs(httpd_suexec_t)
+ fs_manage_cifs_files(httpd_suexec_t)
+ fs_manage_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -842,6 +1066,7 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
')
optional_policy(`
@@ -891,11 +1116,33 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
')
# allow accessing files/dirs below the users home dir
tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_t)
- userdom_search_user_home_dirs(httpd_suexec_t)
- userdom_search_user_home_dirs(httpd_user_script_t)
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_user_script_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
+ userdom_read_user_home_content_files(httpd_t)
+')
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index 67c91aa..472ddad 100644
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
@@ -94,6 +94,10 @@ optional_policy(`
')
optional_policy(`
+ shutdown_domtrans(apcupsd_t)
+')
+
+optional_policy(`
mta_send_mail(apcupsd_t)
mta_system_content(apcupsd_tmp_t)
')
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
index 1c8c27e..c7cba00 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -62,6 +62,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
+allow apmd_t self:netlink_socket create_socket_perms;
allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
@@ -81,6 +82,7 @@ kernel_rw_all_sysctls(apmd_t)
kernel_read_system_state(apmd_t)
kernel_write_proc_files(apmd_t)
+dev_read_input(apmd_t)
dev_read_realtime_clock(apmd_t)
dev_read_urand(apmd_t)
dev_rw_apm_bios(apmd_t)
@@ -142,9 +144,8 @@ ifdef(`distro_redhat',`
can_exec(apmd_t, apmd_var_run_t)
- # ifconfig_exec_t needs to be run in its own domain for Red Hat
optional_policy(`
- sysnet_domtrans_ifconfig(apmd_t)
+ fstools_domtrans(apmd_t)
')
optional_policy(`
@@ -155,6 +156,15 @@ ifdef(`distro_redhat',`
netutils_domtrans(apmd_t)
')
+ # ifconfig_exec_t needs to be run in its own domain for Red Hat
+ optional_policy(`
+ sssd_search_lib(apmd_t)
+ ')
+
+ optional_policy(`
+ sysnet_domtrans_ifconfig(apmd_t)
+ ')
+
',`
# for ifconfig which is run all the time
kernel_dontaudit_search_sysctl(apmd_t)
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
index 0160ba4..f31b5c9 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
@@ -50,6 +50,7 @@ kernel_read_network_state(arpwatch_t)
kernel_read_kernel_sysctls(arpwatch_t)
kernel_list_proc(arpwatch_t)
kernel_read_proc_symlinks(arpwatch_t)
+kernel_request_load_module(arpwatch_t)
corenet_all_recvfrom_unlabeled(arpwatch_t)
corenet_all_recvfrom_netlabel(arpwatch_t)
@@ -63,6 +64,7 @@ corenet_tcp_sendrecv_all_ports(arpwatch_t)
corenet_udp_sendrecv_all_ports(arpwatch_t)
dev_read_sysfs(arpwatch_t)
+dev_read_usbmon_dev(arpwatch_t)
dev_rw_generic_usb_dev(arpwatch_t)
fs_getattr_all_fs(arpwatch_t)
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index b9e94c4..608e3a1 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -99,6 +99,7 @@ corenet_udp_sendrecv_all_ports(asterisk_t)
corenet_tcp_bind_generic_node(asterisk_t)
corenet_udp_bind_generic_node(asterisk_t)
corenet_tcp_bind_asterisk_port(asterisk_t)
+corenet_tcp_bind_sip_port(asterisk_t)
corenet_udp_bind_asterisk_port(asterisk_t)
corenet_udp_bind_sip_port(asterisk_t)
corenet_sendrecv_asterisk_server_packets(asterisk_t)
@@ -109,6 +110,7 @@ corenet_dontaudit_udp_bind_all_ports(asterisk_t)
corenet_sendrecv_generic_server_packets(asterisk_t)
corenet_tcp_connect_postgresql_port(asterisk_t)
corenet_tcp_connect_snmp_port(asterisk_t)
+corenet_tcp_connect_sip_port(asterisk_t)
dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
@@ -147,6 +149,10 @@ optional_policy(`
')
optional_policy(`
+ postfix_domtrans_postdrop(asterisk_t)
+')
+
+optional_policy(`
postgresql_stream_connect(asterisk_t)
')
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index a3eaf94..ac13727 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -145,6 +145,7 @@ miscfiles_read_certs(automount_t)
# Run mount in the mount_t domain.
mount_domtrans(automount_t)
+mount_domtrans_showmount(automount_t)
mount_signal(automount_t)
userdom_dontaudit_use_unpriv_user_fds(automount_t)
diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
index 210ca0b..e51354d 100644
--- a/policy/modules/services/avahi.if
+++ b/policy/modules/services/avahi.if
@@ -90,6 +90,7 @@ interface(`avahi_dbus_chat',`
class dbus send_msg;
')
+ allow avahi_t $1:file read;
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
')
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index e4c76d0..0aa1998 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -37,10 +37,11 @@ manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
+manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
allow avahi_t avahi_var_run_t:dir setattr;
-files_pid_filetrans(avahi_t, avahi_var_run_t, file)
+files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
kernel_read_system_state(avahi_t)
kernel_read_kernel_sysctls(avahi_t)
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 44a1e3d..71f5514 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -308,6 +308,27 @@ interface(`bind_read_zone',`
########################################
##
+## Read BIND zone files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_read_log',`
+ gen_require(`
+ type named_zone_t;
+ type named_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_zone_t:dir search_dir_perms;
+ read_files_pattern($1, named_log_t, named_log_t)
+')
+
+########################################
+##
## Manage BIND zone files.
##
##
@@ -359,9 +380,9 @@ interface(`bind_udp_chat_named',`
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
- type named_conf_t, named_var_lib_t, named_var_run_t;
+ type named_conf_t, named_var_run_t;
type named_cache_t, named_zone_t;
- type dnssec_t, ndc_t;
+ type dnssec_t, ndc_t, named_keytab_t;
type named_initrc_exec_t;
')
@@ -391,8 +412,7 @@ interface(`bind_admin',`
admin_pattern($1, named_zone_t)
admin_pattern($1, dnssec_t)
- files_list_var_lib($1)
- admin_pattern($1, named_var_lib_t)
+ admin_pattern($1, named_keytab_t)
files_list_pids($1)
admin_pattern($1, named_var_run_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 2be1518..190b0bc 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -89,9 +89,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
files_tmp_filetrans(named_t, named_tmp_t, { file dir })
+manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t)
manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
-files_pid_filetrans(named_t, named_var_run_t, { file sock_file })
+files_pid_filetrans(named_t, named_var_run_t, { file sock_file dir })
# read zone files
allow named_t named_zone_t:dir list_dir_perms;
diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
index f42cdfc..e74f728 100644
--- a/policy/modules/services/bitlbee.te
+++ b/policy/modules/services/bitlbee.te
@@ -27,6 +27,7 @@ files_type(bitlbee_var_t)
# Local policy
#
#
+allow bitlbee_t self:capability { setgid setuid };
allow bitlbee_t self:udp_socket create_socket_perms;
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
@@ -80,6 +81,10 @@ files_read_usr_files(bitlbee_t)
libs_legacy_use_shared_libs(bitlbee_t)
+auth_use_nsswitch(bitlbee_t)
+
+logging_send_syslog_msg(bitlbee_t)
+
miscfiles_read_localization(bitlbee_t)
sysnet_dns_name_resolve(bitlbee_t)
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 3e45431..328302d 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -117,6 +117,27 @@ interface(`bluetooth_dbus_chat',`
########################################
##
+## dontaudit Send and receive messages from
+## bluetooth over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bluetooth_dontaudit_dbus_chat',`
+ gen_require(`
+ type bluetooth_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 bluetooth_t:dbus send_msg;
+ dontaudit bluetooth_t $1:dbus send_msg;
+')
+
+########################################
+##
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
##
##
@@ -194,7 +215,7 @@ interface(`bluetooth_dontaudit_read_helper_state',`
interface(`bluetooth_admin',`
gen_require(`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
- type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
+ type bluetooth_var_lib_t, bluetooth_var_run_t;
type bluetooth_conf_t, bluetooth_conf_rw_t;
type bluetooth_initrc_exec_t;
')
@@ -217,9 +238,6 @@ interface(`bluetooth_admin',`
admin_pattern($1, bluetooth_conf_t)
admin_pattern($1, bluetooth_conf_rw_t)
- files_list_spool($1)
- admin_pattern($1, bluetooth_spool_t)
-
files_list_var_lib($1)
admin_pattern($1, bluetooth_var_lib_t)
diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc
new file mode 100644
index 0000000..c095160
--- /dev/null
+++ b/policy/modules/services/boinc.fc
@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+
+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+
+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if
new file mode 100644
index 0000000..9f4885c
--- /dev/null
+++ b/policy/modules/services/boinc.if
@@ -0,0 +1,151 @@
+
+## policy for boinc
+
+########################################
+##
+## Execute a domain transition to run boinc.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`boinc_domtrans',`
+ gen_require(`
+ type boinc_t, boinc_exec_t;
+ ')
+
+ domtrans_pattern($1, boinc_exec_t, boinc_t)
+')
+
+#######################################
+##
+## Execute boinc server in the boinc domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_initrc_domtrans',`
+ gen_require(`
+ type boinc_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+')
+
+########################################
+##
+## Search boinc lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_search_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ allow $1 boinc_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read boinc lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_read_lib_files',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## boinc lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_manage_lib_files',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+##
+## Manage boinc var_lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_manage_var_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an boinc environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`boinc_admin',`
+ gen_require(`
+ type boinc_t, boinc_initrc_exec_t;
+ type boinc_var_lib_t;
+ ')
+
+ allow $1 boinc_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, boinc_t, boinc_t)
+
+ boinc_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 boinc_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, boinc_var_lib_t)
+')
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644
index 0000000..62a48ac
--- /dev/null
+++ b/policy/modules/services/boinc.te
@@ -0,0 +1,153 @@
+policy_module(boinc,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type boinc_t;
+type boinc_exec_t;
+init_daemon_domain(boinc_t, boinc_exec_t)
+
+type boinc_initrc_exec_t;
+init_script_file(boinc_initrc_exec_t)
+
+type boinc_tmp_t;
+files_tmp_file(boinc_tmp_t)
+
+type boinc_tmpfs_t;
+files_tmpfs_file(boinc_tmpfs_t)
+
+type boinc_var_lib_t;
+files_type(boinc_var_lib_t)
+
+type boinc_project_t;
+domain_type(boinc_project_t)
+role system_r types boinc_project_t;
+
+permissive boinc_project_t;
+
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
+########################################
+#
+# boinc local policy
+#
+
+allow boinc_t self:capability { kill };
+allow boinc_t self:process { setsched sigkill };
+
+allow boinc_t self:fifo_file rw_fifo_file_perms;
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
+allow boinc_t self:tcp_socket create_stream_socket_perms;
+allow boinc_t self:sem create_sem_perms;
+allow boinc_t self:shm create_shm_perms;
+
+manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+
+manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
+fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t,file)
+
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, { dir })
+
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+
+kernel_read_system_state(boinc_t)
+
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+
+corecmd_exec_bin(boinc_t)
+corecmd_exec_shell(boinc_t)
+
+corenet_all_recvfrom_unlabeled(boinc_t)
+corenet_all_recvfrom_netlabel(boinc_t)
+corenet_tcp_sendrecv_generic_if(boinc_t)
+corenet_udp_sendrecv_generic_if(boinc_t)
+corenet_tcp_sendrecv_generic_node(boinc_t)
+corenet_udp_sendrecv_generic_node(boinc_t)
+corenet_tcp_sendrecv_all_ports(boinc_t)
+corenet_udp_sendrecv_all_ports(boinc_t)
+corenet_tcp_bind_generic_node(boinc_t)
+corenet_udp_bind_generic_node(boinc_t)
+corenet_tcp_bind_boinc_port(boinc_t)
+corenet_tcp_connect_boinc_port(boinc_t)
+corenet_tcp_connect_http_port(boinc_t)
+corenet_tcp_connect_http_cache_port(boinc_t)
+
+dev_list_sysfs(boinc_t)
+dev_read_rand(boinc_t)
+dev_read_urand(boinc_t)
+dev_read_sysfs(boinc_t)
+
+domain_read_all_domains_state(boinc_t)
+
+files_dontaudit_getattr_boot_dirs(boinc_t)
+
+files_read_etc_files(boinc_t)
+files_read_usr_files(boinc_t)
+
+fs_getattr_all_fs(boinc_t)
+
+term_dontaudit_getattr_ptmx(boinc_t)
+
+miscfiles_read_localization(boinc_t)
+miscfiles_read_certs(boinc_t)
+
+logging_send_syslog_msg(boinc_t)
+
+sysnet_dns_name_resolve(boinc_t)
+
+mta_send_mail(boinc_t)
+
+########################################
+#
+# boinc-projects local policy
+#
+
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill;
+
+allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { execmem execstack };
+
+allow boinc_project_t self:fifo_file rw_fifo_file_perms;
+
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
+
+allow boinc_project_t boinc_project_var_lib_t:file execmod;
+
+allow boinc_project_t boinc_t:shm rw_shm_perms;
+allow boinc_project_t boinc_tmpfs_t:file { read write };
+
+list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
+rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
+
+kernel_read_system_state(boinc_project_t)
+kernel_read_kernel_sysctls(boinc_project_t)
+kernel_search_vm_sysctl(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
+
+corecmd_exec_bin(boinc_project_t)
+corecmd_exec_shell(boinc_project_t)
+
+corenet_tcp_connect_boinc_port(boinc_project_t)
+
+dev_read_urand(boinc_project_t)
+dev_rw_xserver_misc(boinc_project_t)
+
+files_read_etc_files(boinc_project_t)
+
+miscfiles_read_localization(boinc_project_t)
+
diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc
new file mode 100644
index 0000000..18f37e2
--- /dev/null
+++ b/policy/modules/services/bugzilla.fc
@@ -0,0 +1,4 @@
+
+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if
new file mode 100644
index 0000000..922c4ba
--- /dev/null
+++ b/policy/modules/services/bugzilla.if
@@ -0,0 +1,81 @@
+## Bugzilla server
+
+########################################
+##
+## Allow the specified domain to search
+## bugzilla directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bugzilla_search_dirs',`
+ gen_require(`
+ type httpd_bugzilla_content_t;
+ ')
+
+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## bugzilla script unix domain stream sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bugzilla_dontaudit_rw_script_stream_sockets',`
+ gen_require(`
+ type httpd_bugzilla_script_t;
+ ')
+
+ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an bugzilla environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the bugzilla domain.
+##
+##
+##
+#
+interface(`bugzilla_admin',`
+ gen_require(`
+ type httpd_bugzilla_script_t;
+ type httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+ type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t;
+ type httpd_bugzilla_script_exec_t, httpd_bugzilla_htaccess_t;
+ ')
+
+ allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
+ ps_process_pattern($1, httpd_bugzilla_script_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, httpd_bugzilla_tmp_t)
+
+ files_search_var_lib(httpd_bugzilla_script_t)
+
+ apache_search_sys_content($1)
+ admin_pattern($1, httpd_bugzilla_script_exec_t)
+ admin_pattern($1, httpd_bugzilla_script_t)
+ admin_pattern($1, httpd_bugzilla_content_t)
+ admin_pattern($1, httpd_bugzilla_htaccess_t)
+ admin_pattern($1, httpd_bugzilla_rw_content_t)
+ admin_pattern($1, httpd_bugzilla_ra_content_t)
+')
diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te
new file mode 100644
index 0000000..d31736b
--- /dev/null
+++ b/policy/modules/services/bugzilla.te
@@ -0,0 +1,56 @@
+policy_module(bugzilla, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(bugzilla)
+
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
+########################################
+#
+# bugzilla local policy
+#
+
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+mta_send_mail(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
+
diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc
new file mode 100644
index 0000000..24d9837
--- /dev/null
+++ b/policy/modules/services/cachefilesd.fc
@@ -0,0 +1,29 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the contexts to be assigned to various files and directories of
+# importance to the CacheFiles kernel module and userspace management daemon.
+#
+
+# cachefilesd executable will have:
+# label: system_u:object_r:cachefilesd_exec_t
+# MLS sensitivity: s0
+# MCS categories:
+
+/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
diff --git a/policy/modules/services/cachefilesd.if b/policy/modules/services/cachefilesd.if
new file mode 100644
index 0000000..89d19e0
--- /dev/null
+++ b/policy/modules/services/cachefilesd.if
@@ -0,0 +1,41 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
+
+## policy for cachefilesd
+
+########################################
+##
+## Execute a domain transition to run cachefilesd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cachefilesd_domtrans',`
+ gen_require(`
+ type cachefilesd_t, cachefilesd_exec_t;
+ ')
+
+ domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t)
+
+ allow $1 cachefilesd_t:fd use;
+ allow cachefilesd_t $1:fd use;
+ allow cachefilesd_t $1:fifo_file rw_file_perms;
+ allow cachefilesd_t $1:process sigchld;
+')
diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
new file mode 100644
index 0000000..e67f987
--- /dev/null
+++ b/policy/modules/services/cachefilesd.te
@@ -0,0 +1,146 @@
+###############################################################################
+#
+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# This security policy governs access by the CacheFiles kernel module and
+# userspace management daemon to the files and directories in the on-disk
+# cache, on behalf of the processes accessing the cache through a network
+# filesystem such as NFS
+#
+policy_module(cachefilesd,1.0.17)
+
+###############################################################################
+#
+# Declarations
+#
+
+#
+# Files in the cache are created by the cachefiles module with security ID
+# cachefiles_var_t
+#
+type cachefiles_var_t;
+files_type(cachefiles_var_t)
+
+#
+# The /dev/cachefiles character device has security ID cachefiles_dev_t
+#
+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
+#
+# The cachefilesd daemon normally runs with security ID cachefilesd_t
+#
+type cachefilesd_t;
+type cachefilesd_exec_t;
+domain_type(cachefilesd_t)
+init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
+
+#
+# The cachefilesd daemon pid file context
+#
+type cachefilesd_var_run_t;
+files_pid_file(cachefilesd_var_run_t)
+
+#
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
+#
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
+###############################################################################
+#
+# Permit RPM to deal with files in the cache
+#
+rpm_use_script_fds(cachefilesd_t)
+
+###############################################################################
+#
+# cachefilesd local policy
+#
+# These define what cachefilesd is permitted to do. This doesn't include very
+# much: startup stuff, logging, pid file, scanning the cache superstructure and
+# deleting files from the cache. It is not permitted to read/write files in
+# the cache.
+#
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
+allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override };
+
+# Basic access
+files_read_etc_files(cachefilesd_t)
+libs_use_ld_so(cachefilesd_t)
+libs_use_shared_libs(cachefilesd_t)
+miscfiles_read_localization(cachefilesd_t)
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
+term_dontaudit_use_generic_ptys(cachefilesd_t)
+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
+
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
+manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
+files_pid_file(cachefilesd_var_run_t)
+files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)
+files_create_as_is_all_files(cachefilesd_t)
+
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms;
+
+# Allow access to cache superstructure
+allow cachefilesd_t cachefiles_var_t : dir { rw_dir_perms rmdir };
+allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink };
+
+# Permit statfs on the backing filesystem
+fs_getattr_xattr_fs(cachefilesd_t)
+
+###############################################################################
+#
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
+# the kernel module the security context in which it should act, and this
+# policy has to approve that.
+#
+# There are two parts to this:
+#
+# (1) the security context used by the module to access files in the cache,
+# as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
+allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override };
+
+#
+# (2) the label that will be assigned to new files and directories created in
+# the cache by the module, which will be the same as the label on the
+# directory pointed to by the 'dir' command.
+#
+allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
+
+###############################################################################
+#
+# cachefiles kernel module local policy
+#
+# This governs what the kernel module is allowed to do the contents of the
+# cache.
+#
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
+allow cachefiles_kernel_t initrc_t:process sigchld;
+
+manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index 358b757..b819a47 100644
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@@ -42,9 +42,10 @@ manage_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
files_var_lib_filetrans(canna_t, canna_var_lib_t, file)
+manage_dirs_pattern(canna_t, canna_var_run_t, canna_var_run_t)
manage_files_pattern(canna_t, canna_var_run_t, canna_var_run_t)
manage_sock_files_pattern(canna_t, canna_var_run_t, canna_var_run_t)
-files_pid_filetrans(canna_t, canna_var_run_t, { file sock_file })
+files_pid_filetrans(canna_t, canna_var_run_t, { dir file sock_file })
kernel_read_kernel_sysctls(canna_t)
kernel_read_system_state(canna_t)
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index 4c90b57..bffe6b6 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -118,5 +118,10 @@ optional_policy(`
')
optional_policy(`
+ qpidd_rw_semaphores(ccs_t)
+ qpidd_rw_shm(ccs_t)
+')
+
+optional_policy(`
unconfined_use_fds(ccs_t)
')
diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
index 27fe7ca..221ea9e 100644
--- a/policy/modules/services/certmaster.if
+++ b/policy/modules/services/certmaster.if
@@ -18,6 +18,25 @@ interface(`certmaster_domtrans',`
domtrans_pattern($1, certmaster_exec_t, certmaster_t)
')
+####################################
+##
+## Execute certmaster.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_exec',`
+ gen_require(`
+ type certmaster_exec_t;
+ ')
+
+ can_exec($1, certmaster_exec_t)
+ corecmd_search_bin($1)
+')
+
#######################################
##
## read certmaster logs.
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
index 1573914..6e32117 100644
--- a/policy/modules/services/certmaster.te
+++ b/policy/modules/services/certmaster.te
@@ -60,6 +60,7 @@ corenet_tcp_bind_generic_node(certmaster_t)
corenet_tcp_bind_certmaster_port(certmaster_t)
files_search_etc(certmaster_t)
+files_read_usr_files(certmaster_t)
files_list_var(certmaster_t)
files_search_var_lib(certmaster_t)
diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if
index a3728d4..7a6e5ba 100644
--- a/policy/modules/services/certmonger.if
+++ b/policy/modules/services/certmonger.if
@@ -167,8 +167,8 @@ interface(`certmonger_admin',`
allow $2 system_r;
files_search_var_lib($1)
- admin_pattern($1, cermonger_var_lib_t)
+ admin_pattern($1, certmonger_var_lib_t)
files_search_pids($1)
- admin_pattern($1, cermonger_var_run_t)
+ admin_pattern($1, certmonger_var_run_t)
')
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
index 9e83ed7..52312f5 100644
--- a/policy/modules/services/certmonger.te
+++ b/policy/modules/services/certmonger.te
@@ -68,5 +68,5 @@ optional_policy(`
')
optional_policy(`
- unconfined_dbus_send(certmonger_t)
+ pcscd_stream_connect(certmonger_t)
')
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
index 8ca2333..63a18fc 100644
--- a/policy/modules/services/cgroup.te
+++ b/policy/modules/services/cgroup.te
@@ -22,8 +22,8 @@ files_pid_file(cgred_var_run_t)
type cgrules_etc_t;
files_config_file(cgrules_etc_t)
-type cgconfig_t;
-type cgconfig_exec_t;
+type cgconfig_t alias cgconfigparser_t;
+type cgconfig_exec_t alias cgconfigparser_exec_t;
init_daemon_domain(cgconfig_t, cgconfig_exec_t)
type cgconfig_initrc_exec_t;
@@ -52,7 +52,7 @@ fs_unmount_cgroup(cgclear_t)
# cgconfig personal policy.
#
-allow cgconfig_t self:capability { chown sys_admin };
+allow cgconfig_t self:capability { dac_override fowner chown sys_admin };
allow cgconfig_t cgconfig_etc_t:file read_file_perms;
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
index 9a0da94..5a98145 100644
--- a/policy/modules/services/chronyd.if
+++ b/policy/modules/services/chronyd.if
@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
domtrans_pattern($1, chronyd_exec_t, chronyd_t)
')
+########################################
+##
+## Execute chronyd server in the chronyd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_initrc_domtrans',`
+ gen_require(`
+ type chronyd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+')
+
####################################
##
## Execute chronyd
@@ -56,6 +74,64 @@ interface(`chronyd_read_log',`
read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
')
+########################################
+##
+## Read and write chronyd shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_rw_shm',`
+ gen_require(`
+ type chronyd_t, chronyd_tmpfs_t;
+ ')
+
+ allow $1 chronyd_t:shm rw_shm_perms;
+ allow $1 chronyd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
+ read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+##
+## Read chronyd keys files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_read_keys',`
+ gen_require(`
+ type chronyd_keys_t;
+ ')
+
+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
+########################################
+##
+## Append chronyd keys files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_append_keys',`
+ gen_require(`
+ type chronyd_keys_t;
+ ')
+
+ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
####################################
##
## All of the rules required to administrate
@@ -77,6 +153,7 @@ interface(`chronyd_admin',`
gen_require(`
type chronyd_t, chronyd_var_log_t;
type chronyd_var_run_t, chronyd_var_lib_t;
+ type chronyd_tmpfs_t;
type chronyd_initrc_exec_t, chronyd_keys_t;
')
@@ -100,6 +177,5 @@ interface(`chronyd_admin',`
files_search_pids($1)
admin_pattern($1, chronyd_var_run_t)
- files_search_tmp($1)
- admin_pattern($1, chronyd_tmp_t)
+ admin_pattern($1, chronyd_tmpfs_t)
')
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index fa82327..7f4ca47 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -15,6 +15,9 @@ init_script_file(chronyd_initrc_exec_t)
type chronyd_keys_t;
files_type(chronyd_keys_t)
+type chronyd_tmpfs_t;
+files_tmpfs_file(chronyd_tmpfs_t)
+
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
@@ -37,6 +40,10 @@ allow chronyd_t self:unix_dgram_socket create_socket_perms;
allow chronyd_t chronyd_keys_t:file read_file_perms;
+manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
+
manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
@@ -50,6 +57,7 @@ manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
+corenet_udp_bind_generic_node(chronyd_t)
corenet_udp_bind_ntp_port(chronyd_t)
# bind to udp/323
corenet_udp_bind_chronyd_port(chronyd_t)
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 8c36027..16598a4 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -80,6 +80,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
# var/lib files for clamd
+manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
@@ -89,9 +90,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
# pid file
+manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
-files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })
+files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir })
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
@@ -147,8 +149,10 @@ optional_policy(`
tunable_policy(`clamd_use_jit',`
allow clamd_t self:process execmem;
+ allow clamscan_t self:process execmem;
', `
dontaudit clamd_t self:process execmem;
+ dontaudit clamscan_t self:process execmem;
')
########################################
@@ -179,9 +183,15 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
allow freshclam_t freshclam_var_log_t:dir setattr;
-allow freshclam_t clamd_var_log_t:dir search_dir_perms;
+read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+kernel_read_kernel_sysctls(freshclam_t)
+kernel_read_system_state(freshclam_t)
+
+corecmd_exec_shell(freshclam_t)
+corecmd_exec_bin(freshclam_t)
+
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
@@ -189,6 +199,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
+corenet_tcp_connect_clamd_port(freshclam_t)
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
@@ -207,6 +218,8 @@ miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
+userdom_stream_connect(freshclam_t)
+
optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
@@ -251,6 +264,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
corenet_tcp_connect_clamd_port(clamscan_t)
kernel_read_kernel_sysctls(clamscan_t)
+kernel_read_system_state(clamscan_t)
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc
new file mode 100644
index 0000000..e500fa5
--- /dev/null
+++ b/policy/modules/services/cmirrord.fc
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
+
+/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
+
+/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if
new file mode 100644
index 0000000..d5b410f
--- /dev/null
+++ b/policy/modules/services/cmirrord.if
@@ -0,0 +1,118 @@
+
+## policy for cmirrord
+
+########################################
+##
+## Execute a domain transition to run cmirrord.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cmirrord_domtrans',`
+ gen_require(`
+ type cmirrord_t, cmirrord_exec_t;
+ ')
+
+ domtrans_pattern($1, cmirrord_exec_t, cmirrord_t)
+')
+
+########################################
+##
+## Execute cmirrord server in the cmirrord domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cmirrord_initrc_domtrans',`
+ gen_require(`
+ type cmirrord_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cmirrord_initrc_exec_t)
+')
+
+########################################
+##
+## Read cmirrord PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cmirrord_read_pid_files',`
+ gen_require(`
+ type cmirrord_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 cmirrord_var_run_t:file read_file_perms;
+')
+
+#######################################
+##
+## Read and write to cmirrord shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cmirrord_rw_shm',`
+ gen_require(`
+ type cmirrord_t;
+ type cmirrord_tmpfs_t;
+ ')
+
+ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
+ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an cmirrord environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`cmirrord_admin',`
+ gen_require(`
+ type cmirrord_t;
+ type cmirrord_initrc_exec_t;
+ type cmirrord_var_run_t;
+ ')
+
+ allow $1 cmirrord_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cmirrord_t)
+
+ cmirrord_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cmirrord_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, cmirrord_var_run_t)
+
+')
diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te
new file mode 100644
index 0000000..1e4adfa
--- /dev/null
+++ b/policy/modules/services/cmirrord.te
@@ -0,0 +1,56 @@
+policy_module(cmirrord,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cmirrord_t;
+type cmirrord_exec_t;
+init_daemon_domain(cmirrord_t, cmirrord_exec_t)
+
+permissive cmirrord_t;
+
+type cmirrord_initrc_exec_t;
+init_script_file(cmirrord_initrc_exec_t)
+
+type cmirrord_tmpfs_t;
+files_tmpfs_file(cmirrord_tmpfs_t)
+
+type cmirrord_var_run_t;
+files_pid_file(cmirrord_var_run_t)
+
+########################################
+#
+# cmirrord local policy
+#
+
+allow cmirrord_t self:capability { net_admin kill };
+allow cmirrord_t self:process signal;
+
+allow cmirrord_t self:fifo_file rw_fifo_file_perms;
+
+allow cmirrord_t self:sem create_sem_perms;
+allow cmirrord_t self:shm create_shm_perms;
+allow cmirrord_t self:netlink_socket create_socket_perms;
+allow cmirrord_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file })
+
+manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
+manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
+files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, { file })
+
+domain_use_interactive_fds(cmirrord_t)
+
+files_read_etc_files(cmirrord_t)
+
+logging_send_syslog_msg(cmirrord_t)
+
+miscfiles_read_localization(cmirrord_t)
+
+optional_policy(`
+ corosync_stream_connect(cmirrord_t)
+')
diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
index 1cf6c4e..90c60df 100644
--- a/policy/modules/services/cobbler.fc
+++ b/policy/modules/services/cobbler.fc
@@ -1,7 +1,32 @@
-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
-/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0)
+
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
+
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
+
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
+
+# This should removable when cobbler package installs /var/www/cobbler/rendered
+/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0)
+
+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
index 293e08d..1bdfe84 100644
--- a/policy/modules/services/cobbler.if
+++ b/policy/modules/services/cobbler.if
@@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',`
')
domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
+ corecmd_search_bin($1)
')
########################################
@@ -48,7 +49,7 @@ interface(`cobblerd_initrc_domtrans',`
########################################
##
-## Read Cobbler content in /etc
+## List Cobbler configuration.
##
##
##
@@ -56,19 +57,18 @@ interface(`cobblerd_initrc_domtrans',`
##
##
#
-interface(`cobbler_read_config',`
+interface(`cobbler_list_config',`
gen_require(`
type cobbler_etc_t;
')
- read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
+ list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_etc($1)
')
########################################
##
-## Do not audit attempts to read and write
-## Cobbler log files (leaked fd).
+## Read Cobbler configuration files.
##
##
##
@@ -76,12 +76,13 @@ interface(`cobbler_read_config',`
##
##
#
-interface(`cobbler_dontaudit_rw_log',`
+interface(`cobbler_read_config',`
gen_require(`
- type cobbler_var_log_t;
+ type cobbler_etc_t;
')
- dontaudit $1 cobbler_var_log_t:file rw_file_perms;
+ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ files_search_etc($1)
')
########################################
@@ -100,6 +101,7 @@ interface(`cobbler_search_lib',`
')
search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
@@ -119,6 +121,7 @@ interface(`cobbler_read_lib_files',`
')
read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
@@ -137,12 +140,33 @@ interface(`cobbler_manage_lib_files',`
type cobbler_var_lib_t;
')
+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
########################################
##
+## Do not audit attempts to read and write
+## Cobbler log files (leaked fd).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_dontaudit_rw_log',`
+ gen_require(`
+ type cobbler_var_log_t;
+ ')
+
+ dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
## All of the rules required to administrate
## an cobblerd environment
##
@@ -162,6 +186,9 @@ interface(`cobblerd_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
type cobbler_etc_t, cobblerd_initrc_exec_t;
+ type httpd_cobbler_content_t;
+ type httpd_cobbler_content_ra_t;
+ type httpd_cobbler_content_rw_t;
')
allow $1 cobblerd_t:process { ptrace signal_perms getattr };
@@ -176,10 +203,18 @@ interface(`cobblerd_admin',`
logging_search_logs($1)
admin_pattern($1, cobbler_var_log_t)
+ apache_search_sys_content($1)
+ admin_pattern($1, httpd_cobbler_content_t)
+ admin_pattern($1, httpd_cobbler_content_ra_t)
admin_pattern($1, httpd_cobbler_content_rw_t)
cobblerd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 cobblerd_initrc_exec_t system_r;
allow $2 system_r;
+
+ optional_policy(`
+ # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
+ tftp_search_rw_content($1)
+ ')
')
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
index 0258b48..6a6d7d7 100644
--- a/policy/modules/services/cobbler.te
+++ b/policy/modules/services/cobbler.te
@@ -12,6 +12,28 @@ policy_module(cobbler, 1.1.0)
##
##
gen_tunable(cobbler_anon_write, false)
+
+##
+##
+## Allow Cobbler to connect to the
+## network using TCP.
+##
+##
+gen_tunable(cobbler_can_network_connect, false)
+
+##
+##
+## Allow Cobbler to access cifs file systems.
+##
+##
+gen_tunable(cobbler_use_cifs, false)
+
+##
+##
+## Allow Cobbler to access nfs file systems.
+##
+##
+gen_tunable(cobbler_use_nfs, false)
type cobblerd_t;
type cobblerd_exec_t;
@@ -26,25 +48,40 @@ files_config_file(cobbler_etc_t)
type cobbler_var_log_t;
logging_log_file(cobbler_var_log_t)
-type cobbler_var_lib_t;
+type cobbler_var_lib_t alias cobbler_content_t;
files_type(cobbler_var_lib_t)
+type cobbler_tmp_t;
+files_tmp_file(cobbler_tmp_t)
+
########################################
#
# Cobbler personal policy.
#
-allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
+allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
+dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config };
+
allow cobblerd_t self:process { getsched setsched signal };
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
+allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
allow cobblerd_t self:tcp_socket create_stream_socket_perms;
+allow cobblerd_t self:udp_socket create_socket_perms;
+allow cobblerd_t self:unix_dgram_socket create_socket_perms;
list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t.
+dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms;
+
manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
-files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
+manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file })
+
+# Something really needs to write to cobbler.log. Ideally this should not be happening.
+allow cobblerd_t cobbler_var_log_t:file write;
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
@@ -52,7 +89,12 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
+manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
+manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
+files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
+
kernel_read_system_state(cobblerd_t)
+kernel_dontaudit_search_network_state(cobblerd_t)
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
@@ -65,26 +107,75 @@ corenet_tcp_bind_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_port(cobblerd_t)
+corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
+# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
+corenet_tcp_connect_ftp_port(cobblerd_t)
+corenet_tcp_sendrecv_ftp_port(cobblerd_t)
+corenet_sendrecv_ftp_client_packets(cobblerd_t)
+corenet_tcp_connect_http_port(cobblerd_t)
+corenet_tcp_sendrecv_http_port(cobblerd_t)
+corenet_sendrecv_http_client_packets(cobblerd_t)
dev_read_urand(cobblerd_t)
+domain_dontaudit_exec_all_entry_files(cobblerd_t)
+domain_dontaudit_read_all_domains_state(cobblerd_t)
+
+files_read_etc_files(cobblerd_t)
+# mtab
+files_read_etc_runtime_files(cobblerd_t)
files_read_usr_files(cobblerd_t)
files_list_boot(cobblerd_t)
+files_read_boot_files(cobblerd_t)
files_list_tmp(cobblerd_t)
-# read /etc/nsswitch.conf
-files_read_etc_files(cobblerd_t)
+
+# read from mounted images (install media)
+fs_read_iso9660_files(cobblerd_t)
+
+init_dontaudit_read_all_script_files(cobblerd_t)
+
+term_use_console(cobblerd_t)
miscfiles_read_localization(cobblerd_t)
miscfiles_read_public_files(cobblerd_t)
+selinux_dontaudit_read_fs(cobblerd_t)
+
sysnet_read_config(cobblerd_t)
sysnet_rw_dhcp_config(cobblerd_t)
sysnet_write_config(cobblerd_t)
+userdom_dontaudit_use_user_terminals(cobblerd_t)
+userdom_dontaudit_search_user_home_dirs(cobblerd_t)
+userdom_dontaudit_search_admin_dir(cobblerd_t)
+
tunable_policy(`cobbler_anon_write',`
miscfiles_manage_public_files(cobblerd_t)
')
+tunable_policy(`cobbler_can_network_connect',`
+ corenet_tcp_connect_all_ports(cobblerd_t)
+ corenet_tcp_sendrecv_all_ports(cobblerd_t)
+ corenet_sendrecv_all_client_packets(cobblerd_t)
+')
+
+tunable_policy(`cobbler_use_cifs',`
+ fs_manage_cifs_dirs(cobblerd_t)
+ fs_manage_cifs_files(cobblerd_t)
+ fs_manage_cifs_symlinks(cobblerd_t)
+')
+
+tunable_policy(`cobbler_use_nfs',`
+ fs_manage_nfs_dirs(cobblerd_t)
+ fs_manage_nfs_files(cobblerd_t)
+ fs_manage_nfs_symlinks(cobblerd_t)
+')
+
+optional_policy(`
+ # Cobbler traverses /var/www to get to /var/www/cobbler/*
+ apache_search_sys_content(cobblerd_t)
+')
+
optional_policy(`
bind_read_config(cobblerd_t)
bind_write_config(cobblerd_t)
@@ -95,6 +186,10 @@ optional_policy(`
')
optional_policy(`
+ certmaster_exec(cobblerd_t)
+')
+
+optional_policy(`
dhcpd_domtrans(cobblerd_t)
dhcpd_initrc_domtrans(cobblerd_t)
')
@@ -106,16 +201,28 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(cobblerd_t)
+')
+
+optional_policy(`
rpm_exec(cobblerd_t)
')
optional_policy(`
- rsync_read_config(cobblerd_t)
- rsync_write_config(cobblerd_t)
+ rsync_exec(cobblerd_t)
+ rsync_manage_config(cobblerd_t)
+ # cobbler creates /etc/rsync.conf if its not there.
+ rsync_filetrans_config(cobblerd_t, file)
')
optional_policy(`
- tftp_manage_rw_content(cobblerd_t)
+ # Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images.
+ # tftp_manage_rw_content(cobblerd_t) can be used instead if:
+ # 1. cobbler package installs /var/lib/tftpdir/images.
+ # 2. no FILES in /var/lib/TFTPDIR are hard linked.
+ # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
+ # are any of those hard linked?
+ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
')
########################################
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
index 42c6bd7..51afa67 100644
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
@@ -95,3 +95,22 @@ interface(`consolekit_read_pid_files',`
files_search_pids($1)
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
')
+
+########################################
+##
+## List consolekit PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_list_pid_files',`
+ gen_require(`
+ type consolekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
index daf151d..cc2058b 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t)
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
+type consolekit_tmpfs_t;
+files_tmpfs_file(consolekit_tmpfs_t)
+
########################################
#
# consolekit local policy
@@ -69,7 +72,10 @@ logging_send_audit_msgs(consolekit_t)
miscfiles_read_localization(consolekit_t)
+# consolekit needs to be able to ptrace all logged in users
+userdom_ptrace_all_users(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
hal_ptrace(consolekit_t)
@@ -83,6 +89,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ cron_read_system_job_lib_files(consolekit_t)
+')
+
+optional_policy(`
dbus_system_domain(consolekit_t, consolekit_exec_t)
optional_policy(`
@@ -99,16 +109,21 @@ optional_policy(`
')
optional_policy(`
- policykit_dbus_chat(consolekit_t)
+ networkmanager_append_log(consolekit_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(consolekit_t)
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
policykit_read_reload(consolekit_t)
')
optional_policy(`
- type consolekit_tmpfs_t;
- files_tmpfs_file(consolekit_tmpfs_t)
+ shutdown_domtrans(consolekit_t)
+')
+optional_policy(`
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
xserver_non_drawing_client(consolekit_t)
@@ -125,5 +140,6 @@ optional_policy(`
optional_policy(`
#reading .Xauthity
+ unconfined_ptrace(consolekit_t)
unconfined_stream_connect(consolekit_t)
')
diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
index 3a6d7eb..2098ee9 100644
--- a/policy/modules/services/corosync.fc
+++ b/policy/modules/services/corosync.fc
@@ -3,6 +3,7 @@
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
index 7d2cf85..9d97456 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -5,6 +5,13 @@ policy_module(corosync, 1.0.0)
# Declarations
#
+##
+##
+## Allow corosync to read and write generic tmpfs files.
+##
+##
+gen_tunable(allow_corosync_rw_tmpfs, false)
+
type corosync_t;
type corosync_exec_t;
init_daemon_domain(corosync_t, corosync_exec_t)
@@ -32,8 +39,8 @@ files_pid_file(corosync_var_run_t)
# corosync local policy
#
-allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
-allow corosync_t self:process { setrlimit setsched signal };
+allow corosync_t self:capability { dac_override sys_nice sys_ptrace sys_resource ipc_lock };
+allow corosync_t self:process { setrlimit setsched signal signull };
allow corosync_t self:fifo_file rw_fifo_file_perms;
allow corosync_t self:sem create_sem_perms;
@@ -41,6 +48,8 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
allow corosync_t self:unix_dgram_socket create_socket_perms;
allow corosync_t self:udp_socket create_socket_perms;
+can_exec(corosync_t, corosync_exec_t)
+
manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
@@ -63,8 +72,10 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
kernel_read_system_state(corosync_t)
+kernel_read_network_state(corosync_t)
corecmd_exec_bin(corosync_t)
+corecmd_exec_shell(corosync_t)
corenet_udp_bind_netsupport_port(corosync_t)
@@ -73,6 +84,7 @@ dev_read_urand(corosync_t)
domain_read_all_domains_state(corosync_t)
files_manage_mounttab(corosync_t)
+files_read_usr_files(corosync_t)
auth_use_nsswitch(corosync_t)
@@ -83,19 +95,30 @@ logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
+userdom_delete_user_tmpfs_files(corosync_t)
userdom_rw_user_tmpfs_files(corosync_t)
+tunable_policy(`allow_corosync_rw_tmpfs',`
+ fs_rw_tmpfs_files(corosync_t)
+')
+
optional_policy(`
ccs_read_config(corosync_t)
')
optional_policy(`
- # to communication with RHCS
- rhcs_rw_dlm_controld_semaphores(corosync_t)
+ cmirrord_rw_shm(corosync_t)
+')
- rhcs_rw_fenced_semaphores(corosync_t)
+optional_policy(`
+ lvm_rw_clvmd_tmpfs_files(corosync_t)
+')
- rhcs_rw_gfs_controld_semaphores(corosync_t)
+optional_policy(`
+ # to communication with RHCS
+ rhcs_rw_cluster_shm(corosync_t)
+ rhcs_rw_cluster_semaphores(corosync_t)
+ rhcs_stream_connect_cluster(corosync_t)
')
optional_policy(`
diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
index 37b03f6..9971337 100644
--- a/policy/modules/services/courier.if
+++ b/policy/modules/services/courier.if
@@ -38,10 +38,12 @@ template(`courier_domain_template',`
read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t)
allow courier_$1_t courier_etc_t:dir list_dir_perms;
+ manage_dirs_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
files_search_pids(courier_$1_t)
+ files_pid_filetrans(courier_$1_t, courier_var_run_t, dir)
kernel_read_system_state(courier_$1_t)
kernel_read_kernel_sysctls(courier_$1_t)
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index b96c242..72901d8 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -48,6 +48,7 @@ allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:process sigchld;
+allow courier_authdaemon_t courier_tcpd_t:fd use;
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
index 2eefc08..3e8ad69 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
@@ -14,7 +14,7 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -45,3 +45,7 @@ ifdef(`distro_suse', `
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 35241ed..cbd01be 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -12,6 +12,10 @@
##
#
template(`cron_common_crontab_template',`
+ gen_require(`
+ type crond_t, crond_var_run_t;
+ ')
+
##############################
#
# Declarations
@@ -34,8 +38,12 @@ template(`cron_common_crontab_template',`
allow $1_t self:process { setsched signal_perms };
allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t $1_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_t, $1_tmp_t, file)
+ allow $1_t crond_t:process signal;
+ allow $1_t crond_var_run_t:file read_file_perms;
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
# create files in /var/spool/cron
manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
@@ -62,6 +70,7 @@ template(`cron_common_crontab_template',`
logging_send_syslog_msg($1_t)
logging_send_audit_msgs($1_t)
+ logging_set_loginuid($1_t)
init_dontaudit_write_utmp($1_t)
init_read_utmp($1_t)
@@ -76,6 +85,7 @@ template(`cron_common_crontab_template',`
userdom_use_user_terminals($1_t)
# Read user crontabs
userdom_read_user_home_content_files($1_t)
+ userdom_read_user_home_content_symlinks($1_t)
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
@@ -106,6 +116,8 @@ template(`cron_common_crontab_template',`
interface(`cron_role',`
gen_require(`
type cronjob_t, crontab_t, crontab_exec_t;
+ type user_cron_spool_t;
+ type crond_t;
')
role $1 types { cronjob_t crontab_t };
@@ -116,6 +128,13 @@ interface(`cron_role',`
# Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, crontab_t)
+ allow crond_t $2:process transition;
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ allow $2 crond_t:process sigchld;
+
+ # needs to be authorized SELinux context for cron
+ allow $2 user_cron_spool_t:file entrypoint;
+
# crontab shows up in user ps
ps_process_pattern($2, crontab_t)
allow $2 crontab_t:process signal;
@@ -154,27 +173,14 @@ interface(`cron_role',`
#
interface(`cron_unconfined_role',`
gen_require(`
- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
+ type unconfined_cronjob_t;
')
- role $1 types { unconfined_cronjob_t crontab_t };
+ role $1 types unconfined_cronjob_t;
# cronjob shows up in user ps
ps_process_pattern($2, unconfined_cronjob_t)
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, crontab_t)
-
- # crontab shows up in user ps
- ps_process_pattern($2, crontab_t)
- allow $2 crontab_t:process signal;
-
- # Run helper programs as the user domain
- #corecmd_bin_domtrans(crontab_t, $2)
- #corecmd_shell_domtrans(crontab_t, $2)
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
-
optional_policy(`
gen_require(`
class dbus send_msg;
@@ -408,7 +414,43 @@ interface(`cron_rw_pipes',`
type crond_t;
')
- allow $1 crond_t:fifo_file { getattr read write };
+ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Read and write inherited user spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_rw_inherited_user_spool_files',`
+ gen_require(`
+ type user_cron_spool_t;
+ ')
+
+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
+## Read and write inherited spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_rw_inherited_spool_files',`
+ gen_require(`
+ type cron_spool_t;
+ ')
+
+ allow $1 cron_spool_t:file rw_inherited_file_perms;
')
########################################
@@ -554,7 +596,7 @@ interface(`cron_rw_system_job_pipes',`
type system_cronjob_t;
')
- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@@ -587,11 +629,14 @@ interface(`cron_rw_system_job_stream_sockets',`
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
- type system_cronjob_tmp_t;
+ type system_cronjob_tmp_t, cron_var_run_t;
')
files_search_tmp($1)
allow $1 system_cronjob_tmp_t:file read_file_perms;
+
+ files_search_pids($1)
+ allow $1 cron_var_run_t:file read_file_perms;
')
########################################
@@ -627,7 +672,48 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
+ type cron_var_run_t;
+ type system_cronjob_var_run_t;
')
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+ dontaudit $1 cron_var_run_t:file write_file_perms;
+')
+
+########################################
+##
+## Read temporary files from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_read_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+
+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+##
+## Manage files from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_manage_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index f35b243..38a83ea 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t)
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
+files_poly_parent(crond_tmp_t)
+mta_system_content(crond_tmp_t)
type crond_var_run_t;
files_pid_file(crond_var_run_t)
+mta_system_content(crond_var_run_t)
type crontab_exec_t;
application_executable_file(crontab_exec_t)
@@ -79,6 +82,7 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+allow admin_crontab_t crond_t:process signal;
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
@@ -87,6 +91,7 @@ type system_cronjob_t alias system_crond_t;
init_daemon_domain(system_cronjob_t, anacron_exec_t)
corecmd_shell_entry_type(system_cronjob_t)
role system_r types system_cronjob_t;
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
@@ -108,6 +113,14 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
+mta_system_content(user_cron_spool_t)
+
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
########################################
#
@@ -138,7 +151,7 @@ tunable_policy(`fcron_crond', `
allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
@@ -193,6 +206,8 @@ corecmd_list_bin(crond_t)
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
+domain_subj_id_change_exemption(crond_t)
+domain_role_change_exemption(crond_t)
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
@@ -208,7 +223,9 @@ init_spec_domtrans_script(crond_t)
auth_use_nsswitch(crond_t)
+logging_send_audit_msgs(crond_t)
logging_send_syslog_msg(crond_t)
+logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
@@ -219,8 +236,10 @@ miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
+userdom_create_all_users_keys(crond_t)
mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
ifdef(`distro_debian',`
# pam_limits is used
@@ -240,8 +259,17 @@ ifdef(`distro_redhat', `
')
')
-tunable_policy(`fcron_crond', `
- allow crond_t system_cron_spool_t:file manage_file_perms;
+tunable_policy(`allow_polyinstantiation',`
+ files_polyinstantiate_all(crond_t)
+')
+
+optional_policy(`
+ apache_search_sys_content(crond_t)
+')
+
+optional_policy(`
+ djbdns_search_tinydns_keys(crond_t)
+ djbdns_link_tinydns_keys(crond_t)
')
optional_policy(`
@@ -250,6 +278,20 @@ optional_policy(`
')
optional_policy(`
+ # these should probably be unconfined_crond_t
+ dbus_system_bus_client(crond_t)
+ init_dbus_send_script(crond_t)
+')
+
+optional_policy(`
+ mono_domtrans(crond_t)
+')
+
+tunable_policy(`fcron_crond', `
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+')
+
+optional_policy(`
amanda_search_var_lib(crond_t)
')
@@ -259,6 +301,8 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(crond_t)
+ hal_write_log(crond_t)
+ hal_dbus_chat(system_cronjob_t)
')
optional_policy(`
@@ -290,6 +334,8 @@ optional_policy(`
#
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+dontaudit system_cronjob_t self:capability sys_ptrace;
+
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
@@ -301,10 +347,17 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
-allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
+allow system_cronjob_t cron_var_run_t:file manage_file_perms;
+files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
+
allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
+# anacron forces the following
+manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
@@ -324,6 +377,7 @@ allow crond_t system_cronjob_t:fd use;
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:key manage_key_perms;
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
@@ -335,9 +389,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+# var/lib files for system_crond
+files_search_var_lib(system_cronjob_t)
+manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+
# Read from /var/spool/cron.
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
-allow system_cronjob_t cron_spool_t:file read_file_perms;
+allow system_cronjob_t cron_spool_t:file rw_file_perms;
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
@@ -360,6 +418,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
+dev_read_sysfs(system_cronjob_t)
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
@@ -386,6 +445,7 @@ files_dontaudit_search_pids(system_cronjob_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
+files_create_boot_flag(system_cronjob_t)
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
@@ -410,6 +470,8 @@ seutil_read_config(system_cronjob_t)
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
@@ -434,6 +496,8 @@ optional_policy(`
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
+ apache_delete_cache_dirs(system_cronjob_t)
+ apache_delete_cache_files(system_cronjob_t)
')
optional_policy(`
@@ -441,6 +505,14 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_bus_client(system_cronjob_t)
+')
+
+optional_policy(`
+ exim_read_spool_files(system_cronjob_t)
+')
+
+optional_policy(`
ftp_read_log(system_cronjob_t)
')
@@ -451,15 +523,24 @@ optional_policy(`
')
optional_policy(`
+ livecd_read_tmp_files(system_cronjob_t)
+')
+
+optional_policy(`
lpd_list_spool(system_cronjob_t)
')
optional_policy(`
+ mono_domtrans(system_cronjob_t)
+')
+
+optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
')
optional_policy(`
mta_send_mail(system_cronjob_t)
+ mta_system_content(system_cron_spool_t)
')
optional_policy(`
@@ -475,7 +556,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
- prelink_relabelfrom_lib(system_cronjob_t)
+ prelink_relabel_lib(system_cronjob_t)
')
optional_policy(`
@@ -490,6 +571,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
+ spamassassin_manage_home_client(system_cronjob_t)
')
optional_policy(`
@@ -497,6 +579,9 @@ optional_policy(`
')
optional_policy(`
+ unconfined_dbus_send(crond_t)
+ unconfined_shell_domtrans(crond_t)
+ unconfined_domain(crond_t)
unconfined_domain(system_cronjob_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
@@ -590,7 +675,10 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow cronjob_t user_cron_spool_t:file manage_lnk_file_perms;
tunable_policy(`fcron_crond', `
allow crond_t user_cron_spool_t:file manage_file_perms;
diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
index 1b492ed..286ec9e 100644
--- a/policy/modules/services/cups.fc
+++ b/policy/modules/services/cups.fc
@@ -71,3 +71,9 @@
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/usr/local/Brother/fax/.*\.log gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index 305ddf4..fb3454a 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -190,10 +190,12 @@ interface(`cups_dbus_chat_config',`
interface(`cups_read_config',`
gen_require(`
type cupsd_etc_t, cupsd_rw_etc_t;
+ type hplip_etc_t;
')
files_search_etc($1)
read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
')
@@ -314,11 +316,12 @@ interface(`cups_stream_connect_ptal',`
interface(`cups_admin',`
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+ type cupsd_etc_t, cupsd_log_t;
type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
type cupsd_var_run_t, ptal_etc_t;
type ptal_var_run_t, hplip_var_run_t;
type cupsd_initrc_exec_t;
+ type hplip_etc_t;
')
allow $1 cupsd_t:process { ptrace signal_perms };
@@ -341,15 +344,14 @@ interface(`cups_admin',`
admin_pattern($1, cupsd_lpd_var_run_t)
- admin_pattern($1, cupsd_spool_t)
- files_list_spool($1)
-
admin_pattern($1, cupsd_tmp_t)
files_list_tmp($1)
admin_pattern($1, cupsd_var_run_t)
files_list_pids($1)
+ admin_pattern($1, hplip_etc_t)
+
admin_pattern($1, hplip_var_run_t)
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 0f28095..11e74af 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
type cupsd_t;
type cupsd_exec_t;
init_daemon_domain(cupsd_t, cupsd_exec_t)
+mls_trusted_object(cupsd_t)
type cupsd_etc_t;
files_config_file(cupsd_etc_t)
@@ -123,6 +124,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
files_search_etc(cupsd_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
@@ -137,6 +139,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
allow cupsd_t cupsd_lock_t:file manage_file_perms;
files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
+manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
allow cupsd_t cupsd_log_t:dir setattr;
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
@@ -147,10 +150,11 @@ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
allow cupsd_t cupsd_var_run_t:dir setattr;
+manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
-files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file })
+files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir file fifo_file })
allow cupsd_t hplip_t:process { signal sigkill };
@@ -297,8 +301,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
+ # talk to processes that do not have policy
optional_policy(`
unconfined_dbus_chat(cupsd_t)
+ files_write_generic_pid_pipes(cupsd_t)
')
')
@@ -371,8 +377,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
+manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
-files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
+files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
@@ -425,6 +432,7 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
+userdom_rw_user_tmp_files(cupsd_config_t)
cups_stream_connect(cupsd_config_t)
@@ -453,6 +461,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(cupsd_config_t)
+')
+
+optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
@@ -587,13 +599,19 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
+miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t)
+userdom_dontaudit_search_admin_dir(cups_pdf_t)
lpd_manage_spool(cups_pdf_t)
+optional_policy(`
+ gnome_read_config(cups_pdf_t)
+')
tunable_policy(`use_nfs_home_dirs',`
fs_search_auto_mountpoints(cups_pdf_t)
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 88e7e97..9e8d14b 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -112,4 +112,5 @@ optional_policy(`
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
diff --git a/policy/modules/services/cyphesis.te b/policy/modules/services/cyphesis.te
index 346f926..1f789f8 100644
--- a/policy/modules/services/cyphesis.te
+++ b/policy/modules/services/cyphesis.te
@@ -36,9 +36,10 @@ logging_log_filetrans(cyphesis_t, cyphesis_log_t, file)
allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms;
files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file)
+manage_dirs_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
-files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { file sock_file })
+files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { dir file sock_file })
kernel_read_system_state(cyphesis_t)
kernel_read_kernel_sysctls(cyphesis_t)
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index 2a0f1c1..ab82c3c 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
# Local policy
#
-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource };
dontaudit cyrus_t self:capability sys_tty_config;
allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow cyrus_t self:process setrlimit;
@@ -135,6 +135,7 @@ optional_policy(`
')
optional_policy(`
+ files_dontaudit_write_usr_dirs(cyrus_t)
snmp_read_snmp_var_lib_files(cyrus_t)
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 39e901a..e385f2f 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -42,8 +42,10 @@ template(`dbus_role_template',`
gen_require(`
class dbus { send_msg acquire_svc };
+ attribute dbusd_unconfined;
attribute session_bus_type;
type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+ type $1_t;
')
##############################
@@ -76,7 +78,7 @@ template(`dbus_role_template',`
allow $3 $1_dbusd_t:unix_stream_socket connectto;
# SE-DBus specific permissions
- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
@@ -91,7 +93,7 @@ template(`dbus_role_template',`
allow $3 $1_dbusd_t:process { signull sigkill signal };
# cjp: this seems very broken
- corecmd_bin_domtrans($1_dbusd_t, $3)
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
allow $1_dbusd_t $3:process sigkill;
allow $3 $1_dbusd_t:fd use;
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
@@ -149,13 +151,20 @@ template(`dbus_role_template',`
term_use_all_terms($1_dbusd_t)
- userdom_read_user_home_content_files($1_dbusd_t)
+ userdom_dontaudit_search_admin_dir($1_dbusd_t)
+ userdom_manage_user_home_content_dirs($1_dbusd_t)
+ userdom_manage_user_home_content_files($1_dbusd_t)
+ userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })
ifdef(`hide_broken_symptoms', `
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
')
optional_policy(`
+ gnome_read_gconf_home_files($1_dbusd_t)
+ ')
+
+ optional_policy(`
hal_dbus_chat($1_dbusd_t)
')
@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
+ attribute dbusd_unconfined;
')
# SE-DBus specific permissions
allow $1 { system_dbusd_t self }:dbus send_msg;
+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
@@ -431,13 +442,26 @@ interface(`dbus_system_domain',`
domtrans_pattern(system_dbusd_t, $2, $1)
+ fs_search_all($1)
+
dbus_system_bus_client($1)
dbus_connect_system_bus($1)
+ init_stream_connect($1)
+
ps_process_pattern(system_dbusd_t, $1)
+ userdom_dontaudit_search_admin_dir($1)
userdom_read_all_users_state($1)
+ optional_policy(`
+ rpm_script_dbus_chat($1)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_send($1)
+ ')
+
ifdef(`hide_broken_symptoms', `
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index b738e94..4b3d9c4 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file)
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
@@ -121,7 +122,9 @@ files_read_usr_files(system_dbusd_t)
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
+init_bin_domtrans_spec(system_dbusd_t)
init_domtrans_script(system_dbusd_t)
+init_rw_stream_sockets(system_dbusd_t)
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
@@ -141,7 +144,15 @@ optional_policy(`
')
optional_policy(`
- policykit_dbus_chat(system_dbusd_t)
+ gnome_exec_gconf(system_dbusd_t)
+')
+
+optional_policy(`
+ networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
')
@@ -158,5 +169,12 @@ optional_policy(`
#
# Unconfined access to this module
#
-
allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
+
+optional_policy(`
+ xserver_use_xdm_fds(session_bus_type)
+ xserver_rw_xdm_pipes(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
+')
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index f02cfe4..0cb9ac9 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@@ -231,8 +231,9 @@ manage_dirs_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
+manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
-files_pid_filetrans(dccd_t, dccd_var_run_t, file)
+files_pid_filetrans(dccd_t, dccd_var_run_t, { file dir })
kernel_read_system_state(dccd_t)
kernel_read_kernel_sysctls(dccd_t)
diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
index 8ba9425..d53ee7e 100644
--- a/policy/modules/services/denyhosts.te
+++ b/policy/modules/services/denyhosts.te
@@ -25,7 +25,8 @@ logging_log_file(denyhosts_var_log_t)
#
# DenyHosts personal policy.
#
-
+# Bug #588563
+allow denyhosts_t self:capability sys_tty_config;
allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
allow denyhosts_t self:tcp_socket create_socket_perms;
allow denyhosts_t self:udp_socket create_socket_perms;
@@ -53,20 +54,28 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
corenet_tcp_sendrecv_generic_node(denyhosts_t)
corenet_tcp_bind_generic_node(denyhosts_t)
corenet_tcp_connect_smtp_port(denyhosts_t)
+corenet_tcp_connect_sype_port(denyhosts_t)
corenet_sendrecv_smtp_client_packets(denyhosts_t)
dev_read_urand(denyhosts_t)
files_read_etc_files(denyhosts_t)
+files_read_usr_files(denyhosts_t)
# /var/log/secure
logging_read_generic_logs(denyhosts_t)
+logging_send_syslog_msg(denyhosts_t)
miscfiles_read_localization(denyhosts_t)
+sysnet_dns_name_resolve(denyhosts_t)
sysnet_manage_config(denyhosts_t)
sysnet_etc_filetrans_config(denyhosts_t)
optional_policy(`
cron_system_entry(denyhosts_t, denyhosts_exec_t)
')
+
+optional_policy(`
+ gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index f231f17..6cee08f 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+allow devicekit_disk_t devicekit_var_run_t:dir mounton;
manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
+kernel_list_unlabeled(devicekit_disk_t)
kernel_getattr_message_if(devicekit_disk_t)
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
@@ -105,8 +107,10 @@ domain_read_all_domains_state(devicekit_disk_t)
files_dontaudit_read_all_symlinks(devicekit_disk_t)
files_getattr_all_sockets(devicekit_disk_t)
-files_getattr_all_mountpoints(devicekit_disk_t)
+files_getattr_all_dirs(devicekit_disk_t)
files_getattr_all_files(devicekit_disk_t)
+files_getattr_all_pipes(devicekit_disk_t)
+files_manage_boot_dirs(devicekit_disk_t)
files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
files_read_etc_files(devicekit_disk_t)
@@ -178,17 +182,27 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
+optional_policy(`
+ unconfined_domain(devicekit_t)
+ unconfined_domain(devicekit_power_t)
+ unconfined_domain(devicekit_disk_t)
+')
+
########################################
#
# DeviceKit-Power local policy
#
allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
-allow devicekit_power_t self:process getsched;
+allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
+manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
+
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
@@ -212,12 +226,14 @@ dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_generic_chr_files(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
+dev_read_rand(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
fs_list_inotifyfs(devicekit_power_t)
+fs_getattr_all_fs(devicekit_power_t)
term_use_all_terms(devicekit_power_t)
@@ -225,8 +241,11 @@ auth_use_nsswitch(devicekit_power_t)
miscfiles_read_localization(devicekit_power_t)
+modutils_domtrans_insmod(devicekit_power_t)
+
sysnet_read_config(devicekit_power_t)
sysnet_domtrans_ifconfig(devicekit_power_t)
+sysnet_domtrans_dhcpc(devicekit_power_t)
userdom_read_all_users_state(devicekit_power_t)
@@ -261,6 +280,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_read_home_config(devicekit_power_t)
+')
+
+optional_policy(`
hal_domtrans_mac(devicekit_power_t)
hal_manage_log(devicekit_power_t)
hal_manage_pid_dirs(devicekit_power_t)
@@ -280,5 +303,10 @@ optional_policy(`
')
optional_policy(`
+ usbmuxd_stream_connect(devicekit_power_t)
+')
+
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
+
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index d4424ad..a307b51 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -111,6 +111,10 @@ optional_policy(`
')
optional_policy(`
+ cobbler_dontaudit_rw_log(dhcpd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
index 22221ad..bd97d09 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
@@ -22,6 +22,8 @@ djbdns_daemontools_domain_template(tinydns)
# Local policy for axfrdns component
#
+files_config_file(djbdns_axfrdns_conf_t)
+
daemontools_ipc_domain(djbdns_axfrdns_t)
daemontools_read_svc(djbdns_axfrdns_t)
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index fdaeeba..a50a8a7 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -96,6 +96,10 @@ optional_policy(`
')
optional_policy(`
+ cron_manage_pid_files(dnsmasq_t)
+')
+
+optional_policy(`
dbus_system_bus_client(dnsmasq_t)
')
diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
index bfc880b..9a1dcba 100644
--- a/policy/modules/services/dovecot.fc
+++ b/policy/modules/services/dovecot.fc
@@ -25,7 +25,7 @@ ifdef(`distro_debian', `
ifdef(`distro_redhat', `
/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
')
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
index e1d7dc5..09f6f30 100644
--- a/policy/modules/services/dovecot.if
+++ b/policy/modules/services/dovecot.if
@@ -93,12 +93,14 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
#
interface(`dovecot_admin',`
gen_require(`
- type dovecot_t, dovecot_etc_t, dovecot_log_t;
+ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
type dovecot_spool_t, dovecot_var_lib_t;
- type dovecot_var_run_t;
+ type dovecot_var_run_t, dovecot_tmp_t;
+ type dovecot_var_log_t;
type dovecot_cert_t, dovecot_passwd_t;
type dovecot_initrc_exec_t;
+ type dovecot_keytab_t;
')
allow $1 dovecot_t:process { ptrace signal_perms };
@@ -112,8 +114,11 @@ interface(`dovecot_admin',`
files_list_etc($1)
admin_pattern($1, dovecot_etc_t)
- logging_list_logs($1)
- admin_pattern($1, dovecot_log_t)
+ files_list_tmp($1)
+ admin_pattern($1, dovecot_auth_tmp_t)
+ admin_pattern($1, dovecot_tmp_t)
+
+ admin_pattern($1, dovecot_keytab_t)
files_list_spool($1)
admin_pattern($1, dovecot_spool_t)
@@ -121,6 +126,9 @@ interface(`dovecot_admin',`
files_list_var_lib($1)
admin_pattern($1, dovecot_var_lib_t)
+ logging_search_logs($1)
+ admin_pattern($1, dovecot_var_log_t)
+
files_list_pids($1)
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 14c6a2e..c771d46 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
files_tmp_file(dovecot_auth_tmp_t)
type dovecot_cert_t;
-files_type(dovecot_cert_t)
+miscfiles_cert_type(dovecot_cert_t)
type dovecot_deliver_t;
type dovecot_deliver_exec_t;
@@ -58,7 +58,7 @@ files_pid_file(dovecot_var_run_t)
allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
-allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
+allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
allow dovecot_t self:fifo_file rw_fifo_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
@@ -72,7 +72,8 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
-allow dovecot_t dovecot_etc_t:file read_file_perms;
+allow dovecot_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
files_search_etc(dovecot_t)
can_exec(dovecot_t, dovecot_exec_t)
@@ -94,10 +95,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file })
kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)
@@ -159,6 +161,11 @@ optional_policy(`
')
optional_policy(`
+ postfix_manage_private_sockets(dovecot_t)
+ postfix_search_spool(dovecot_t)
+')
+
+optional_policy(`
postgresql_stream_connect(dovecot_t)
')
@@ -242,6 +249,7 @@ optional_policy(`
')
optional_policy(`
+ postfix_manage_private_sockets(dovecot_auth_t)
postfix_search_spool(dovecot_auth_t)
')
@@ -253,19 +261,27 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
allow dovecot_deliver_t dovecot_t:process signull;
-allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
+
+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+
+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
+
kernel_read_all_sysctls(dovecot_deliver_t)
kernel_read_system_state(dovecot_deliver_t)
+corecmd_exec_bin(dovecot_deliver_t)
+
files_read_etc_files(dovecot_deliver_t)
files_read_etc_runtime_files(dovecot_deliver_t)
auth_use_nsswitch(dovecot_deliver_t)
logging_send_syslog_msg(dovecot_deliver_t)
-logging_search_logs(dovecot_auth_t)
+logging_search_logs(dovecot_deliver_t)
miscfiles_read_localization(dovecot_deliver_t)
@@ -302,4 +318,5 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
+ mta_read_queue(dovecot_deliver_t)
')
diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc
index 298f066..c2570df 100644
--- a/policy/modules/services/exim.fc
+++ b/policy/modules/services/exim.fc
@@ -1,3 +1,6 @@
+
+/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
+
/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
index 6bef7f8..0217906 100644
--- a/policy/modules/services/exim.if
+++ b/policy/modules/services/exim.if
@@ -20,6 +20,24 @@ interface(`exim_domtrans',`
########################################
##
+## Execute exim in the exim domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`exim_initrc_domtrans', `
+ gen_require(`
+ type exim_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, exim_initrc_exec_t)
+')
+
+########################################
+##
## Do not audit attempts to read,
## exim tmp files
##
@@ -194,3 +212,46 @@ interface(`exim_manage_spool_files',`
manage_files_pattern($1, exim_spool_t, exim_spool_t)
files_search_spool($1)
')
+
+########################################
+##
+## All of the rules required to administrate
+## an exim environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`exim_admin', `
+ gen_require(`
+ type exim_t, exim_initrc_exec_t, exim_log_t;
+ type exim_tmp_t, exim_spool_t, exim_var_run_t;
+ ')
+
+ allow $1 exim_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, exim_t, exim_t)
+
+ exim_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 exim_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, exim_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, exim_tmp_t)
+
+ files_search_spool($1)
+ admin_pattern($1, exim_spool_t)
+
+ files_search_pids($1)
+ admin_pattern($1, exim_var_run_t)
+')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index db36bfa..b55c438 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -35,6 +35,9 @@ mta_mailserver_user_agent(exim_t)
application_executable_file(exim_exec_t)
mta_agent_executable(exim_exec_t)
+type exim_initrc_exec_t;
+init_script_file(exim_initrc_exec_t)
+
type exim_log_t;
logging_log_file(exim_log_t)
@@ -171,6 +174,10 @@ optional_policy(`
')
optional_policy(`
+ nagios_search_spool(exim_t)
+')
+
+optional_policy(`
tunable_policy(`exim_can_connect_db',`
mysql_stream_connect(exim_t)
')
@@ -184,6 +191,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
+ procmail_read_home_files(exim_t)
')
optional_policy(`
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
index f590a1f..e4261f5 100644
--- a/policy/modules/services/fail2ban.if
+++ b/policy/modules/services/fail2ban.if
@@ -138,6 +138,26 @@ interface(`fail2ban_read_pid_files',`
########################################
##
+## dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fail2ban_dontaudit_leaks',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ dontaudit $1 fail2ban_t:tcp_socket { read write };
+ dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+##
## All of the rules required to administrate
## an fail2ban environment
##
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index 2a69e5e..fd30b02 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -94,5 +94,9 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(fail2ban_t)
+')
+
+optional_policy(`
iptables_domtrans(fail2ban_t)
')
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index c92403b..f50e0f1 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -37,8 +37,9 @@ allow fetchmail_t fetchmail_etc_t:file read_file_perms;
allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
+manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
-files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, file)
+files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file })
kernel_read_kernel_sysctls(fetchmail_t)
kernel_list_proc(fetchmail_t)
diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
index 7df52c7..54fada0 100644
--- a/policy/modules/services/fprintd.te
+++ b/policy/modules/services/fprintd.te
@@ -54,4 +54,5 @@ optional_policy(`
policykit_read_lib(fprintd_t)
policykit_dbus_chat(fprintd_t)
policykit_domtrans_auth(fprintd_t)
+ policykit_dbus_chat_auth(fprintd_t)
')
diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
index 69dcd2a..a9a9116 100644
--- a/policy/modules/services/ftp.fc
+++ b/policy/modules/services/ftp.fc
@@ -29,3 +29,4 @@
/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 8a74a83..34a0014 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
##
##
+## Allow ftp servers to use connect to mysql database
+##
+##
+gen_tunable(ftpd_connect_db, false)
+
+##
+##
## Allow ftp to read and write files in the user home directories
##
##
@@ -70,6 +77,14 @@ gen_tunable(sftpd_enable_homedirs, false)
##
gen_tunable(sftpd_full_access, false)
+##