diff --git a/abrt.fc b/abrt.fc
index 1a93dc5..40dda9e 100644
--- a/abrt.fc
+++ b/abrt.fc
@@ -1,31 +1,41 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
+
+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
+/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
+
+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-install-ccpp-hook -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
-/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
-/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
-/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
+/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+
+/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
+
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
-/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/abrt.if b/abrt.if
index 058d908..9d57403 100644
--- a/abrt.if
+++ b/abrt.if
@@ -1,4 +1,26 @@
-## Automated bug-reporting tool.
+## ABRT - automated bug-reporting tool
+
+######################################
+##
+## Creates types and rules for a basic
+## ABRT daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`abrt_basic_types_template',`
+ gen_require(`
+ attribute abrt_domain;
+ ')
+
+ type $1_t, abrt_domain;
+ type $1_exec_t;
+
+ kernel_read_system_state($1_t)
+')
######################################
##
@@ -40,7 +62,7 @@ interface(`abrt_exec',`
########################################
##
-## Send null signals to abrt.
+## Send a null signal to abrt.
##
##
##
@@ -58,7 +80,7 @@ interface(`abrt_signull',`
########################################
##
-## Read process state of abrt.
+## Allow the domain to read abrt state files in /proc.
##
##
##
@@ -71,12 +93,13 @@ interface(`abrt_read_state',`
type abrt_t;
')
+ kernel_search_proc($1)
ps_process_pattern($1, abrt_t)
')
########################################
##
-## Connect to abrt over an unix stream socket.
+## Connect to abrt over a unix stream socket.
##
##
##
@@ -116,8 +139,7 @@ interface(`abrt_dbus_chat',`
#####################################
##
-## Execute abrt-helper in the abrt
-## helper domain.
+## Execute abrt-helper in the abrt-helper domain.
##
##
##
@@ -130,15 +152,13 @@ interface(`abrt_domtrans_helper',`
type abrt_helper_t, abrt_helper_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
')
########################################
##
-## Execute abrt helper in the abrt
-## helper domain, and allow the
-## specified role the abrt helper domain.
+## Execute abrt helper in the abrt_helper domain, and
+## allow the specified role the abrt_helper domain.
##
##
##
@@ -163,8 +183,26 @@ interface(`abrt_run_helper',`
########################################
##
-## Create, read, write, and delete
-## abrt cache files.
+## Read abrt cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_read_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
+########################################
+##
+## Append abrt cache
##
##
##
@@ -172,15 +210,37 @@ interface(`abrt_run_helper',`
##
##
#
-interface(`abrt_cache_manage',`
- refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
- abrt_manage_cache($1)
+interface(`abrt_append_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+
+ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## abrt cache content.
+## Read/Write inherited abrt cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_rw_inherited_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+
+ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
+## Manage abrt cache
##
##
##
@@ -193,7 +253,6 @@ interface(`abrt_manage_cache',`
type abrt_var_cache_t;
')
- files_search_var($1)
manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
@@ -201,7 +260,7 @@ interface(`abrt_manage_cache',`
####################################
##
-## Read abrt configuration files.
+## Read abrt configuration file.
##
##
##
@@ -220,7 +279,7 @@ interface(`abrt_read_config',`
######################################
##
-## Read abrt log files.
+## Read abrt logs.
##
##
##
@@ -258,8 +317,7 @@ interface(`abrt_read_pid_files',`
######################################
##
-## Create, read, write, and delete
-## abrt PID files.
+## Create, read, write, and delete abrt PID files.
##
##
##
@@ -276,10 +334,51 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
+########################################
+##
+## Read and write abrt fifo files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_rw_fifo_file',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Execute abrt server in the abrt domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`abrt_systemctl',`
+ gen_require(`
+ type abrt_t;
+ type abrt_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 abrt_unit_file_t:file manage_file_perms;
+ allow $1 abrt_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, abrt_t)
+')
+
#####################################
##
-## All of the rules required to
-## administrate an abrt environment,
+## All of the rules required to administrate
+## an abrt environment
##
##
##
@@ -288,39 +387,172 @@ interface(`abrt_manage_pid_files',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the abrt domain.
##
##
##
#
interface(`abrt_admin',`
gen_require(`
- attribute abrt_domain;
- type abrt_t, abrt_etc_t, abrt_initrc_exec_t;
- type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t;
- type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t;
+ type abrt_t, abrt_etc_t;
+ type abrt_var_cache_t, abrt_var_log_t;
+ type abrt_var_run_t, abrt_tmp_t;
+ type abrt_initrc_exec_t;
+ type abrt_unit_file_t;
')
- allow $1 abrt_domain:process { ptrace signal_perms };
- ps_process_pattern($1, abrt_domain)
+ allow $1 abrt_t:process { signal_perms };
+ ps_process_pattern($1, abrt_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 abrt_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, abrt_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 abrt_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, abrt_etc_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, abrt_var_log_t)
- files_search_var($1)
- admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t })
+ files_list_var($1)
+ admin_pattern($1, abrt_var_cache_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, abrt_var_run_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, abrt_tmp_t)
+
+ abrt_systemctl($1)
+ admin_pattern($1, abrt_unit_file_t)
+ allow $1 abrt_unit_file_t:service all_service_perms;
+')
+
+####################################
+##
+## Execute abrt-retrace in the abrt-retrace domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`abrt_domtrans_retrace_worker',`
+ gen_require(`
+ type abrt_retrace_worker_t, abrt_retrace_worker_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t)
+')
+
+######################################
+##
+## Manage abrt retrace server cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_manage_spool_retrace',`
+ gen_require(`
+ type abrt_retrace_spool_t;
+ ')
+
+ manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+')
+
+#####################################
+##
+## Read abrt retrace server cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_read_spool_retrace',`
+ gen_require(`
+ type abrt_retrace_spool_t;
+ ')
+
+ list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+')
+
+
+#####################################
+##
+## Read abrt retrace server cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_read_cache_retrace',`
+ gen_require(`
+ type abrt_retrace_cache_t;
+ ')
+
+ list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+ read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
')
+
+########################################
+##
+## Do not audit attempts to write abrt sock files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`abrt_dontaudit_write_sock_file',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ dontaudit $1 abrt_t:sock_file write;
+')
+
+########################################
+##
+## Transition to abrt named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_filetrans_named_content',`
+ gen_require(`
+ type abrt_tmp_t;
+ type abrt_etc_t;
+ type abrt_var_cache_t;
+ type abrt_var_run_t;
+ ')
+
+ files_tmp_filetrans($1, abrt_tmp_t, dir, "abrt")
+ files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
+ files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
+')
+
diff --git a/abrt.te b/abrt.te
index eb50f07..021ddae 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
#
##
-##
-## Determine whether ABRT can modify
-## public files used for public file
-## transfer services.
-##
+##
+## Allow ABRT to modify public files
+## used for public file transfer services.
+##
##
gen_tunable(abrt_anon_write, false)
@@ -37,13 +36,15 @@ attribute abrt_domain;
attribute_role abrt_helper_roles;
roleattribute system_r abrt_helper_roles;
-type abrt_t, abrt_domain;
-type abrt_exec_t;
+abrt_basic_types_template(abrt)
init_daemon_domain(abrt_t, abrt_exec_t)
type abrt_initrc_exec_t;
init_script_file(abrt_initrc_exec_t)
+type abrt_unit_file_t;
+systemd_unit_file(abrt_unit_file_t)
+
type abrt_etc_t;
files_config_file(abrt_etc_t)
@@ -55,69 +56,75 @@ files_tmp_file(abrt_tmp_t)
type abrt_var_cache_t;
files_type(abrt_var_cache_t)
+files_tmp_file(abrt_var_cache_t)
+userdom_user_tmp_content(abrt_var_cache_t)
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
-type abrt_dump_oops_t, abrt_domain;
-type abrt_dump_oops_exec_t;
+abrt_basic_types_template(abrt_dump_oops)
init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
-type abrt_handle_event_t, abrt_domain;
-type abrt_handle_event_exec_t;
-domain_type(abrt_handle_event_t)
-domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t)
+abrt_basic_types_template(abrt_handle_event)
+application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
role system_r types abrt_handle_event_t;
-type abrt_helper_t, abrt_domain;
-type abrt_helper_exec_t;
+# type needed to allow all domains
+# to handle /var/cache/abrt
+# type needed to allow all domains
+# to handle /var/cache/abrt
+abrt_basic_types_template(abrt_helper)
application_domain(abrt_helper_t, abrt_helper_exec_t)
role abrt_helper_roles types abrt_helper_t;
-type abrt_retrace_coredump_t, abrt_domain;
-type abrt_retrace_coredump_exec_t;
-domain_type(abrt_retrace_coredump_t)
-domain_entry_file(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
-role system_r types abrt_retrace_coredump_t;
-
-type abrt_retrace_worker_t, abrt_domain;
-type abrt_retrace_worker_exec_t;
-domain_type(abrt_retrace_worker_t)
-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+abrt_basic_types_template(abrt_retrace_worker)
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
role system_r types abrt_retrace_worker_t;
+abrt_basic_types_template(abrt_retrace_coredump)
+application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
+role system_r types abrt_retrace_coredump_t;
+
type abrt_retrace_cache_t;
files_type(abrt_retrace_cache_t)
type abrt_retrace_spool_t;
-files_type(abrt_retrace_spool_t)
+files_spool_file(abrt_retrace_spool_t)
-type abrt_watch_log_t, abrt_domain;
-type abrt_watch_log_exec_t;
+abrt_basic_types_template(abrt_watch_log)
init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
-type abrt_upload_watch_t, abrt_domain;
-type abrt_upload_watch_exec_t;
+abrt_basic_types_template(abrt_upload_watch)
init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
+type abrt_upload_watch_tmp_t;
+files_tmp_file(abrt_upload_watch_tmp_t)
+
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')
########################################
#
-# Local policy
+# abrt local policy
#
-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
-dontaudit abrt_t self:capability sys_rawio;
+allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
+dontaudit abrt_t self:capability { sys_rawio sys_ptrace };
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+
allow abrt_t self:fifo_file rw_fifo_file_perms;
-allow abrt_t self:tcp_socket { accept listen };
+allow abrt_t self:tcp_socket create_stream_socket_perms;
+allow abrt_t self:udp_socket create_socket_perms;
+allow abrt_t self:unix_dgram_socket create_socket_perms;
+allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
-allow abrt_t abrt_etc_t:dir list_dir_perms;
+# abrt etc files
+list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+# log file
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
@@ -125,23 +132,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+can_exec(abrt_t, abrt_tmp_t)
+# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
+files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")
+# abrt pid files
manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
-can_exec(abrt_t, abrt_tmp_t)
+manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
kernel_read_ring_buffer(abrt_t)
-kernel_read_system_state(abrt_t)
+kernel_read_network_state(abrt_t)
kernel_request_load_module(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
@@ -150,16 +163,14 @@ corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
-corenet_all_recvfrom_unlabeled(abrt_t)
corenet_tcp_sendrecv_generic_if(abrt_t)
corenet_tcp_sendrecv_generic_node(abrt_t)
-corenet_tcp_sendrecv_all_ports(abrt_t)
+corenet_tcp_sendrecv_generic_port(abrt_t)
corenet_tcp_bind_generic_node(abrt_t)
-
-corenet_sendrecv_all_client_packets(abrt_t)
corenet_tcp_connect_http_port(abrt_t)
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
+corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
@@ -176,29 +187,39 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
-files_read_usr_files(abrt_t)
+files_read_var_lib_files(abrt_t)
+files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
+files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
files_dontaudit_read_all_symlinks(abrt_t)
files_dontaudit_getattr_all_sockets(abrt_t)
files_list_mnt(abrt_t)
+fs_list_all(abrt_t)
+fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
fs_getattr_all_dirs(abrt_t)
-fs_list_inotifyfs(abrt_t)
fs_read_fusefs_files(abrt_t)
fs_read_noxattr_fs_files(abrt_t)
fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
+logging_read_generic_logs(abrt_t)
+logging_send_syslog_msg(abrt_t)
+logging_stream_connect_syslog(abrt_t)
+logging_read_syslog_pid(abrt_t)
+
auth_use_nsswitch(abrt_t)
-logging_read_generic_logs(abrt_t)
+init_read_utmp(abrt_t)
+miscfiles_read_generic_certs(abrt_t)
miscfiles_read_public_files(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
@@ -206,15 +227,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
- apache_read_module_files(abrt_t)
+ apache_read_modules(abrt_t)
')
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
-
- optional_policy(`
- policykit_dbus_chat(abrt_t)
- ')
')
optional_policy(`
@@ -222,6 +239,20 @@ optional_policy(`
')
optional_policy(`
+ kdump_read_crash(abrt_t)
+')
+
+optional_policy(`
+ mcelog_read_log(abrt_t)
+')
+
+optional_policy(`
+ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
+ mozilla_plugin_read_rw_files(abrt_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
@@ -233,6 +264,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
+# to install debuginfo packages
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
@@ -243,6 +275,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
+# to run mailx plugin
optional_policy(`
sendmail_domtrans(abrt_t)
')
@@ -253,9 +286,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
+optional_policy(`
+ sssd_stream_connect(abrt_t)
+')
+
+optional_policy(`
+ xserver_read_log(abrt_t)
+')
+
#######################################
#
-# Handle-event local policy
+# abrt-handle-event local policy
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
@@ -266,9 +307,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
+optional_policy(`
+ unconfined_domain(abrt_handle_event_t)
+')
+
########################################
#
-# Helper local policy
+# abrt--helper local policy
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
@@ -281,6 +326,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+files_tmp_filetrans(abrt_helper_t, abrt_var_cache_t, dir, "abrt")
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -289,15 +335,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
+files_dontaudit_all_non_security_leaks(abrt_helper_t)
+
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
auth_use_nsswitch(abrt_helper_t)
+logging_send_syslog_msg(abrt_helper_t)
+
term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
ifdef(`hide_broken_symptoms',`
+ domain_dontaudit_leaks(abrt_helper_t)
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
@@ -305,11 +356,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
+')
+
+ifdef(`hide_broken_symptoms',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
')
#######################################
#
-# Retrace coredump policy
+# abrt retrace coredump policy
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
@@ -327,10 +392,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
-files_read_usr_files(abrt_retrace_coredump_t)
+
+logging_send_syslog_msg(abrt_retrace_coredump_t)
sysnet_dns_name_resolve(abrt_retrace_coredump_t)
+# to install debuginfo packages
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
@@ -343,10 +410,11 @@ optional_policy(`
#######################################
#
-# Retrace worker policy
+# abrt retrace worker policy
#
-allow abrt_retrace_worker_t self:capability setuid;
+allow abrt_retrace_worker_t self:capability { setuid };
+
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
@@ -365,38 +433,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
-files_read_usr_files(abrt_retrace_worker_t)
+
+logging_send_syslog_msg(abrt_retrace_worker_t)
sysnet_dns_name_resolve(abrt_retrace_worker_t)
+optional_policy(`
+ mock_domtrans(abrt_retrace_worker_t)
+ mock_manage_lib_files(abrt_t)
+')
+
########################################
#
-# Dump oops local policy
+# abrt_dump_oops local policy
#
allow abrt_dump_oops_t self:capability dac_override;
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
files_search_spool(abrt_dump_oops_t)
manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
+files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt")
read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
+kernel_read_debugfs(abrt_dump_oops_t)
kernel_read_kernel_sysctls(abrt_dump_oops_t)
kernel_read_ring_buffer(abrt_dump_oops_t)
domain_use_interactive_fds(abrt_dump_oops_t)
fs_list_inotifyfs(abrt_dump_oops_t)
+fs_list_pstorefs(abrt_dump_oops_t)
logging_read_generic_logs(abrt_dump_oops_t)
+logging_send_syslog_msg(abrt_dump_oops_t)
#######################################
#
@@ -404,7 +482,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
-allow abrt_watch_log_t self:unix_stream_socket { accept listen };
+allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms;
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
@@ -413,16 +491,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
+logging_send_syslog_msg(abrt_watch_log_t)
+
+tunable_policy(`abrt_upload_watch_anon_write',`
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
#######################################
#
# Upload watch local policy
#
+allow abrt_upload_watch_t self:capability dac_override;
+
+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
+
+read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
+
+manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
+
corecmd_exec_bin(abrt_upload_watch_t)
+dev_read_urand(abrt_upload_watch_t)
+
+files_search_spool(abrt_upload_watch_t)
+
+auth_read_passwd(abrt_upload_watch_t)
+
tunable_policy(`abrt_upload_watch_anon_write',`
- miscfiles_manage_public_files(abrt_upload_watch_t)
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(abrt_upload_watch_t)
')
#######################################
@@ -430,10 +534,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
-kernel_read_system_state(abrt_domain)
+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
files_read_etc_files(abrt_domain)
-
-logging_send_syslog_msg(abrt_domain)
-
-miscfiles_read_localization(abrt_domain)
diff --git a/accountsd.fc b/accountsd.fc
index f9d8d7a..0682710 100644
--- a/accountsd.fc
+++ b/accountsd.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0)
+
/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
/usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
diff --git a/accountsd.if b/accountsd.if
index bd5ec9a..a5ed692 100644
--- a/accountsd.if
+++ b/accountsd.if
@@ -126,23 +126,50 @@ interface(`accountsd_manage_lib_files',`
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
-##
+#
+interface(`accountsd_systemctl',`
+ gen_require(`
+ type accountsd_t;
+ type accountsd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 accountsd_unit_file_t:file read_file_perms;
+ allow $1 accountsd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, accountsd_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an accountsd environment
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
interface(`accountsd_admin',`
gen_require(`
type accountsd_t;
+ type accountsd_unit_file_t;
')
- allow $1 accountsd_t:process { ptrace signal_perms };
+ allow $1 accountsd_t:process signal_perms;
ps_process_pattern($1, accountsd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 accountsd_t:process ptrace;
+ ')
+
accountsd_manage_lib_files($1)
+
+ accountsd_systemctl($1)
+ admin_pattern($1, accountsd_unit_file_t)
+ allow $1 accountsd_unit_file_t:service all_service_perms;
')
diff --git a/accountsd.te b/accountsd.te
index 3593510..b6a0f70 100644
--- a/accountsd.te
+++ b/accountsd.te
@@ -4,6 +4,10 @@ gen_require(`
class passwd all_passwd_perms;
')
+gen_require(`
+ class passwd { passwd chfn chsh rootok crontab };
+')
+
########################################
#
# Declarations
@@ -11,11 +15,15 @@ gen_require(`
type accountsd_t;
type accountsd_exec_t;
-dbus_system_domain(accountsd_t, accountsd_exec_t)
+init_daemon_domain(accountsd_t, accountsd_exec_t)
+role system_r types accountsd_t;
type accountsd_var_lib_t;
files_type(accountsd_var_lib_t)
+type accountsd_unit_file_t;
+systemd_unit_file(accountsd_unit_file_t)
+
########################################
#
# Local policy
@@ -38,7 +46,6 @@ corecmd_exec_bin(accountsd_t)
dev_read_sysfs(accountsd_t)
files_read_mnt_files(accountsd_t)
-files_read_usr_files(accountsd_t)
fs_getattr_xattr_fs(accountsd_t)
fs_list_inotifyfs(accountsd_t)
@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t)
auth_read_login_records(accountsd_t)
auth_read_shadow(accountsd_t)
-miscfiles_read_localization(accountsd_t)
+init_dbus_chat(accountsd_t)
logging_list_logs(accountsd_t)
logging_send_syslog_msg(accountsd_t)
@@ -66,9 +73,16 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_domain(accountsd_t, accountsd_exec_t)
+')
+
+optional_policy(`
policykit_dbus_chat(accountsd_t)
')
optional_policy(`
xserver_read_xdm_tmp_files(accountsd_t)
+ xserver_read_state_xdm(accountsd_t)
+ xserver_dbus_chat_xdm(accountsd_t)
+ xserver_manage_xdm_etc_files(accountsd_t)
')
diff --git a/acct.if b/acct.if
index 81280d0..bc4038b 100644
--- a/acct.if
+++ b/acct.if
@@ -83,6 +83,24 @@ interface(`acct_manage_data',`
########################################
##
+## Dontaudit Attempts to list acct_data directory
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`acct_dontaudit_list_data',`
+ gen_require(`
+ type acct_data_t;
+ ')
+
+ dontaudit $1 acct_data_t:dir list_dir_perms;
+')
+
+#######################################
+##
## All of the rules required to
## administrate an acct environment.
##
@@ -103,9 +121,13 @@ interface(`acct_admin',`
type acct_t, acct_initrc_exec_t, acct_data_t;
')
- allow $1 acct_t:process { ptrace signal_perms };
+ allow $1 acct_t:process { signal_perms };
ps_process_pattern($1, acct_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 acct_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, acct_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 acct_initrc_exec_t system_r;
diff --git a/acct.te b/acct.te
index 8b9ad83..f4f2486 100644
--- a/acct.te
+++ b/acct.te
@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t)
dev_read_sysfs(acct_t)
dev_read_urand(acct_t)
-domain_use_interactive_fds(acct_t)
-
fs_search_auto_mountpoints(acct_t)
fs_getattr_xattr_fs(acct_t)
@@ -49,7 +47,6 @@ term_dontaudit_use_console(acct_t)
term_dontaudit_use_generic_ptys(acct_t)
files_read_etc_runtime_files(acct_t)
-files_list_usr(acct_t)
auth_use_nsswitch(acct_t)
@@ -59,8 +56,6 @@ init_exec_script_files(acct_t)
logging_send_syslog_msg(acct_t)
-miscfiles_read_localization(acct_t)
-
userdom_dontaudit_search_user_home_dirs(acct_t)
userdom_dontaudit_use_unpriv_user_fds(acct_t)
diff --git a/ada.te b/ada.te
index 8d42c97..2377f8f 100644
--- a/ada.te
+++ b/ada.te
@@ -20,7 +20,7 @@ role ada_roles types ada_t;
allow ada_t self:process { execstack execmem };
-userdom_use_user_terminals(ada_t)
+userdom_use_inherited_user_terminals(ada_t)
optional_policy(`
unconfined_domain(ada_t)
diff --git a/afs.if b/afs.if
index 3b41be6..97d99f9 100644
--- a/afs.if
+++ b/afs.if
@@ -40,6 +40,24 @@ interface(`afs_rw_udp_sockets',`
########################################
##
+## Read AFS config data
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`afs_read_config',`
+ gen_require(`
+ type afs_config_t;
+ ')
+
+ read_files_pattern($1, afs_config_t, afs_config_t)
+')
+
+########################################
+##
## Read and write afs cache files.
##
##
@@ -95,13 +113,17 @@ interface(`afs_initrc_domtrans',`
interface(`afs_admin',`
gen_require(`
attribute afs_domain;
- type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
+ type afs_t, afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
type afs_ka_db_t, afs_vl_db_t, afs_config_t;
type afs_logfile_t, afs_cache_t, afs_files_t;
')
- allow $1 afs_domain:process { ptrace signal_perms };
- ps_process_pattern($1, afs_domain)
+ allow $1 afs_t:process signal_perms;
+ ps_process_pattern($1, afs_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 afs_t:process ptrace;
+ ')
afs_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/afs.te b/afs.te
index 90ce637..2e9f5d9 100644
--- a/afs.te
+++ b/afs.te
@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
kernel_rw_afs_state(afs_t)
+corenet_all_recvfrom_netlabel(afs_t)
+corenet_tcp_sendrecv_generic_if(afs_t)
+corenet_udp_sendrecv_generic_if(afs_t)
+corenet_tcp_sendrecv_generic_node(afs_t)
+corenet_udp_sendrecv_generic_node(afs_t)
+corenet_tcp_sendrecv_all_ports(afs_t)
+corenet_udp_sendrecv_all_ports(afs_t)
+corenet_udp_bind_generic_node(afs_t)
+
files_mounton_mnt(afs_t)
-files_read_usr_files(afs_t)
files_rw_etc_runtime_files(afs_t)
fs_getattr_xattr_fs(afs_t)
@@ -93,6 +101,12 @@ fs_read_nfs_symlinks(afs_t)
logging_send_syslog_msg(afs_t)
+sysnet_dns_name_resolve(afs_t)
+
+ifdef(`hide_broken_symptoms',`
+ kernel_rw_unlabeled_files(afs_t)
+')
+
########################################
#
# AFS bossserver local policy
@@ -125,7 +139,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
kernel_read_kernel_sysctls(afs_bosserver_t)
-corenet_all_recvfrom_unlabeled(afs_bosserver_t)
corenet_all_recvfrom_netlabel(afs_bosserver_t)
corenet_udp_sendrecv_generic_if(afs_bosserver_t)
corenet_udp_sendrecv_generic_node(afs_bosserver_t)
@@ -136,7 +149,6 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t)
files_list_home(afs_bosserver_t)
-files_read_usr_files(afs_bosserver_t)
seutil_read_config(afs_bosserver_t)
@@ -151,9 +163,6 @@ allow afs_fsserver_t self:process { setsched signal_perms };
allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
-read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
-allow afs_fsserver_t afs_config_t:dir list_dir_perms;
-
manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
@@ -175,12 +184,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t)
corenet_all_recvfrom_unlabeled(afs_fsserver_t)
corenet_all_recvfrom_netlabel(afs_fsserver_t)
+corenet_tcp_bind_generic_node(afs_fsserver_t)
+corenet_udp_bind_generic_node(afs_fsserver_t)
corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
corenet_udp_sendrecv_generic_if(afs_fsserver_t)
corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
corenet_udp_sendrecv_generic_node(afs_fsserver_t)
-corenet_tcp_bind_generic_node(afs_fsserver_t)
-corenet_udp_bind_generic_node(afs_fsserver_t)
+corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
+corenet_udp_sendrecv_all_ports(afs_fsserver_t)
corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
@@ -190,7 +201,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
files_read_etc_runtime_files(afs_fsserver_t)
files_list_home(afs_fsserver_t)
-files_read_usr_files(afs_fsserver_t)
files_list_pids(afs_fsserver_t)
files_dontaudit_search_mnt(afs_fsserver_t)
@@ -224,7 +234,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
kernel_read_kernel_sysctls(afs_kaserver_t)
-corenet_all_recvfrom_unlabeled(afs_kaserver_t)
corenet_all_recvfrom_netlabel(afs_kaserver_t)
corenet_udp_sendrecv_generic_if(afs_kaserver_t)
corenet_udp_sendrecv_generic_node(afs_kaserver_t)
@@ -239,7 +248,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t)
corenet_udp_sendrecv_kerberos_port(afs_kaserver_t)
files_list_home(afs_kaserver_t)
-files_read_usr_files(afs_kaserver_t)
seutil_read_config(afs_kaserver_t)
@@ -253,16 +261,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t)
allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
-read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
-allow afs_ptserver_t afs_config_t:dir list_dir_perms;
-
manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
-corenet_all_recvfrom_unlabeled(afs_ptserver_t)
corenet_all_recvfrom_netlabel(afs_ptserver_t)
corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
corenet_udp_sendrecv_generic_if(afs_ptserver_t)
@@ -274,6 +278,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
corenet_udp_bind_afs_pt_port(afs_ptserver_t)
corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
+sysnet_read_config(afs_ptserver_t)
+
userdom_dontaudit_use_user_terminals(afs_ptserver_t)
########################################
@@ -284,16 +290,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t)
allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
-read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
-allow afs_vlserver_t afs_config_t:dir list_dir_perms;
-
manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
-corenet_all_recvfrom_unlabeled(afs_vlserver_t)
corenet_all_recvfrom_netlabel(afs_vlserver_t)
corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
corenet_udp_sendrecv_generic_if(afs_vlserver_t)
@@ -314,8 +316,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
allow afs_domain self:udp_socket create_socket_perms;
-files_read_etc_files(afs_domain)
-
-miscfiles_read_localization(afs_domain)
+read_files_pattern(afs_domain, afs_config_t, afs_config_t)
+allow afs_domain afs_config_t:dir list_dir_perms;
sysnet_read_config(afs_domain)
+
diff --git a/aiccu.if b/aiccu.if
index 3b5dcb9..fbe187f 100644
--- a/aiccu.if
+++ b/aiccu.if
@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
type aiccu_var_run_t;
')
- allow $1 aiccu_t:process { ptrace signal_perms };
+ allow $1 aiccu_t:process signal_perms;
ps_process_pattern($1, aiccu_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 aiccu_t:process ptrace;
+ ')
+
aiccu_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 aiccu_initrc_exec_t system_r;
diff --git a/aiccu.te b/aiccu.te
index 5d2b90e..f1cf098 100644
--- a/aiccu.te
+++ b/aiccu.te
@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
corenet_tcp_bind_generic_node(aiccu_t)
corenet_tcp_sendrecv_generic_if(aiccu_t)
corenet_tcp_sendrecv_generic_node(aiccu_t)
-
corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
corenet_tcp_connect_sixxsconfig_port(aiccu_t)
corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
@@ -60,11 +59,10 @@ domain_use_interactive_fds(aiccu_t)
dev_read_rand(aiccu_t)
dev_read_urand(aiccu_t)
-files_read_etc_files(aiccu_t)
-logging_send_syslog_msg(aiccu_t)
+auth_read_passwd(aiccu_t)
-miscfiles_read_localization(aiccu_t)
+logging_send_syslog_msg(aiccu_t)
optional_policy(`
modutils_domtrans_insmod(aiccu_t)
diff --git a/aide.if b/aide.if
index 01cbb67..94a4a24 100644
--- a/aide.if
+++ b/aide.if
@@ -67,9 +67,13 @@ interface(`aide_admin',`
type aide_t, aide_db_t, aide_log_t;
')
- allow $1 aide_t:process { ptrace signal_perms };
+ allow $1 aide_t:process signal_perms;
ps_process_pattern($1, aide_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 aide_t:process ptrace;
+ ')
+
aide_run($1, $2)
files_list_etc($1)
diff --git a/aide.te b/aide.te
index 03831e6..cfc9115 100644
--- a/aide.te
+++ b/aide.te
@@ -10,6 +10,7 @@ attribute_role aide_roles;
type aide_t;
type aide_exec_t;
application_domain(aide_t, aide_exec_t)
+cron_system_entry(aide_t, aide_exec_t)
role aide_roles types aide_t;
type aide_log_t;
@@ -23,22 +24,30 @@ files_type(aide_db_t)
# Local policy
#
-allow aide_t self:capability { dac_override fowner };
+allow aide_t self:capability { dac_override fowner ipc_lock sys_admin };
manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+files_var_lib_filetrans(aide_t, aide_db_t, { dir file })
-create_files_pattern(aide_t, aide_log_t, aide_log_t)
-append_files_pattern(aide_t, aide_log_t, aide_log_t)
-setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
+manage_files_pattern(aide_t, aide_log_t, aide_log_t)
logging_log_filetrans(aide_t, aide_log_t, file)
files_read_all_files(aide_t)
files_read_all_symlinks(aide_t)
+files_getattr_all_pipes(aide_t)
+files_getattr_all_sockets(aide_t)
+
+mls_file_read_to_clearance(aide_t)
+mls_file_write_to_clearance(aide_t)
logging_send_audit_msgs(aide_t)
logging_send_syslog_msg(aide_t)
-userdom_use_user_terminals(aide_t)
+userdom_use_inherited_user_terminals(aide_t)
+
+optional_policy(`
+ prelink_domtrans(aide_t)
+')
optional_policy(`
seutil_use_newrole_fds(aide_t)
diff --git a/aisexec.if b/aisexec.if
index a2997fa..861cebd 100644
--- a/aisexec.if
+++ b/aisexec.if
@@ -83,9 +83,13 @@ interface(`aisexecd_admin',`
type aisexec_initrc_exec_t;
')
- allow $1 aisexec_t:process { ptrace signal_perms };
+ allow $1 aisexec_t:process signal_perms;
ps_process_pattern($1, aisexec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 aisexec_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 aisexec_initrc_exec_t system_r;
diff --git a/aisexec.te b/aisexec.te
index 4e4f063..808e067 100644
--- a/aisexec.te
+++ b/aisexec.te
@@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
kernel_read_system_state(aisexec_t)
corecmd_exec_bin(aisexec_t)
+corecmd_exec_shell(aisexec_t)
corenet_all_recvfrom_unlabeled(aisexec_t)
corenet_all_recvfrom_netlabel(aisexec_t)
@@ -95,8 +96,6 @@ init_rw_script_tmp_files(aisexec_t)
logging_send_syslog_msg(aisexec_t)
-miscfiles_read_localization(aisexec_t)
-
userdom_rw_unpriv_user_semaphores(aisexec_t)
userdom_rw_unpriv_user_shared_mem(aisexec_t)
@@ -105,6 +104,11 @@ optional_policy(`
')
optional_policy(`
+ corosync_domtrans(aisexec_t)
+')
+
+optional_policy(`
+ # to communication with RHCS
rhcs_rw_dlm_controld_semaphores(aisexec_t)
rhcs_rw_fenced_semaphores(aisexec_t)
diff --git a/ajaxterm.fc b/ajaxterm.fc
new file mode 100644
index 0000000..aeb1888
--- /dev/null
+++ b/ajaxterm.fc
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
+
+/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0)
+
+/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
diff --git a/ajaxterm.if b/ajaxterm.if
new file mode 100644
index 0000000..7abe946
--- /dev/null
+++ b/ajaxterm.if
@@ -0,0 +1,90 @@
+## policy for ajaxterm
+
+########################################
+##
+## Execute a domain transition to run ajaxterm.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ajaxterm_domtrans',`
+ gen_require(`
+ type ajaxterm_t, ajaxterm_exec_t;
+ ')
+
+ domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
+')
+
+########################################
+##
+## Execute ajaxterm server in the ajaxterm domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ajaxterm_initrc_domtrans',`
+ gen_require(`
+ type ajaxterm_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
+')
+
+#######################################
+##
+## Read and write the ajaxterm pty type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ajaxterm_rw_ptys',`
+ gen_require(`
+ type ajaxterm_devpts_t;
+ ')
+
+ allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an ajaxterm environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`ajaxterm_admin',`
+ gen_require(`
+ type ajaxterm_t, ajaxterm_initrc_exec_t;
+ ')
+
+ allow $1 ajaxterm_t:process signal_perms;
+ ps_process_pattern($1, ajaxterm_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ajaxterm_t:process ptrace;
+ ')
+
+ ajaxterm_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ajaxterm_initrc_exec_t system_r;
+ allow $2 system_r;
+')
diff --git a/ajaxterm.te b/ajaxterm.te
new file mode 100644
index 0000000..a95a4ad
--- /dev/null
+++ b/ajaxterm.te
@@ -0,0 +1,60 @@
+policy_module(ajaxterm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ajaxterm_t;
+type ajaxterm_exec_t;
+init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
+
+type ajaxterm_initrc_exec_t;
+init_script_file(ajaxterm_initrc_exec_t)
+
+type ajaxterm_var_run_t;
+files_pid_file(ajaxterm_var_run_t)
+
+type ajaxterm_devpts_t;
+term_login_pty(ajaxterm_devpts_t)
+
+########################################
+#
+# ajaxterm local policy
+#
+allow ajaxterm_t self:capability setuid;
+allow ajaxterm_t self:process { setpgid signal };
+allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
+allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
+allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
+
+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
+term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
+
+manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
+
+kernel_read_system_state(ajaxterm_t)
+
+corecmd_exec_bin(ajaxterm_t)
+
+corenet_tcp_bind_generic_node(ajaxterm_t)
+corenet_tcp_bind_oa_system_port(ajaxterm_t)
+
+dev_read_urand(ajaxterm_t)
+
+domain_use_interactive_fds(ajaxterm_t)
+
+
+sysnet_dns_name_resolve(ajaxterm_t)
+
+#######################################
+#
+# SSH component local policy
+#
+
+optional_policy(`
+ ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
+')
+
diff --git a/alsa.fc b/alsa.fc
index 33d9d31..03a150d 100644
--- a/alsa.fc
+++ b/alsa.fc
@@ -23,4 +23,8 @@ ifdef(`distro_debian',`
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+
+/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
+
+/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0)
diff --git a/alsa.if b/alsa.if
index ca8d8cf..2cc5ce6 100644
--- a/alsa.if
+++ b/alsa.if
@@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
userdom_search_user_home_dirs($1)
allow $1 alsa_home_t:file manage_file_perms;
+ alsa_filetrans_home_content($1)
')
########################################
@@ -210,51 +211,87 @@ interface(`alsa_relabel_home_files',`
########################################
##
-## Create objects in user home
-## directories with the generic alsa
-## home type.
+## Read Alsa lib files.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`alsa_read_lib',`
+ gen_require(`
+ type alsa_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')
+
+########################################
+##
+## Transition to alsa named content
+##
+##
##
-## Class of the object being created.
+## Domain allowed access.
##
##
-##
+#
+interface(`alsa_filetrans_home_content',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
+')
+
+########################################
+##
+## Transition to alsa named content
+##
+##
##
-## The name of the object being created.
+## Domain allowed access.
##
##
#
-interface(`alsa_home_filetrans_alsa_home',`
+interface(`alsa_filetrans_named_content',`
gen_require(`
type alsa_home_t;
+ type alsa_etc_rw_t;
+ type alsa_var_lib_t;
')
- userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
+ files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
+ files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
+ files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
+ files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
')
########################################
##
-## Read Alsa lib files.
+## Execute alsa server in the alsa domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
-interface(`alsa_read_lib',`
+interface(`alsa_systemctl',`
gen_require(`
- type alsa_var_lib_t;
+ type alsa_t;
+ type alsa_unit_file_t;
')
- files_search_var_lib($1)
- read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ systemd_exec_systemctl($1)
+ allow $1 alsa_unit_file_t:file read_file_perms;
+ allow $1 alsa_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, alsa_t)
')
#########################################
diff --git a/alsa.te b/alsa.te
index 4b153f1..2403849 100644
--- a/alsa.te
+++ b/alsa.te
@@ -24,16 +24,23 @@ files_tmpfs_file(alsa_tmpfs_t)
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
+type alsa_var_run_t;
+files_pid_file(alsa_var_run_t)
+
type alsa_home_t;
userdom_user_home_content(alsa_home_t)
+type alsa_unit_file_t;
+systemd_unit_file(alsa_unit_file_t)
+
########################################
#
# Local policy
#
-allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
-dontaudit alsa_t self:capability sys_admin;
+allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice };
+dontaudit alsa_t self:capability { sys_tty_config sys_admin };
+allow alsa_t self:process { getsched setsched signal_perms };
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket { accept listen };
@@ -57,6 +64,11 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+manage_dirs_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+manage_lnk_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir })
+
kernel_read_system_state(alsa_t)
corecmd_exec_bin(alsa_t)
@@ -67,7 +79,6 @@ dev_read_sysfs(alsa_t)
dev_read_urand(alsa_t)
dev_write_sound(alsa_t)
-files_read_usr_files(alsa_t)
files_search_var_lib(alsa_t)
term_dontaudit_use_console(alsa_t)
@@ -80,8 +91,6 @@ init_use_fds(alsa_t)
logging_send_syslog_msg(alsa_t)
-miscfiles_read_localization(alsa_t)
-
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
diff --git a/amanda.fc b/amanda.fc
index 7f4dfbc..e5c9f45 100644
--- a/amanda.fc
+++ b/amanda.fc
@@ -1,5 +1,6 @@
/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amanda/DailySet1(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
# empty m4 string so the index macro is not invoked
@@ -13,6 +14,8 @@
/usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib/systemd/system/amanda.* -- gen_context(system_u:object_r:amanda_unit_file_t,s0)
+
/usr/sbin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
diff --git a/amanda.te b/amanda.te
index 519051c..f5784a5 100644
--- a/amanda.te
+++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
roleattribute system_r amanda_recover_roles;
type amanda_t;
+type amanda_exec_t;
type amanda_inetd_exec_t;
-inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+application_executable_file(amanda_exec_t)
+init_daemon_domain(amanda_t, amanda_inetd_exec_t)
+role system_r types amanda_t;
-type amanda_exec_t;
-domain_entry_file(amanda_t, amanda_exec_t)
+type amanda_unit_file_t;
+systemd_unit_file(amanda_unit_file_t)
type amanda_log_t;
logging_log_file(amanda_log_t)
@@ -60,7 +63,7 @@ optional_policy(`
#
allow amanda_t self:capability { chown dac_override setuid kill };
-allow amanda_t self:process { setpgid signal };
+allow amanda_t self:process { getsched setsched setpgid signal };
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket { accept listen };
allow amanda_t self:tcp_socket { accept listen };
@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t)
-corenet_all_recvfrom_unlabeled(amanda_t)
corenet_all_recvfrom_netlabel(amanda_t)
corenet_tcp_sendrecv_generic_if(amanda_t)
corenet_tcp_sendrecv_generic_node(amanda_t)
corenet_tcp_sendrecv_all_ports(amanda_t)
corenet_tcp_bind_generic_node(amanda_t)
+corenet_tcp_bind_amanda_port(amanda_t)
+corenet_udp_bind_amanda_port(amanda_t)
+
corenet_sendrecv_all_server_packets(amanda_t)
corenet_tcp_bind_all_rpc_ports(amanda_t)
corenet_tcp_bind_generic_port(amanda_t)
@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
dev_getattr_all_blk_files(amanda_t)
dev_getattr_all_chr_files(amanda_t)
+dev_read_urand(amanda_t)
files_read_etc_runtime_files(amanda_t)
files_list_all(amanda_t)
@@ -170,7 +177,6 @@ kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
-corenet_all_recvfrom_unlabeled(amanda_recover_t)
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
@@ -195,12 +201,16 @@ files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
-fstools_domtrans(amanda_t)
-fstools_signal(amanda_t)
-
logging_search_logs(amanda_recover_t)
-miscfiles_read_localization(amanda_recover_t)
-
-userdom_use_user_terminals(amanda_recover_t)
+userdom_use_inherited_user_terminals(amanda_recover_t)
userdom_search_user_home_content(amanda_recover_t)
+
+optional_policy(`
+ inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+')
+
+optional_policy(`
+ fstools_domtrans(amanda_t)
+ fstools_signal(amanda_t)
+')
diff --git a/amavis.fc b/amavis.fc
index 17689a7..8aa6849 100644
--- a/amavis.fc
+++ b/amavis.fc
@@ -12,8 +12,6 @@ ifdef(`distro_debian',`
/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
')
-/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
-
/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
diff --git a/amavis.if b/amavis.if
index 60d4f8c..18ef077 100644
--- a/amavis.if
+++ b/amavis.if
@@ -54,6 +54,7 @@ interface(`amavis_read_spool_files',`
files_search_spool($1)
read_files_pattern($1, amavis_spool_t, amavis_spool_t)
+ allow $1 amavis_spool_t:dir list_dir_perms;
')
########################################
@@ -153,6 +154,26 @@ interface(`amavis_read_lib_files',`
########################################
##
+## Read and write amavis lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`amavis_rw_lib_files',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ rw_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+ allow $1 amavis_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
## Create, read, write, and delete
## amavis lib files.
##
@@ -234,9 +255,13 @@ interface(`amavis_admin',`
type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t;
')
- allow $1 amavis_t:process { ptrace signal_perms };
+ allow $1 amavis_t:process signal_perms;
ps_process_pattern($1, amavis_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 amavis_t:process ptrace;
+ ')
+
amavis_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/amavis.te b/amavis.te
index 91fa72a..0b1afd6 100644
--- a/amavis.te
+++ b/amavis.te
@@ -39,7 +39,7 @@ type amavis_quarantine_t;
files_type(amavis_quarantine_t)
type amavis_spool_t;
-files_type(amavis_spool_t)
+files_spool_file(amavis_spool_t)
########################################
#
@@ -67,9 +67,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
+# tmp files
+manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
-files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
+files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } )
manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
@@ -95,7 +98,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t)
corecmd_exec_bin(amavis_t)
corecmd_exec_shell(amavis_t)
-corenet_all_recvfrom_unlabeled(amavis_t)
corenet_all_recvfrom_netlabel(amavis_t)
corenet_tcp_sendrecv_generic_if(amavis_t)
corenet_udp_sendrecv_generic_if(amavis_t)
@@ -118,6 +120,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
corenet_sendrecv_razor_client_packets(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)
+corenet_tcp_connect_agentx_port(amavis_t)
dev_read_rand(amavis_t)
dev_read_sysfs(amavis_t)
@@ -127,7 +130,6 @@ domain_use_interactive_fds(amavis_t)
domain_dontaudit_read_all_domains_state(amavis_t)
files_read_etc_runtime_files(amavis_t)
-files_read_usr_files(amavis_t)
files_search_spool(amavis_t)
fs_getattr_xattr_fs(amavis_t)
@@ -141,14 +143,20 @@ init_stream_connect_script(amavis_t)
logging_send_syslog_msg(amavis_t)
-miscfiles_read_localization(amavis_t)
+miscfiles_read_generic_certs(amavis_t)
+
+sysnet_use_ldap(amavis_t)
userdom_dontaudit_search_user_home_dirs(amavis_t)
tunable_policy(`amavis_use_jit',`
- allow amavis_t self:process execmem;
+ allow amavis_t self:process execmem;
',`
- dontaudit amavis_t self:process execmem;
+ dontaudit amavis_t self:process execmem;
+')
+
+optional_policy(`
+ antivirus_domain_template(amavis_t)
')
optional_policy(`
@@ -173,6 +181,10 @@ optional_policy(`
')
optional_policy(`
+ nslcd_stream_connect(amavis_t)
+')
+
+optional_policy(`
postfix_read_config(amavis_t)
postfix_list_spool(amavis_t)
')
diff --git a/amtu.te b/amtu.te
index 16d0d66..60abfd0 100644
--- a/amtu.te
+++ b/amtu.te
@@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t)
files_manage_boot_files(amtu_t)
files_read_etc_runtime_files(amtu_t)
-files_read_etc_files(amtu_t)
logging_send_audit_msgs(amtu_t)
-userdom_use_user_terminals(amtu_t)
+userdom_use_inherited_user_terminals(amtu_t)
optional_policy(`
nscd_dontaudit_search_pid(amtu_t)
diff --git a/anaconda.te b/anaconda.te
index aa44abf..16a6342 100644
--- a/anaconda.te
+++ b/anaconda.te
@@ -4,6 +4,10 @@ gen_require(`
class passwd all_passwd_perms;
')
+gen_require(`
+ class passwd { passwd chfn chsh rootok crontab };
+')
+
########################################
#
# Declarations
@@ -34,8 +38,9 @@ modutils_domtrans_insmod(anaconda_t)
modutils_domtrans_depmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)
-userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(anaconda_t)
optional_policy(`
rpm_domtrans(anaconda_t)
diff --git a/antivirus.fc b/antivirus.fc
new file mode 100644
index 0000000..9d5214b
--- /dev/null
+++ b/antivirus.fc
@@ -0,0 +1,43 @@
+/etc/amavis(d)?\.conf -- gen_context(system_u:object_r:antivirus_conf_t,s0)
+/etc/amavisd(/.*)? gen_context(system_u:object_r:antivirus_conf_t,s0)
+
+/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:antivirus_unit_file_t,s0)
+
+/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/usr/sbin/amavisd.* -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/clamscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/clamdscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/freshclam -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/usr/sbin/clamd -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/var/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+
+/var/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamav-unofficial-sigs(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamd.* gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/opt/f-secure(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/spool/amavisd(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/virusmails(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+
+/var/log/amavisd\.log.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamav.* gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/freshclam.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamd.* gen_context(system_u:object_r:antivirus_log_t,s0)
+
+/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/amavisd-snmp-subagent\.pid -- gen_context(system_u:object_r:antivirus_var_run_t,s0)
+
+/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/clamav.* gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/clamd.* gen_context(system_u:object_r:antivirus_var_run_t,s0)
+
diff --git a/antivirus.if b/antivirus.if
new file mode 100644
index 0000000..df5b3be
--- /dev/null
+++ b/antivirus.if
@@ -0,0 +1,322 @@
+## SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan
+
+######################################
+##
+## Creates types and rules for a basic
+## antivirus domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+interface(`antivirus_domain_template',`
+ gen_require(`
+ attribute antivirus_domain;
+ ')
+
+ typeattribute $1 antivirus_domain;
+')
+
+#######################################
+##
+## Execute a domain transition to run antivirus program.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`antivirus_domtrans',`
+ gen_require(`
+ type antivirus_t, antivirus_exec_t;
+ ')
+
+ domtrans_pattern($1, antivirus_exec_t, antivirus_t)
+')
+
+#######################################
+##
+## Execute antivirus program without a transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_exec',`
+ gen_require(`
+ type antivirus_exec_t;
+ ')
+
+ can_exec($1, antivirus_exec_t)
+')
+
+#######################################
+##
+## Connect to run antivirus program.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_stream_connect',`
+ gen_require(`
+ type antivirus_t, antivirus_db_t, antivirus_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, antivirus_var_run_t, antivirus_var_run_t, antivirus_t)
+ stream_connect_pattern($1, antivirus_db_t, antivirus_db_t, antivirus_t)
+')
+
+#######################################
+##
+## Allow the specified domain to append
+## to antivirus log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_append_log',`
+ gen_require(`
+ type antivirus_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 antivirus_log_t:dir list_dir_perms;
+ append_files_pattern($1, antivirus_log_t, antivirus_log_t)
+')
+
+#######################################
+##
+## Read antivirus configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_read_config',`
+ gen_require(`
+ type antivirus_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 antivirus_conf_t:file read_file_perms;
+')
+
+#######################################
+##
+## Search antivirus db content directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_search_db',`
+ gen_require(`
+ type antivirus_db_t;
+ ')
+
+ files_search_var_lib($1)
+ files_search_spool($1)
+ allow $1 antivirus_db_t:dir search_dir_perms;
+')
+
+######################################
+##
+## Read antivirus db content directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_read_db',`
+ gen_require(`
+ type antivirus_db_t;
+ ')
+
+ files_search_var_lib($1)
+ files_search_spool($1)
+ read_files_pattern($1, antivirus_db_t, antivirus_db_t)
+ read_lnk_files_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+#####################################
+##
+## Read and write antivirus db content directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_rw_db',`
+ gen_require(`
+ type antivirus_db_t;
+ ')
+
+ files_search_var_lib($1)
+ files_search_spool($1)
+ write_files_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+####################################
+##
+## Manage antivirus db content directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_manage_db',`
+ gen_require(`
+ type antivirus_db_t;
+ ')
+
+ files_search_var_lib($1)
+ files_search_spool($1)
+ manage_files_pattern($1, antivirus_db_t, antivirus_db_t)
+ manage_dirs_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+#######################################
+##
+## Manage antivirus pid content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_manage_pid',`
+ gen_require(`
+ type antivirus_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
+ manage_files_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
+')
+
+######################################
+##
+## Read antivirus state files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`antivirus_read_state_clamd',`
+ gen_require(`
+ type antivirus_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, antivirus_t)
+')
+
+######################################
+##
+## Execute antivirus server in the antivirus domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`antivirus_systemctl',`
+ gen_require(`
+ type antivirus_t;
+ type antivirus_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 antivirus_unit_file_t:file read_file_perms;
+ allow $1 antivirus_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, antivirus_t)
+')
+
+#######################################
+##
+## All of the rules required to administrate
+## an antivirus programs environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the clamav domain.
+##
+##
+##
+#
+interface(`antivirus_admin',`
+ gen_require(`
+ attribute antivirus_domain;
+ type antivirus_t, antivirus_conf_t, antivirus_tmp_t;
+ type antivirus_log_t, antivirus_db_t, antivirus_var_run_t;
+ type antivirus_initrc_exec_t, antivirus_unit_file_t;
+ ')
+
+ allow $1 antivirus_t:process signal_perms;
+ ps_process_pattern($1, antivirus_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 antivirus_t:process ptrace;
+ ')
+
+ init_labeled_script_domtrans($1, antivirus_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 antivirus_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ antivirus_systemctl($1)
+ admin_pattern($1, antivirus_unit_file_t)
+ allow $1 antivirus_unit_file_t:service all_service_perms;
+
+ files_list_etc($1)
+ admin_pattern($1, antivirus_conf_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, antivirus_db_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, antivirus_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, antivirus_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, antivirus_tmp_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
index 0000000..8ba9c95
--- /dev/null
+++ b/antivirus.te
@@ -0,0 +1,274 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
+## Allow antivirus programs to read non security files on a system
+##
+##
+gen_tunable(antivirus_can_scan_system, false)
+
+##
+##
+## Determine whether can antivirus programs use JIT compiler.
+##
+##
+gen_tunable(antivirus_use_jit, false)
+
+attribute antivirus_domain;
+
+type antivirus_t;
+type antivirus_exec_t;
+typeattribute antivirus_t antivirus_domain;
+typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t } ;
+typealias antivirus_exec_t alias { amavis_exec_t clamd_exec_t clamscan_exec_t freshclam_exec_t };
+init_daemon_domain(antivirus_t, antivirus_exec_t)
+
+type antivirus_initrc_exec_t;
+typealias antivirus_initrc_exec_t alias { clamd_initrc_exec_t amavis_initrc_exec_t };
+init_script_file(antivirus_initrc_exec_t)
+
+type antivirus_unit_file_t;
+typealias antivirus_unit_file_t alias { clamd_unit_file_t };
+systemd_unit_file(antivirus_unit_file_t)
+
+type antivirus_conf_t;
+typealias antivirus_conf_t alias { clamd_etc_t };
+files_config_file(antivirus_conf_t)
+
+type antivirus_var_run_t;
+typealias antivirus_var_run_t alias { amavis_var_run_t clamd_var_run_t clamd_sock_t };
+files_pid_file(antivirus_var_run_t)
+
+type antivirus_log_t;
+typealias antivirus_log_t alias { amavis_var_log_t clamd_var_log_t freshclam_var_log_t };
+logging_log_file(antivirus_log_t)
+
+type antivirus_db_t;
+typealias antivirus_db_t alias { amavis_var_lib_t amavis_quarantine_t amavis_spool_t clamd_var_lib_t };
+files_type(antivirus_db_t)
+
+type antivirus_home_t;
+userdom_user_home_content(antivirus_home_t)
+
+type antivirus_tmp_t;
+typealias antivirus_tmp_t alias { amavis_tmp_t clamd_tmp_t clamscan_tmp_t };
+files_tmp_file(antivirus_tmp_t)
+
+########################################
+#
+# antivirus domain local policy
+#
+
+allow antivirus_domain self:capability { dac_override chown kill setgid setuid };
+dontaudit antivirus_domain self:capability sys_tty_config;
+allow antivirus_domain self:process signal_perms;
+
+allow antivirus_domain self:fifo_file rw_fifo_file_perms;
+allow antivirus_domain self:unix_stream_socket { accept connectto listen };
+allow antivirus_domain self:tcp_socket { listen accept };
+
+allow antivirus_domain antivirus_conf_t:dir list_dir_perms;
+read_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
+read_lnk_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
+
+manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+
+manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_lnk_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+
+manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } )
+
+manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+logging_log_filetrans(antivirus_domain, antivirus_log_t, { sock_file file dir })
+
+manage_dirs_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+manage_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file})
+
+can_exec(antivirus_domain, antivirus_exec_t)
+
+kernel_read_network_state(antivirus_t)
+kernel_read_net_sysctls(antivirus_t)
+kernel_read_kernel_sysctls(antivirus_domain)
+kernel_read_sysctl(antivirus_domain)
+kernel_read_system_state(antivirus_t)
+
+corecmd_exec_bin(antivirus_domain)
+corecmd_exec_shell(antivirus_domain)
+
+corenet_all_recvfrom_netlabel(antivirus_t)
+corenet_tcp_sendrecv_generic_if(antivirus_t)
+corenet_udp_sendrecv_generic_if(antivirus_t)
+corenet_tcp_sendrecv_generic_node(antivirus_domain)
+corenet_udp_sendrecv_generic_node(antivirus_domain)
+corenet_tcp_sendrecv_all_ports(antivirus_domain)
+corenet_udp_sendrecv_all_ports(antivirus_domain)
+corenet_tcp_bind_generic_node(antivirus_domain)
+corenet_udp_bind_generic_node(antivirus_domain)
+
+corenet_sendrecv_amavisd_send_client_packets(antivirus_domain)
+corenet_tcp_connect_amavisd_send_port(antivirus_domain)
+
+corenet_sendrecv_amavisd_recv_server_packets(antivirus_domain)
+corenet_tcp_bind_amavisd_recv_port(antivirus_domain)
+
+corenet_sendrecv_generic_server_packets(antivirus_domain)
+corenet_udp_bind_generic_port(antivirus_domain)
+corenet_dontaudit_udp_bind_all_ports(antivirus_domain)
+
+corenet_sendrecv_razor_client_packets(antivirus_domain)
+corenet_tcp_connect_razor_port(antivirus_domain)
+corenet_tcp_connect_agentx_port(antivirus_domain)
+
+corenet_tcp_connect_clamd_port(antivirus_domain)
+
+corenet_sendrecv_clamd_server_packets(antivirus_domain)
+corenet_tcp_bind_clamd_port(antivirus_domain)
+
+corenet_sendrecv_http_client_packets(antivirus_domain)
+corenet_tcp_connect_http_port(antivirus_domain)
+corenet_tcp_sendrecv_http_port(antivirus_domain)
+
+corenet_sendrecv_http_cache_client_packets(antivirus_domain)
+corenet_tcp_connect_http_cache_port(antivirus_domain)
+corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
+
+#support for MySQL/PostgreSQL
+corenet_tcp_connect_mysqld_port(antivirus_domain)
+corenet_tcp_connect_postgresql_port(antivirus_domain)
+
+corenet_sendrecv_snmp_client_packets(antivirus_domain)
+corenet_tcp_connect_snmp_port(antivirus_domain)
+
+corenet_sendrecv_squid_client_packets(antivirus_domain)
+corenet_tcp_connect_squid_port(antivirus_domain)
+corenet_tcp_sendrecv_squid_port(antivirus_domain)
+
+dev_read_rand(antivirus_domain)
+dev_read_sysfs(antivirus_domain)
+dev_read_urand(antivirus_domain)
+
+domain_dontaudit_read_all_domains_state(antivirus_domain)
+
+files_read_etc_runtime_files(antivirus_domain)
+files_search_spool(antivirus_domain)
+
+fs_getattr_xattr_fs(antivirus_domain)
+
+auth_use_nsswitch(antivirus_t)
+auth_dontaudit_read_shadow(antivirus_domain)
+
+init_read_state(antivirus_domain)
+init_read_utmp(antivirus_domain)
+init_stream_connect_script(antivirus_domain)
+init_dontaudit_write_utmp(antivirus_domain)
+
+logging_send_syslog_msg(antivirus_t)
+
+miscfiles_read_generic_certs(antivirus_domain)
+
+sysnet_use_ldap(antivirus_domain)
+
+userdom_stream_connect(antivirus_domain)
+userdom_dontaudit_search_user_home_dirs(antivirus_domain)
+
+tunable_policy(`antivirus_can_scan_system',`
+ files_read_non_security_files(antivirus_domain)
+ #files_dontaudit_read_all_non_security_files(antivirus_domain)
+ files_dontaudit_read_security_files(antivirus_domain)
+ files_getattr_all_pipes(antivirus_domain)
+ files_getattr_all_sockets(antivirus_domain)
+ dev_getattr_all_blk_files(antivirus_domain)
+ dev_getattr_all_chr_files(antivirus_domain)
+')
+
+tunable_policy(`antivirus_use_jit',`
+ allow antivirus_domain self:process execmem;
+ allow antivirus_domain self:process execmem;
+',`
+ dontaudit antivirus_domain self:process execmem;
+ dontaudit antivirus_domain self:process execmem;
+')
+
+optional_policy(`
+ apache_read_sys_content(antivirus_domain)
+')
+
+optional_policy(`
+ antivirus_systemctl(antivirus_domain)
+')
+
+optional_policy(`
+ cron_system_entry(antivirus_t, antivirus_exec_t)
+ cron_use_fds(antivirus_domain)
+ cron_use_system_job_fds(antivirus_domain)
+ cron_rw_pipes(antivirus_domain)
+')
+
+optional_policy(`
+ dcc_domtrans_client(antivirus_domain)
+ dcc_stream_connect_dccifd(antivirus_domain)
+')
+
+optional_policy(`
+ exim_read_spool_files(antivirus_domain)
+')
+
+optional_policy(`
+ mta_read_config(antivirus_domain)
+ mta_read_queue(antivirus_domain)
+ mta_send_mail(antivirus_domain)
+')
+
+optional_policy(`
+ nslcd_stream_connect(antivirus_domain)
+')
+
+optional_policy(`
+ mysql_stream_connect(antivirus_domain)
+ corenet_tcp_connect_mysqld_port(antivirus_domain)
+')
+
+optional_policy(`
+ postfix_read_config(antivirus_domain)
+ postfix_list_spool(antivirus_domain)
+')
+
+optional_policy(`
+ pyzor_domtrans(antivirus_domain)
+ pyzor_signal(antivirus_domain)
+')
+
+optional_policy(`
+ razor_domtrans(antivirus_domain)
+')
+
+optional_policy(`
+ snmp_manage_var_lib_dirs(antivirus_domain)
+ snmp_manage_var_lib_files(antivirus_domain)
+ snmp_stream_connect(antivirus_domain)
+')
+
+optional_policy(`
+ spamd_stream_connect(clamd_t)
+ spamassassin_exec(antivirus_domain)
+ spamassassin_exec_client(antivirus_domain)
+ spamassassin_read_lib_files(antivirus_domain)
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
index 7caefc3..082e31e 100644
--- a/apache.fc
+++ b/apache.fc
@@ -1,162 +1,194 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
-/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
-/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
-/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
-/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
+/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
-/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
-/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/([^/]*/)?www/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2/smarty(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-
-ifdef(`distro_suse',`
-/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/htcacheclean -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+
+ifdef(`distro_suse', `
+/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-
-/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
-
-/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt(3|4)(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/moodle(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/php/wsdlcache(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
-/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+')
-/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
-
-/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-
-/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+
+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/html(/.*)?/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/moodle/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/openshift/console/tmp(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+/var/www/openshift/console/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/broker/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/console/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/broker/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/www/openshift/console/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+
diff --git a/apache.if b/apache.if
index f6eb485..fac6fe5 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
-## Various web servers.
+## Apache web server
########################################
##
-## Create a set of derived types for
-## httpd web content.
+## Create a set of derived types for apache
+## web content.
##
##
##
@@ -13,118 +13,101 @@
#
template(`apache_content_template',`
gen_require(`
- attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
- attribute httpd_script_domains, httpd_htaccess_type;
- type httpd_t, httpd_suexec_t;
+ attribute httpd_exec_scripts, httpd_script_exec_type;
+ type httpd_t, httpd_suexec_t, httpd_log_t;
+ type httpd_sys_content_t;
+ attribute httpd_script_type, httpd_content_type;
')
- ########################################
- #
- # Declarations
- #
-
- ##
- ##
- ## Determine whether the script domain can
- ## modify public files used for public file
- ## transfer services. Directories/Files must
- ## be labeled public_content_rw_t.
- ##
- ##
- gen_tunable(allow_httpd_$1_script_anon_write, false)
-
- type httpd_$1_content_t, httpdcontent; # customizable
+ #This type is for webpages
+ type httpd_$1_content_t; # customizable;
+ typeattribute httpd_$1_content_t httpd_content_type;
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
files_type(httpd_$1_content_t)
- type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable;
+ # This type is used for .htaccess files
+ type httpd_$1_htaccess_t, httpd_content_type; # customizable;
+ typeattribute httpd_$1_htaccess_t httpd_content_type;
files_type(httpd_$1_htaccess_t)
- type httpd_$1_script_t, httpd_script_domains;
+ # Type that CGI scripts run as
+ type httpd_$1_script_t, httpd_script_type;
domain_type(httpd_$1_script_t)
role system_r types httpd_$1_script_t;
+ kernel_read_system_state(httpd_$1_script_t)
+
+ # This type is used for executable scripts files
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
- corecmd_shell_entry_type(httpd_$1_script_t)
+ typeattribute httpd_$1_script_exec_t httpd_content_type;
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
- type httpd_$1_rw_content_t, httpdcontent; # customizable
+ type httpd_$1_rw_content_t; # customizable
+ typeattribute httpd_$1_rw_content_t httpd_content_type;
typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
files_type(httpd_$1_rw_content_t)
- type httpd_$1_ra_content_t, httpdcontent; # customizable
+ type httpd_$1_ra_content_t, httpd_content_type; # customizable
+ typeattribute httpd_$1_ra_content_t httpd_content_type;
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
files_type(httpd_$1_ra_content_t)
- ########################################
- #
- # Policy
- #
+ # Allow the script process to search the cgi directory, and users directory
+ allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
- allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
- allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
+ allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
- allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms;
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
+ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
-
- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
- allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
-
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
- ')
+ # Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
- allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
- allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
- ')
+ allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
+ read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
- tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
- can_exec(httpd_t, httpd_$1_rw_content_t)
')
tunable_policy(`httpd_enable_cgi',`
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
- domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
- ')
- tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',`
- can_exec(httpd_$1_script_t, httpd_$1_rw_content_t)
- ')
+ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint;
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms;
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms;
- ')
+ # privileged users run the script:
+ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+
+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
+ # apache runs the script:
+ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+ allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto;
')
')
########################################
##
-## Role access for apache.
+## Role access for apache
##
##
##
@@ -133,47 +116,61 @@ template(`apache_content_template',`
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
#
interface(`apache_role',`
gen_require(`
attribute httpdcontent;
- type httpd_user_content_t, httpd_user_htaccess_t;
- type httpd_user_script_t, httpd_user_script_exec_t;
- type httpd_user_ra_content_t, httpd_user_rw_content_t;
+ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
+ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
')
role $1 types httpd_user_script_t;
- allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
-
- allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms };
- allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms };
- allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms };
- allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms };
- allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html")
- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web")
- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www")
-
- filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess")
- filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
- filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")
+ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+ manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+
+ manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+
+ apache_exec_modules($2)
+ apache_filetrans_home_content($2)
tunable_policy(`httpd_enable_cgi',`
+ # If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
')
@@ -184,7 +181,7 @@ interface(`apache_role',`
########################################
##
-## Read user httpd script executable files.
+## Read httpd user scripts executables.
##
##
##
@@ -204,7 +201,7 @@ interface(`apache_read_user_scripts',`
########################################
##
-## Read user httpd content.
+## Read user web content.
##
##
##
@@ -224,7 +221,7 @@ interface(`apache_read_user_content',`
########################################
##
-## Execute httpd with a domain transition.
+## Transition to apache.
##
##
##
@@ -241,27 +238,47 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
-########################################
+######################################
##
-## Execute httpd server in the httpd domain.
+## Allow the specified domain to execute apache
+## in the caller domain.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
-interface(`apache_initrc_domtrans',`
+interface(`apache_exec',`
gen_require(`
- type httpd_initrc_exec_t;
+ type httpd_exec_t;
')
- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ can_exec($1, httpd_exec_t)
+')
+
+######################################
+##
+## Allow the specified domain to execute apache suexec
+## in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_exec_suexec',`
+ gen_require(`
+ type httpd_suexec_exec_t;
+ ')
+
+ can_exec($1, httpd_suexec_exec_t)
')
#######################################
##
-## Send generic signals to httpd.
+## Send a generic signal to apache.
##
##
##
@@ -279,7 +296,7 @@ interface(`apache_signal',`
########################################
##
-## Send null signals to httpd.
+## Send a null signal to apache.
##
##
##
@@ -297,7 +314,7 @@ interface(`apache_signull',`
########################################
##
-## Send child terminated signals to httpd.
+## Send a SIGCHLD signal to apache.
##
##
##
@@ -315,8 +332,7 @@ interface(`apache_sigchld',`
########################################
##
-## Inherit and use file descriptors
-## from httpd.
+## Inherit and use file descriptors from Apache.
##
##
##
@@ -334,8 +350,8 @@ interface(`apache_use_fds',`
########################################
##
-## Do not audit attempts to read and
-## write httpd unnamed pipes.
+## Do not audit attempts to read and write Apache
+## unnamed pipes.
##
##
##
@@ -348,13 +364,13 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
##
-## Do not audit attempts to read and
-## write httpd unix domain stream sockets.
+## Do not audit attempts to read and write Apache
+## unix domain stream sockets.
##
##
##
@@ -372,8 +388,8 @@ interface(`apache_dontaudit_rw_stream_sockets',`
########################################
##
-## Do not audit attempts to read and
-## write httpd TCP sockets.
+## Do not audit attempts to read and write Apache
+## TCP sockets.
##
##
##
@@ -391,8 +407,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
########################################
##
-## Create, read, write, and delete
-## all httpd content.
+## Create, read, write, and delete all web content.
##
##
##
@@ -417,7 +432,8 @@ interface(`apache_manage_all_content',`
########################################
##
-## Set attributes httpd cache directories.
+## Allow domain to set the attributes
+## of the APACHE cache directory.
##
##
##
@@ -435,7 +451,8 @@ interface(`apache_setattr_cache_dirs',`
########################################
##
-## List httpd cache directories.
+## Allow the specified domain to list
+## Apache cache.
##
##
##
@@ -453,7 +470,8 @@ interface(`apache_list_cache',`
########################################
##
-## Read and write httpd cache files.
+## Allow the specified domain to read
+## and write Apache cache files.
##
##
##
@@ -471,7 +489,8 @@ interface(`apache_rw_cache_files',`
########################################
##
-## Delete httpd cache directories.
+## Allow the specified domain to delete
+## Apache cache dirs.
##
##
##
@@ -489,7 +508,8 @@ interface(`apache_delete_cache_dirs',`
########################################
##
-## Delete httpd cache files.
+## Allow the specified domain to delete
+## Apache cache.
##
##
##
@@ -507,49 +527,51 @@ interface(`apache_delete_cache_files',`
########################################
##
-## Read httpd configuration files.
+## Allow the specified domain to search
+## apache configuration dirs.
##
##
##
## Domain allowed access.
##
##
-##
#
-interface(`apache_read_config',`
+interface(`apache_search_config',`
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
- allow $1 httpd_config_t:dir list_dir_perms;
- read_files_pattern($1, httpd_config_t, httpd_config_t)
- read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+ allow $1 httpd_config_t:dir search_dir_perms;
')
########################################
##
-## Search httpd configuration directories.
+## Allow the specified domain to read
+## apache configuration files.
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`apache_search_config',`
+interface(`apache_read_config',`
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
- allow $1 httpd_config_t:dir search_dir_perms;
+ allow $1 httpd_config_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
')
########################################
##
-## Create, read, write, and delete
-## httpd configuration files.
+## Allow the specified domain to manage
+## apache configuration files.
##
##
##
@@ -570,8 +592,8 @@ interface(`apache_manage_config',`
########################################
##
-## Execute the Apache helper program
-## with a domain transition.
+## Execute the Apache helper program with
+## a domain transition.
##
##
##
@@ -608,16 +630,38 @@ interface(`apache_domtrans_helper',`
#
interface(`apache_run_helper',`
gen_require(`
- attribute_role httpd_helper_roles;
+ type httpd_helper_t;
')
apache_domtrans_helper($1)
- roleattribute $2 httpd_helper_roles;
+ role $2 types httpd_helper_t;
')
########################################
##
-## Read httpd log files.
+## dontaudit attempts to read
+## apache log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_dontaudit_read_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ dontaudit $1 httpd_log_t:file read_file_perms;
+ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+##
+## Allow the specified domain to read
+## apache log files.
##
##
##
@@ -639,7 +683,8 @@ interface(`apache_read_log',`
########################################
##
-## Append httpd log files.
+## Allow the specified domain to append
+## to apache log files.
##
##
##
@@ -657,10 +702,29 @@ interface(`apache_append_log',`
append_files_pattern($1, httpd_log_t, httpd_log_t)
')
+#######################################
+##
+## Allow the specified domain to write
+## to apache log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_write_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ allow $1 httpd_log_t:file write;
+')
+
########################################
##
-## Do not audit attempts to append
-## httpd log files.
+## Do not audit attempts to append to the
+## Apache logs.
##
##
##
@@ -678,8 +742,8 @@ interface(`apache_dontaudit_append_log',`
########################################
##
-## Create, read, write, and delete
-## httpd log files.
+## Allow the specified domain to manage
+## to apache log files.
##
##
##
@@ -698,47 +762,49 @@ interface(`apache_manage_log',`
read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
')
-#######################################
+########################################
##
-## Write apache log files.
+## Do not audit attempts to search Apache
+## module directories.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`apache_write_log',`
+interface(`apache_dontaudit_search_modules',`
gen_require(`
- type httpd_log_t;
+ type httpd_modules_t;
')
- logging_search_logs($1)
- write_files_pattern($1, httpd_log_t, httpd_log_t)
+ dontaudit $1 httpd_modules_t:dir search_dir_perms;
')
########################################
##
-## Do not audit attempts to search
-## httpd module directories.
+## Allow the specified domain to read
+## the apache module directories.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`apache_dontaudit_search_modules',`
+interface(`apache_read_modules',`
gen_require(`
type httpd_modules_t;
')
- dontaudit $1 httpd_modules_t:dir search_dir_perms;
+ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
##
-## List httpd module directories.
+## Allow the specified domain to list
+## the contents of the apache modules
+## directory.
##
##
##
@@ -752,11 +818,13 @@ interface(`apache_list_modules',`
')
allow $1 httpd_modules_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
##
-## Execute httpd module files.
+## Allow the specified domain to execute
+## apache modules.
##
##
##
@@ -776,46 +844,63 @@ interface(`apache_exec_modules',`
########################################
##
-## Read httpd module files.
+## Execute a domain transition to run httpd_rotatelogs.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
-interface(`apache_read_module_files',`
+interface(`apache_domtrans_rotatelogs',`
gen_require(`
- type httpd_modules_t;
+ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
')
- libs_search_lib($1)
- read_files_pattern($1, httpd_modules_t, httpd_modules_t)
+ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')
-########################################
+#######################################
##
-## Execute a domain transition to
-## run httpd_rotatelogs.
+## Execute httpd_rotatelogs in the caller domain.
##
##
-##
-## Domain allowed to transition.
-##
+##
+## Domain allowed to transition.
+##
##
#
-interface(`apache_domtrans_rotatelogs',`
+interface(`apache_exec_rotatelogs',`
+ gen_require(`
+ type httpd_rotatelogs_exec_t;
+ ')
+
+ can_exec($1, httpd_rotatelogs_exec_t)
+')
+
+#######################################
+##
+## Execute httpd system scripts in the caller domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apache_exec_sys_script',`
gen_require(`
- type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
+ type httpd_sys_script_exec_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
+ allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
+ can_exec($1, httpd_sys_script_exec_t)
')
########################################
##
-## List httpd system content directories.
+## Allow the specified domain to list
+## apache system content files.
##
##
##
@@ -829,13 +914,14 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
files_search_var($1)
')
########################################
##
-## Create, read, write, and delete
-## httpd system content files.
+## Allow the specified domain to manage
+## apache system content files.
##
##
##
@@ -844,6 +930,7 @@ interface(`apache_list_sys_content',`
##
##
#
+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
interface(`apache_manage_sys_content',`
gen_require(`
type httpd_sys_content_t;
@@ -855,32 +942,98 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
-########################################
+######################################
##
-## Create, read, write, and delete
-## httpd system rw content.
+## Allow the specified domain to read
+## apache system content rw files.
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`apache_manage_sys_rw_content',`
+interface(`apache_read_sys_content_rw_files',`
gen_require(`
type httpd_sys_rw_content_t;
')
- apache_search_sys_content($1)
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+##
+## Allow the specified domain to read
+## apache system content rw dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_read_sys_content_rw_dirs',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+##
+## Allow the specified domain to manage
+## apache system content rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_manage_sys_content_rw',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ files_search_var($1)
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
')
########################################
##
-## Execute all httpd scripts in the
-## system script domain.
+## Allow the specified domain to delete
+## apache system content rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_delete_sys_content_rw',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ files_search_tmp($1)
+ delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+########################################
+##
+## Execute all web scripts in the system
+## script domain.
##
##
##
@@ -888,10 +1041,17 @@ interface(`apache_manage_sys_rw_content',`
##
##
#
+# cjp: this interface specifically added to allow
+# sysadm_t to run scripts
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
- type httpd_sys_script_t;
+ type httpd_sys_script_exec_t;
+ type httpd_sys_script_t, httpd_sys_content_t;
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
@@ -901,9 +1061,8 @@ interface(`apache_domtrans_sys_script',`
########################################
##
-## Do not audit attempts to read and
-## write httpd system script unix
-## domain stream sockets.
+## Do not audit attempts to read and write Apache
+## system script unix domain stream sockets.
##
##
##
@@ -941,7 +1100,7 @@ interface(`apache_domtrans_all_scripts',`
########################################
##
## Execute all user scripts in the user
-## script domain. Add user script domains
+## script domain. Add user script domains
## to the specified role.
##
##
@@ -954,6 +1113,7 @@ interface(`apache_domtrans_all_scripts',`
## Role allowed access.
##
##
+##
#
interface(`apache_run_all_scripts',`
gen_require(`
@@ -966,7 +1126,8 @@ interface(`apache_run_all_scripts',`
########################################
##
-## Read httpd squirrelmail data files.
+## Allow the specified domain to read
+## apache squirrelmail data.
##
##
##
@@ -979,12 +1140,13 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
- allow $1 httpd_squirrelmail_t:file read_file_perms;
+ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
')
########################################
##
-## Append httpd squirrelmail data files.
+## Allow the specified domain to append
+## apache squirrelmail data.
##
##
##
@@ -1002,7 +1164,7 @@ interface(`apache_append_squirrelmail_data',`
########################################
##
-## Search httpd system content.
+## Search apache system content.
##
##
##
@@ -1015,13 +1177,12 @@ interface(`apache_search_sys_content',`
type httpd_sys_content_t;
')
- files_search_var($1)
allow $1 httpd_sys_content_t:dir search_dir_perms;
')
########################################
##
-## Read httpd system content.
+## Read apache system content.
##
##
##
@@ -1041,7 +1202,7 @@ interface(`apache_read_sys_content',`
########################################
##
-## Search httpd system CGI directories.
+## Search apache system CGI directories.
##
##
##
@@ -1059,8 +1220,7 @@ interface(`apache_search_sys_scripts',`
########################################
##
-## Create, read, write, and delete all
-## user httpd content.
+## Create, read, write, and delete all user web content.
##
##
##
@@ -1071,18 +1231,21 @@ interface(`apache_search_sys_scripts',`
#
interface(`apache_manage_all_user_content',`
gen_require(`
- type httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t;
- type httpd_user_htaccess_t, httpd_user_script_exec_t;
+ attribute httpd_user_content_type, httpd_user_script_exec_type;
')
- manage_dirs_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
- manage_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t })
- manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
+ manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+
+ manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+ manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+ manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
')
########################################
##
-## Search system script state directories.
+## Search system script state directory.
##
##
##
@@ -1100,7 +1263,8 @@ interface(`apache_search_sys_script_state',`
########################################
##
-## Read httpd tmp files.
+## Allow the specified domain to read
+## apache tmp files.
##
##
##
@@ -1117,10 +1281,29 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
+######################################
+##
+## Dontaudit attempts to read and write
+## apache tmp files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_tmp_t:file { read write };
+')
+
########################################
##
-## Do not audit attempts to write
-## httpd tmp files.
+## Dontaudit attempts to write
+## apache tmp files.
##
##
##
@@ -1133,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
- dontaudit $1 httpd_tmp_t:file write_file_perms;
+ dontaudit $1 httpd_tmp_t:file write;
')
########################################
@@ -1142,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',`
##
##
##
+## Execute CGI in the specified domain.
+##
+##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
@@ -1171,8 +1357,30 @@ interface(`apache_cgi_domain',`
########################################
##
-## All of the rules required to
-## administrate an apache environment.
+## Execute httpd server in the httpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apache_systemctl',`
+ gen_require(`
+ type httpd_t;
+ type httpd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 httpd_unit_file_t:file read_file_perms;
+ allow $1 httpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, httpd_t)
+')
+
+########################################
+##
+## All of the rules required to administrate an apache environment
##
##
##
@@ -1189,18 +1397,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
- attribute httpd_script_domains, httpd_htaccess_type;
type httpd_t, httpd_config_t, httpd_log_t;
- type httpd_modules_t, httpd_lock_t, httpd_helper_t;
- type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
- type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
- type httpd_initrc_exec_t, httpd_keytab_t;
+ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
+ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
+ type httpd_suexec_tmp_t, httpd_tmp_t;
+ type httpd_unit_file_t;
')
- allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
- allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
- ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
+ allow $1 httpd_t:process signal_perms;
+ ps_process_pattern($1, httpd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 httpd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -1210,10 +1419,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
- files_search_etc($1)
- admin_pattern($1, { httpd_keytab_t httpd_config_t })
+ files_list_etc($1)
+ admin_pattern($1, httpd_config_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
@@ -1224,9 +1433,129 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
- admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type })
- admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t })
+ admin_pattern($1, httpdcontent)
+ admin_pattern($1, httpd_script_exec_type)
+
+ seutil_domtrans_setfiles($1)
+
+ files_list_tmp($1)
+ admin_pattern($1, httpd_tmp_t)
+ admin_pattern($1, httpd_php_tmp_t)
+ admin_pattern($1, httpd_suexec_tmp_t)
+
+ apache_systemctl($1)
+ admin_pattern($1, httpd_unit_file_t)
+ allow $1 httpd_unit_file_t:service all_service_perms;
+
+ apache_filetrans_named_content($1)
+')
+
+########################################
+##
+## dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_dontaudit_leaks',`
+ gen_require(`
+ type httpd_t;
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 httpd_t:tcp_socket { read write };
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
+ dontaudit $1 httpd_tmp_t:file { read write };
+')
+
+########################################
+##
+## Transition to apache named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_filetrans_named_content',`
+ gen_require(`
+ type httpd_sys_content_t, httpd_sys_rw_content_t;
+ type httpd_tmp_t;
+ ')
+
+
+ apache_filetrans_home_content($1)
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
+ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
+')
+
+########################################
+##
+## Allow any httpd_exec_t to be an entrypoint of this domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_entrypoint',`
+ gen_require(`
+ type httpd_exec_t;
+ ')
+ allow $1 httpd_exec_t:file entrypoint;
+')
+
+########################################
+##
+## Execute a httpd_exec_t in the specified domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The type of the new process.
+##
+##
+#
+interface(`apache_exec_domtrans',`
+ gen_require(`
+ type httpd_exec_t;
+ ')
+
+ domtrans_pattern($1, httpd_exec_t, $2)
+')
+
+########################################
+##
+## Transition to apache home content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_filetrans_home_content',`
+ gen_require(`
+ type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
+ type httpd_user_content_ra_t;
+ ')
- apache_run_all_scripts($1, $2)
- apache_run_helper($1, $2)
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
index 6649962..0e09bca 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,317 @@ policy_module(apache, 2.7.2)
# Declarations
#
+selinux_genbool(httpd_bool_t)
+
##
-##
-## Determine whether httpd can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-##
+##
+## Allow Apache to modify public files
+## used for public file transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+##
##
-gen_tunable(allow_httpd_anon_write, false)
+gen_tunable(httpd_anon_write, false)
##
-##
-## Determine whether httpd can use mod_auth_pam.
-##
+##
+## Allow Apache to use mod_auth_pam
+##
##
-gen_tunable(allow_httpd_mod_auth_pam, false)
+gen_tunable(httpd_mod_auth_pam, false)
##
-##
-## Determine whether httpd can use built in scripting.
-##
+##
+## Allow Apache to use mod_auth_ntlm_winbind
+##
##
-gen_tunable(httpd_builtin_scripting, false)
+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
##
-##
-## Determine whether httpd can check spam.
-##
+##
+## Allow httpd scripts and modules execmem/execstack
+##
##
-gen_tunable(httpd_can_check_spam, false)
+gen_tunable(httpd_execmem, false)
##
-##
-## Determine whether httpd scripts and modules
-## can connect to the network using TCP.
-##
+##
+## Allow httpd processes to manage IPA content
+##
+##
+gen_tunable(httpd_manage_ipa, false)
+
+##
+##
+## Allow httpd to use built in scripting (usually php)
+##
+##
+gen_tunable(httpd_builtin_scripting, false)
+
+##
+##
+## Allow HTTPD scripts and modules to connect to the network using TCP.
+##
##
gen_tunable(httpd_can_network_connect, false)
##
-##
-## Determine whether httpd scripts and modules
-## can connect to cobbler over the network.
-##
+##
+## Allow HTTPD scripts and modules to connect to cobbler over the network.
+##
##
gen_tunable(httpd_can_network_connect_cobbler, false)
##
-##
-## Determine whether scripts and modules can
-## connect to databases over the network.
-##
+##
+## Allow HTTPD scripts and modules to server cobbler files.
+##
##
-gen_tunable(httpd_can_network_connect_db, false)
+gen_tunable(httpd_serve_cobbler_files, false)
##
-##
-## Determine whether httpd can connect to
-## ldap over the network.
-##
+##
+## Allow HTTPD to connect to port 80 for graceful shutdown
+##
##
-gen_tunable(httpd_can_network_connect_ldap, false)
+gen_tunable(httpd_graceful_shutdown, false)
##
-##
-## Determine whether httpd can connect
-## to memcache server over the network.
-##
+##
+## Allow HTTPD scripts and modules to connect to databases over the network.
+##
##
-gen_tunable(httpd_can_network_connect_memcache, false)
+gen_tunable(httpd_can_network_connect_db, false)
##
-##
-## Determine whether httpd can act as a relay.
-##
+##
+## Allow httpd to connect to memcache server
+##
+##
+gen_tunable(httpd_can_network_memcache, false)
+
+##
+##
+## Allow httpd to act as a relay
+##
##
gen_tunable(httpd_can_network_relay, false)
##
-##
-## Determine whether httpd daemon can
-## connect to zabbix over the network.
-##
+##
+## Allow http daemon to connect to zabbix
+##
##
-gen_tunable(httpd_can_network_connect_zabbix, false)
+gen_tunable(httpd_can_connect_zabbix, false)
##
-##
-## Determine whether httpd can send mail.
-##
+##
+## Allow http daemon to connect to mythtv
+##
##
-gen_tunable(httpd_can_sendmail, false)
+gen_tunable(httpd_can_connect_mythtv, false)
##
-##
-## Determine whether httpd can communicate
-## with avahi service via dbus.
-##
+##
+## Allow http daemon to check spam
+##
##
-gen_tunable(httpd_dbus_avahi, false)
+gen_tunable(httpd_can_check_spam, false)
##
-##
-## Determine wether httpd can use support.
-##
+##
+## Allow http daemon to send mail
+##
##
-gen_tunable(httpd_enable_cgi, false)
+gen_tunable(httpd_can_sendmail, false)
##
-##
-## Determine whether httpd can act as a
-## FTP server by listening on the ftp port.
-##
+##
+## Allow Apache to communicate with avahi service via dbus
+##
##
-gen_tunable(httpd_enable_ftp_server, false)
+gen_tunable(httpd_dbus_avahi, false)
##
-##
-## Determine whether httpd can traverse
-## user home directories.
-##
+##
+## Allow httpd cgi support
+##
##
-gen_tunable(httpd_enable_homedirs, false)
+gen_tunable(httpd_enable_cgi, false)
##
-##
-## Determine whether httpd gpg can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-##
+##
+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+##
##
-gen_tunable(httpd_gpg_anon_write, false)
+gen_tunable(httpd_enable_ftp_server, false)
##
-##
-## Determine whether httpd can execute
-## its temporary content.
-##
+##
+## Allow httpd to act as a FTP client
+## connecting to the ftp port and ephemeral ports
+##
##
-gen_tunable(httpd_tmp_exec, false)
+gen_tunable(httpd_can_connect_ftp, false)
##
-##
-## Determine whether httpd scripts and
-## modules can use execmem and execstack.
-##
+##
+## Allow httpd to connect to the ldap port
+##
##
-gen_tunable(httpd_execmem, false)
+gen_tunable(httpd_can_connect_ldap, false)
##
-##
-## Determine whether httpd can connect
-## to port 80 for graceful shutdown.
-##
+##
+## Allow httpd to read home directories
+##
##
-gen_tunable(httpd_graceful_shutdown, false)
+gen_tunable(httpd_enable_homedirs, false)
##
-##
-## Determine whether httpd can
-## manage IPA content files.
-##
+##
+## Allow httpd to read user content
+##
##
-gen_tunable(httpd_manage_ipa, false)
+gen_tunable(httpd_read_user_content, false)
##
-##
-## Determine whether httpd can use mod_auth_ntlm_winbind.
-##
+##
+## Allow Apache to run in stickshift mode, not transition to passenger
+##
##
-gen_tunable(httpd_mod_auth_ntlm_winbind, false)
+gen_tunable(httpd_run_stickshift, false)
##
-##
-## Determine whether httpd can read
-## generic user home content files.
-##
+##
+## Allow Apache to query NS records
+##
##
-gen_tunable(httpd_read_user_content, false)
+gen_tunable(httpd_verify_dns, false)
##
-##
-## Determine whether httpd can change
-## its resource limits.
-##
+##
+## Allow httpd daemon to change its resource limits
+##
##
gen_tunable(httpd_setrlimit, false)
##
-##
-## Determine whether httpd can run
-## SSI executables in the same domain
-## as system CGI scripts.
-##
+##
+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+##
##
gen_tunable(httpd_ssi_exec, false)
##
-##
-## Determine whether httpd can communicate
-## with the terminal. Needed for entering the
-## passphrase for certificates at the terminal.
-##
+##
+## Allow Apache to execute tmp content.
+##
+##
+gen_tunable(httpd_tmp_exec, false)
+
+##
+##
+## Unify HTTPD to communicate with the terminal.
+## Needed for entering the passphrase for certificates at
+## the terminal.
+##
##
gen_tunable(httpd_tty_comm, false)
##
-##
-## Determine whether httpd can have full access
-## to its content types.
-##
+##
+## Unify HTTPD handling of all content files.
+##
##
gen_tunable(httpd_unified, false)
##
-##
-## Determine whether httpd can use
-## cifs file systems.
-##
+##
+## Allow httpd to access openstack ports
+##
+##
+gen_tunable(httpd_use_openstack, false)
+
+##
+##
+## Allow httpd to access cifs file systems
+##
##
gen_tunable(httpd_use_cifs, false)
##
##
-## Determine whether httpd can
-## use fuse file systems.
+## Allow httpd to access FUSE file systems
##
##
gen_tunable(httpd_use_fusefs, false)
##
-##
-## Determine whether httpd can use gpg.
-##
+##
+## Allow httpd to run gpg
+##
##
gen_tunable(httpd_use_gpg, false)
##
-##
-## Determine whether httpd can use
-## nfs file systems.
-##
+##
+## Allow httpd to connect to sasl
+##
+##
+gen_tunable(httpd_use_sasl, false)
+
+##
+##
+## Allow httpd to access nfs file systems
+##
##
gen_tunable(httpd_use_nfs, false)
+##
+##
+## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
+##
+##
+gen_tunable(httpd_sys_script_anon_write, false)
+
attribute httpdcontent;
-attribute httpd_htaccess_type;
+attribute httpd_user_content_type;
+attribute httpd_content_type;
-# domains that can exec all scripts
+# domains that can exec all users scripts
attribute httpd_exec_scripts;
+attribute httpd_script_type;
attribute httpd_script_exec_type;
+attribute httpd_user_script_exec_type;
-# all script domains
+# user script domains
attribute httpd_script_domains;
-attribute_role httpd_helper_roles;
-roleattribute system_r httpd_helper_roles;
-
type httpd_t;
type httpd_exec_t;
+ifdef(`distro_redhat',`
+ typealias httpd_t alias phpfpm_t;
+ typealias httpd_exec_t alias phpfpm_exec_t;
+')
init_daemon_domain(httpd_t, httpd_exec_t)
+role system_r types httpd_t;
+# httpd_cache_t is the type given to the /var/cache/httpd
+# directory and the files under that directory
type httpd_cache_t;
files_type(httpd_cache_t)
+# httpd_config_t is the type given to the configuration files
type httpd_config_t;
files_config_file(httpd_config_t)
type httpd_helper_t;
type httpd_helper_exec_t;
-application_domain(httpd_helper_t, httpd_helper_exec_t)
-role httpd_helper_roles types httpd_helper_t;
+domain_type(httpd_helper_t)
+domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
+role system_r types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
@@ -286,15 +323,35 @@ init_script_file(httpd_initrc_exec_t)
type httpd_keytab_t;
files_type(httpd_keytab_t)
+type httpd_unit_file_t;
+ifdef(`distro_redhat',`
+ typealias httpd_unit_file_t alias phpfpm_unit_file_t;
+')
+systemd_unit_file(httpd_unit_file_t)
+
type httpd_lock_t;
files_lock_file(httpd_lock_t)
type httpd_log_t;
+ifdef(`distro_redhat',`
+ typealias httpd_log_t alias phpfpm_log_t;
+')
logging_log_file(httpd_log_t)
+# httpd_modules_t is the type given to module files (libraries)
+# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
files_type(httpd_modules_t)
+type httpd_php_t;
+type httpd_php_exec_t;
+domain_type(httpd_php_t)
+domain_entry_file(httpd_php_t, httpd_php_exec_t)
+role system_r types httpd_php_t;
+
+type httpd_php_tmp_t;
+files_tmp_file(httpd_php_tmp_t)
+
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
@@ -302,10 +359,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
-type squirrelmail_spool_t;
-files_tmp_file(squirrelmail_spool_t)
-
-type httpd_suexec_t;
+# SUEXEC runs user scripts as their own user ID
+type httpd_suexec_t; #, daemon;
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
@@ -314,9 +369,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
+# setup the system domain for system CGI scripts
apache_content_template(sys)
-corecmd_shell_entry_type(httpd_sys_script_t)
-typealias httpd_sys_content_t alias ntop_http_content_t;
+
+typeattribute httpd_sys_content_t httpdcontent; # customizable
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
@@ -326,12 +391,19 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
+
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_rw_content_t httpdcontent;
+typeattribute httpd_user_ra_content_t httpdcontent;
+
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
+typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
@@ -346,33 +418,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
+# for apache2 memory mapped files
type httpd_var_lib_t;
files_type(httpd_var_lib_t)
type httpd_var_run_t;
+ifdef(`distro_redhat',`
+ typealias httpd_var_run_t alias phpfpm_var_run_t;
+')
files_pid_file(httpd_var_run_t)
-type httpd_passwd_t;
-type httpd_passwd_exec_t;
-domain_type(httpd_passwd_t)
-domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t)
-role system_r types httpd_passwd_t;
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
-type httpd_gpg_t;
-domain_type(httpd_gpg_t)
-role system_r types httpd_gpg_t;
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t;
+files_tmp_file(squirrelmail_spool_t)
+files_spool_file(squirrelmail_spool_t)
optional_policy(`
prelink_object_file(httpd_modules_t)
')
+type httpd_passwd_t;
+type httpd_passwd_exec_t;
+application_domain(httpd_passwd_t, httpd_passwd_exec_t)
+role system_r types httpd_passwd_t;
+
########################################
#
-# Local policy
+# Apache server local policy
#
allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
-dontaudit httpd_t self:capability net_admin;
+dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
@@ -381,30 +460,38 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
-allow httpd_t self:unix_dgram_socket sendto;
-allow httpd_t self:unix_stream_socket { accept connectto listen };
-allow httpd_t self:tcp_socket { accept listen };
+allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow httpd_t self:tcp_socket create_stream_socket_perms;
+allow httpd_t self:udp_socket create_socket_perms;
+dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
+# Allow httpd_t to put files in /var/cache/httpd etc
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
-files_var_filetrans(httpd_t, httpd_cache_t, dir)
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
+# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+can_exec(httpd_t, httpd_exec_t)
+
allow httpd_t httpd_keytab_t:file read_file_perms;
allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t, httpd_lock_t, file)
-allow httpd_t httpd_log_t:dir setattr_dir_perms;
+allow httpd_t httpd_log_t:dir setattr;
create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+# cjp: need to refine create interfaces to
+# cut this back to add_name only
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
@@ -412,6 +499,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+apache_domtrans_rotatelogs(httpd_t)
+# Apache-httpd needs to be able to send signals to the log rotate procs.
allow httpd_t httpd_rotatelogs_t:process signal_perms;
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
@@ -420,6 +509,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
+allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -450,140 +543,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
-can_exec(httpd_t, httpd_exec_t)
-
-domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
-domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
-domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-
kernel_read_kernel_sysctls(httpd_t)
-kernel_read_network_state(httpd_t)
+# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
+kernel_read_network_state(httpd_t)
kernel_search_network_sysctl(httpd_t)
-corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_generic_if(httpd_t)
+corenet_udp_sendrecv_generic_if(httpd_t)
corenet_tcp_sendrecv_generic_node(httpd_t)
+corenet_udp_sendrecv_generic_node(httpd_t)
+corenet_tcp_sendrecv_all_ports(httpd_t)
+corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
-
-corenet_sendrecv_http_server_packets(httpd_t)
+corenet_udp_bind_generic_node(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
-corenet_tcp_sendrecv_http_port(httpd_t)
-
-corenet_sendrecv_http_cache_server_packets(httpd_t)
+corenet_udp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
-corenet_tcp_sendrecv_http_cache_port(httpd_t)
-
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+corenet_tcp_bind_ntop_port(httpd_t)
+corenet_tcp_bind_jboss_management_port(httpd_t)
+corenet_tcp_bind_jboss_messaging_port(httpd_t)
+corenet_sendrecv_http_server_packets(httpd_t)
+corenet_tcp_bind_puppet_port(httpd_t)
+# Signal self for shutdown
+tunable_policy(`httpd_graceful_shutdown',`
+ corenet_tcp_connect_http_port(httpd_t)
+')
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
dev_read_urand(httpd_t)
dev_rw_crypto(httpd_t)
-domain_use_interactive_fds(httpd_t)
-
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
-
-fs_getattr_all_fs(httpd_t)
-fs_read_anon_inodefs_files(httpd_t)
fs_read_iso9660_files(httpd_t)
-fs_search_auto_mountpoints(httpd_t)
+fs_rw_anon_inodefs_files(httpd_t)
+fs_read_hugetlbfs_files(httpd_t)
+
+auth_use_nsswitch(httpd_t)
+
+application_exec_all(httpd_t)
+
+# execute perl
+corecmd_exec_bin(httpd_t)
+corecmd_exec_shell(httpd_t)
+
+domain_use_interactive_fds(httpd_t)
+domain_dontaudit_read_all_domains_state(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
-files_read_usr_files(httpd_t)
+files_exec_usr_files(httpd_t)
files_list_mnt(httpd_t)
+files_read_mnt_symlinks(httpd_t)
files_search_spool(httpd_t)
files_read_var_symlinks(httpd_t)
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
+# for modules that want to access /etc/mtab
files_read_etc_runtime_files(httpd_t)
+# Allow httpd_t to have access to files such as nisswitch.conf
+# for tomcat
files_read_var_lib_symlinks(httpd_t)
-auth_use_nsswitch(httpd_t)
+fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
libs_read_lib_files(httpd_t)
+ifdef(`hide_broken_symptoms',`
+ libs_exec_lib_files(httpd_t)
+')
+
logging_send_syslog_msg(httpd_t)
-miscfiles_read_localization(httpd_t)
+init_dontaudit_read_utmp(httpd_t)
+
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
miscfiles_read_tetex_data(httpd_t)
-
-seutil_dontaudit_search_config(httpd_t)
+miscfiles_dontaudit_access_check_cert(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
-ifdef(`TODO',`
- tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
+tunable_policy(`httpd_setrlimit',`
+ allow httpd_t self:process setrlimit;
+ allow httpd_t self:capability sys_resource;
+')
- logging_send_audit_msgs(httpd_t)
- ')
+tunable_policy(`httpd_anon_write',`
+ miscfiles_manage_public_files(httpd_t)
')
-ifdef(`hide_broken_symptoms',`
- libs_exec_lib_files(httpd_t)
+#
+# We need optionals to be able to be within booleans to make this work
+#
+tunable_policy(`httpd_mod_auth_pam',`
+ auth_domtrans_chkpwd(httpd_t)
+ logging_send_audit_msgs(httpd_t)
')
-tunable_policy(`allow_httpd_anon_write',`
- miscfiles_manage_public_files(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
+ ')
')
tunable_policy(`httpd_can_network_connect',`
- corenet_sendrecv_all_client_packets(httpd_t)
corenet_tcp_connect_all_ports(httpd_t)
- corenet_tcp_sendrecv_all_ports(httpd_t)
')
tunable_policy(`httpd_can_network_connect_db',`
- corenet_sendrecv_gds_db_client_packets(httpd_t)
corenet_tcp_connect_gds_db_port(httpd_t)
- corenet_tcp_sendrecv_gds_db_port(httpd_t)
- corenet_sendrecv_mssql_client_packets(httpd_t)
corenet_tcp_connect_mssql_port(httpd_t)
- corenet_tcp_sendrecv_mssql_port(httpd_t)
- corenet_sendrecv_oracledb_client_packets(httpd_t)
- corenet_tcp_connect_oracledb_port(httpd_t)
- corenet_tcp_sendrecv_oracledb_port(httpd_t)
+ corenet_sendrecv_mssql_client_packets(httpd_t)
+ corenet_tcp_connect_oracle_port(httpd_t)
+ corenet_sendrecv_oracle_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_memcache',`
+ corenet_tcp_connect_memcache_port(httpd_t)
')
tunable_policy(`httpd_can_network_relay',`
- corenet_sendrecv_gopher_client_packets(httpd_t)
+ # allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
- corenet_tcp_sendrecv_gopher_port(httpd_t)
- corenet_sendrecv_ftp_client_packets(httpd_t)
corenet_tcp_connect_ftp_port(httpd_t)
- corenet_tcp_sendrecv_ftp_port(httpd_t)
- corenet_sendrecv_http_client_packets(httpd_t)
corenet_tcp_connect_http_port(httpd_t)
- corenet_tcp_sendrecv_http_port(httpd_t)
- corenet_sendrecv_http_cache_client_packets(httpd_t)
corenet_tcp_connect_http_cache_port(httpd_t)
- corenet_tcp_sendrecv_http_cache_port(httpd_t)
- corenet_sendrecv_squid_client_packets(httpd_t)
corenet_tcp_connect_squid_port(httpd_t)
- corenet_tcp_sendrecv_squid_port(httpd_t)
+ corenet_tcp_connect_memcache_port(httpd_t)
+ corenet_sendrecv_gopher_client_packets(httpd_t)
+ corenet_sendrecv_ftp_client_packets(httpd_t)
+ corenet_sendrecv_http_client_packets(httpd_t)
+ corenet_sendrecv_http_cache_client_packets(httpd_t)
+ corenet_sendrecv_squid_client_packets(httpd_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
')
-tunable_policy(`httpd_builtin_scripting',`
- exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
+tunable_policy(`httpd_execmem',`
+ allow httpd_t self:process { execmem execstack };
+ allow httpd_sys_script_t self:process { execmem execstack };
+ allow httpd_suexec_t self:process { execmem execstack };
+')
- allow httpd_t httpdcontent:dir list_dir_perms;
- allow httpd_t httpdcontent:file read_file_perms;
- allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
')
-tunable_policy(`httpd_enable_cgi',`
- allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
- allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+tunable_policy(`httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -594,28 +714,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
-# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
-# fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
-# ')
+tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
+ fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
+')
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
- manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
- manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
+')
+
+tunable_policy(`httpd_can_connect_ftp',`
+ corenet_tcp_connect_ftp_port(httpd_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_ldap',`
+ corenet_tcp_connect_ldap_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_mythtv',`
+ corenet_tcp_connect_mythtv_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_zabbix',`
+ corenet_tcp_connect_zabbix_port(httpd_t)
')
tunable_policy(`httpd_enable_ftp_server',`
- corenet_sendrecv_ftp_server_packets(httpd_t)
corenet_tcp_bind_ftp_port(httpd_t)
- corenet_tcp_sendrecv_ftp_port(httpd_t)
+ corenet_tcp_bind_all_ephemeral_ports(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_t)
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+ can_exec(httpd_t, httpd_tmp_t)
+')
+
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
+ can_exec(httpd_sys_script_t, httpd_tmp_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -624,68 +766,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+tunable_policy(`httpd_use_nfs',`
fs_list_auto_mountpoints(httpd_t)
- fs_read_cifs_files(httpd_t)
- fs_read_cifs_symlinks(httpd_t)
+ fs_manage_nfs_dirs(httpd_t)
+ fs_manage_nfs_files(httpd_t)
+ fs_manage_nfs_symlinks(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
+
+tunable_policy(`httpd_use_nfs',`
+ automount_search_tmp_dirs(httpd_t)
')
-tunable_policy(`httpd_execmem',`
- allow httpd_t self:process { execmem execstack };
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_t)
+ fs_read_cifs_symlinks(httpd_t)
')
tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_t)
+ # allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
- corenet_tcp_sendrecv_smtp_port(httpd_t)
- corenet_sendrecv_pop_client_packets(httpd_t)
+ corenet_sendrecv_smtp_client_packets(httpd_t)
corenet_tcp_connect_pop_port(httpd_t)
- corenet_tcp_sendrecv_pop_port(httpd_t)
-
+ corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
mta_signal_system_mail(httpd_t)
+ postfix_rw_spool_maildrop_files(httpd_t)
')
-optional_policy(`
- tunable_policy(`httpd_can_network_connect_zabbix',`
- zabbix_tcp_connect(httpd_t)
- ')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
')
-optional_policy(`
- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
- spamassassin_domtrans_client(httpd_t)
- ')
-')
-
-tunable_policy(`httpd_graceful_shutdown',`
- corenet_sendrecv_http_client_packets(httpd_t)
- corenet_tcp_connect_http_port(httpd_t)
- corenet_tcp_sendrecv_http_port(httpd_t)
-')
-
-optional_policy(`
- tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
- gpg_spec_domtrans(httpd_t, httpd_gpg_t)
- ')
-')
-
-optional_policy(`
- tunable_policy(`httpd_mod_auth_ntlm_winbind',`
- samba_domtrans_winbind_helper(httpd_t)
- ')
-')
-
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_use_fusefs',`
+ fs_manage_fusefs_dirs(httpd_t)
+ fs_manage_fusefs_files(httpd_t)
+ fs_manage_fusefs_symlinks(httpd_t)
')
tunable_policy(`httpd_setrlimit',`
@@ -695,49 +813,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
+ allow httpd_sys_script_t httpd_t:fd use;
+ allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+ allow httpd_sys_script_t httpd_t:process sigchld;
')
-tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
- can_exec(httpd_t, httpd_tmp_t)
-')
-
+# When the admin starts the server, the server wants to access
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
')
-tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_cifs_dirs(httpd_t)
- fs_manage_cifs_files(httpd_t)
- fs_manage_cifs_symlinks(httpd_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
-')
+optional_policy(`
+ cobbler_list_config(httpd_t)
+ cobbler_read_config(httpd_t)
-tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_fusefs_dirs(httpd_t)
- fs_manage_fusefs_files(httpd_t)
- fs_read_fusefs_symlinks(httpd_t)
-')
+ tunable_policy(`httpd_serve_cobbler_files',`
+ cobbler_manage_lib_files(httpd_t)
+',`
+ cobbler_read_lib_files(httpd_t)
+ cobbler_search_lib(httpd_t)
+ ')
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
- fs_exec_fusefs_files(httpd_t)
+ tunable_policy(`httpd_can_network_connect_cobbler',`
+ corenet_tcp_connect_cobbler_port(httpd_t)
+ ')
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_nfs_dirs(httpd_t)
- fs_manage_nfs_files(httpd_t)
- fs_manage_nfs_symlinks(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_sasl',`
+ sasl_connect(httpd_t)
+ ')
')
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_t)
+optional_policy(`
+ # Support for ABRT retrace server
+ # mod_wsgi
+ abrt_manage_spool_retrace(httpd_t)
+ abrt_domtrans_retrace_worker(httpd_t)
+ abrt_read_config(httpd_t)
')
optional_policy(`
@@ -748,14 +865,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
-optional_policy(`
- clamav_domtrans_clamscan(httpd_t)
-')
-
-optional_policy(`
- cobbler_read_config(httpd_t)
- cobbler_read_lib_files(httpd_t)
-')
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
@@ -770,6 +879,23 @@ optional_policy(`
')
optional_policy(`
+ #needed by FreeIPA
+ dirsrv_stream_connect(httpd_t)
+')
+
+optional_policy(`
+ dirsrv_manage_config(httpd_t)
+ dirsrv_manage_log(httpd_t)
+ dirsrv_manage_var_run(httpd_t)
+ dirsrv_read_share(httpd_t)
+ dirsrv_signal(httpd_t)
+ dirsrv_signull(httpd_t)
+ dirsrvadmin_manage_config(httpd_t)
+ dirsrvadmin_manage_tmp(httpd_t)
+ dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
+')
+
+ optional_policy(`
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
@@ -786,35 +912,48 @@ optional_policy(`
')
optional_policy(`
- kerberos_manage_host_rcache(httpd_t)
- kerberos_read_keytab(httpd_t)
- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
- kerberos_use(httpd_t)
+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+ gpg_domtrans_web(httpd_t)
+ ')
')
optional_policy(`
- ldap_stream_connect(httpd_t)
+ gssproxy_stream_connect(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_ldap',`
- ldap_tcp_connect(httpd_t)
- ')
+optional_policy(`
+ jetty_admin(httpd_t)
+')
+
+optional_policy(`
+ kerberos_manage_host_rcache(httpd_t)
+ kerberos_read_keytab(httpd_t)
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
+ kerberos_use(httpd_t)
+')
+
+optional_policy(`
+ # needed by FreeIPA
+ ldap_stream_connect(httpd_t)
')
optional_policy(`
mailman_signal_cgi(httpd_t)
mailman_domtrans_cgi(httpd_t)
mailman_read_data_files(httpd_t)
+ # should have separate types for public and private archives
mailman_search_data(httpd_t)
mailman_read_archive(httpd_t)
')
optional_policy(`
- memcached_stream_connect(httpd_t)
+ mediawiki_read_tmp_files(httpd_t)
+ mediawiki_delete_tmp_files(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_memcache',`
- memcached_tcp_connect(httpd_t)
- ')
+optional_policy(`
+ memcached_stream_connect(httpd_t)
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
@@ -822,8 +961,18 @@ optional_policy(`
')
optional_policy(`
+ munin_read_config(httpd_t)
+')
+
+optional_policy(`
+ # Allow httpd to work with mysql
mysql_read_config(httpd_t)
mysql_stream_connect(httpd_t)
+ mysql_rw_db_sockets(httpd_t)
+
+ optional_policy(`
+ postgresql_stream_connect(httpd_t)
+ ')
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
@@ -832,6 +981,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
+ nagios_read_log(httpd_t)
')
optional_policy(`
@@ -842,20 +992,39 @@ optional_policy(`
')
optional_policy(`
+ openshift_search_lib(httpd_t)
+ openshift_initrc_signull(httpd_t)
+ openshift_initrc_signal(httpd_t)
+')
+
+optional_policy(`
+ passenger_exec(httpd_t)
+ passenger_manage_pid_content(httpd_t)
+')
+
+optional_policy(`
pcscd_read_pid_files(httpd_t)
')
optional_policy(`
- postgresql_stream_connect(httpd_t)
- postgresql_unpriv_client(httpd_t)
+ pki_apache_domain_signal(httpd_t)
+ pki_manage_apache_config_files(httpd_t)
+ pki_manage_apache_lib(httpd_t)
+ pki_manage_apache_log_files(httpd_t)
+ pki_manage_apache_run(httpd_t)
+ pki_read_tomcat_cert(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_t)
- ')
+optional_policy(`
+ puppet_read_lib(httpd_t)
')
optional_policy(`
- puppet_read_lib_files(httpd_t)
+ pwauth_domtrans(httpd_t)
+')
+
+optional_policy(`
+ rpm_dontaudit_read_db(httpd_t)
')
optional_policy(`
@@ -863,19 +1032,35 @@ optional_policy(`
')
optional_policy(`
+ # Allow httpd to work with postgresql
+ postgresql_stream_connect(httpd_t)
+ postgresql_unpriv_client(httpd_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_t)
+ ')
+')
+
+optional_policy(`
seutil_sigchld_newrole(httpd_t)
')
optional_policy(`
smokeping_read_lib_files(httpd_t)
+ smokeping_read_pid_files(httpd_t)
')
optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
optional_policy(`
+ thin_stream_connect(httpd_t)
+')
+
+optional_policy(`
udev_read_db(httpd_t)
')
@@ -883,65 +1068,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
+optional_policy(`
+ zarafa_manage_lib_files(httpd_t)
+ zarafa_stream_connect_server(httpd_t)
+ zarafa_search_config(httpd_t)
+')
+
+optional_policy(`
+ zoneminder_append_log(httpd_t)
+ zoneminder_manage_lib_dirs(httpd_t)
+ zoneminder_manage_lib_files(httpd_t)
+ zoneminder_stream_connect(httpd_t)
+ zoneminder_exec(httpd_t)
+')
+
########################################
#
-# Helper local policy
+# Apache helper local policy
#
-read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
+domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
+allow httpd_helper_t httpd_config_t:file read_file_perms;
-files_search_etc(httpd_helper_t)
+allow httpd_helper_t httpd_log_t:file append_file_perms;
-logging_search_logs(httpd_helper_t)
logging_send_syslog_msg(httpd_helper_t)
+tunable_policy(`httpd_verify_dns',`
+ corenet_udp_bind_all_ephemeral_ports(httpd_t)
+')
+
+tunable_policy(`httpd_run_stickshift', `
+ allow httpd_t self:capability { fowner fsetid sys_resource };
+ dontaudit httpd_t self:capability sys_ptrace;
+ allow httpd_t self:process setexec;
+
+ files_dontaudit_getattr_all_files(httpd_t)
+ domain_getpgid_all_domains(httpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`httpd_run_stickshift', `
+ passenger_manage_lib_files(httpd_t)
+ passenger_getattr_log_files(httpd_t)
+ ',`
+ passenger_domtrans(httpd_t)
+ passenger_read_lib_files(httpd_t)
+ passenger_stream_connect(httpd_t)
+ passenger_manage_tmp_files(httpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`httpd_run_stickshift', `
+ oddjob_dbus_chat(httpd_t)
+ ')
+')
+
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_helper_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
')
########################################
#
-# Suexec local policy
+# Apache PHP script local policy
+#
+
+allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_php_t self:fd use;
+allow httpd_php_t self:fifo_file rw_fifo_file_perms;
+allow httpd_php_t self:sock_file read_sock_file_perms;
+allow httpd_php_t self:unix_dgram_socket create_socket_perms;
+allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_php_t self:unix_dgram_socket sendto;
+allow httpd_php_t self:unix_stream_socket connectto;
+allow httpd_php_t self:shm create_shm_perms;
+allow httpd_php_t self:sem create_sem_perms;
+allow httpd_php_t self:msgq create_msgq_perms;
+allow httpd_php_t self:msg { send receive };
+
+domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
+
+# allow php to read and append to apache logfiles
+allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
+
+manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
+
+fs_search_auto_mountpoints(httpd_php_t)
+
+auth_use_nsswitch(httpd_php_t)
+
+libs_exec_lib_files(httpd_php_t)
+
+userdom_use_unpriv_users_fds(httpd_php_t)
+
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_gds_db_port(httpd_php_t)
+ corenet_tcp_connect_mssql_port(httpd_php_t)
+ corenet_sendrecv_mssql_client_packets(httpd_php_t)
+ corenet_tcp_connect_oracle_port(httpd_php_t)
+ corenet_sendrecv_oracle_client_packets(httpd_php_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(httpd_php_t)
+ mysql_rw_db_sockets(httpd_php_t)
+ mysql_read_config(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_php_t)
+ ')
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_php_t)
+ postgresql_unpriv_client(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
+')
+
+########################################
+#
+# Apache suexec local policy
#
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
-allow httpd_suexec_t self:tcp_socket { accept listen };
-allow httpd_suexec_t self:unix_stream_socket { accept listen };
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-corenet_all_recvfrom_unlabeled(httpd_suexec_t)
-corenet_all_recvfrom_netlabel(httpd_suexec_t)
-corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
-corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
-
dev_read_urand(httpd_suexec_t)
fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
-files_read_usr_files(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
+
+# for shell scripts
+corecmd_exec_bin(httpd_suexec_t)
+corecmd_exec_shell(httpd_suexec_t)
+
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
@@ -950,123 +1243,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
-miscfiles_read_localization(httpd_suexec_t)
miscfiles_read_public_files(httpd_suexec_t)
-tunable_policy(`httpd_builtin_scripting',`
- exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type)
-
- allow httpd_suexec_t httpdcontent:dir list_dir_perms;
- allow httpd_suexec_t httpdcontent:file read_file_perms;
- allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms;
-')
+corenet_all_recvfrom_netlabel(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect',`
+ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_suexec_t self:udp_socket create_socket_perms;
+
+ corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
+ corenet_udp_sendrecv_generic_if(httpd_suexec_t)
+ corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
+ corenet_udp_sendrecv_generic_node(httpd_suexec_t)
+ corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
+ corenet_udp_sendrecv_all_ports(httpd_suexec_t)
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
- corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
')
tunable_policy(`httpd_can_network_connect_db',`
- corenet_sendrecv_gds_db_client_packets(httpd_suexec_t)
corenet_tcp_connect_gds_db_port(httpd_suexec_t)
- corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t)
- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
corenet_tcp_connect_mssql_port(httpd_suexec_t)
- corenet_tcp_sendrecv_mssql_port(httpd_suexec_t)
- corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
- corenet_tcp_connect_oracledb_port(httpd_suexec_t)
- corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t)
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_oracle_port(httpd_suexec_t)
+ corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
')
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
+
tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_suexec_t)
- corenet_tcp_connect_smtp_port(httpd_suexec_t)
- corenet_tcp_sendrecv_smtp_port(httpd_suexec_t)
- corenet_sendrecv_pop_client_packets(httpd_suexec_t)
- corenet_tcp_connect_pop_port(httpd_suexec_t)
- corenet_tcp_sendrecv_pop_port(httpd_suexec_t)
mta_send_mail(httpd_suexec_t)
- mta_signal_system_mail(httpd_suexec_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- fs_read_cifs_files(httpd_suexec_t)
- fs_read_cifs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_suexec_t)
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_list_auto_mountpoints(httpd_suexec_t)
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_suexec_t)
')
-tunable_policy(`httpd_execmem',`
- allow httpd_suexec_t self:process { execmem execstack };
-')
-
-tunable_policy(`httpd_tmp_exec',`
- can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
-')
-
-tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_suexec_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_cifs_dirs(httpd_suexec_t)
- fs_manage_cifs_files(httpd_suexec_t)
- fs_manage_cifs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_suexec_t)
+ fs_read_cifs_symlinks(httpd_suexec_t)
fs_exec_cifs_files(httpd_suexec_t)
')
-tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_fusefs_dirs(httpd_suexec_t)
- fs_manage_fusefs_files(httpd_suexec_t)
- fs_read_fusefs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
- fs_exec_fusefs_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_nfs_dirs(httpd_suexec_t)
- fs_manage_nfs_files(httpd_suexec_t)
- fs_manage_nfs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_suexec_t)
+optional_policy(`
+ mailman_domtrans_cgi(httpd_suexec_t)
')
optional_policy(`
- mailman_domtrans_cgi(httpd_suexec_t)
+ mta_stub(httpd_suexec_t)
+
+ # apache should set close-on-exec
+ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
optional_policy(`
mysql_stream_connect(httpd_suexec_t)
+ mysql_rw_db_sockets(httpd_suexec_t)
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -1083,172 +1327,106 @@ optional_policy(`
')
')
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_suexec_t)
-')
-
########################################
#
-# Common script local policy
+# Apache system script local policy
#
-allow httpd_script_domains self:fifo_file rw_file_perms;
-allow httpd_script_domains self:unix_stream_socket connectto;
-
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
+allow httpd_sys_script_t self:process getsched;
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
-corenet_all_recvfrom_unlabeled(httpd_script_domains)
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-corecmd_exec_all_executables(httpd_script_domains)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
-dev_read_rand(httpd_script_domains)
-dev_read_urand(httpd_script_domains)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-files_exec_etc_files(httpd_script_domains)
-files_read_etc_files(httpd_script_domains)
-files_search_home(httpd_script_domains)
+allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
+read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
+read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-libs_exec_ld_so(httpd_script_domains)
-libs_exec_lib_files(httpd_script_domains)
+kernel_read_kernel_sysctls(httpd_sys_script_t)
-logging_search_logs(httpd_script_domains)
+dev_list_sysfs(httpd_sys_script_t)
-miscfiles_read_fonts(httpd_script_domains)
-miscfiles_read_public_files(httpd_script_domains)
+files_read_var_symlinks(httpd_sys_script_t)
+files_search_var_lib(httpd_sys_script_t)
+files_search_spool(httpd_sys_script_t)
-seutil_dontaudit_search_config(httpd_script_domains)
+logging_inherit_append_all_logs(httpd_sys_script_t)
-tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_script_domains httpdcontent:file entrypoint;
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_sys_script_t)
- manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent)
- manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
- manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
+auth_use_nsswitch(httpd_sys_script_t)
- can_exec(httpd_script_domains, httpdcontent)
+ifdef(`distro_redhat',`
+ allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-tunable_policy(`httpd_enable_cgi',`
- allow httpd_script_domains self:process { setsched signal_perms };
- allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms;
-
- kernel_read_system_state(httpd_script_domains)
-
- fs_getattr_all_fs(httpd_script_domains)
-
- files_read_etc_runtime_files(httpd_script_domains)
- files_read_usr_files(httpd_script_domains)
-
- libs_read_lib_files(httpd_script_domains)
-
- miscfiles_read_localization(httpd_script_domains)
+tunable_policy(`httpd_can_sendmail',`
+ mta_send_mail(httpd_sys_script_t)
')
optional_policy(`
- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
- nis_use_ypbind_uncond(httpd_script_domains)
+ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+ spamassassin_domtrans_client(httpd_t)
')
')
-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- corenet_sendrecv_gds_db_client_packets(httpd_script_domains)
- corenet_tcp_connect_gds_db_port(httpd_script_domains)
- corenet_tcp_sendrecv_gds_db_port(httpd_script_domains)
- corenet_sendrecv_mssql_client_packets(httpd_script_domains)
- corenet_tcp_connect_mssql_port(httpd_script_domains)
- corenet_tcp_sendrecv_mssql_port(httpd_script_domains)
- corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
- corenet_tcp_connect_oracledb_port(httpd_script_domains)
- corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
-')
-
-optional_policy(`
- mysql_read_config(httpd_script_domains)
- mysql_stream_connect(httpd_script_domains)
-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- mysql_tcp_connect(httpd_script_domains)
- ')
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_oracle_port(httpd_sys_script_t)
+ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
')
-optional_policy(`
- postgresql_stream_connect(httpd_script_domains)
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+fs_rw_anon_inodefs_files(httpd_sys_script_t)
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_script_domains)
- ')
-')
+tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_manage_nfs_dirs(httpd_sys_script_t)
+ fs_manage_nfs_files(httpd_sys_script_t)
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
+ fs_exec_nfs_files(httpd_sys_script_t)
-optional_policy(`
- nscd_use(httpd_script_domains)
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_manage_nfs_dirs(httpd_suexec_t)
+ fs_manage_nfs_files(httpd_suexec_t)
+ fs_manage_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
')
-########################################
-#
-# System script local policy
-#
-
-allow httpd_sys_script_t self:tcp_socket { accept listen };
-
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
-
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-
-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
-
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
-
-apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-auth_use_nsswitch(httpd_sys_script_t)
-
-tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_smtp_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+ corenet_tcp_bind_generic_node(httpd_sys_script_t)
+ corenet_udp_bind_generic_node(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_homedirs',`
userdom_search_user_home_dirs(httpd_sys_script_t)
')
-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
- corenet_tcp_connect_all_ports(httpd_sys_script_t)
- corenet_sendrecv_all_client_packets(httpd_sys_script_t)
- corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_execmem',`
- allow httpd_sys_script_t self:process { execmem execstack };
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
')
tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1434,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
fs_manage_cifs_dirs(httpd_sys_script_t)
fs_manage_cifs_files(httpd_sys_script_t)
fs_manage_cifs_symlinks(httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_sys_script_t)
+ fs_manage_cifs_dirs(httpd_suexec_t)
+ fs_manage_cifs_files(httpd_suexec_t)
+ fs_manage_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
')
tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
fs_manage_fusefs_dirs(httpd_sys_script_t)
fs_manage_fusefs_files(httpd_sys_script_t)
- fs_read_fusefs_symlinks(httpd_sys_script_t)
+ fs_manage_fusefs_symlinks(httpd_sys_script_t)
+ fs_manage_fusefs_dirs(httpd_suexec_t)
+ fs_manage_fusefs_files(httpd_suexec_t)
+ fs_manage_fusefs_symlinks(httpd_suexec_t)
+ fs_exec_fusefs_files(httpd_suexec_t)
')
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
- fs_exec_fusefs_files(httpd_sys_script_t)
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
- fs_manage_nfs_dirs(httpd_sys_script_t)
- fs_manage_nfs_files(httpd_sys_script_t)
- fs_manage_nfs_symlinks(httpd_sys_script_t)
+optional_policy(`
+ clamav_domtrans_clamscan(httpd_sys_script_t)
+ clamav_domtrans_clamscan(httpd_t)
')
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_sys_script_t)
+optional_policy(`
+ mysql_stream_connect(httpd_sys_script_t)
+ mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_sys_script_t)
+ ')
')
optional_policy(`
- clamav_domtrans_clamscan(httpd_sys_script_t)
+ postgresql_stream_connect(httpd_sys_script_t)
+ postgresql_unpriv_client(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_sys_script_t)
+ ')
')
optional_policy(`
- postgresql_unpriv_client(httpd_sys_script_t)
+ snmp_read_snmp_var_lib_files(httpd_sys_script_t)
')
########################################
#
-# Rotatelogs local policy
+# httpd_rotatelogs local policy
#
allow httpd_rotatelogs_t self:capability dac_override;
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
+kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
-files_read_etc_files(httpd_rotatelogs_t)
logging_search_logs(httpd_rotatelogs_t)
-miscfiles_read_localization(httpd_rotatelogs_t)
########################################
#
@@ -1321,8 +1509,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
- apache_content_template(unconfined)
+ type httpd_unconfined_script_t;
+ type httpd_unconfined_script_exec_t;
+ domain_type(httpd_unconfined_script_t)
+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
unconfined_domain(httpd_unconfined_script_t)
+
+ role system_r types httpd_unconfined_script_t;
+ allow httpd_t httpd_unconfined_script_t:process signal_perms;
')
########################################
@@ -1330,49 +1525,38 @@ optional_policy(`
# User content local policy
#
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_user_script_t)
-')
+auth_use_nsswitch(httpd_user_script_t)
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_cifs_files(httpd_user_script_t)
- fs_read_cifs_symlinks(httpd_user_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_user_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_nfs_files(httpd_user_script_t)
- fs_read_nfs_symlinks(httpd_user_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_user_script_t httpdcontent:file entrypoint;
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
')
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_user_script_t)
+# allow accessing files/dirs below the users home dir
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
')
tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
userdom_read_user_home_content_files(httpd_user_script_t)
')
-optional_policy(`
- postgresql_unpriv_client(httpd_user_script_t)
-')
-
########################################
#
-# Passwd local policy
+# httpd_passwd local policy
#
allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
-dontaudit httpd_passwd_t httpd_config_t:file read_file_perms;
-
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
@@ -1382,38 +1566,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
+
auth_use_nsswitch(httpd_passwd_t)
-miscfiles_read_generic_certs(httpd_passwd_t)
-miscfiles_read_localization(httpd_passwd_t)
+miscfiles_read_certs(httpd_passwd_t)
-########################################
-#
-# GPG local policy
-#
+systemd_manage_passwd_run(httpd_passwd_t)
+systemd_manage_passwd_run(httpd_t)
+#systemd_passwd_agent_dev_template(httpd)
-allow httpd_gpg_t self:process setrlimit;
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
+
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
+corecmd_shell_entry_type(httpd_script_type)
+
+allow httpd_script_type self:fifo_file rw_file_perms;
+allow httpd_script_type self:unix_stream_socket connectto;
+
+allow httpd_script_type httpd_t:fifo_file write;
+# apache should set close-on-exec
+apache_dontaudit_leaks(httpd_script_type)
+
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
+logging_search_logs(httpd_script_type)
+
+kernel_dontaudit_search_sysctl(httpd_script_type)
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
+
+dev_read_rand(httpd_script_type)
+dev_read_urand(httpd_script_type)
+
+corecmd_exec_all_executables(httpd_script_type)
+application_exec_all(httpd_script_type)
+
+files_exec_etc_files(httpd_script_type)
+files_search_home(httpd_script_type)
+
+libs_exec_ld_so(httpd_script_type)
+libs_exec_lib_files(httpd_script_type)
+
+miscfiles_read_fonts(httpd_script_type)
+miscfiles_read_public_files(httpd_script_type)
+
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
-allow httpd_gpg_t httpd_t:fd use;
-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
-allow httpd_gpg_t httpd_t:process sigchld;
+allow httpd_t httpd_script_exec_type:file read_file_perms;
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
+allow httpd_t httpd_script_type:process { signal sigkill sigstop };
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
-dev_read_rand(httpd_gpg_t)
-dev_read_urand(httpd_gpg_t)
+allow httpd_script_type self:process { setsched signal_perms };
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
-files_read_usr_files(httpd_gpg_t)
+allow httpd_script_type httpd_t:fd use;
+allow httpd_script_type httpd_t:process sigchld;
-miscfiles_read_localization(httpd_gpg_t)
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
-tunable_policy(`httpd_gpg_anon_write',`
- miscfiles_manage_public_files(httpd_gpg_t)
+fs_getattr_xattr_fs(httpd_script_type)
+
+files_read_etc_runtime_files(httpd_script_type)
+
+libs_read_lib_files(httpd_script_type)
+
+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
+
+tunable_policy(`httpd_enable_cgi && nis_enabled',`
+ nis_use_ypbind_uncond(httpd_script_type)
')
optional_policy(`
- apache_manage_sys_rw_content(httpd_gpg_t)
+ nscd_socket_use(httpd_script_type)
')
-optional_policy(`
- gpg_entry_type(httpd_gpg_t)
- gpg_exec(httpd_gpg_t)
+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+
+tunable_policy(`httpd_builtin_scripting',`
+ allow httpd_t httpd_content_type:dir search_dir_perms;
+ allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
+
+ allow httpd_t httpd_content_type:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+')
+
+tunable_policy(`httpd_use_openstack',`
+ corenet_tcp_connect_keystone_port(httpd_sys_script_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+ corenet_tcp_connect_glance_port(httpd_sys_script_t)
+ corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_openstack',`
+ corenet_tcp_connect_osapi_compute_port(httpd_t)
')
diff --git a/apcupsd.fc b/apcupsd.fc
index 5ec0e13..1c37fe1 100644
--- a/apcupsd.fc
+++ b/apcupsd.fc
@@ -1,10 +1,13 @@
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
+
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
+/var/lock/LCK.. -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
diff --git a/apcupsd.if b/apcupsd.if
index f3c0aba..b6afc90 100644
--- a/apcupsd.if
+++ b/apcupsd.if
@@ -125,6 +125,49 @@ interface(`apcupsd_cgi_script_domtrans',`
########################################
##
+## Execute apcupsd server in the apcupsd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apcupsd_systemctl',`
+ gen_require(`
+ type apcupsd_t;
+ type apcupsd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 apcupsd_unit_file_t:file read_file_perms;
+ allow $1 apcupsd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, apcupsd_t)
+')
+
+########################################
+##
+## Create configuration files in /var/lock
+## with a named file type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apcupsd_filetrans_named_content',`
+ gen_require(`
+ type apcupsd_lock_t;
+ ')
+
+ files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd")
+ files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")
+')
+
+########################################
+##
## All of the rules required to
## administrate an apcupsd environment.
##
@@ -144,11 +187,16 @@ interface(`apcupsd_admin',`
gen_require(`
type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
+ type apcupsd_unit_file_t;
')
- allow $1 apcupsd_t:process { ptrace signal_perms };
+ allow $1 apcupsd_t:process signal_perms;
ps_process_pattern($1, apcupsd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 apcupsd_t:process ptrace;
+ ')
+
apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 apcupsd_initrc_exec_t system_r;
@@ -165,4 +213,8 @@ interface(`apcupsd_admin',`
files_list_pids($1)
admin_pattern($1, apcupsd_var_run_t)
+
+ apcupsd_systemctl($1)
+ admin_pattern($1, apcupsd_unit_file_t)
+ allow $1 apcupsd_unit_file_t:service all_service_perms;
')
diff --git a/apcupsd.te b/apcupsd.te
index 080bc4d..b4c43c7 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
type apcupsd_var_run_t;
files_pid_file(apcupsd_var_run_t)
+type apcupsd_unit_file_t;
+systemd_unit_file(apcupsd_unit_file_t)
+
########################################
#
# Local policy
@@ -38,9 +41,7 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
-append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
@@ -54,7 +55,6 @@ kernel_read_system_state(apcupsd_t)
corecmd_exec_bin(apcupsd_t)
corecmd_exec_shell(apcupsd_t)
-corenet_all_recvfrom_unlabeled(apcupsd_t)
corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_generic_node(apcupsd_t)
@@ -67,6 +67,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t)
+corenet_udp_bind_apc_port(apcupsd_t)
+corenet_udp_bind_snmp_port(apcupsd_t)
corenet_udp_bind_snmp_port(apcupsd_t)
corenet_sendrecv_snmp_server_packets(apcupsd_t)
@@ -74,19 +76,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
dev_rw_generic_usb_dev(apcupsd_t)
-files_read_etc_files(apcupsd_t)
files_manage_etc_runtime_files(apcupsd_t)
files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
term_use_unallocated_ttys(apcupsd_t)
+term_use_usb_ttys(apcupsd_t)
-logging_send_syslog_msg(apcupsd_t)
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
-miscfiles_read_localization(apcupsd_t)
+auth_use_nsswitch(apcupsd_t)
+
+logging_send_syslog_msg(apcupsd_t)
sysnet_dns_name_resolve(apcupsd_t)
-userdom_use_user_ttys(apcupsd_t)
+systemd_start_power_services(apcupsd_t)
+
+userdom_use_inherited_user_ttys(apcupsd_t)
optional_policy(`
hostname_exec(apcupsd_t)
@@ -112,7 +120,6 @@ optional_policy(`
allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
- corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
diff --git a/apm.fc b/apm.fc
index ce27d2f..d20377e 100644
--- a/apm.fc
+++ b/apm.fc
@@ -1,3 +1,4 @@
+/usr/lib/systemd/system/apmd.* -- gen_context(system_u:object_r:apmd_unit_file_t,s0)
/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
diff --git a/apm.if b/apm.if
index 1a7a97e..1d29dce 100644
--- a/apm.if
+++ b/apm.if
@@ -141,6 +141,29 @@ interface(`apm_stream_connect',`
########################################
##
+## Execute apmd server in the apmd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apmd_systemctl',`
+ gen_require(`
+ type apmd_t;
+ type apmd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 apmd_unit_file_t:file read_file_perms;
+ allow $1 apmd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, apmd_t)
+')
+
+########################################
+##
## All of the rules required to
## administrate an apm environment.
##
@@ -163,9 +186,13 @@ interface(`apm_admin',`
type apmd_tmp_t;
')
- allow $1 apmd_t:process { ptrace signal_perms };
+ allow $1 apmd_t:process { signal_perms };
ps_process_pattern($1, apmd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 apmd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, apmd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 apmd_initrc_exec_t system_r;
diff --git a/apm.te b/apm.te
index 7fd431b..e05b2d4 100644
--- a/apm.te
+++ b/apm.te
@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
type apmd_var_run_t;
files_pid_file(apmd_var_run_t)
+type apmd_unit_file_t;
+systemd_unit_file(apmd_unit_file_t)
+
########################################
#
# Client local policy
@@ -48,7 +51,7 @@ dev_rw_apm_bios(apm_t)
fs_getattr_xattr_fs(apm_t)
-term_use_all_terms(apm_t)
+term_use_all_inherited_terms(apm_t)
domain_use_interactive_fds(apm_t)
@@ -60,7 +63,7 @@ logging_send_syslog_msg(apm_t)
#
allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:netlink_socket create_socket_perms;
@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t)
kernel_rw_all_sysctls(apmd_t)
kernel_read_system_state(apmd_t)
kernel_write_proc_files(apmd_t)
+kernel_request_load_module(apmd_t)
dev_read_input(apmd_t)
dev_read_mouse(apmd_t)
@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
fs_dontaudit_getattr_all_symlinks(apmd_t)
fs_dontaudit_getattr_all_pipes(apmd_t)
fs_dontaudit_getattr_all_sockets(apmd_t)
-
-selinux_search_fs(apmd_t)
+fs_read_cgroup_files(apmd_t)
corecmd_exec_all_executables(apmd_t)
@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
auth_use_nsswitch(apmd_t)
init_domtrans_script(apmd_t)
+init_read_utmp(apmd_t)
+init_telinit(apmd_t)
libs_exec_ld_so(apmd_t)
libs_exec_lib_files(apmd_t)
@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t)
logging_send_audit_msgs(apmd_t)
logging_send_syslog_msg(apmd_t)
-miscfiles_read_localization(apmd_t)
miscfiles_read_hwdata(apmd_t)
modutils_domtrans_insmod(apmd_t)
modutils_read_module_config(apmd_t)
-seutil_dontaudit_read_config(apmd_t)
+seutil_sigchld_newrole(apmd_t)
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
userdom_dontaudit_search_user_home_dirs(apmd_t)
-userdom_dontaudit_search_user_home_content(apmd_t)
+userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
optional_policy(`
automount_domtrans(apmd_t)
@@ -206,11 +210,15 @@ optional_policy(`
')
optional_policy(`
- seutil_sigchld_newrole(apmd_t)
+ shutdown_domtrans(apmd_t)
')
optional_policy(`
- shutdown_domtrans(apmd_t)
+ sssd_search_lib(apmd_t)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(apmd_t)
')
optional_policy(`
diff --git a/apt.if b/apt.if
index cde81d2..2fe0201 100644
--- a/apt.if
+++ b/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
files_search_var($1)
allow $1 apt_var_cache_t:dir list_dir_perms;
- dontaudit $1 apt_var_cache_t:dir write_dir_perms;
+ dontaudit $1 apt_var_cache_t:dir rw_dir_perms;
allow $1 apt_var_cache_t:file read_file_perms;
')
diff --git a/apt.te b/apt.te
index efa8530..f928b63 100644
--- a/apt.te
+++ b/apt.te
@@ -85,7 +85,6 @@ kernel_read_kernel_sysctls(apt_t)
corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)
-corenet_all_recvfrom_unlabeled(apt_t)
corenet_all_recvfrom_netlabel(apt_t)
corenet_tcp_sendrecv_generic_if(apt_t)
corenet_tcp_sendrecv_generic_node(apt_t)
@@ -101,27 +100,24 @@ domain_getattr_all_domains(apt_t)
domain_use_interactive_fds(apt_t)
files_exec_usr_files(apt_t)
-files_read_etc_files(apt_t)
files_read_etc_runtime_files(apt_t)
fs_getattr_all_fs(apt_t)
term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
-term_use_all_terms(apt_t)
+term_use_all_inherited_terms(apt_t)
libs_exec_ld_so(apt_t)
libs_exec_lib_files(apt_t)
logging_send_syslog_msg(apt_t)
-miscfiles_read_localization(apt_t)
-
seutil_use_newrole_fds(apt_t)
sysnet_read_config(apt_t)
-userdom_use_user_terminals(apt_t)
+userdom_use_inherited_user_terminals(apt_t)
optional_policy(`
backup_manage_store_files(apt_t)
diff --git a/arpwatch.fc b/arpwatch.fc
index 9ca0d0f..9a1a61f 100644
--- a/arpwatch.fc
+++ b/arpwatch.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+/usr/lib/systemd/system/arpwatch.* -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
+
/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/arpwatch.if b/arpwatch.if
index 50c9b9c..51c8cc0 100644
--- a/arpwatch.if
+++ b/arpwatch.if
@@ -119,6 +119,29 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
########################################
##
+## Execute arpwatch server in the arpwatch domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`arpwatch_systemctl',`
+ gen_require(`
+ type arpwatch_t;
+ type arpwatch_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 arpwatch_unit_file_t:file read_file_perms;
+ allow $1 arpwatch_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, arpwatch_t)
+')
+
+########################################
+##
## All of the rules required to
## administrate an arpwatch environment.
##
@@ -138,11 +161,16 @@ interface(`arpwatch_admin',`
gen_require(`
type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
type arpwatch_data_t, arpwatch_var_run_t;
+ type arpwatch_unit_file_t;
')
- allow $1 arpwatch_t:process { ptrace signal_perms };
+ allow $1 arpwatch_t:process signal_perms;
ps_process_pattern($1, arpwatch_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 arpwatch_t:process ptrace;
+ ')
+
arpwatch_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 arpwatch_initrc_exec_t system_r;
@@ -156,4 +184,8 @@ interface(`arpwatch_admin',`
files_list_pids($1)
admin_pattern($1, arpwatch_var_run_t)
+
+ arpwatch_systemctl($1)
+ admin_pattern($1, arpwatch_unit_file_t)
+ allow $1 arpwatch_unit_file_t:service all_service_perms;
')
diff --git a/arpwatch.te b/arpwatch.te
index 2d7bf34..2927585 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
type arpwatch_var_run_t;
files_pid_file(arpwatch_var_run_t)
+type arpwatch_unit_file_t;
+systemd_unit_file(arpwatch_unit_file_t)
+
########################################
#
# Local policy
@@ -33,6 +36,7 @@ allow arpwatch_t self:unix_stream_socket { accept listen };
allow arpwatch_t self:tcp_socket { accept listen };
allow arpwatch_t self:packet_socket create_socket_perms;
allow arpwatch_t self:socket create_socket_perms;
+allow arpwatch_t self:netlink_socket create_socket_perms;
manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
@@ -45,11 +49,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
-kernel_read_kernel_sysctls(arpwatch_t)
kernel_read_network_state(arpwatch_t)
+# meminfo
kernel_read_system_state(arpwatch_t)
+kernel_read_kernel_sysctls(arpwatch_t)
+kernel_read_proc_symlinks(arpwatch_t)
kernel_request_load_module(arpwatch_t)
+corenet_all_recvfrom_netlabel(arpwatch_t)
+corenet_tcp_sendrecv_generic_if(arpwatch_t)
+corenet_udp_sendrecv_generic_if(arpwatch_t)
+corenet_raw_sendrecv_generic_if(arpwatch_t)
+corenet_tcp_sendrecv_generic_node(arpwatch_t)
+corenet_udp_sendrecv_generic_node(arpwatch_t)
+corenet_raw_sendrecv_generic_node(arpwatch_t)
+corenet_tcp_sendrecv_all_ports(arpwatch_t)
+corenet_udp_sendrecv_all_ports(arpwatch_t)
+
dev_read_sysfs(arpwatch_t)
dev_read_usbmon_dev(arpwatch_t)
dev_rw_generic_usb_dev(arpwatch_t)
@@ -59,15 +75,12 @@ fs_search_auto_mountpoints(arpwatch_t)
domain_use_interactive_fds(arpwatch_t)
-files_read_usr_files(arpwatch_t)
files_search_var_lib(arpwatch_t)
auth_use_nsswitch(arpwatch_t)
logging_send_syslog_msg(arpwatch_t)
-miscfiles_read_localization(arpwatch_t)
-
userdom_dontaudit_search_user_home_dirs(arpwatch_t)
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
diff --git a/asterisk.if b/asterisk.if
index 2077053..198a02a 100644
--- a/asterisk.if
+++ b/asterisk.if
@@ -124,9 +124,13 @@ interface(`asterisk_admin',`
type asterisk_var_lib_t, asterisk_initrc_exec_t;
')
- allow $1 asterisk_t:process { ptrace signal_perms };
+ allow $1 asterisk_t:process signal_perms;
ps_process_pattern($1, asterisk_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 asterisk_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/asterisk.te b/asterisk.te
index 7e41350..1076937 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -19,7 +19,7 @@ type asterisk_log_t;
logging_log_file(asterisk_log_t)
type asterisk_spool_t;
-files_type(asterisk_spool_t)
+files_spool_file(asterisk_spool_t)
type asterisk_tmp_t;
files_tmp_file(asterisk_tmp_t)
@@ -73,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
+manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
-
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file })
can_exec(asterisk_t, asterisk_exec_t)
kernel_read_kernel_sysctls(asterisk_t)
@@ -88,7 +88,6 @@ kernel_request_load_module(asterisk_t)
corecmd_exec_bin(asterisk_t)
corecmd_exec_shell(asterisk_t)
-corenet_all_recvfrom_unlabeled(asterisk_t)
corenet_all_recvfrom_netlabel(asterisk_t)
corenet_tcp_sendrecv_generic_if(asterisk_t)
corenet_udp_sendrecv_generic_if(asterisk_t)
@@ -136,7 +135,6 @@ dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
-files_read_usr_files(asterisk_t)
files_search_spool(asterisk_t)
files_dontaudit_search_home(asterisk_t)
@@ -150,8 +148,6 @@ auth_use_nsswitch(asterisk_t)
logging_search_logs(asterisk_t)
logging_send_syslog_msg(asterisk_t)
-miscfiles_read_localization(asterisk_t)
-
userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
diff --git a/authconfig.fc b/authconfig.fc
new file mode 100644
index 0000000..4579cfe
--- /dev/null
+++ b/authconfig.fc
@@ -0,0 +1,3 @@
+/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:authconfig_exec_t,s0)
+
+/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0)
diff --git a/authconfig.if b/authconfig.if
new file mode 100644
index 0000000..316c324
--- /dev/null
+++ b/authconfig.if
@@ -0,0 +1,127 @@
+
+## policy for authconfig
+
+########################################
+##
+## Execute TEMPLATE in the authconfig domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`authconfig_domtrans',`
+ gen_require(`
+ type authconfig_t, authconfig_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, authconfig_exec_t, authconfig_t)
+')
+
+########################################
+##
+## Search authconfig lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`authconfig_search_lib',`
+ gen_require(`
+ type authconfig_var_lib_t;
+ ')
+
+ allow $1 authconfig_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read authconfig lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`authconfig_read_lib_files',`
+ gen_require(`
+ type authconfig_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+########################################
+##
+## Manage authconfig lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`authconfig_manage_lib_files',`
+ gen_require(`
+ type authconfig_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+########################################
+##
+## Manage authconfig lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`authconfig_manage_lib_dirs',`
+ gen_require(`
+ type authconfig_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an authconfig environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`authconfig_admin',`
+ gen_require(`
+ type authconfig_t;
+ type authconfig_var_lib_t;
+ ')
+
+ allow $1 authconfig_t:process { ptrace signal_perms };
+ ps_process_pattern($1, authconfig_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, authconfig_var_lib_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/authconfig.te b/authconfig.te
new file mode 100644
index 0000000..f2aa4e6
--- /dev/null
+++ b/authconfig.te
@@ -0,0 +1,32 @@
+policy_module(authconfig, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type authconfig_t;
+type authconfig_exec_t;
+application_domain(authconfig_t, authconfig_exec_t)
+role system_r types authconfig_t;
+
+type authconfig_var_lib_t;
+files_type(authconfig_var_lib_t)
+
+########################################
+#
+# authconfig local policy
+#
+allow authconfig_t self:fifo_file rw_fifo_file_perms;
+allow authconfig_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+manage_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+manage_lnk_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file })
+
+domain_use_interactive_fds(authconfig_t)
+
+init_domtrans_script(authconfig_t)
+
+unconfined_domain_noaudit(authconfig_t)
diff --git a/automount.fc b/automount.fc
index 92adb37..0a2ffc6 100644
--- a/automount.fc
+++ b/automount.fc
@@ -1,6 +1,8 @@
/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
+/usr/lib/systemd/system/autofs.* -- gen_context(system_u:object_r:automount_unit_file_t,s0)
+
/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/automount.if b/automount.if
index f24e369..9bce868 100644
--- a/automount.if
+++ b/automount.if
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
##
##
#
-#
interface(`automount_signal',`
gen_require(`
type automount_t;
@@ -114,6 +113,25 @@ interface(`automount_dontaudit_write_pipes',`
########################################
##
+## Allow domain to search of automount temporary
+## directories.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`automount_search_tmp_dirs',`
+ gen_require(`
+ type automount_tmp_t;
+ ')
+
+ search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)
+')
+
+########################################
+##
## Do not audit attempts to get
## attributes of automount temporary
## directories.
@@ -134,6 +152,29 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
########################################
##
+## Execute automount server in the automount domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`automount_systemctl',`
+ gen_require(`
+ type automount_t;
+ type automount_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 automount_unit_file_t:file read_file_perms;
+ allow $1 automount_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, automount_t)
+')
+
+########################################
+##
## All of the rules required to
## administrate an automount environment.
##
@@ -153,12 +194,16 @@ interface(`automount_admin',`
gen_require(`
type automount_t, automount_lock_t, automount_tmp_t;
type automount_var_run_t, automount_initrc_exec_t;
- type automount_keytab_t;
+ type automount_unit_file_t, automount_keytab_t;
')
- allow $1 automount_t:process { ptrace signal_perms };
+ allow $1 automount_t:process signal_perms;
ps_process_pattern($1, automount_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 automount_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, automount_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 automount_initrc_exec_t system_r;
@@ -175,4 +220,8 @@ interface(`automount_admin',`
files_list_pids($1)
admin_pattern($1, automount_var_run_t)
+
+ automount_systemctl($1)
+ admin_pattern($1, automount_unit_file_t)
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
index 27d2f40..1268d7d 100644
--- a/automount.te
+++ b/automount.te
@@ -22,6 +22,9 @@ type automount_tmp_t;
files_tmp_file(automount_tmp_t)
files_mountpoint(automount_tmp_t)
+type automount_unit_file_t;
+systemd_unit_file(automount_unit_file_t)
+
type automount_var_run_t;
files_pid_file(automount_var_run_t)
@@ -30,7 +33,8 @@ files_pid_file(automount_var_run_t)
# Local policy
#
-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
+allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
+allow automount_t self:capability2 block_suspend;
dontaudit automount_t self:capability sys_tty_config;
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
allow automount_t self:fifo_file rw_fifo_file_perms;
@@ -67,7 +71,6 @@ kernel_dontaudit_search_xen_state(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
-corenet_all_recvfrom_unlabeled(automount_t)
corenet_all_recvfrom_netlabel(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
@@ -101,7 +104,6 @@ files_mount_all_file_type_fs(automount_t)
files_mounton_all_mountpoints(automount_t)
files_mounton_mnt(automount_t)
files_read_etc_runtime_files(automount_t)
-files_read_usr_files(automount_t)
files_search_boot(automount_t)
files_search_all(automount_t)
files_unmount_all_file_type_fs(automount_t)
@@ -135,15 +137,18 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
-miscfiles_read_localization(automount_t)
miscfiles_read_generic_certs(automount_t)
-mount_domtrans(automount_t)
-mount_signal(automount_t)
-
userdom_dontaudit_use_unpriv_user_fds(automount_t)
optional_policy(`
+ # Run mount in the mount_t domain.
+ mount_domtrans(automount_t)
+ mount_domtrans_showmount(automount_t)
+ mount_signal(automount_t)
+')
+
+optional_policy(`
fstools_domtrans(automount_t)
')
@@ -166,3 +171,8 @@ optional_policy(`
optional_policy(`
udev_read_db(automount_t)
')
+
+tunable_policy(`mount_anyfile',`
+ files_mounton_non_security(automount_t)
+')
+
diff --git a/avahi.fc b/avahi.fc
index e9fe2ca..4c2d076 100644
--- a/avahi.fc
+++ b/avahi.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+/usr/lib/systemd/system/avahi.* -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
+
/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
diff --git a/avahi.if b/avahi.if
index 9078c3d..bca0ac9 100644
--- a/avahi.if
+++ b/avahi.if
@@ -211,6 +211,29 @@ interface(`avahi_dontaudit_search_pid',`
########################################
##
+## Execute avahi server in the avahi domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`avahi_systemctl',`
+ gen_require(`
+ type avahi_t;
+ type avahi_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 avahi_unit_file_t:file read_file_perms;
+ allow $1 avahi_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, avahi_t)
+')
+
+########################################
+##
## Create specified objects in generic
## pid directories with the avahi pid file type.
##
@@ -258,12 +281,17 @@ interface(`avahi_filetrans_pid',`
interface(`avahi_admin',`
gen_require(`
type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+ type avahi_unit_file_t;
type avahi_var_lib_t;
')
- allow $1 avahi_t:process { ptrace signal_perms };
+ allow $1 avahi_t:process signal_perms;
ps_process_pattern($1, avahi_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 avahi_t:process ptrace;
+ ')
+
avahi_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 avahi_initrc_exec_t system_r;
@@ -274,4 +302,8 @@ interface(`avahi_admin',`
files_search_var_lib($1)
admin_pattern($1, avahi_var_lib_t)
+
+ avahi_systemctl($1)
+ admin_pattern($1, avahi_unit_file_t)
+ allow $1 avahi_unit_file_t:service all_service_perms;
')
diff --git a/avahi.te b/avahi.te
index b8355b3..844e45b 100644
--- a/avahi.te
+++ b/avahi.te
@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
type avahi_var_run_t;
files_pid_file(avahi_var_run_t)
+init_sock_file(avahi_var_run_t)
+
+type avahi_unit_file_t;
+systemd_unit_file(avahi_unit_file_t)
########################################
#
@@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t)
corecmd_exec_bin(avahi_t)
corecmd_exec_shell(avahi_t)
-corenet_all_recvfrom_unlabeled(avahi_t)
corenet_all_recvfrom_netlabel(avahi_t)
corenet_tcp_sendrecv_generic_if(avahi_t)
corenet_udp_sendrecv_generic_if(avahi_t)
@@ -72,9 +75,9 @@ fs_search_auto_mountpoints(avahi_t)
fs_list_inotifyfs(avahi_t)
domain_use_interactive_fds(avahi_t)
+domain_dontaudit_signull_all_domains(avahi_t)
files_read_etc_runtime_files(avahi_t)
-files_read_usr_files(avahi_t)
auth_use_nsswitch(avahi_t)
@@ -83,13 +86,14 @@ init_signull_script(avahi_t)
logging_send_syslog_msg(avahi_t)
-miscfiles_read_localization(avahi_t)
miscfiles_read_generic_certs(avahi_t)
sysnet_domtrans_ifconfig(avahi_t)
sysnet_manage_config(avahi_t)
sysnet_etc_filetrans_config(avahi_t)
+systemd_login_signull(avahi_t)
+
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_user_home_dirs(avahi_t)
diff --git a/awstats.te b/awstats.te
index c1b16c3..c222135 100644
--- a/awstats.te
+++ b/awstats.te
@@ -52,8 +52,6 @@ corecmd_exec_shell(awstats_t)
dev_read_urand(awstats_t)
files_dontaudit_search_all_mountpoints(awstats_t)
-files_read_etc_files(awstats_t)
-files_read_usr_files(awstats_t)
fs_list_inotifyfs(awstats_t)
@@ -61,8 +59,6 @@ libs_read_lib_files(awstats_t)
logging_read_generic_logs(awstats_t)
-miscfiles_read_localization(awstats_t)
-
sysnet_dns_name_resolve(awstats_t)
tunable_policy(`awstats_purge_apache_log_files',`
@@ -90,9 +86,13 @@ optional_policy(`
# CGI local policy
#
+apache_read_log(httpd_awstats_script_t)
+
+manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file })
+
allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
files_search_var_lib(httpd_awstats_script_t)
-
-apache_read_log(httpd_awstats_script_t)
diff --git a/backup.te b/backup.te
index 7811450..d8a8bd6 100644
--- a/backup.te
+++ b/backup.te
@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t)
corecmd_exec_bin(backup_t)
corecmd_exec_shell(backup_t)
-corenet_all_recvfrom_unlabeled(backup_t)
corenet_all_recvfrom_netlabel(backup_t)
corenet_tcp_sendrecv_generic_if(backup_t)
corenet_tcp_sendrecv_generic_node(backup_t)
@@ -67,7 +66,7 @@ logging_send_syslog_msg(backup_t)
sysnet_read_config(backup_t)
-userdom_use_user_terminals(backup_t)
+userdom_use_inherited_user_terminals(backup_t)
optional_policy(`
cron_system_entry(backup_t, backup_exec_t)
diff --git a/bacula.te b/bacula.te
index f16b000..ed47057 100644
--- a/bacula.te
+++ b/bacula.te
@@ -148,9 +148,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
domain_use_interactive_fds(bacula_admin_t)
-files_read_etc_files(bacula_admin_t)
-miscfiles_read_localization(bacula_admin_t)
sysnet_dns_name_resolve(bacula_admin_t)
diff --git a/bcfg2.fc b/bcfg2.fc
index fb42e35..8af0e14 100644
--- a/bcfg2.fc
+++ b/bcfg2.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
+/usr/lib/systemd/system/bcfg2-server.* -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
+
/usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
/var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
diff --git a/bcfg2.if b/bcfg2.if
index ec95d36..7132e1e 100644
--- a/bcfg2.if
+++ b/bcfg2.if
@@ -117,6 +117,31 @@ interface(`bcfg2_manage_lib_dirs',`
########################################
##
+## Execute bcfg2 server in the bcfg2 domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bcfg2_systemctl',`
+ gen_require(`
+ type bcfg2_t;
+ type bcfg2_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 bcfg2_unit_file_t:file read_file_perms;
+ allow $1 bcfg2_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, bcfg2_t)
+')
+
+
+########################################
+##
## All of the rules required to
## administrate an bcfg2 environment.
##
@@ -136,11 +161,16 @@ interface(`bcfg2_admin',`
gen_require(`
type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
type bcfg2_var_run_t;
+ type bcfg2_unit_file_t;
')
- allow $1 bcfg2_t:process { ptrace signal_perms };
+ allow $1 bcfg2_t:process { signal_perms };
ps_process_pattern($1, bcfg2_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bcfg2_t:process ptrace;
+ ')
+
bcfg2_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 bcfg2_initrc_exec_t system_r;
@@ -151,4 +181,13 @@ interface(`bcfg2_admin',`
files_search_var_lib($1)
admin_pattern($1, bcfg2_var_lib_t)
+
+ bcfg2_systemctl($1)
+ admin_pattern($1, bcfg2_unit_file_t)
+ allow $1 bcfg2_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/bcfg2.te b/bcfg2.te
index c3fd7b1..e189593 100644
--- a/bcfg2.te
+++ b/bcfg2.te
@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
type bcfg2_var_lib_t;
files_type(bcfg2_var_lib_t)
+type bcfg2_unit_file_t;
+systemd_unit_file(bcfg2_unit_file_t)
+
type bcfg2_var_run_t;
files_pid_file(bcfg2_var_run_t)
@@ -52,10 +55,7 @@ dev_read_urand(bcfg2_t)
domain_use_interactive_fds(bcfg2_t)
-files_read_usr_files(bcfg2_t)
auth_use_nsswitch(bcfg2_t)
logging_send_syslog_msg(bcfg2_t)
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
index 2b9a3a1..1742ebf 100644
--- a/bind.fc
+++ b/bind.fc
@@ -1,54 +1,71 @@
-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+
+/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
+/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
-/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-checkconf -- gen_context(system_u:object_r:named_exec_t,s0)
-/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
-/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+ifdef(`distro_debian',`
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+')
-/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+ifdef(`distro_redhat',`
+/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot/proc(/.*)? <>
-/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
-/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
-/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-
-/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
diff --git a/bind.if b/bind.if
index 531a8f2..0df9341 100644
--- a/bind.if
+++ b/bind.if
@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
########################################
##
+## Execute bind server in the bind domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bind_systemctl',`
+ gen_require(`
+ type named_unit_file_t;
+ type named_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 named_unit_file_t:file read_file_perms;
+ allow $1 named_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, named_t)
+')
+
+########################################
+##
## Execute ndc in the ndc domain.
##
##
@@ -169,6 +192,7 @@ interface(`bind_read_config',`
type named_conf_t;
')
+ allow $1 named_conf_t:dir list_dir_perms;
read_files_pattern($1, named_conf_t, named_conf_t)
')
@@ -212,6 +236,25 @@ interface(`bind_manage_config_dirs',`
########################################
##
+## Create, read, write, and delete
+## BIND configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_manage_config',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ manage_files_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+##
## Search bind cache directories.
##
##
@@ -310,6 +353,27 @@ interface(`bind_read_zone',`
########################################
##
+## Read BIND zone files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_read_log',`
+ gen_require(`
+ type named_zone_t;
+ type named_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_zone_t:dir search_dir_perms;
+ read_files_pattern($1, named_log_t, named_log_t)
+')
+
+########################################
+##
## Create, read, write, and delete
## bind zone files.
##
@@ -364,11 +428,17 @@ interface(`bind_admin',`
type named_t, named_tmp_t, named_log_t;
type named_cache_t, named_zone_t, named_initrc_exec_t;
type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
- type named_keytab_t;
+ type named_keytab_t, named_unit_file_t;
')
- allow $1 { named_t ndc_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { named_t ndc_t })
+ allow $1 named_t:process signal_perms;
+ ps_process_pattern($1, named_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 named_t:process ptrace;
+ ')
+
+ bind_run_ndc($1, $2)
init_labeled_script_domtrans($1, named_initrc_exec_t)
domain_system_change_exemption($1)
@@ -384,11 +454,15 @@ interface(`bind_admin',`
files_list_etc($1)
admin_pattern($1, { named_keytab_t named_conf_t })
+ admin_pattern($1, named_keytab_t)
+
files_list_var($1)
admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
files_list_pids($1)
admin_pattern($1, named_var_run_t)
- bind_run_ndc($1, $2)
+ admin_pattern($1, named_unit_file_t)
+ bind_systemctl($1)
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
index 1241123..ad2dccc 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
init_system_domain(named_t, named_checkconf_exec_t)
type named_conf_t;
-files_type(named_conf_t)
+files_config_file(named_conf_t)
files_mountpoint(named_conf_t)
# for secondary zone files
@@ -44,6 +44,9 @@ files_type(named_cache_t)
type named_initrc_exec_t;
init_script_file(named_initrc_exec_t)
+type named_unit_file_t;
+systemd_unit_file(named_unit_file_t)
+
type named_keytab_t;
files_type(named_keytab_t)
@@ -71,8 +74,9 @@ role ndc_roles types ndc_t;
# Local policy
#
-allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
+allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource };
dontaudit named_t self:capability sys_tty_config;
+allow named_t self:capability2 block_suspend;
allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
allow named_t self:fifo_file rw_fifo_file_perms;
allow named_t self:unix_stream_socket { accept listen };
@@ -89,9 +93,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
allow named_t named_keytab_t:file read_file_perms;
-append_files_pattern(named_t, named_log_t, named_log_t)
-create_files_pattern(named_t, named_log_t, named_log_t)
-setattr_files_pattern(named_t, named_log_t, named_log_t)
+manage_files_pattern(named_t, named_log_t, named_log_t)
logging_log_filetrans(named_t, named_log_t, file)
manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
@@ -115,7 +117,6 @@ kernel_read_network_state(named_t)
corecmd_search_bin(named_t)
-corenet_all_recvfrom_unlabeled(named_t)
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_generic_if(named_t)
corenet_udp_sendrecv_generic_if(named_t)
@@ -144,6 +145,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
dev_read_sysfs(named_t)
dev_read_rand(named_t)
dev_read_urand(named_t)
+dev_dontaudit_write_urand(named_t)
domain_use_interactive_fds(named_t)
@@ -175,6 +177,15 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
+ # needed by FreeIPA with DNS support
+ dirsrv_stream_connect(named_t)
+')
+
+optional_policy(`
+ cron_system_entry(named_t, named_exec_t)
+')
+
+optional_policy(`
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
@@ -215,7 +226,8 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
-allow ndc_t self:process signal_perms;
+allow ndc_t self:capability2 block_suspend;
+allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
@@ -229,10 +241,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
-kernel_read_kernel_sysctls(ndc_t)
kernel_read_system_state(ndc_t)
+kernel_read_kernel_sysctls(ndc_t)
-corenet_all_recvfrom_unlabeled(ndc_t)
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
@@ -257,7 +268,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
-miscfiles_read_localization(ndc_t)
+userdom_use_inherited_user_terminals(ndc_t)
userdom_use_user_terminals(ndc_t)
diff --git a/bird.te b/bird.te
index 1d60c27..f8bb700 100644
--- a/bird.te
+++ b/bird.te
@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t)
corenet_tcp_sendrecv_bgp_port(bird_t)
# /etc/iproute2/rt_realms
-files_read_etc_files(bird_t)
logging_send_syslog_msg(bird_t)
diff --git a/bitlbee.if b/bitlbee.if
index e73fb79..2badfc0 100644
--- a/bitlbee.if
+++ b/bitlbee.if
@@ -44,9 +44,13 @@ interface(`bitlbee_admin',`
type bitlbee_log_t, bitlbee_tmp_t;
')
- allow $1 bitlbee_t:process { ptrace signal_perms };
+ allow $1 bitlbee_t:process signal_perms;
ps_process_pattern($1, bitlbee_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bitlbee_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
index f5c1a48..49eff68 100644
--- a/bitlbee.te
+++ b/bitlbee.te
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
allow bitlbee_t self:process { setsched signal };
+
allow bitlbee_t self:fifo_file rw_fifo_file_perms;
-allow bitlbee_t self:tcp_socket { accept listen };
-allow bitlbee_t self:unix_stream_socket { accept listen };
+allow bitlbee_t self:udp_socket create_socket_perms;
+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
allow bitlbee_t bitlbee_conf_t:file read_file_perms;
@@ -45,6 +48,7 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
@@ -59,8 +63,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
-kernel_read_kernel_sysctls(bitlbee_t)
kernel_read_system_state(bitlbee_t)
+kernel_read_kernel_sysctls(bitlbee_t)
corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_all_recvfrom_netlabel(bitlbee_t)
@@ -109,16 +113,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)
-files_read_usr_files(bitlbee_t)
-
libs_legacy_use_shared_libs(bitlbee_t)
auth_use_nsswitch(bitlbee_t)
logging_send_syslog_msg(bitlbee_t)
-miscfiles_read_localization(bitlbee_t)
-
optional_policy(`
tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
')
diff --git a/blueman.fc b/blueman.fc
index c295d2e..4f84e9c 100644
--- a/blueman.fc
+++ b/blueman.fc
@@ -1,3 +1,4 @@
+
/usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0)
/var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
diff --git a/blueman.if b/blueman.if
index 16ec525..1dd4059 100644
--- a/blueman.if
+++ b/blueman.if
@@ -38,6 +38,7 @@ interface(`blueman_dbus_chat',`
allow $1 blueman_t:dbus send_msg;
allow blueman_t $1:dbus send_msg;
+ ps_process_pattern(blueman_t, $1)
')
########################################
diff --git a/blueman.te b/blueman.te
index 3a5032e..2097425 100644
--- a/blueman.te
+++ b/blueman.te
@@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0)
type blueman_t;
type blueman_exec_t;
-dbus_system_domain(blueman_t, blueman_exec_t)
+init_daemon_domain(blueman_t, blueman_exec_t)
type blueman_var_lib_t;
files_type(blueman_var_lib_t)
@@ -21,7 +21,8 @@ files_pid_file(blueman_var_run_t)
#
allow blueman_t self:capability { net_admin sys_nice };
-allow blueman_t self:process { signal_perms setsched };
+allow blueman_t self:process { execmem signal_perms setsched };
+
allow blueman_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
@@ -32,7 +33,7 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
-kernel_read_net_sysctls(blueman_t)
+kernel_rw_net_sysctls(blueman_t)
kernel_read_system_state(blueman_t)
kernel_request_load_module(blueman_t)
@@ -41,29 +42,44 @@ corecmd_exec_bin(blueman_t)
dev_read_rand(blueman_t)
dev_read_urand(blueman_t)
dev_rw_wireless(blueman_t)
+dev_rwx_zero(blueman_t)
domain_use_interactive_fds(blueman_t)
files_list_tmp(blueman_t)
-files_read_usr_files(blueman_t)
auth_use_nsswitch(blueman_t)
logging_send_syslog_msg(blueman_t)
-miscfiles_read_localization(blueman_t)
-
sysnet_domtrans_ifconfig(blueman_t)
+sysnet_dns_name_resolve(blueman_t)
optional_policy(`
avahi_domtrans(blueman_t)
')
optional_policy(`
+ bluetooth_read_config(blueman_t)
+')
+
+optional_policy(`
+ dbus_system_domain(blueman_t, blueman_exec_t)
+')
+
+optional_policy(`
dnsmasq_domtrans(blueman_t)
dnsmasq_read_pid_files(blueman_t)
')
optional_policy(`
+ gnome_search_gconf(blueman_t)
+')
+
+optional_policy(`
iptables_domtrans(blueman_t)
')
+
+optional_policy(`
+ xserver_read_state_xdm(blueman_t)
+')
diff --git a/bluetooth.fc b/bluetooth.fc
index 2b9c7f3..0086b95 100644
--- a/bluetooth.fc
+++ b/bluetooth.fc
@@ -5,10 +5,14 @@
/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/usr/lib/systemd/system/bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
+
/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/bluetooth.if b/bluetooth.if
index c723a0a..3e8a553 100644
--- a/bluetooth.if
+++ b/bluetooth.if
@@ -37,7 +37,12 @@ interface(`bluetooth_role',`
domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
ps_process_pattern($2, bluetooth_helper_t)
- allow $2 bluetooth_helper_t:process { ptrace signal_perms };
+
+ allow $2 bluetooth_helper_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 bluetooth_helper_t:process ptrace;
+ ')
allow $2 bluetooth_t:socket rw_socket_perms;
@@ -45,8 +50,10 @@ interface(`bluetooth_role',`
allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };
allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+ bluetooth_stream_connect($2)
stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
- files_search_pids($2)
')
#####################################
@@ -130,6 +137,27 @@ interface(`bluetooth_dbus_chat',`
########################################
##
+## dontaudit Send and receive messages from
+## bluetooth over dbus.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`bluetooth_dontaudit_dbus_chat',`
+ gen_require(`
+ type bluetooth_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 bluetooth_t:dbus send_msg;
+ dontaudit bluetooth_t $1:dbus send_msg;
+')
+
+########################################
+##
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
##
##
@@ -190,6 +218,29 @@ interface(`bluetooth_dontaudit_read_helper_state',`
########################################
##
+## Execute bluetooth server in the bluetooth domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bluetooth_systemctl',`
+ gen_require(`
+ type bluetooth_t;
+ type bluetooth_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 bluetooth_unit_file_t:file read_file_perms;
+ allow $1 bluetooth_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, bluetooth_t)
+')
+
+########################################
+##
## All of the rules required to
## administrate an bluetooth environment.
##
@@ -210,12 +261,16 @@ interface(`bluetooth_admin',`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
type bluetooth_var_lib_t, bluetooth_var_run_t;
type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
- type bluetooth_initrc_exec_t;
+ type bluetooth_unit_file_t, bluetooth_initrc_exec_t;
')
- allow $1 bluetooth_t:process { ptrace signal_perms };
+ allow $1 bluetooth_t:process signal_perms;
ps_process_pattern($1, bluetooth_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bluetooth_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bluetooth_initrc_exec_t system_r;
@@ -235,4 +290,8 @@ interface(`bluetooth_admin',`
files_list_pids($1)
admin_pattern($1, bluetooth_var_run_t)
+
+ bluetooth_systemctl($1)
+ admin_pattern($1, bluetooth_unit_file_t)
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
')
diff --git a/bluetooth.te b/bluetooth.te
index 851769e..055c97c 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
type bluetooth_var_run_t;
files_pid_file(bluetooth_var_run_t)
+type bluetooth_unit_file_t;
+systemd_unit_file(bluetooth_unit_file_t)
+
########################################
#
# Local policy
@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
+manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file })
manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
@@ -90,14 +94,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
can_exec(bluetooth_t, bluetooth_helper_exec_t)
+corecmd_exec_bin(bluetooth_t)
+corecmd_exec_shell(bluetooth_t)
+
kernel_read_kernel_sysctls(bluetooth_t)
kernel_read_system_state(bluetooth_t)
kernel_read_network_state(bluetooth_t)
kernel_request_load_module(bluetooth_t)
kernel_search_debugfs(bluetooth_t)
-corecmd_exec_bin(bluetooth_t)
-corecmd_exec_shell(bluetooth_t)
+corenet_all_recvfrom_netlabel(bluetooth_t)
+corenet_tcp_sendrecv_generic_if(bluetooth_t)
+corenet_udp_sendrecv_generic_if(bluetooth_t)
+corenet_raw_sendrecv_generic_if(bluetooth_t)
+corenet_tcp_sendrecv_generic_node(bluetooth_t)
+corenet_udp_sendrecv_generic_node(bluetooth_t)
+corenet_raw_sendrecv_generic_node(bluetooth_t)
+corenet_tcp_sendrecv_all_ports(bluetooth_t)
+corenet_udp_sendrecv_all_ports(bluetooth_t)
dev_read_sysfs(bluetooth_t)
dev_rw_usbfs(bluetooth_t)
@@ -110,7 +124,6 @@ domain_use_interactive_fds(bluetooth_t)
domain_dontaudit_search_all_domains_state(bluetooth_t)
files_read_etc_runtime_files(bluetooth_t)
-files_read_usr_files(bluetooth_t)
fs_getattr_all_fs(bluetooth_t)
fs_search_auto_mountpoints(bluetooth_t)
@@ -122,7 +135,6 @@ auth_use_nsswitch(bluetooth_t)
logging_send_syslog_msg(bluetooth_t)
-miscfiles_read_localization(bluetooth_t)
miscfiles_read_fonts(bluetooth_t)
miscfiles_read_hwdata(bluetooth_t)
@@ -130,6 +142,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+# machine-info
+systemd_hostnamed_read_config(bluetooth_t)
+systemd_dbus_chat_hostnamed(bluetooth_t)
+
optional_policy(`
dbus_system_bus_client(bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
@@ -200,7 +216,6 @@ dev_read_urand(bluetooth_helper_t)
domain_read_all_domains_state(bluetooth_helper_t)
files_read_etc_runtime_files(bluetooth_helper_t)
-files_read_usr_files(bluetooth_helper_t)
files_dontaudit_list_default(bluetooth_helper_t)
term_dontaudit_use_all_ttys(bluetooth_helper_t)
diff --git a/boinc.fc b/boinc.fc
index 6d3ccad..bda740a 100644
--- a/boinc.fc
+++ b/boinc.fc
@@ -1,9 +1,12 @@
-/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
-/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
-/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
-/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
-/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
+/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0)
+
+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+
+/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
diff --git a/boinc.if b/boinc.if
index 02fefaa..fbcef10 100644
--- a/boinc.if
+++ b/boinc.if
@@ -1,9 +1,165 @@
-## Platform for computing using volunteered resources.
+## policy for boinc
########################################
##
-## All of the rules required to
-## administrate an boinc environment.
+## Execute a domain transition to run boinc.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`boinc_domtrans',`
+ gen_require(`
+ type boinc_t, boinc_exec_t;
+ ')
+
+ domtrans_pattern($1, boinc_exec_t, boinc_t)
+')
+
+#######################################
+##
+## Execute boinc server in the boinc domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_initrc_domtrans',`
+ gen_require(`
+ type boinc_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+')
+
+#######################################
+##
+## Dontaudit getattr on boinc lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_dontaudit_getattr_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ dontaudit $1 boinc_var_lib_t:file getattr;
+')
+
+########################################
+##
+## Search boinc lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_search_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ allow $1 boinc_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read boinc lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_read_lib_files',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## boinc lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_manage_lib_files',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+##
+## Manage boinc var_lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_manage_var_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+#######################################
+##
+## Execute boinc server in the boinc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`boinc_systemctl',`
+ gen_require(`
+ type boinc_t;
+ type boinc_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 boinc_unit_file_t:file read_file_perms;
+ allow $1 boinc_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, boinc_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an boinc environment.
##
##
##
@@ -19,26 +175,32 @@
#
interface(`boinc_admin',`
gen_require(`
-
- type boinc_t, boinc_project_t, boinc_log_t;
- type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t;
- type boinc_project_var_lib_t, boinc_project_tmp_t;
+ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
+ type boinc_unit_file_t;
')
- allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { boinc_t boinc_project_t })
+ allow $1 boinc_t:process signal_perms;
+ ps_process_pattern($1, boinc_t)
- init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 boinc_t:process ptrace;
+ ')
+
+ boinc_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 boinc_initrc_exec_t system_r;
allow $2 system_r;
- logging_search_logs($1)
- admin_pattern($1, boinc_log_t)
+ files_list_var_lib($1)
+ admin_pattern($1, boinc_var_lib_t)
- files_search_tmp($1)
- admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t })
+ boinc_systemctl($1)
+ admin_pattern($1, boinc_unit_file_t)
- files_search_var_lib($1)
- admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })
+ allow $1 boinc_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/boinc.te b/boinc.te
index 687d4c4..28c35c1 100644
--- a/boinc.te
+++ b/boinc.te
@@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
##
gen_tunable(boinc_execmem, true)
-type boinc_t;
+attribute boinc_domain;
+
+type boinc_t, boinc_domain;
type boinc_exec_t;
init_daemon_domain(boinc_t, boinc_exec_t)
@@ -28,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
type boinc_var_lib_t;
files_type(boinc_var_lib_t)
-type boinc_project_var_lib_t;
-files_type(boinc_project_var_lib_t)
-
type boinc_log_t;
logging_log_file(boinc_log_t)
+type boinc_unit_file_t;
+systemd_unit_file(boinc_unit_file_t)
+
type boinc_project_t;
domain_type(boinc_project_t)
-domain_entry_file(boinc_project_t, boinc_project_var_lib_t)
role system_r types boinc_project_t;
type boinc_project_tmp_t;
files_tmp_file(boinc_project_tmp_t)
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
+#######################################
+#
+# boinc domain local policy
+#
+
+allow boinc_domain self:fifo_file rw_fifo_file_perms;
+allow boinc_domain self:process signal;
+allow boinc_domain self:sem create_sem_perms;
+
+manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+
+corecmd_exec_bin(boinc_domain)
+corecmd_exec_shell(boinc_domain)
+
+dev_read_rand(boinc_domain)
+dev_read_urand(boinc_domain)
+dev_read_sysfs(boinc_domain)
+dev_rw_xserver_misc(boinc_domain)
+
+domain_read_all_domains_state(boinc_domain)
+
+files_read_etc_runtime_files(boinc_domain)
+
+fs_getattr_all_fs(boinc_domain)
+
+miscfiles_read_fonts(boinc_domain)
+
+tunable_policy(`boinc_execmem',`
+ allow boinc_domain self:process { execstack execmem };
+')
+
+optional_policy(`
+ sysnet_dns_name_resolve(boinc_domain)
+')
+
########################################
#
-# Local policy
+# boinc local policy
#
allow boinc_t self:process { setsched setpgid signull sigkill };
-allow boinc_t self:unix_stream_socket { accept listen };
-allow boinc_t self:tcp_socket { accept listen };
+
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
+allow boinc_t self:tcp_socket create_stream_socket_perms;
allow boinc_t self:shm create_shm_perms;
-allow boinc_t self:fifo_file rw_fifo_file_perms;
-allow boinc_t self:sem create_sem_perms;
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
@@ -61,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
-manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-
-# entry files to the boinc_project_t domain
-manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+# this should be created by default by boinc
+# we need this label for transition to boinc_project_t
+# other boinc lib files will end up with boinc_var_lib_t
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
-append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-logging_log_filetrans(boinc_t, boinc_log_t, file)
-
-can_exec(boinc_t, boinc_var_lib_t)
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+logging_log_filetrans(boinc_t, boinc_log_t, { file })
+# needs read /proc/interrupts
kernel_read_system_state(boinc_t)
+kernel_read_network_state(boinc_t)
kernel_search_vm_sysctl(boinc_t)
-corenet_all_recvfrom_unlabeled(boinc_t)
+dev_getattr_mouse_dev(boinc_t)
+
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+
corenet_all_recvfrom_netlabel(boinc_t)
corenet_tcp_sendrecv_generic_if(boinc_t)
+corenet_udp_sendrecv_generic_if(boinc_t)
corenet_tcp_sendrecv_generic_node(boinc_t)
+corenet_udp_sendrecv_generic_node(boinc_t)
+corenet_tcp_sendrecv_all_ports(boinc_t)
+corenet_udp_sendrecv_all_ports(boinc_t)
corenet_tcp_bind_generic_node(boinc_t)
-
-corenet_sendrecv_boinc_client_packets(boinc_t)
-corenet_sendrecv_boinc_server_packets(boinc_t)
+corenet_udp_bind_generic_node(boinc_t)
corenet_tcp_bind_boinc_port(boinc_t)
-corenet_tcp_connect_boinc_port(boinc_t)
-corenet_tcp_sendrecv_boinc_port(boinc_t)
-
-corenet_sendrecv_boinc_client_server_packets(boinc_t)
corenet_tcp_bind_boinc_client_port(boinc_t)
-corenet_tcp_sendrecv_boinc_client_port(boinc_t)
-
-corenet_sendrecv_http_client_packets(boinc_t)
+corenet_tcp_connect_boinc_port(boinc_t)
corenet_tcp_connect_http_port(boinc_t)
-corenet_tcp_sendrecv_http_port(boinc_t)
-
-corenet_sendrecv_http_cache_client_packets(boinc_t)
corenet_tcp_connect_http_cache_port(boinc_t)
-corenet_tcp_sendrecv_http_cache_port(boinc_t)
-
-corenet_sendrecv_squid_client_packets(boinc_t)
corenet_tcp_connect_squid_port(boinc_t)
-corenet_tcp_sendrecv_squid_port(boinc_t)
-
-corecmd_exec_bin(boinc_t)
-corecmd_exec_shell(boinc_t)
-
-dev_read_rand(boinc_t)
-dev_read_urand(boinc_t)
-dev_read_sysfs(boinc_t)
-dev_rw_xserver_misc(boinc_t)
-
-domain_read_all_domains_state(boinc_t)
files_dontaudit_getattr_boot_dirs(boinc_t)
-files_getattr_all_dirs(boinc_t)
-files_getattr_all_files(boinc_t)
-files_read_etc_files(boinc_t)
-files_read_etc_runtime_files(boinc_t)
-files_read_usr_files(boinc_t)
-fs_getattr_all_fs(boinc_t)
+auth_read_passwd(boinc_t)
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
@@ -137,8 +151,7 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
-miscfiles_read_fonts(boinc_t)
-miscfiles_read_localization(boinc_t)
+xserver_stream_connect(boinc_t)
tunable_policy(`boinc_execmem',`
allow boinc_t self:process { execstack execmem };
@@ -148,48 +161,61 @@ optional_policy(`
mta_send_mail(boinc_t)
')
-optional_policy(`
- sysnet_dns_name_resolve(boinc_t)
-')
-
########################################
#
-# Project local policy
+# boinc-projects local policy
#
allow boinc_project_t self:capability { setuid setgid };
-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill;
+allow boinc_t boinc_project_t:process noatsecure;
+
+allow boinc_project_t self:process { setcap getcap setpgid setsched signal signull sigkill sigstop };
+tunable_policy(`deny_ptrace',`',`
+ allow boinc_project_t self:process ptrace;
+')
+
+allow boinc_project_t self:process { execstack };
manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )
allow boinc_project_t boinc_project_var_lib_t:file execmod;
-can_exec(boinc_project_t, boinc_project_var_lib_t)
allow boinc_project_t boinc_t:shm rw_shm_perms;
-allow boinc_project_t boinc_tmpfs_t:file { read write };
+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
kernel_read_kernel_sysctls(boinc_project_t)
-kernel_read_network_state(boinc_project_t)
kernel_search_vm_sysctl(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
-corenet_all_recvfrom_unlabeled(boinc_project_t)
-corenet_all_recvfrom_netlabel(boinc_project_t)
-corenet_tcp_sendrecv_generic_if(boinc_project_t)
-corenet_tcp_sendrecv_generic_node(boinc_project_t)
-corenet_tcp_bind_generic_node(boinc_project_t)
-
-corenet_sendrecv_boinc_client_packets(boinc_project_t)
corenet_tcp_connect_boinc_port(boinc_project_t)
-corenet_tcp_sendrecv_boinc_port(boinc_project_t)
files_dontaudit_search_home(boinc_project_t)
+# needed by java
+fs_read_hugetlbfs_files(boinc_project_t)
+
+optional_policy(`
+ gnome_read_gconf_config(boinc_project_t)
+')
+
optional_policy(`
java_exec(boinc_project_t)
')
+
+# until solution for VirtualBox, java ..
+optional_policy(`
+ unconfined_domain(boinc_project_t)
+')
diff --git a/brctl.te b/brctl.te
index c5a9113..6ad8ccb 100644
--- a/brctl.te
+++ b/brctl.te
@@ -34,12 +34,9 @@ dev_write_sysfs_dirs(brctl_t)
domain_use_interactive_fds(brctl_t)
-files_read_etc_files(brctl_t)
term_dontaudit_use_console(brctl_t)
-miscfiles_read_localization(brctl_t)
-
optional_policy(`
xen_append_log(brctl_t)
xen_dontaudit_rw_unix_stream_sockets(brctl_t)
diff --git a/bugzilla.fc b/bugzilla.fc
index fce0b6e..fb6e397 100644
--- a/bugzilla.fc
+++ b/bugzilla.fc
@@ -1,4 +1,4 @@
-/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
-/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
diff --git a/bugzilla.if b/bugzilla.if
index 1b22262..bf0cefa 100644
--- a/bugzilla.if
+++ b/bugzilla.if
@@ -48,24 +48,26 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
## Domain allowed access.
##
##
-##
-##
-## Role allowed access.
-##
-##
-##
#
interface(`bugzilla_admin',`
gen_require(`
type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
- type httpd_bugzilla_htaccess_t;
+ type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
')
- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
+ allow $1 httpd_bugzilla_script_t:process signal_perms;
ps_process_pattern($1, httpd_bugzilla_script_t)
- files_search_usr($1)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 httpd_bugzilla_script_t:process ptrace;
+ ')
+
+ files_list_tmp($1)
+ admin_pattern($1, httpd_bugzilla_tmp_t)
+
+ files_list_var_lib(httpd_bugzilla_script_t)
+
admin_pattern($1, httpd_bugzilla_script_exec_t)
admin_pattern($1, httpd_bugzilla_script_t)
admin_pattern($1, httpd_bugzilla_content_t)
@@ -76,5 +78,7 @@ interface(`bugzilla_admin',`
files_search_var_lib($1)
admin_pattern($1, httpd_bugzilla_rw_content_t)
- apache_list_sys_content($1)
+ optional_policy(`
+ apache_list_sys_content($1)
+ ')
')
diff --git a/bugzilla.te b/bugzilla.te
index 18623e3..d9f3061 100644
--- a/bugzilla.te
+++ b/bugzilla.te
@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.1.0)
apache_content_template(bugzilla)
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
########################################
#
# Local policy
@@ -14,7 +17,6 @@ apache_content_template(bugzilla)
allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
-corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
@@ -27,11 +29,21 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
+
files_search_var_lib(httpd_bugzilla_script_t)
-sysnet_dns_name_resolve(httpd_bugzilla_script_t)
+auth_read_passwd(httpd_bugzilla_script_t)
+
+dev_read_sysfs(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
sysnet_use_ldap(httpd_bugzilla_script_t)
+miscfiles_read_certs(httpd_bugzilla_script_t)
+
optional_policy(`
mta_send_mail(httpd_bugzilla_script_t)
')
diff --git a/bumblebee.fc b/bumblebee.fc
new file mode 100644
index 0000000..b5ee23b
--- /dev/null
+++ b/bumblebee.fc
@@ -0,0 +1,7 @@
+/etc/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
+
+/usr/lib/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
+
+/usr/sbin/bumblebeed -- gen_context(system_u:object_r:bumblebee_exec_t,s0)
+
+/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0)
diff --git a/bumblebee.if b/bumblebee.if
new file mode 100644
index 0000000..23a4f86
--- /dev/null
+++ b/bumblebee.if
@@ -0,0 +1,126 @@
+## policy for bumblebee
+
+########################################
+##
+## Execute bumblebee in the bumblebee domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bumblebee_domtrans',`
+ gen_require(`
+ type bumblebee_t, bumblebee_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, bumblebee_exec_t, bumblebee_t)
+')
+
+########################################
+##
+## Read bumblebee PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bumblebee_read_pid_files',`
+ gen_require(`
+ type bumblebee_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t)
+')
+
+########################################
+##
+## Execute bumblebee server in the bumblebee domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bumblebee_systemctl',`
+ gen_require(`
+ type bumblebee_t;
+ type bumblebee_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 bumblebee_unit_file_t:file read_file_perms;
+ allow $1 bumblebee_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, bumblebee_t)
+')
+
+########################################
+##
+## Connect to bumblebee over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bumblebee_stream_connect',`
+ gen_require(`
+ type bumblebee_t, bumblebee_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an bumblebee environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`bumblebee_admin',`
+ gen_require(`
+ type bumblebee_t;
+ type bumblebee_var_run_t;
+ type bumblebee_unit_file_t;
+ ')
+
+ allow $1 bumblebee_t:process { signal_perms };
+ ps_process_pattern($1, bumblebee_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bumblebee_t:process ptrace;
+ ')
+
+ files_search_pids($1)
+ admin_pattern($1, bumblebee_var_run_t)
+
+ bumblebee_systemctl($1)
+ admin_pattern($1, bumblebee_unit_file_t)
+ allow $1 bumblebee_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/bumblebee.te b/bumblebee.te
new file mode 100644
index 0000000..8c82398
--- /dev/null
+++ b/bumblebee.te
@@ -0,0 +1,44 @@
+policy_module(bumblebee, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type bumblebee_t;
+type bumblebee_exec_t;
+init_daemon_domain(bumblebee_t, bumblebee_exec_t)
+
+type bumblebee_var_run_t;
+files_pid_file(bumblebee_var_run_t)
+
+type bumblebee_unit_file_t;
+systemd_unit_file(bumblebee_unit_file_t)
+
+########################################
+#
+# bumblebee local policy
+#
+
+allow bumblebee_t self:capability { setgid };
+allow bumblebee_t self:process { fork signal_perms };
+allow bumblebee_t self:fifo_file rw_fifo_file_perms;
+allow bumblebee_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_sock_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_lnk_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file })
+
+kernel_read_system_state(bumblebee_t)
+kernel_dontaudit_access_check_proc(bumblebee_t)
+
+dev_read_sysfs(bumblebee_t)
+
+auth_read_passwd(bumblebee_t)
+
+logging_send_syslog_msg(bumblebee_t)
+
+modutils_domtrans_insmod(bumblebee_t)
+
diff --git a/cachefilesd.fc b/cachefilesd.fc
index 648c790..aa03fc8 100644
--- a/cachefilesd.fc
+++ b/cachefilesd.fc
@@ -1,9 +1,34 @@
-/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the contexts to be assigned to various files and directories of
+# importance to the CacheFiles kernel module and userspace management daemon.
+#
+
+# cachefilesd executable will have:
+# label: system_u:object_r:cachefilesd_exec_t
+# MLS sensitivity: s0
+# MCS categories:
+
+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
-/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
+/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
-/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
diff --git a/cachefilesd.if b/cachefilesd.if
index 8de2ab9..3b41945 100644
--- a/cachefilesd.if
+++ b/cachefilesd.if
@@ -1,39 +1,35 @@
-## CacheFiles user-space management daemon.
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
+## policy for cachefilesd
########################################
##
-## All of the rules required to
-## administrate an cachefilesd environment.
+## Execute a domain transition to run cachefilesd.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
-##
-##
-## Role allowed access.
-##
-##
-##
#
-interface(`cachefilesd_admin',`
+interface(`cachefilesd_domtrans',`
gen_require(`
- type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t;
- type cachefilesd_var_run_t;
+ type cachefilesd_t, cachefilesd_exec_t;
')
- allow $1 cachefilesd_t:process { ptrace signal_perms };
- ps_process_pattern($1, cachefilesd_t)
-
- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cachefilesd_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_var($1)
- admin_pattern($1, cachefilesd_cache_t)
-
- files_search_pids($1)
- admin_pattern($1, cachefilesd_var_run_t)
+ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
')
diff --git a/cachefilesd.te b/cachefilesd.te
index a3760bc..a570048 100644
--- a/cachefilesd.te
+++ b/cachefilesd.te
@@ -1,52 +1,124 @@
policy_module(cachefilesd, 1.1.0)
-########################################
+###############################################################################
#
# Declarations
#
+#
+# Files in the cache are created by the cachefiles module with security ID
+# cachefiles_var_t
+#
+type cachefiles_var_t;
+files_type(cachefiles_var_t)
+
+#
+# The /dev/cachefiles character device has security ID cachefiles_dev_t
+#
+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
+#
+# The cachefilesd daemon normally runs with security ID cachefilesd_t
+#
type cachefilesd_t;
type cachefilesd_exec_t;
init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
-type cachefilesd_initrc_exec_t;
-init_script_file(cachefilesd_initrc_exec_t)
-
-type cachefilesd_cache_t;
-files_type(cachefilesd_cache_t)
-
+#
+# The cachefilesd daemon pid file context
+#
type cachefilesd_var_run_t;
files_pid_file(cachefilesd_var_run_t)
-########################################
#
-# Local policy
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
+#
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
+###############################################################################
#
+# Permit RPM to deal with files in the cache
+#
+optional_policy(`
+ rpm_use_script_fds(cachefilesd_t)
+')
+###############################################################################
+#
+# cachefilesd local policy
+#
+# These define what cachefilesd is permitted to do. This doesn't include very
+# much: startup stuff, logging, pid file, scanning the cache superstructure and
+# deleting files from the cache. It is not permitted to read/write files in
+# the cache.
+#
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
+files_create_as_is_all_files(cachefilesd_t)
-manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-
-dev_rw_cachefiles(cachefilesd_t)
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
-files_create_all_files_as(cachefilesd_t)
-files_read_etc_files(cachefilesd_t)
+# Allow access to cache superstructure
+manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
+# Permit statfs on the backing filesystem
fs_getattr_xattr_fs(cachefilesd_t)
+# Basic access
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
term_dontaudit_use_generic_ptys(cachefilesd_t)
term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
-logging_send_syslog_msg(cachefilesd_t)
+###############################################################################
+#
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
+# the kernel module the security context in which it should act, and this
+# policy has to approve that.
+#
+# There are two parts to this:
+#
+# (1) the security context used by the module to access files in the cache,
+# as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
+allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
-miscfiles_read_localization(cachefilesd_t)
+#
+# (2) the label that will be assigned to new files and directories created in
+# the cache by the module, which will be the same as the label on the
+# directory pointed to by the 'dir' command.
+#
+allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
-init_dontaudit_use_script_ptys(cachefilesd_t)
+###############################################################################
+#
+# cachefiles kernel module local policy
+#
+# This governs what the kernel module is allowed to do the contents of the
+# cache.
+#
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
-optional_policy(`
- rpm_use_script_fds(cachefilesd_t)
-')
+manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
+
+init_sigchld_script(cachefiles_kernel_t)
diff --git a/calamaris.te b/calamaris.te
index 7e57460..b0cf254 100644
--- a/calamaris.te
+++ b/calamaris.te
@@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t)
corecmd_exec_bin(calamaris_t)
+corenet_all_recvfrom_netlabel(calamaris_t)
+corenet_tcp_sendrecv_generic_if(calamaris_t)
+corenet_udp_sendrecv_generic_if(calamaris_t)
+corenet_tcp_sendrecv_generic_node(calamaris_t)
+corenet_udp_sendrecv_generic_node(calamaris_t)
+corenet_tcp_sendrecv_all_ports(calamaris_t)
+corenet_udp_sendrecv_all_ports(calamaris_t)
+
dev_read_urand(calamaris_t)
-files_read_usr_files(calamaris_t)
+files_search_pids(calamaris_t)
files_read_etc_runtime_files(calamaris_t)
-libs_read_lib_files(calamaris_t)
-
auth_use_nsswitch(calamaris_t)
logging_send_syslog_msg(calamaris_t)
-miscfiles_read_localization(calamaris_t)
-
userdom_dontaudit_list_user_home_dirs(calamaris_t)
optional_policy(`
diff --git a/callweaver.te b/callweaver.te
index 0e5be4c..b9a407f 100644
--- a/callweaver.te
+++ b/callweaver.te
@@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t)
auth_use_nsswitch(callweaver_t)
-miscfiles_read_localization(callweaver_t)
diff --git a/canna.if b/canna.if
index 400db07..f416e22 100644
--- a/canna.if
+++ b/canna.if
@@ -43,9 +43,13 @@ interface(`canna_admin',`
type canna_var_run_t, canna_initrc_exec_t;
')
- allow $1 canna_t:process { ptrace signal_perms };
+ allow $1 canna_t:process signal_perms;
ps_process_pattern($1, canna_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 canna_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, canna_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 canna_initrc_exec_t system_r;
diff --git a/canna.te b/canna.te
index 9fe6162..2245f3b 100644
--- a/canna.te
+++ b/canna.te
@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
kernel_read_kernel_sysctls(canna_t)
kernel_read_system_state(canna_t)
-corenet_all_recvfrom_unlabeled(canna_t)
corenet_all_recvfrom_netlabel(canna_t)
corenet_tcp_sendrecv_generic_if(canna_t)
corenet_tcp_sendrecv_generic_node(canna_t)
@@ -68,16 +67,12 @@ fs_search_auto_mountpoints(canna_t)
domain_use_interactive_fds(canna_t)
-files_read_etc_files(canna_t)
files_read_etc_runtime_files(canna_t)
-files_read_usr_files(canna_t)
files_search_tmp(canna_t)
files_dontaudit_read_root_files(canna_t)
logging_send_syslog_msg(canna_t)
-miscfiles_read_localization(canna_t)
-
sysnet_read_config(canna_t)
userdom_dontaudit_use_unpriv_user_fds(canna_t)
diff --git a/ccs.if b/ccs.if
index 5ded72d..cb94e5e 100644
--- a/ccs.if
+++ b/ccs.if
@@ -98,20 +98,24 @@ interface(`ccs_manage_config',`
interface(`ccs_admin',`
gen_require(`
type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
- type ccs_var_lib_t_t, ccs_var_log_t;
+ type ccs_var_lib_t, ccs_var_log_t;
type ccs_var_run_t, ccs_tmp_t;
')
- allow $1 ccs_t:process { ptrace signal_perms };
+ allow $1 ccs_t:process { signal_perms };
ps_process_pattern($1, ccs_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ccs_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, ccs_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ccs_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
- admin_pattern($1, ccs_conf_t)
+ admin_pattern($1, cluster_conf_t)
files_search_var_lib($1)
admin_pattern($1, ccs_var_lib_t)
diff --git a/ccs.te b/ccs.te
index 658134d..58deece 100644
--- a/ccs.te
+++ b/ccs.te
@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
allow ccs_t self:process { signal setrlimit setsched };
-dontaudit ccs_t self:process ptrace;
+
allow ccs_t self:fifo_file rw_fifo_file_perms;
allow ccs_t self:unix_stream_socket { accept connectto listen };
allow ccs_t self:tcp_socket { accept listen };
@@ -75,7 +75,6 @@ kernel_read_kernel_sysctls(ccs_t)
corecmd_list_bin(ccs_t)
corecmd_exec_bin(ccs_t)
-corenet_all_recvfrom_unlabeled(ccs_t)
corenet_all_recvfrom_netlabel(ccs_t)
corenet_tcp_sendrecv_generic_if(ccs_t)
corenet_udp_sendrecv_generic_if(ccs_t)
@@ -95,15 +94,13 @@ corenet_udp_bind_netsupport_port(ccs_t)
dev_read_urand(ccs_t)
-files_read_etc_files(ccs_t)
files_read_etc_runtime_files(ccs_t)
init_rw_script_tmp_files(ccs_t)
+init_signal(ccs_t)
logging_send_syslog_msg(ccs_t)
-miscfiles_read_localization(ccs_t)
-
sysnet_dns_name_resolve(ccs_t)
userdom_manage_unpriv_user_shared_mem(ccs_t)
@@ -115,8 +112,7 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
- aisexec_stream_connect(ccs_t)
- corosync_stream_connect(ccs_t)
+ rhcs_stream_connect_cluster(ccs_t)
')
optional_policy(`
diff --git a/cdrecord.if b/cdrecord.if
index fbc20f6..4de4a00 100644
--- a/cdrecord.if
+++ b/cdrecord.if
@@ -27,6 +27,9 @@ interface(`cdrecord_role',`
allow cdrecord_t $2:unix_stream_socket rw_socket_perms;
- allow $2 cdrecord_t:process { ptrace signal_perms };
+ allow $2 cdrecord_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 cdrecord_t:process ptrace;
+ ')
ps_process_pattern($2, cdrecord_t)
')
diff --git a/cdrecord.te b/cdrecord.te
index 16883c9..0f4ccb0 100644
--- a/cdrecord.te
+++ b/cdrecord.te
@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t)
domain_interactive_fd(cdrecord_t)
domain_use_interactive_fds(cdrecord_t)
-files_read_etc_files(cdrecord_t)
-
term_use_controlling_term(cdrecord_t)
term_list_ptys(cdrecord_t)
@@ -52,10 +50,7 @@ storage_write_scsi_generic(cdrecord_t)
logging_send_syslog_msg(cdrecord_t)
-miscfiles_read_localization(cdrecord_t)
-
-userdom_use_user_terminals(cdrecord_t)
-userdom_read_user_home_content_files(cdrecord_t)
+userdom_use_inherited_user_terminals(cdrecord_t)
tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
fs_list_auto_mountpoints(cdrecord_t)
@@ -104,11 +99,7 @@ tunable_policy(`cdrecord_read_content',`
userdom_dontaudit_read_user_home_content_files(cdrecord_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- files_search_mnt(cdrecord_t)
- fs_read_nfs_files(cdrecord_t)
- fs_read_nfs_symlinks(cdrecord_t)
-')
+userdom_home_manager(cdrecord_t)
optional_policy(`
resmgr_stream_connect(cdrecord_t)
diff --git a/certmaster.if b/certmaster.if
index 0c53b18..ef29f6e 100644
--- a/certmaster.if
+++ b/certmaster.if
@@ -117,13 +117,16 @@ interface(`certmaster_manage_log',`
interface(`certmaster_admin',`
gen_require(`
type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
- type certmaster_etc_rw_t, certmaster_var_log_t;
- type certmaster_initrc_exec_t;
+ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
')
- allow $1 certmaster_t:process { ptrace signal_perms };
+ allow $1 certmaster_t:process signal_perms;
ps_process_pattern($1, certmaster_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 certmaster_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 certmaster_initrc_exec_t system_r;
diff --git a/certmaster.te b/certmaster.te
index 4a87873..113f3b3 100644
--- a/certmaster.te
+++ b/certmaster.te
@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
dev_read_urand(certmaster_t)
files_list_var(certmaster_t)
-files_search_etc(certmaster_t)
-files_read_usr_files(certmaster_t)
auth_use_nsswitch(certmaster_t)
-miscfiles_read_localization(certmaster_t)
miscfiles_manage_generic_cert_dirs(certmaster_t)
miscfiles_manage_generic_cert_files(certmaster_t)
+
+mta_send_mail(certmaster_t)
diff --git a/certmonger.fc b/certmonger.fc
index ed298d8..cd8eb4d 100644
--- a/certmonger.fc
+++ b/certmonger.fc
@@ -2,6 +2,8 @@
/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
+
/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
/var/run/certmonger.* gen_context(system_u:object_r:certmonger_var_run_t,s0)
diff --git a/certmonger.if b/certmonger.if
index 008f8ef..144c074 100644
--- a/certmonger.if
+++ b/certmonger.if
@@ -160,16 +160,20 @@ interface(`certmonger_admin',`
')
ps_process_pattern($1, certmonger_t)
- allow $1 certmonger_t:process { ptrace signal_perms };
+ allow $1 certmonger_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 certmonger_t:process ptrace;
+ ')
certmonger_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 certmonger_initrc_exec_t system_r;
allow $2 system_r;
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, certmonger_var_lib_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
index 550b287..6e8a513 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
type certmonger_var_run_t;
files_pid_file(certmonger_var_run_t)
+type certmonger_unconfined_exec_t;
+application_executable_file(certmonger_unconfined_exec_t)
+
########################################
#
# Local policy
@@ -26,10 +29,12 @@ files_pid_file(certmonger_var_run_t)
allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
dontaudit certmonger_t self:capability sys_tty_config;
allow certmonger_t self:capability2 block_suspend;
+
allow certmonger_t self:process { getsched setsched sigkill signal };
-allow certmonger_t self:fifo_file rw_fifo_file_perms;
-allow certmonger_t self:unix_stream_socket { accept listen };
-allow certmonger_t self:tcp_socket { accept listen };
+allow certmonger_t self:fifo_file rw_file_perms;
+allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
+allow certmonger_t self:tcp_socket create_stream_socket_perms;
+allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
@@ -41,6 +46,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
kernel_read_kernel_sysctls(certmonger_t)
kernel_read_system_state(certmonger_t)
+kernel_read_network_state(certmonger_t)
corenet_all_recvfrom_unlabeled(certmonger_t)
corenet_all_recvfrom_netlabel(certmonger_t)
@@ -49,16 +55,21 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
corenet_sendrecv_certmaster_client_packets(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t)
+
+corenet_tcp_connect_http_port(certmonger_t)
+corenet_tcp_connect_http_cache_port(certmonger_t)
+
+corenet_tcp_connect_pki_ca_port(certmonger_t)
corenet_tcp_sendrecv_certmaster_port(certmonger_t)
corecmd_exec_bin(certmonger_t)
corecmd_exec_shell(certmonger_t)
+dev_read_rand(certmonger_t)
dev_read_urand(certmonger_t)
domain_use_interactive_fds(certmonger_t)
-files_read_usr_files(certmonger_t)
files_list_tmp(certmonger_t)
fs_search_cgroup_dirs(certmonger_t)
@@ -70,16 +81,17 @@ init_getattr_all_script_files(certmonger_t)
logging_send_syslog_msg(certmonger_t)
-miscfiles_read_localization(certmonger_t)
miscfiles_manage_generic_cert_files(certmonger_t)
+systemd_exec_systemctl(certmonger_t)
+
userdom_search_user_home_content(certmonger_t)
optional_policy(`
- apache_initrc_domtrans(certmonger_t)
apache_search_config(certmonger_t)
apache_signal(certmonger_t)
apache_signull(certmonger_t)
+ apache_systemctl(certmonger_t)
')
optional_policy(`
@@ -92,11 +104,47 @@ optional_policy(`
')
optional_policy(`
- kerberos_read_keytab(certmonger_t)
+ dirsrv_manage_config(certmonger_t)
+ dirsrv_signal(certmonger_t)
+ dirsrv_signull(certmonger_t)
+')
+
+optional_policy(`
kerberos_use(certmonger_t)
+ kerberos_read_keytab(certmonger_t)
')
optional_policy(`
pcscd_read_pid_files(certmonger_t)
pcscd_stream_connect(certmonger_t)
')
+
+optional_policy(`
+ pki_rw_tomcat_cert(certmonger_t)
+ pki_read_tomcat_lib_files(certmonger_t)
+')
+
+########################################
+#
+# certmonger_unconfined_script_t local policy
+#
+
+optional_policy(`
+ type certmonger_unconfined_t;
+ domain_type(certmonger_unconfined_t)
+
+ domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
+ role system_r types certmonger_unconfined_t;
+
+ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
+
+ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
+ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
+ allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
+
+ init_domtrans_script(certmonger_unconfined_t)
+
+ optional_policy(`
+ unconfined_domain(certmonger_unconfined_t)
+ ')
+')
diff --git a/certwatch.te b/certwatch.te
index 171fafb..e88a026 100644
--- a/certwatch.te
+++ b/certwatch.te
@@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t;
allow certwatch_t self:capability sys_nice;
allow certwatch_t self:process { setsched getsched };
+allow certwatch_t self:tcp_socket create_stream_socket_perms;
+kernel_read_system_state(certwatch_t)
+
+corecmd_exec_bin(certwatch_t)
+
+dev_read_rand(certwatch_t)
dev_read_urand(certwatch_t)
-files_read_etc_files(certwatch_t)
-files_read_usr_files(certwatch_t)
files_read_usr_symlinks(certwatch_t)
files_list_tmp(certwatch_t)
fs_list_inotifyfs(certwatch_t)
auth_manage_cache(certwatch_t)
+auth_read_passwd(certwatch_t)
auth_var_filetrans_cache(certwatch_t)
logging_send_syslog_msg(certwatch_t)
miscfiles_read_all_certs(certwatch_t)
-miscfiles_read_localization(certwatch_t)
+miscfiles_manage_generic_cert_dirs(certwatch_t)
+
+sysnet_read_config(certwatch_t)
-userdom_use_user_terminals(certwatch_t)
-userdom_dontaudit_list_user_home_dirs(certwatch_t)
+userdom_use_inherited_user_terminals(certwatch_t)
+userdom_dontaudit_list_admin_dir(certwatch_t)
optional_policy(`
+ apache_domtrans(certwatch_t)
apache_exec_modules(certwatch_t)
apache_read_config(certwatch_t)
')
optional_policy(`
+ mta_send_mail(certwatch_t)
+')
+
+optional_policy(`
cron_system_entry(certwatch_t, certwatch_exec_t)
')
diff --git a/cfengine.if b/cfengine.if
index a731122..5279d4e 100644
--- a/cfengine.if
+++ b/cfengine.if
@@ -13,7 +13,6 @@
template(`cfengine_domain_template',`
gen_require(`
attribute cfengine_domain;
- type cfengine_log_t, cfengine_var_lib_t;
')
########################################
@@ -30,7 +29,29 @@ template(`cfengine_domain_template',`
# Policy
#
+ kernel_read_system_state(cfengine_$1_t)
+
auth_use_nsswitch(cfengine_$1_t)
+
+ logging_send_syslog_msg(cfengine_$1_t)
+')
+
+######################################
+##
+## Search cfengine lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cfengine_search_lib_files',`
+ gen_require(`
+ type cfengine_var_lib_t;
+ ')
+
+ allow $1 cfengine_var_lib_t:dir search_dir_perms;
')
########################################
@@ -71,6 +92,43 @@ interface(`cfengine_dontaudit_write_log_files',`
dontaudit $1 cfengine_var_log_t:file write_file_perms;
')
+#####################################
+##
+## Allow the specified domain to append cfengine's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cfengine_append_inherited_log',`
+ gen_require(`
+ type cfengine_var_log_t;
+ ')
+
+ cfengine_search_lib_files($1)
+ allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
+')
+
+####################################
+##
+## Dontaudit the specified domain to write cfengine's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cfengine_dontaudit_write_log',`
+ gen_require(`
+ type cfengine_var_log_t;
+ ')
+
+ dontaudit $1 cfengine_var_log_t:file write;
+')
+
########################################
##
## All of the rules required to
@@ -94,7 +152,7 @@ interface(`cfengine_admin',`
type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
')
- allow $1 cfengine_domain:process { ptrace signal_perms };
+ allow $1 cfengine_domain:process { signal_perms };
ps_process_pattern($1, cfengine_domain)
init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
@@ -105,3 +163,4 @@ interface(`cfengine_admin',`
files_search_var_lib($1)
admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
')
+
diff --git a/cfengine.te b/cfengine.te
index fbe3ad9..ffde263 100644
--- a/cfengine.te
+++ b/cfengine.te
@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
logging_log_filetrans(cfengine_domain, cfengine_log_t, dir)
-kernel_read_system_state(cfengine_domain)
-
corecmd_exec_bin(cfengine_domain)
corecmd_exec_shell(cfengine_domain)
dev_read_urand(cfengine_domain)
dev_read_sysfs(cfengine_domain)
-logging_send_syslog_msg(cfengine_domain)
-
-miscfiles_read_localization(cfengine_domain)
-
+sysnet_dns_name_resolve(cfengine_domain)
sysnet_domtrans_ifconfig(cfengine_domain)
########################################
diff --git a/cgroup.if b/cgroup.if
index 85ca63f..1d1c99c 100644
--- a/cgroup.if
+++ b/cgroup.if
@@ -171,8 +171,26 @@ interface(`cgroup_admin',`
type cgrules_etc_t, cgclear_t;
')
- allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })
+ allow $1 cgclear_t:process signal_perms;
+ ps_process_pattern($1, cgclear_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cgclear_t:process ptrace;
+ ')
+
+ allow $1 cgconfig_t:process signal_perms;
+ ps_process_pattern($1, cgconfig_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cgconfig_t:process ptrace;
+ ')
+
+ allow $1 cgred_t:process signal_perms;
+ ps_process_pattern($1, cgred_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cgred_t:process ptrace;
+ ')
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
index 80a88a2..1a33de9 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
type cgrules_etc_t;
files_config_file(cgrules_etc_t)
-type cgconfig_t;
-type cgconfig_exec_t;
+type cgconfig_t alias cgconfigparser_t;
+type cgconfig_exec_t alias cgconfigparser_exec_t;
init_daemon_domain(cgconfig_t, cgconfig_exec_t)
type cgconfig_initrc_exec_t;
@@ -42,10 +42,12 @@ files_config_file(cgconfig_etc_t)
allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
-allow cgclear_t cgconfig_etc_t:file read_file_perms;
+read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)
kernel_read_system_state(cgclear_t)
+auth_use_nsswitch(cgclear_t)
+
domain_setpriority_all_domains(cgclear_t)
fs_manage_cgroup_dirs(cgclear_t)
@@ -64,20 +66,21 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
kernel_list_unlabeled(cgconfig_t)
kernel_read_system_state(cgconfig_t)
-files_read_etc_files(cgconfig_t)
-
fs_manage_cgroup_dirs(cgconfig_t)
fs_manage_cgroup_files(cgconfig_t)
fs_mount_cgroup(cgconfig_t)
fs_mounton_cgroup(cgconfig_t)
fs_unmount_cgroup(cgconfig_t)
+auth_use_nsswitch(cgconfig_t)
+
########################################
#
# cgred local policy
#
+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
+allow cgred_t self:process signal_perms;
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
@@ -99,10 +102,10 @@ domain_setpriority_all_domains(cgred_t)
files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t)
files_read_all_symlinks(cgred_t)
-files_read_etc_files(cgred_t)
fs_write_cgroup_files(cgred_t)
+fs_list_inotifyfs(cgred_t)
-logging_send_syslog_msg(cgred_t)
+auth_use_nsswitch(cgred_t)
-miscfiles_read_localization(cgred_t)
+logging_send_syslog_msg(cgred_t)
diff --git a/chrome.fc b/chrome.fc
new file mode 100644
index 0000000..57866f6
--- /dev/null
+++ b/chrome.fc
@@ -0,0 +1,9 @@
+/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+
+HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
diff --git a/chrome.if b/chrome.if
new file mode 100644
index 0000000..5977d96
--- /dev/null
+++ b/chrome.if
@@ -0,0 +1,134 @@
+
+## policy for chrome
+
+########################################
+##
+## Execute a domain transition to run chrome_sandbox.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`chrome_domtrans_sandbox',`
+ gen_require(`
+ type chrome_sandbox_t, chrome_sandbox_exec_t;
+ ')
+
+ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
+ ps_process_pattern(chrome_sandbox_t, $1)
+
+ allow $1 chrome_sandbox_t:fd use;
+
+ ifdef(`hide_broken_symptoms',`
+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
+ ')
+')
+
+
+########################################
+##
+## Execute chrome_sandbox in the chrome_sandbox domain, and
+## allow the specified role the chrome_sandbox domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the chrome_sandbox domain.
+##
+##
+#
+interface(`chrome_run_sandbox',`
+ gen_require(`
+ type chrome_sandbox_t;
+ type chrome_sandbox_nacl_t;
+ ')
+
+ chrome_domtrans_sandbox($1)
+ role $2 types chrome_sandbox_t;
+ role $2 types chrome_sandbox_nacl_t;
+')
+
+########################################
+##
+## Role access for chrome sandbox
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`chrome_role_notrans',`
+ gen_require(`
+ type chrome_sandbox_t;
+ type chrome_sandbox_tmpfs_t;
+ type chrome_sandbox_nacl_t;
+ ')
+
+ role $1 types chrome_sandbox_t;
+ role $1 types chrome_sandbox_nacl_t;
+
+ ps_process_pattern($2, chrome_sandbox_t)
+ allow $2 chrome_sandbox_t:process signal_perms;
+
+ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
+ allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;;
+ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
+ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms;
+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
+
+ allow $2 chrome_sandbox_t:shm rw_shm_perms;
+
+ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+##
+## Role access for chrome sandbox
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`chrome_role',`
+ chrome_role_notrans($1, $2)
+ chrome_domtrans_sandbox($2)
+')
+
+########################################
+##
+## Dontaudit read/write to a chrome_sandbox leaks
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`chrome_dontaudit_sandbox_leaks',`
+ gen_require(`
+ type chrome_sandbox_t;
+ ')
+
+ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
index 0000000..748f5d5
--- /dev/null
+++ b/chrome.te
@@ -0,0 +1,247 @@
+policy_module(chrome,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type chrome_sandbox_t;
+type chrome_sandbox_exec_t;
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
+role system_r types chrome_sandbox_t;
+ubac_constrained(chrome_sandbox_t)
+
+type chrome_sandbox_tmp_t;
+files_tmp_file(chrome_sandbox_tmp_t)
+
+type chrome_sandbox_tmpfs_t;
+files_tmpfs_file(chrome_sandbox_tmpfs_t)
+ubac_constrained(chrome_sandbox_tmpfs_t)
+
+type chrome_sandbox_nacl_t;
+type chrome_sandbox_nacl_exec_t;
+application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
+role system_r types chrome_sandbox_nacl_t;
+ubac_constrained(chrome_sandbox_nacl_t)
+
+type chrome_sandbox_home_t;
+userdom_user_home_content(chrome_sandbox_home_t)
+
+########################################
+#
+# chrome_sandbox local policy
+#
+allow chrome_sandbox_t self:capability2 block_suspend;
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+dontaudit chrome_sandbox_t self:capability sys_nice;
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
+allow chrome_sandbox_t self:process setsched;
+allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_t self:shm create_shm_perms;
+allow chrome_sandbox_t self:sem create_sem_perms;
+allow chrome_sandbox_t self:msgq create_msgq_perms;
+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
+dontaudit chrome_sandbox_t self:memprotect mmap_zero;
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_lnk_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+userdom_user_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir })
+
+kernel_read_system_state(chrome_sandbox_t)
+kernel_read_kernel_sysctls(chrome_sandbox_t)
+
+fs_manage_cgroup_dirs(chrome_sandbox_t)
+fs_manage_cgroup_files(chrome_sandbox_t)
+fs_read_dos_files(chrome_sandbox_t)
+fs_read_hugetlbfs_files(chrome_sandbox_t)
+
+corecmd_exec_bin(chrome_sandbox_t)
+
+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
+corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t)
+corenet_tcp_connect_aol_port(chrome_sandbox_t)
+corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
+corenet_tcp_connect_commplex_link_port(chrome_sandbox_t)
+corenet_tcp_connect_couchdb_port(chrome_sandbox_t)
+corenet_tcp_connect_flash_port(chrome_sandbox_t)
+corenet_tcp_connect_ftp_port(chrome_sandbox_t)
+corenet_tcp_connect_gatekeeper_port(chrome_sandbox_t)
+corenet_tcp_connect_generic_port(chrome_sandbox_t)
+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
+corenet_tcp_connect_http_port(chrome_sandbox_t)
+corenet_tcp_connect_ipp_port(chrome_sandbox_t)
+corenet_tcp_connect_ipsecnat_port(chrome_sandbox_t)
+corenet_tcp_connect_jabber_client_port(chrome_sandbox_t)
+corenet_tcp_connect_jboss_management_port(chrome_sandbox_t)
+corenet_tcp_connect_mmcc_port(chrome_sandbox_t)
+corenet_tcp_connect_monopd_port(chrome_sandbox_t)
+corenet_tcp_connect_msnp_port(chrome_sandbox_t)
+corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
+corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
+corenet_tcp_connect_soundd_port(chrome_sandbox_t)
+corenet_tcp_connect_speech_port(chrome_sandbox_t)
+corenet_tcp_connect_squid_port(chrome_sandbox_t)
+corenet_tcp_connect_tor_port(chrome_sandbox_t)
+corenet_tcp_connect_transproxy_port(chrome_sandbox_t)
+corenet_tcp_connect_vnc_port(chrome_sandbox_t)
+corenet_tcp_connect_whois_port(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
+
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
+
+dev_read_urand(chrome_sandbox_t)
+dev_read_sysfs(chrome_sandbox_t)
+dev_rwx_zero(chrome_sandbox_t)
+dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
+
+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
+
+libs_legacy_use_shared_libs(chrome_sandbox_t)
+
+miscfiles_read_fonts(chrome_sandbox_t)
+
+sysnet_dns_name_resolve(chrome_sandbox_t)
+
+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
+userdom_execute_user_tmpfs_files(chrome_sandbox_t)
+
+userdom_use_user_ptys(chrome_sandbox_t)
+userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
+userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
+userdom_search_user_home_content(chrome_sandbox_t)
+# This one we should figure a way to make it more secure
+userdom_manage_home_certs(chrome_sandbox_t)
+
+optional_policy(`
+ gnome_read_generic_cache_files(chrome_sandbox_t)
+ gnome_rw_inherited_config(chrome_sandbox_t)
+ gnome_read_home_config(chrome_sandbox_t)
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome")
+
+')
+
+optional_policy(`
+ mozilla_write_user_home_files(chrome_sandbox_t)
+')
+
+optional_policy(`
+ xserver_use_user_fonts(chrome_sandbox_t)
+ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(chrome_sandbox_t)
+ fs_exec_nfs_files(chrome_sandbox_t)
+ fs_read_nfs_files(chrome_sandbox_t)
+ fs_rw_inherited_nfs_files(chrome_sandbox_t)
+ fs_read_nfs_symlinks(chrome_sandbox_t)
+ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(chrome_sandbox_t)
+ fs_exec_cifs_files(chrome_sandbox_t)
+ fs_rw_inherited_cifs_files(chrome_sandbox_t)
+ fs_read_cifs_files(chrome_sandbox_t)
+ fs_read_cifs_symlinks(chrome_sandbox_t)
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_search_fusefs(chrome_sandbox_t)
+ fs_read_fusefs_files(chrome_sandbox_t)
+ fs_exec_fusefs_files(chrome_sandbox_t)
+ fs_read_fusefs_symlinks(chrome_sandbox_t)
+')
+
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_read_ecryptfs_files(chrome_sandbox_t)
+ fs_dontaudit_append_ecryptfs_files(chrome_sandbox_t)
+ fs_read_ecryptfs_symlinks(chrome_sandbox_t)
+')
+
+optional_policy(`
+ bumblebee_stream_connect(chrome_sandbox_t)
+')
+
+optional_policy(`
+ cups_stream_connect(chrome_sandbox_t)
+')
+
+optional_policy(`
+ sandbox_use_ptys(chrome_sandbox_t)
+')
+
+
+########################################
+#
+# chrome_sandbox_nacl local policy
+#
+
+allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal };
+
+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_nacl_t self:shm create_shm_perms;
+allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
+allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };
+
+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share };
+
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
+
+domain_use_interactive_fds(chrome_sandbox_nacl_t)
+
+dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
+
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
+
+manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_lnk_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+
+kernel_read_state(chrome_sandbox_nacl_t)
+kernel_read_system_state(chrome_sandbox_nacl_t)
+
+corecmd_bin_entry_type(chrome_sandbox_nacl_t)
+
+dev_read_urand(chrome_sandbox_nacl_t)
+dev_read_sysfs(chrome_sandbox_nacl_t)
+dev_rwx_zero(chrome_sandbox_nacl_t)
+
+init_read_state(chrome_sandbox_nacl_t)
+
+libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
+
+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
+
+optional_policy(`
+ gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t)
+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
+')
diff --git a/chronyd.fc b/chronyd.fc
index 4e4143e..a665b32 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
diff --git a/chronyd.if b/chronyd.if
index 32e8265..0de4af3 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -100,8 +100,7 @@ interface(`chronyd_rw_shm',`
########################################
##
-## Connect to chronyd using a unix
-## domain stream socket.
+## Read chronyd keys files.
##
##
##
@@ -109,19 +108,17 @@ interface(`chronyd_rw_shm',`
##
##
#
-interface(`chronyd_stream_connect',`
+interface(`chronyd_read_keys',`
gen_require(`
- type chronyd_t, chronyd_var_run_t;
+ type chronyd_keys_t;
')
- files_search_pids($1)
- stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
')
########################################
##
-## Send to chronyd using a unix domain
-## datagram socket.
+## Append chronyd keys files.
##
##
##
@@ -129,18 +126,61 @@ interface(`chronyd_stream_connect',`
##
##
#
-interface(`chronyd_dgram_send',`
+interface(`chronyd_append_keys',`
+ gen_require(`
+ type chronyd_keys_t;
+ ')
+
+ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
+########################################
+##
+## Execute chronyd server in the chronyd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`chronyd_systemctl',`
+ gen_require(`
+ type chronyd_t;
+ type chronyd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 chronyd_unit_file_t:file read_file_perms;
+ allow $1 chronyd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, chronyd_t)
+')
+
+#######################################
+##
+## Connect to chronyd using a unix
+## domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_stream_connect',`
gen_require(`
type chronyd_t, chronyd_var_run_t;
')
files_search_pids($1)
- dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
')
########################################
##
-## Read chronyd key files.
+## Send to chronyd using a unix domain
+## datagram socket.
##
##
##
@@ -148,13 +188,13 @@ interface(`chronyd_dgram_send',`
##
##
#
-interface(`chronyd_read_key_files',`
+interface(`chronyd_dgram_send',`
gen_require(`
- type chronyd_keys_t;
+ type chronyd_t, chronyd_var_run_t;
')
- files_search_etc($1)
- read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+ files_search_pids($1)
+ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
')
####################################
@@ -176,28 +216,38 @@ interface(`chronyd_read_key_files',`
#
interface(`chronyd_admin',`
gen_require(`
- type chronyd_t, chronyd_var_log_t;
- type chronyd_var_run_t, chronyd_var_lib_t;
- type chronyd_initrc_exec_t, chronyd_keys_t;
+ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
+ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
+ type chronyd_keys_t, chronyd_unit_file_t;
')
- allow $1 chronyd_t:process { ptrace signal_perms };
+ allow $1 chronyd_t:process signal_perms;
ps_process_pattern($1, chronyd_t)
- chronyd_initrc_domtrans($1)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 chronyd_t:process ptrace;
+ ')
+
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 chronyd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, chronyd_keys_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, chronyd_var_log_t)
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, chronyd_var_lib_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, chronyd_var_run_t)
+
+ admin_pattern($1, chronyd_tmpfs_t)
+
+ admin_pattern($1, chronyd_unit_file_t)
+ chronyd_systemctl($1)
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
index e5b621c..2ec82ae 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
type chronyd_tmpfs_t;
files_tmpfs_file(chronyd_tmpfs_t)
+type chronyd_unit_file_t;
+systemd_unit_file(chronyd_unit_file_t)
+
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t)
# Local policy
#
-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
-allow chronyd_t self:process { getcap setcap setrlimit signal };
+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time };
+allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
allow chronyd_t self:shm create_shm_perms;
+allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket create_socket_perms;
allow chronyd_t self:fifo_file rw_fifo_file_perms;
+allow chronyd_t chronyd_keys_t:file append_file_perms;
+allow chronyd_t chronyd_keys_t:file setattr_file_perms;
allow chronyd_t chronyd_keys_t:file read_file_perms;
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
@@ -76,18 +83,19 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
corenet_udp_bind_chronyd_port(chronyd_t)
corenet_udp_sendrecv_chronyd_port(chronyd_t)
+domain_dontaudit_getsession_all_domains(chronyd_t)
+
+dev_read_rand(chronyd_t)
+dev_read_urand(chronyd_t)
+
dev_rw_realtime_clock(chronyd_t)
auth_use_nsswitch(chronyd_t)
logging_send_syslog_msg(chronyd_t)
-miscfiles_read_localization(chronyd_t)
+mta_send_mail(chronyd_t)
optional_policy(`
gpsd_rw_shm(chronyd_t)
')
-
-optional_policy(`
- mta_send_mail(chronyd_t)
-')
diff --git a/cipe.te b/cipe.te
index a0aa693..af571ed 100644
--- a/cipe.te
+++ b/cipe.te
@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t)
corecmd_exec_shell(ciped_t)
corecmd_exec_bin(ciped_t)
-corenet_all_recvfrom_unlabeled(ciped_t)
corenet_all_recvfrom_netlabel(ciped_t)
corenet_udp_sendrecv_generic_if(ciped_t)
corenet_udp_sendrecv_generic_node(ciped_t)
@@ -45,7 +44,6 @@ dev_read_urand(ciped_t)
domain_use_interactive_fds(ciped_t)
-files_read_etc_files(ciped_t)
files_read_etc_runtime_files(ciped_t)
files_dontaudit_search_var(ciped_t)
@@ -53,8 +51,6 @@ fs_search_auto_mountpoints(ciped_t)
logging_send_syslog_msg(ciped_t)
-miscfiles_read_localization(ciped_t)
-
sysnet_read_config(ciped_t)
userdom_dontaudit_use_unpriv_user_fds(ciped_t)
diff --git a/clamav.fc b/clamav.fc
index d72afcc..c53b80d 100644
--- a/clamav.fc
+++ b/clamav.fc
@@ -6,6 +6,8 @@
/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
+/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
+
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
diff --git a/clamav.if b/clamav.if
index 4cc4a5c..99c5cca 100644
--- a/clamav.if
+++ b/clamav.if
@@ -1,4 +1,4 @@
-## ClamAV Virus Scanner.
+## ClamAV Virus Scanner
########################################
##
@@ -15,14 +15,12 @@ interface(`clamav_domtrans',`
type clamd_t, clamd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, clamd_exec_t, clamd_t)
')
########################################
##
-## Connect to clamd using a unix
-## domain stream socket.
+## Connect to run clamd.
##
##
##
@@ -41,7 +39,8 @@ interface(`clamav_stream_connect',`
########################################
##
-## Append clamav log files.
+## Allow the specified domain to append
+## to clamav log files.
##
##
##
@@ -61,27 +60,6 @@ interface(`clamav_append_log',`
########################################
##
-## Create, read, write, and delete
-## clamav pid content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`clamav_manage_pid_content',`
- gen_require(`
- type clamd_var_run_t;
- ')
-
- files_search_pids($1)
- manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
- manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
-')
-
-########################################
-##
## Read clamav configuration files.
##
##
@@ -101,7 +79,7 @@ interface(`clamav_read_config',`
########################################
##
-## Search clamav library directories.
+## Search clamav libraries directories.
##
##
##
@@ -133,13 +111,12 @@ interface(`clamav_domtrans_clamscan',`
type clamscan_t, clamscan_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, clamscan_exec_t, clamscan_t)
')
########################################
##
-## Execute clamscan in the caller domain.
+## Execute clamscan without a transition.
##
##
##
@@ -152,13 +129,12 @@ interface(`clamav_exec_clamscan',`
type clamscan_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, clamscan_exec_t)
')
-#######################################
+########################################
##
-## Read clamd process state files.
+## Manage clamd pid content.
##
##
##
@@ -166,21 +142,62 @@ interface(`clamav_exec_clamscan',`
##
##
#
-interface(`clamav_read_state_clamd',`
+interface(`clamav_manage_clamd_pid',`
gen_require(`
- type clamd_t;
+ type clamd_var_run_t;
')
- kernel_search_proc($1)
- allow $1 clamd_t:dir list_dir_perms;
- read_files_pattern($1, clamd_t, clamd_t)
- read_lnk_files_pattern($1, clamd_t, clamd_t)
+ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
+ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
+')
+
+#######################################
+##
+## Read clamd state files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clamav_read_state_clamd',`
+ gen_require(`
+ type clamd_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, clamd_t)
+')
+
+#######################################
+##
+## Execute clamd server in the clamd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`clamd_systemctl',`
+ gen_require(`
+ type clamd_t;
+ type clamd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 clamd_unit_file_t:file read_file_perms;
+ allow $1 clamd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, clamd_t)
')
########################################
##
-## All of the rules required to
-## administrate an clamav environment.
+## All of the rules required to administrate
+## an clamav environment
##
##
##
@@ -189,7 +206,7 @@ interface(`clamav_read_state_clamd',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the clamav domain.
##
##
##
@@ -197,19 +214,36 @@ interface(`clamav_read_state_clamd',`
interface(`clamav_admin',`
gen_require(`
type clamd_t, clamd_etc_t, clamd_tmp_t;
- type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t;
- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
+ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
type freshclam_t, freshclam_var_log_t;
+ type clamd_unit_file_t;
')
- allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
+ allow $1 clamd_t:process signal_perms;
+ ps_process_pattern($1, clamd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 clamd_t:process ptrace;
+ allow $1 clamscan_t:process ptrace;
+ allow $1 freshclam_t:process ptrace;
+ ')
+
+ allow $1 clamscan_t:process signal_perms;
+ ps_process_pattern($1, clamscan_t)
+
+ allow $1 freshclam_t:process signal_perms;
+ ps_process_pattern($1, freshclam_t)
init_labeled_script_domtrans($1, clamd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 clamd_initrc_exec_t system_r;
allow $2 system_r;
+ clamd_systemctl($1)
+ admin_pattern($1, clamd_unit_file_t)
+ allow $1 clamd_unit_file_t:service all_service_perms;
+
files_list_etc($1)
admin_pattern($1, clamd_etc_t)
@@ -217,11 +251,21 @@ interface(`clamav_admin',`
admin_pattern($1, clamd_var_lib_t)
logging_list_logs($1)
- admin_pattern($1, { clamd_var_log_t freshclam_var_log_t })
+ admin_pattern($1, clamd_var_log_t)
files_list_pids($1)
admin_pattern($1, clamd_var_run_t)
files_list_tmp($1)
- admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
+ admin_pattern($1, clamd_tmp_t)
+
+ admin_pattern($1, clamscan_tmp_t)
+
+ admin_pattern($1, freshclam_var_log_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+
')
diff --git a/clamav.te b/clamav.te
index ce3836a..94aa8a6 100644
--- a/clamav.te
+++ b/clamav.te
@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
type clamd_initrc_exec_t;
init_script_file(clamd_initrc_exec_t)
+type clamd_unit_file_t;
+systemd_unit_file(clamd_unit_file_t)
+
type clamd_tmp_t;
files_tmp_file(clamd_tmp_t)
@@ -73,6 +76,7 @@ logging_log_file(freshclam_var_log_t)
allow clamd_t self:capability { kill setgid setuid dac_override };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:process signal;
+
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { accept connectto listen };
allow clamd_t self:tcp_socket { listen accept };
@@ -107,7 +111,6 @@ kernel_read_system_state(clamd_t)
corecmd_exec_shell(clamd_t)
-corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
corenet_tcp_sendrecv_generic_if(clamd_t)
corenet_tcp_sendrecv_generic_node(clamd_t)
@@ -119,6 +122,7 @@ corenet_tcp_bind_generic_port(clamd_t)
corenet_sendrecv_generic_client_packets(clamd_t)
corenet_tcp_connect_generic_port(clamd_t)
+corenet_tcp_connect_clamd_port(clamd_t)
corenet_sendrecv_clamd_server_packets(clamd_t)
corenet_tcp_bind_clamd_port(clamd_t)
@@ -135,18 +139,10 @@ auth_use_nsswitch(clamd_t)
logging_send_syslog_msg(clamd_t)
-miscfiles_read_localization(clamd_t)
-
-tunable_policy(`clamd_use_jit',`
- allow clamd_t self:process execmem;
-',`
- dontaudit clamd_t self:process execmem;
-')
-
optional_policy(`
amavis_read_lib_files(clamd_t)
amavis_read_spool_files(clamd_t)
- amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
+ amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })
amavis_create_pid_files(clamd_t)
')
@@ -165,6 +161,31 @@ optional_policy(`
mta_send_mail(clamd_t)
')
+optional_policy(`
+ spamd_stream_connect(clamd_t)
+ spamassassin_read_pid_files(clamd_t)
+')
+
+tunable_policy(`clamd_use_jit',`
+ allow clamd_t self:process execmem;
+ allow clamscan_t self:process execmem;
+',`
+ dontaudit clamd_t self:process execmem;
+ dontaudit clamscan_t self:process execmem;
+')
+
+optional_policy(`
+ antivirus_domain_template(clamd_t)
+')
+
+optional_policy(`
+ antivirus_domain_template(clamscan_t)
+')
+
+optional_policy(`
+ antivirus_domain_template(freshclam_t)
+')
+
########################################
#
# Freshclam local policy
@@ -228,7 +249,6 @@ auth_use_nsswitch(freshclam_t)
logging_send_syslog_msg(freshclam_t)
-miscfiles_read_localization(freshclam_t)
tunable_policy(`clamd_use_jit',`
allow freshclam_t self:process execmem;
@@ -241,6 +261,10 @@ optional_policy(`
')
optional_policy(`
+ clamd_systemctl(freshclam_t)
+')
+
+optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
@@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t)
kernel_read_kernel_sysctls(clamscan_t)
kernel_read_system_state(clamscan_t)
-corenet_all_recvfrom_unlabeled(clamscan_t)
corenet_all_recvfrom_netlabel(clamscan_t)
corenet_tcp_sendrecv_generic_if(clamscan_t)
corenet_tcp_sendrecv_generic_node(clamscan_t)
@@ -286,14 +309,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
corecmd_read_all_executables(clamscan_t)
-files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
files_search_var_lib(clamscan_t)
init_read_utmp(clamscan_t)
init_dontaudit_write_utmp(clamscan_t)
-miscfiles_read_localization(clamscan_t)
miscfiles_read_public_files(clamscan_t)
sysnet_dns_name_resolve(clamscan_t)
@@ -310,10 +331,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
')
optional_policy(`
- amavis_read_spool_files(clamscan_t)
-')
-
-optional_policy(`
apache_read_sys_content(clamscan_t)
')
diff --git a/clockspeed.te b/clockspeed.te
index d3e2a67..f5b330c 100644
--- a/clockspeed.te
+++ b/clockspeed.te
@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
corenet_all_recvfrom_netlabel(clockspeed_cli_t)
corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
@@ -38,11 +37,9 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
files_list_var_lib(clockspeed_cli_t)
-files_read_etc_files(clockspeed_cli_t)
-miscfiles_read_localization(clockspeed_cli_t)
-userdom_use_user_terminals(clockspeed_cli_t)
+userdom_use_inherited_user_terminals(clockspeed_cli_t)
########################################
#
@@ -57,7 +54,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
corenet_all_recvfrom_netlabel(clockspeed_srv_t)
corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
@@ -68,9 +64,7 @@ corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t)
files_list_var_lib(clockspeed_srv_t)
-files_read_etc_files(clockspeed_srv_t)
-miscfiles_read_localization(clockspeed_srv_t)
optional_policy(`
daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
diff --git a/clogd.te b/clogd.te
index 4a5b3d1..cd146bd 100644
--- a/clogd.te
+++ b/clogd.te
@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
logging_send_syslog_msg(clogd_t)
-miscfiles_read_localization(clogd_t)
-
optional_policy(`
- aisexec_stream_connect(clogd_t)
- corosync_stream_connect(clogd_t)
+ rhcs_stream_connect_cluster(clogd_t)
')
diff --git a/cloudform.fc b/cloudform.fc
new file mode 100644
index 0000000..3a0de96
--- /dev/null
+++ b/cloudform.fc
@@ -0,0 +1,27 @@
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+
+/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
+/usr/lib/systemd/system/cloud-config.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
+/var/log/cloud-init\.log -- gen_context(system_u:object_r:cloud_log_t,s0)
+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
+/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
+
+/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
+/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0)
+/var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0)
+/var/log/aeolus-conductor/dbomatic\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)
+
+/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
diff --git a/cloudform.if b/cloudform.if
new file mode 100644
index 0000000..8ac848b
--- /dev/null
+++ b/cloudform.if
@@ -0,0 +1,42 @@
+## cloudform policy
+
+#######################################
+##
+## Creates types and rules for a basic
+## cloudform daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`cloudform_domain_template',`
+ gen_require(`
+ attribute cloudform_domain;
+ ')
+
+ type $1_t, cloudform_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ kernel_read_system_state($1_t)
+')
+
+######################################
+##
+## Execute mongod in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cloudform_exec_mongod',`
+ gen_require(`
+ type mongod_exec_t;
+ ')
+
+ can_exec($1, mongod_exec_t)
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
index 0000000..786d623
--- /dev/null
+++ b/cloudform.te
@@ -0,0 +1,299 @@
+policy_module(cloudform, 1.0)
+########################################
+#
+# Declarations
+#
+
+attribute cloudform_domain;
+
+cloudform_domain_template(deltacloudd)
+cloudform_domain_template(iwhd)
+cloudform_domain_template(mongod)
+cloudform_domain_template(cloud_init)
+
+type cloud_init_tmp_t;
+files_tmp_file(cloud_init_tmp_t)
+
+type cloud_init_unit_file_t;
+systemd_unit_file(cloud_init_unit_file_t)
+
+type cloud_var_lib_t;
+files_type(cloud_var_lib_t)
+
+type cloud_log_t;
+logging_log_file(cloud_log_t)
+
+type deltacloudd_log_t;
+logging_log_file(deltacloudd_log_t)
+
+type deltacloudd_var_run_t;
+files_pid_file(deltacloudd_var_run_t)
+
+type deltacloudd_tmp_t;
+files_tmp_file(deltacloudd_tmp_t)
+
+type iwhd_initrc_exec_t;
+init_script_file(iwhd_initrc_exec_t)
+
+type iwhd_var_lib_t;
+files_type(iwhd_var_lib_t)
+
+type iwhd_var_run_t;
+files_pid_file(iwhd_var_run_t)
+
+type mongod_initrc_exec_t;
+init_script_file(mongod_initrc_exec_t)
+
+type mongod_log_t;
+logging_log_file(mongod_log_t)
+
+type mongod_var_lib_t;
+files_type(mongod_var_lib_t)
+
+type mongod_tmp_t;
+files_tmp_file(mongod_tmp_t)
+
+type mongod_var_run_t;
+files_pid_file(mongod_var_run_t)
+
+type iwhd_log_t;
+logging_log_file(iwhd_log_t)
+
+########################################
+#
+# cloudform_domain local policy
+#
+
+allow cloudform_domain self:fifo_file rw_fifo_file_perms;
+allow cloudform_domain self:tcp_socket create_stream_socket_perms;
+
+dev_read_rand(cloudform_domain)
+dev_read_urand(cloudform_domain)
+dev_read_sysfs(cloudform_domain)
+
+auth_read_passwd(cloudform_domain)
+
+miscfiles_read_certs(cloudform_domain)
+
+#################################
+#
+# cloud-init local policy
+#
+
+allow cloud_init_t self:capability { fowner chown fsetid dac_override };
+
+allow cloud_init_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir })
+
+manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+
+manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t)
+logging_log_filetrans(cloud_init_t, cloud_log_t, { file })
+
+kernel_read_network_state(cloud_init_t)
+
+corenet_tcp_connect_http_port(cloud_init_t)
+
+corecmd_exec_bin(cloud_init_t)
+corecmd_exec_shell(cloud_init_t)
+
+domain_read_all_domains_state(cloud_init_t)
+
+fs_getattr_all_fs(cloud_init_t)
+
+storage_raw_read_fixed_disk(cloud_init_t)
+
+libs_exec_ldconfig(cloud_init_t)
+
+logging_send_syslog_msg(cloud_init_t)
+
+miscfiles_read_localization(cloud_init_t)
+
+selinux_validate_context(cloud_init_t)
+
+systemd_dbus_chat_hostnamed(cloud_init_t)
+systemd_exec_systemctl(cloud_init_t)
+systemd_start_all_services(cloud_init_t)
+
+usermanage_domtrans_passwd(cloud_init_t)
+
+optional_policy(`
+ dbus_system_bus_client(cloud_init_t)
+')
+
+optional_policy(`
+ dmidecode_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+ fstools_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+ hostname_exec(cloud_init_t)
+')
+
+optional_policy(`
+ mount_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+ # it check file context and run restorecon
+ seutil_read_file_contexts(cloud_init_t)
+ seutil_domtrans_setfiles(cloud_init_t)
+')
+
+optional_policy(`
+ ssh_exec_keygen(cloud_init_t)
+ ssh_read_user_home_files(cloud_init_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(cloud_init_t)
+ sysnet_read_dhcpc_state(cloud_init_t)
+ sysnet_dns_name_resolve(cloud_init_t)
+')
+
+optional_policy(`
+ rpm_domtrans(cloud_init_t)
+ rpm_transition_script(cloud_init_t)
+ unconfined_domain(cloud_init_t)
+')
+
+########################################
+#
+# deltacloudd local policy
+#
+
+allow deltacloudd_t self:capability { dac_override setuid setgid };
+
+allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
+allow deltacloudd_t self:udp_socket create_socket_perms;
+
+allow deltacloudd_t self:process signal;
+
+allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
+allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
+allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
+manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
+files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
+
+manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
+
+manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
+
+kernel_read_kernel_sysctls(deltacloudd_t)
+kernel_read_system_state(deltacloudd_t)
+
+corecmd_exec_bin(deltacloudd_t)
+
+corenet_tcp_bind_generic_node(deltacloudd_t)
+corenet_tcp_bind_generic_port(deltacloudd_t)
+corenet_tcp_connect_http_port(deltacloudd_t)
+corenet_tcp_connect_keystone_port(deltacloudd_t)
+
+auth_use_nsswitch(deltacloudd_t)
+
+logging_send_syslog_msg(deltacloudd_t)
+
+optional_policy(`
+ sysnet_read_config(deltacloudd_t)
+')
+
+########################################
+#
+# iwhd local policy
+#
+
+allow iwhd_t self:capability { chown kill };
+allow iwhd_t self:process { fork };
+
+allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
+manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
+
+manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
+logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
+
+manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
+manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
+files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
+
+kernel_read_system_state(iwhd_t)
+
+corenet_tcp_bind_generic_node(iwhd_t)
+corenet_tcp_bind_websm_port(iwhd_t)
+corenet_tcp_connect_all_ports(iwhd_t)
+
+dev_read_rand(iwhd_t)
+dev_read_urand(iwhd_t)
+
+userdom_home_manager(iwhd_t)
+
+########################################
+#
+# mongod local policy
+#
+
+allow mongod_t self:process { execmem setsched signal };
+
+allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
+allow mongod_t self:unix_stream_socket create_stream_socket_perms;
+allow mongod_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")
+logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log")
+
+manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
+manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
+
+manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+#needed by dbomatic
+files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
+
+corecmd_exec_bin(mongod_t)
+corecmd_exec_shell(mongod_t)
+
+corenet_tcp_bind_generic_node(mongod_t)
+corenet_tcp_bind_mongod_port(mongod_t)
+corenet_tcp_connect_mongod_port(mongod_t)
+corenet_tcp_connect_postgresql_port(mongod_t)
+
+kernel_read_vm_sysctls(mongod_t)
+kernel_read_system_state(mongod_t)
+
+fs_getattr_all_fs(mongod_t)
+
+optional_policy(`
+ mysql_stream_connect(mongod_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(mongod_t)
+')
+
+optional_policy(`
+ sysnet_dns_name_resolve(mongod_t)
+')
diff --git a/cmirrord.if b/cmirrord.if
index cc4e7cb..f348d27 100644
--- a/cmirrord.if
+++ b/cmirrord.if
@@ -73,10 +73,11 @@ interface(`cmirrord_rw_shm',`
type cmirrord_t, cmirrord_tmpfs_t;
')
- allow $1 cmirrord_t:shm rw_shm_perms;
+ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
fs_search_tmpfs($1)
')
@@ -103,9 +104,13 @@ interface(`cmirrord_admin',`
type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
')
- allow $1 cmirrord_t:process { ptrace signal_perms };
+ allow $1 cmirrord_t:process signal_perms;
ps_process_pattern($1, cmirrord_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cmirrord_t:process ptrace;
+ ')
+
cmirrord_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/cmirrord.te b/cmirrord.te
index bbdd396..fddf8f4 100644
--- a/cmirrord.te
+++ b/cmirrord.te
@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
# Local policy
#
-allow cmirrord_t self:capability { net_admin kill };
+allow cmirrord_t self:capability { sys_admin net_admin kill };
dontaudit cmirrord_t self:capability sys_tty_config;
allow cmirrord_t self:process { setfscreate signal };
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
@@ -42,16 +42,17 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
domain_use_interactive_fds(cmirrord_t)
domain_obj_id_change_exemption(cmirrord_t)
-files_read_etc_files(cmirrord_t)
-
storage_create_fixed_disk_dev(cmirrord_t)
+storage_rw_inherited_fixed_disk_dev(cmirrord_t)
seutil_read_file_contexts(cmirrord_t)
logging_send_syslog_msg(cmirrord_t)
-miscfiles_read_localization(cmirrord_t)
-
optional_policy(`
corosync_stream_connect(cmirrord_t)
')
+
+optional_policy(`
+ rhcs_rw_cluster_tmpfs(cmirrord_t)
+')
diff --git a/cobbler.fc b/cobbler.fc
index 973d208..2b650a7 100644
--- a/cobbler.fc
+++ b/cobbler.fc
@@ -4,6 +4,7 @@
/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
+/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/cobbler.if b/cobbler.if
index c223f81..8b567c1 100644
--- a/cobbler.if
+++ b/cobbler.if
@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
')
+
+
+########################################
+##
+## Read cobbler configuration dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_list_config',`
+ gen_require(`
+ type cobbler_etc_t;
+ ')
+
+ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ files_search_etc($1)
+')
+
+
########################################
##
## Read cobbler configuration files.
@@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',`
files_search_var_lib($1)
read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
########################################
@@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',`
files_search_var_lib($1)
manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
########################################
@@ -176,8 +201,8 @@ interface(`cobblerd_admin',`
interface(`cobbler_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
- type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
- type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t;
+ type cobbler_tmp_t;
')
allow $1 cobblerd_t:process { ptrace signal_perms };
@@ -199,7 +224,4 @@ interface(`cobbler_admin',`
logging_search_logs($1)
admin_pattern($1, cobbler_var_log_t)
-
- apache_search_sys_content($1)
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
')
diff --git a/cobbler.te b/cobbler.te
index 5f306dd..9a5087b 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir)
+files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler")
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
@@ -89,7 +90,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
kernel_read_system_state(cobblerd_t)
-kernel_dontaudit_search_network_state(cobblerd_t)
+kernel_read_network_state(cobblerd_t)
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t)
corenet_tcp_connect_http_port(cobblerd_t)
corenet_sendrecv_http_client_packets(cobblerd_t)
+dev_read_sysfs(cobblerd_t)
dev_read_urand(cobblerd_t)
files_list_boot(cobblerd_t)
files_list_tmp(cobblerd_t)
files_read_boot_files(cobblerd_t)
-files_read_etc_files(cobblerd_t)
files_read_etc_runtime_files(cobblerd_t)
-files_read_usr_files(cobblerd_t)
fs_getattr_all_fs(cobblerd_t)
fs_read_iso9660_files(cobblerd_t)
@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t)
term_use_console(cobblerd_t)
+auth_use_nsswitch(cobblerd_t)
+
logging_send_syslog_msg(cobblerd_t)
miscfiles_read_localization(cobblerd_t)
@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',`
')
optional_policy(`
+ apache_domtrans(cobblerd_t)
apache_search_sys_content(cobblerd_t)
')
@@ -188,17 +191,25 @@ optional_policy(`
')
optional_policy(`
+ libs_exec_ldconfig(cobblerd_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(cobblerd_t)
+')
+
+optional_policy(`
rpm_exec(cobblerd_t)
')
optional_policy(`
+ rsync_exec(cobblerd_t)
rsync_read_config(cobblerd_t)
- rsync_manage_config_files(cobblerd_t)
+ rsync_manage_config(cobblerd_t)
rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")
')
optional_policy(`
- tftp_manage_config_files(cobblerd_t)
- tftp_etc_filetrans_config(cobblerd_t, file, "tftp")
+ tftp_manage_config(cobblerd_t)
tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
')
diff --git a/collectd.fc b/collectd.fc
index 79a3abe..2e7d7ed 100644
--- a/collectd.fc
+++ b/collectd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
+
/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
diff --git a/collectd.if b/collectd.if
index 954309e..f4db2ca 100644
--- a/collectd.if
+++ b/collectd.if
@@ -2,8 +2,144 @@
########################################
##
-## All of the rules required to
-## administrate an collectd environment.
+## Transition to collectd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`collectd_domtrans',`
+ gen_require(`
+ type collectd_t, collectd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, collectd_exec_t, collectd_t)
+')
+
+########################################
+##
+## Execute collectd server in the collectd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`collectd_initrc_domtrans',`
+ gen_require(`
+ type collectd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+')
+
+########################################
+##
+## Search collectd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`collectd_search_lib',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ allow $1 collectd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read collectd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`collectd_read_lib_files',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+##
+## Manage collectd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`collectd_manage_lib_files',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+##
+## Manage collectd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`collectd_manage_lib_dirs',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+##
+## Execute collectd server in the collectd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`collectd_systemctl',`
+ gen_require(`
+ type collectd_t;
+ type collectd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 collectd_unit_file_t:file read_file_perms;
+ allow $1 collectd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, collectd_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an collectd environment
##
##
##
@@ -20,13 +156,17 @@
interface(`collectd_admin',`
gen_require(`
type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
- type collectd_var_lib_t;
+ type collectd_var_lib_t, collectd_unit_file_t;
')
- allow $1 collectd_t:process { ptrace signal_perms };
+ allow $1 collectd_t:process signal_perms;
ps_process_pattern($1, collectd_t)
- init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 collectd_t:process ptrace;
+ ')
+
+ collectd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 collectd_initrc_exec_t system_r;
allow $2 system_r;
@@ -36,4 +176,9 @@ interface(`collectd_admin',`
files_search_var_lib($1)
admin_pattern($1, collectd_var_lib_t)
+
+ collectd_systemctl($1)
+ admin_pattern($1, collectd_unit_file_t)
+ allow $1 collectd_unit_file_t:service all_service_perms;
')
+
diff --git a/collectd.te b/collectd.te
index 6471fa8..dc0423c 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t)
type collectd_var_run_t;
files_pid_file(collectd_var_run_t)
+type collectd_unit_file_t;
+systemd_unit_file(collectd_unit_file_t)
+
apache_content_template(collectd)
+type httpd_collectd_script_tmp_t;
+files_tmp_file(httpd_collectd_script_tmp_t)
+
########################################
#
# Local policy
@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
allow collectd_t self:unix_stream_socket { accept listen };
+allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow collectd_t self:udp_socket create_socket_perms;
+allow collectd_t self:rawip_socket create_socket_perms;
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
@@ -46,23 +55,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
files_pid_filetrans(collectd_t, collectd_var_run_t, file)
-domain_use_interactive_fds(collectd_t)
+kernel_read_all_sysctls(collectd_t)
+kernel_read_all_proc(collectd_t)
+kernel_list_all_proc(collectd_t)
+
+auth_getattr_passwd(collectd_t)
+auth_read_passwd(collectd_t)
-kernel_read_network_state(collectd_t)
-kernel_read_net_sysctls(collectd_t)
-kernel_read_system_state(collectd_t)
+corenet_udp_bind_generic_node(collectd_t)
+corenet_udp_bind_collectd_port(collectd_t)
dev_read_rand(collectd_t)
dev_read_sysfs(collectd_t)
dev_read_urand(collectd_t)
+domain_use_interactive_fds(collectd_t)
+domain_read_all_domains_state(collectd_t)
+
files_getattr_all_dirs(collectd_t)
-files_read_etc_files(collectd_t)
-files_read_usr_files(collectd_t)
fs_getattr_all_fs(collectd_t)
-miscfiles_read_localization(collectd_t)
+init_read_utmp(collectd_t)
logging_send_syslog_msg(collectd_t)
@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',`
')
optional_policy(`
+ netutils_domtrans_ping(collectd_t)
+')
+
+optional_policy(`
virt_read_config(collectd_t)
')
########################################
#
-# Web local policy
+# Web collectd local policy
#
-optional_policy(`
- read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
- list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
- miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
-')
+
+files_search_var_lib(httpd_collectd_script_t)
+read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
+
+manage_dirs_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
+manage_files_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
+files_tmp_filetrans(httpd_collectd_script_t, httpd_collectd_script_tmp_t, { file dir })
+
+auth_read_passwd(httpd_collectd_script_t)
diff --git a/colord.fc b/colord.fc
index 71639eb..08ab891 100644
--- a/colord.fc
+++ b/colord.fc
@@ -7,5 +7,7 @@
/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
+/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0)
+
/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/colord.if b/colord.if
index 8e27a37..825f537 100644
--- a/colord.if
+++ b/colord.if
@@ -1,4 +1,4 @@
-## GNOME color manager.
+## GNOME color manager
########################################
##
@@ -15,7 +15,6 @@ interface(`colord_domtrans',`
type colord_t, colord_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, colord_exec_t, colord_t)
')
@@ -38,6 +37,7 @@ interface(`colord_dbus_chat',`
allow $1 colord_t:dbus send_msg;
allow colord_t $1:dbus send_msg;
+ ps_process_pattern(colord_t, $1)
')
######################################
@@ -58,3 +58,26 @@ interface(`colord_read_lib_files',`
files_search_var_lib($1)
read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
')
+
+########################################
+##
+## Execute colord server in the colord domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`colord_systemctl',`
+ gen_require(`
+ type colord_t;
+ type colord_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 colord_unit_file_t:file read_file_perms;
+ allow $1 colord_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
index 9f2dfb2..5425ddf 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
type colord_t;
type colord_exec_t;
dbus_system_domain(colord_t, colord_exec_t)
+init_daemon_domain(colord_t, colord_exec_t)
type colord_tmp_t;
files_tmp_file(colord_tmp_t)
@@ -18,6 +19,9 @@ files_tmpfs_file(colord_tmpfs_t)
type colord_var_lib_t;
files_type(colord_var_lib_t)
+type colord_unit_file_t;
+systemd_unit_file(colord_unit_file_t)
+
########################################
#
# Local policy
@@ -26,10 +30,13 @@ files_type(colord_var_lib_t)
allow colord_t self:capability { dac_read_search dac_override };
dontaudit colord_t self:capability sys_admin;
allow colord_t self:process signal;
+
allow colord_t self:fifo_file rw_fifo_file_perms;
allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow colord_t self:tcp_socket { accept listen };
+allow colord_t self:tcp_socket create_stream_socket_perms;
allow colord_t self:shm create_shm_perms;
+allow colord_t self:udp_socket create_socket_perms;
+allow colord_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
@@ -74,22 +81,21 @@ dev_read_video_dev(colord_t)
dev_write_video_dev(colord_t)
dev_rw_printer(colord_t)
dev_read_rand(colord_t)
-dev_read_sysfs(colord_t)
dev_read_urand(colord_t)
-dev_list_sysfs(colord_t)
+dev_read_sysfs(colord_t)
dev_rw_generic_usb_dev(colord_t)
domain_use_interactive_fds(colord_t)
files_list_mnt(colord_t)
-files_read_usr_files(colord_t)
-fs_getattr_noxattr_fs(colord_t)
-fs_getattr_tmpfs(colord_t)
+fs_getattr_all_fs(colord_t)
fs_list_noxattr_fs(colord_t)
fs_read_noxattr_fs_files(colord_t)
fs_search_all(colord_t)
fs_dontaudit_getattr_all_fs(colord_t)
+fs_getattr_tmpfs(colord_t)
+fs_read_cgroup_files(colord_t)
storage_getattr_fixed_disk_dev(colord_t)
storage_getattr_removable_dev(colord_t)
@@ -100,19 +106,16 @@ init_read_state(colord_t)
auth_use_nsswitch(colord_t)
+init_read_state(colord_t)
+
logging_send_syslog_msg(colord_t)
-miscfiles_read_localization(colord_t)
+systemd_read_logind_sessions_files(colord_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_getattr_nfs(colord_t)
- fs_read_nfs_files(colord_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_getattr_cifs(colord_t)
- fs_read_cifs_files(colord_t)
-')
+userdom_rw_user_tmpfs_files(colord_t)
+userdom_home_reader(colord_t)
+userdom_list_user_home_content(colord_t)
+userdom_read_inherited_user_home_content_files(colord_t)
optional_policy(`
cups_read_config(colord_t)
@@ -120,6 +123,13 @@ optional_policy(`
cups_read_state(colord_t)
cups_stream_connect(colord_t)
cups_dbus_chat(colord_t)
+ cups_read_state(colord_t)
+')
+
+optional_policy(`
+ gnome_read_home_icc_data_content(colord_t)
+ # Fixes lots of breakage in F16 on upgrade
+ gnome_read_generic_data_home_files(colord_t)
')
optional_policy(`
@@ -137,3 +147,16 @@ optional_policy(`
udev_read_db(colord_t)
udev_read_pid_files(colord_t)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(colord_t)
+ xserver_read_xdm_state(colord_t)
+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+ xserver_read_inherited_xdm_lib_files(colord_t)
+ # allow to read /run/initial-setup-$username
+ xserver_read_xdm_pid(colord_t)
+')
+
+optional_policy(`
+ zoneminder_rw_tmpfs_files(colord_t)
+')
diff --git a/comsat.te b/comsat.te
index c63cf85..dc6998b 100644
--- a/comsat.te
+++ b/comsat.te
@@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t)
kernel_read_network_state(comsat_t)
kernel_read_system_state(comsat_t)
+corenet_all_recvfrom_netlabel(comsat_t)
+corenet_tcp_sendrecv_generic_if(comsat_t)
+corenet_udp_sendrecv_generic_if(comsat_t)
+corenet_tcp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_all_ports(comsat_t)
+
dev_read_urand(comsat_t)
fs_getattr_xattr_fs(comsat_t)
@@ -52,8 +59,6 @@ init_dontaudit_write_utmp(comsat_t)
logging_send_syslog_msg(comsat_t)
-miscfiles_read_localization(comsat_t)
-
userdom_dontaudit_getattr_user_ttys(comsat_t)
mta_getattr_spool(comsat_t)
diff --git a/condor.fc b/condor.fc
index ad2b696..28d1af0 100644
--- a/condor.fc
+++ b/condor.fc
@@ -1,6 +1,7 @@
/etc/condor(/.*)? gen_context(system_u:object_r:condor_conf_t,s0)
/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
+/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0)
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
diff --git a/condor.if b/condor.if
index 881d92f..eb35613 100644
--- a/condor.if
+++ b/condor.if
@@ -1,75 +1,390 @@
-## High-Throughput Computing System.
+
+## policy for condor
+
+#####################################
+##
+## Creates types and rules for a basic
+## condor init daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`condor_domain_template',`
+ gen_require(`
+ type condor_master_t;
+ attribute condor_domain;
+ ')
+
+ #############################
+ #
+ # Declarations
+ #
+
+ type condor_$1_t, condor_domain;
+ type condor_$1_exec_t;
+ init_daemon_domain(condor_$1_t, condor_$1_exec_t)
+ role system_r types condor_$1_t;
+
+ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
+ allow condor_master_t condor_$1_exec_t:file ioctl;
+
+ kernel_read_system_state(condor_$1_t)
+
+ corenet_all_recvfrom_netlabel(condor_$1_t)
+ corenet_all_recvfrom_unlabeled(condor_$1_t)
+
+ auth_use_nsswitch(condor_$1_t)
+
+ logging_send_syslog_msg(condor_$1_t)
+')
+
+########################################
+##
+## Transition to condor.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`condor_domtrans',`
+ gen_require(`
+ type condor_t, condor_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, condor_exec_t, condor_t)
+')
+
+#######################################
+##
+## Allows to start userland processes
+## by transitioning to the specified domain,
+## with a range transition.
+##
+##
+##
+## The process type entered by condor_startd.
+##
+##
+##
+##
+## The executable type for the entrypoint.
+##
+##
+##
+##
+## Range for the domain.
+##
+##
+#
+interface(`condor_startd_ranged_domtrans_to',`
+ gen_require(`
+ type sshd_t;
+ ')
+ condor_startd_domtrans_to($1, $2)
+
+
+ ifdef(`enable_mcs',`
+ range_transition condor_startd_t $2:process $3;
+ ')
+
+')
#######################################
##
-## The template to define a condor domain.
+## Allows to start userlandprocesses
+## by transitioning to the specified domain.
##
-##
+##
+##
+## The process type entered by condor_startd.
+##
+##
+##
+##
+## The executable type for the entrypoint.
+##
+##
+#
+interface(`condor_startd_domtrans_to',`
+ gen_require(`
+ type condor_startd_t;
+ ')
+
+ domtrans_pattern(condor_startd_t, $2, $1)
+')
+
+########################################
+##
+## Read condor's log files.
+##
+##
##
-## Domain prefix to be used.
+## Domain allowed access.
##
##
+##
#
-template(`condor_domain_template',`
+interface(`condor_read_log',`
gen_require(`
- attribute condor_domain;
- type condor_master_t;
+ type condor_log_t;
')
- #############################
- #
- # Declarations
- #
+ logging_search_logs($1)
+ read_files_pattern($1, condor_log_t, condor_log_t)
+')
- type condor_$1_t, condor_domain;
- type condor_$1_exec_t;
- domain_type(condor_$1_t)
- domain_entry_file(condor_$1_t, condor_$1_exec_t)
- role system_r types condor_$1_t;
+########################################
+##
+## Append to condor log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_append_log',`
+ gen_require(`
+ type condor_log_t;
+ ')
- #############################
- #
- # Policy
- #
+ logging_search_logs($1)
+ append_files_pattern($1, condor_log_t, condor_log_t)
+')
- domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
- allow condor_master_t condor_$1_exec_t:file ioctl;
+########################################
+##
+## Manage condor log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_manage_log',`
+ gen_require(`
+ type condor_log_t;
+ ')
- auth_use_nsswitch(condor_$1_t)
+ logging_search_logs($1)
+ manage_dirs_pattern($1, condor_log_t, condor_log_t)
+ manage_files_pattern($1, condor_log_t, condor_log_t)
+ manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
')
########################################
##
-## All of the rules required to
-## administrate an condor environment.
+## Search condor lib directories.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`condor_search_lib',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ allow $1 condor_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read condor lib files.
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
-interface(`condor_admin',`
+interface(`condor_read_lib_files',`
gen_require(`
- attribute condor_domain;
- type condor_initrc_exec_config_t, condor_log_t;
- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
- type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
+ type condor_var_lib_t;
')
- allow $1 condor_domain:process { ptrace signal_perms };
+ files_search_var_lib($1)
+ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+######################################
+##
+## Read and write condor lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_rw_lib_files',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+##
+## Manage condor lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_manage_lib_files',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+##
+## Manage condor lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_manage_lib_dirs',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+##
+## Read condor PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_read_pid_files',`
+ gen_require(`
+ type condor_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 condor_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Execute condor server in the condor domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`condor_systemctl',`
+ gen_require(`
+ type condor_t;
+ type condor_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 condor_unit_file_t:file read_file_perms;
+ allow $1 condor_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, condor_t)
+')
+
+#######################################
+##
+## Read and write condor_startd server TCP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_rw_tcp_sockets_startd',`
+ gen_require(`
+ type condor_startd_t;
+ ')
+
+ allow $1 condor_startd_t:tcp_socket rw_socket_perms;
+')
+
+######################################
+##
+## Read and write condor_schedd server TCP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_rw_tcp_sockets_schedd',`
+ gen_require(`
+ type condor_schedd_t;
+ ')
+
+ allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an condor environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_admin',`
+ gen_require(`
+ attribute condor_domain;
+ type condor_initrc_exec_t, condor_log_t, condor_conf_t;
+ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+ type condor_var_run_t, condor_startd_tmp_t;
+ type condor_unit_file_t;
+ ')
+
+ allow $1 condor_domain:process { signal_perms };
ps_process_pattern($1, condor_domain)
- init_labeled_script_domtrans($1, condor_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 condor_initrc_exec_t system_r;
- allow $2 system_r;
+ init_labeled_script_domtrans($1, condor_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 condor_initrc_exec_t system_r;
+ allow $2 system_r;
files_search_etc($1)
admin_pattern($1, condor_conf_t)
@@ -77,8 +392,8 @@ interface(`condor_admin',`
logging_search_logs($1)
admin_pattern($1, condor_log_t)
- files_search_locks($1)
- admin_pattern($1, condor_var_lock_t)
+ files_search_locks($1)
+ admin_pattern($1, condor_var_lock_t)
files_search_var_lib($1)
admin_pattern($1, condor_var_lib_t)
@@ -88,4 +403,13 @@ interface(`condor_admin',`
files_search_tmp($1)
admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
+
+ condor_systemctl($1)
+ admin_pattern($1, condor_unit_file_t)
+ allow $1 condor_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/condor.te b/condor.te
index ce9f040..32ebb0c 100644
--- a/condor.te
+++ b/condor.te
@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
type condor_startd_tmpfs_t;
files_tmpfs_file(condor_startd_tmpfs_t)
-type condor_conf_t;
+type condor_conf_t alias condor_etc_rw_t;
files_config_file(condor_conf_t)
type condor_log_t;
@@ -49,6 +49,9 @@ files_lock_file(condor_var_lock_t)
type condor_var_run_t;
files_pid_file(condor_var_run_t)
+type condor_unit_file_t;
+systemd_unit_file(condor_unit_file_t)
+
condor_domain_template(collector)
condor_domain_template(negotiator)
condor_domain_template(procd)
@@ -60,10 +63,18 @@ condor_domain_template(startd)
# Global local policy
#
+allow condor_domain self:capability dac_override;
+allow condor_domain self:capability2 block_suspend;
+
allow condor_domain self:process signal_perms;
allow condor_domain self:fifo_file rw_fifo_file_perms;
-allow condor_domain self:tcp_socket { accept listen };
-allow condor_domain self:unix_stream_socket { accept listen };
+allow condor_domain self:tcp_socket create_stream_socket_perms;
+allow condor_domain self:udp_socket create_socket_perms;
+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
+allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
+
+allow condor_domain condor_etc_rw_t:dir list_dir_perms;
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
@@ -86,16 +97,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
allow condor_domain condor_master_t:process signull;
allow condor_domain condor_master_t:tcp_socket getattr;
+allow condor_domain condor_master_t:udp_socket { read write };
kernel_read_kernel_sysctls(condor_domain)
kernel_read_network_state(condor_domain)
-kernel_read_system_state(condor_domain)
corecmd_exec_bin(condor_domain)
corecmd_exec_shell(condor_domain)
-corenet_all_recvfrom_netlabel(condor_domain)
-corenet_all_recvfrom_unlabeled(condor_domain)
corenet_tcp_sendrecv_generic_if(condor_domain)
corenet_tcp_sendrecv_generic_node(condor_domain)
@@ -109,9 +118,9 @@ dev_read_rand(condor_domain)
dev_read_sysfs(condor_domain)
dev_read_urand(condor_domain)
-logging_send_syslog_msg(condor_domain)
+auth_read_passwd(condor_domain)
-miscfiles_read_localization(condor_domain)
+sysnet_dns_name_resolve(condor_domain)
sysnet_dns_name_resolve(condor_domain)
@@ -130,7 +139,7 @@ optional_policy(`
# Master local policy
#
-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
+allow condor_master_t self:capability { setuid setgid sys_ptrace };
allow condor_master_t condor_domain:process { sigkill signal };
@@ -138,6 +147,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
+can_exec(condor_master_t, condor_master_exec_t)
+
+kernel_read_system_state(condor_master_t)
+
corenet_udp_sendrecv_generic_if(condor_master_t)
corenet_udp_sendrecv_generic_node(condor_master_t)
corenet_tcp_bind_generic_node(condor_master_t)
@@ -157,6 +170,8 @@ domain_read_all_domains_state(condor_master_t)
auth_use_nsswitch(condor_master_t)
+logging_send_syslog_msg(condor_master_t)
+
optional_policy(`
mta_send_mail(condor_master_t)
mta_read_config(condor_master_t)
@@ -174,6 +189,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
kernel_read_network_state(condor_collector_t)
+corenet_tcp_bind_http_port(condor_collector_t)
+
#####################################
#
# Negotiator local policy
@@ -183,6 +200,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
+corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
+
######################################
#
# Procd local policy
@@ -206,6 +225,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
+allow condor_schedd_t condor_master_tmp_t:dir getattr;
+
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
@@ -214,6 +235,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
+corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
+
#####################################
#
# Startd local policy
@@ -238,11 +261,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t)
+init_initrc_domain(condor_startd_t)
libs_exec_lib_files(condor_startd_t)
-files_read_usr_files(condor_startd_t)
-
optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t)
@@ -254,3 +276,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t)
')
')
+
+optional_policy(`
+ unconfined_domain(condor_startd_t)
+')
diff --git a/conman.fc b/conman.fc
new file mode 100644
index 0000000..5f97ba9
--- /dev/null
+++ b/conman.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/conman.* -- gen_context(system_u:object_r:conman_unit_file_t,s0)
+
+/usr/sbin/conmand -- gen_context(system_u:object_r:conman_exec_t,s0)
+
+/var/log/conman(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
+/var/log/conman\.old(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
+
diff --git a/conman.if b/conman.if
new file mode 100644
index 0000000..54b4b04
--- /dev/null
+++ b/conman.if
@@ -0,0 +1,142 @@
+## Conman is a program for connecting to remote consoles being managed by conmand
+
+########################################
+##
+## Execute conman in the conman domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`conman_domtrans',`
+ gen_require(`
+ type conman_t, conman_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, conman_exec_t, conman_t)
+')
+
+########################################
+##
+## Read conman's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`conman_read_log',`
+ gen_require(`
+ type conman_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+##
+## Append to conman log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`conman_append_log',`
+ gen_require(`
+ type conman_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+##
+## Manage conman log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`conman_manage_log',`
+ gen_require(`
+ type conman_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, conman_log_t, conman_log_t)
+ manage_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+##
+## Execute conman server in the conman domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`conman_systemctl',`
+ gen_require(`
+ type conman_t;
+ type conman_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 conman_unit_file_t:file read_file_perms;
+ allow $1 conman_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, conman_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an conman environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`conman_admin',`
+ gen_require(`
+ type conman_t;
+ type conman_log_t;
+ type conman_unit_file_t;
+ ')
+
+ allow $1 conman_t:process { signal_perms };
+ ps_process_pattern($1, conman_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 conman_t:process ptrace;
+ ')
+
+ logging_search_logs($1)
+ admin_pattern($1, conman_log_t)
+
+ conman_systemctl($1)
+ admin_pattern($1, conman_unit_file_t)
+ allow $1 conman_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/conman.te b/conman.te
new file mode 100644
index 0000000..0de2d4d
--- /dev/null
+++ b/conman.te
@@ -0,0 +1,45 @@
+policy_module(conman, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type conman_t;
+type conman_exec_t;
+init_daemon_domain(conman_t, conman_exec_t)
+
+type conman_log_t;
+logging_log_file(conman_log_t)
+
+type conman_unit_file_t;
+systemd_unit_file(conman_unit_file_t)
+
+########################################
+#
+# conman local policy
+#
+
+allow conman_t self:capability { sys_tty_config };
+allow conman_t self:process { setrlimit signal_perms };
+
+allow conman_t self:fifo_file rw_fifo_file_perms;
+allow conman_t self:unix_stream_socket create_stream_socket_perms;
+allow conman_t self:tcp_socket { listen create_socket_perms };
+
+manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
+manage_files_pattern(conman_t, conman_log_t, conman_log_t)
+logging_log_filetrans(conman_t, conman_log_t, { dir })
+
+corenet_tcp_bind_generic_node(conman_t)
+corenet_tcp_bind_conman_port(conman_t)
+
+corecmd_exec_bin(conman_t)
+
+auth_read_passwd(conman_t)
+
+logging_send_syslog_msg(conman_t)
+
+optional_policy(`
+ freeipmi_stream_connect(conman_t)
+')
diff --git a/consolekit.fc b/consolekit.fc
index 23c9558..29e5fd3 100644
--- a/consolekit.fc
+++ b/consolekit.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
+
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
diff --git a/consolekit.if b/consolekit.if
index 5b830ec..0647a3b 100644
--- a/consolekit.if
+++ b/consolekit.if
@@ -21,6 +21,27 @@ interface(`consolekit_domtrans',`
########################################
##
+## dontaudit Send and receive messages from
+## consolekit over dbus.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`consolekit_dontaudit_dbus_chat',`
+ gen_require(`
+ type consolekit_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 consolekit_t:dbus send_msg;
+ dontaudit consolekit_t $1:dbus send_msg;
+')
+
+########################################
+##
## Send and receive messages from
## consolekit over dbus.
##
@@ -42,6 +63,24 @@ interface(`consolekit_dbus_chat',`
########################################
##
+## Dontaudit attempts to read consolekit log files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`consolekit_dontaudit_read_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ dontaudit $1 consolekit_log_t:file read_file_perms;
+')
+
+########################################
+##
## Read consolekit log files.
##
##
@@ -98,3 +137,64 @@ interface(`consolekit_read_pid_files',`
allow $1 consolekit_var_run_t:dir list_dir_perms;
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
')
+
+########################################
+##
+## List consolekit PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_list_pid_files',`
+ gen_require(`
+ type consolekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
+########################################
+##
+## Allow the domain to read consolekit state files in /proc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_read_state',`
+ gen_require(`
+ type consolekit_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, consolekit_t)
+')
+
+########################################
+##
+## Execute consolekit server in the consolekit domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`consolekit_systemctl',`
+ gen_require(`
+ type consolekit_t;
+ type consolekit_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 consolekit_unit_file_t:file read_file_perms;
+ allow $1 consolekit_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, consolekit_t)
+')
diff --git a/consolekit.te b/consolekit.te
index bd18063..926e314 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -19,12 +19,16 @@ type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
+type consolekit_unit_file_t;
+systemd_unit_file(consolekit_unit_file_t)
+
########################################
#
# Local policy
#
allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
+
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };
@@ -54,38 +58,37 @@ dev_read_sysfs(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
-domain_dontaudit_ptrace_all_domains(consolekit_t)
-files_read_usr_files(consolekit_t)
+# needs to read /var/lib/dbus/machine-id
files_read_var_lib_files(consolekit_t)
files_search_all_mountpoints(consolekit_t)
fs_list_inotifyfs(consolekit_t)
-mcs_ptrace_all(consolekit_t)
-
term_use_all_terms(consolekit_t)
auth_use_nsswitch(consolekit_t)
auth_manage_pam_console_data(consolekit_t)
auth_write_login_records(consolekit_t)
auth_create_pam_console_data_dirs(consolekit_t)
-auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
+
+init_read_utmp(consolekit_t)
logging_send_syslog_msg(consolekit_t)
logging_send_audit_msgs(consolekit_t)
-miscfiles_read_localization(consolekit_t)
+systemd_exec_systemctl(consolekit_t)
+systemd_start_power_services(consolekit_t)
+userdom_read_all_users_state(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(consolekit_t)
-')
+userdom_home_reader(consolekit_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(consolekit_t)
+optional_policy(`
+ cron_read_system_job_lib_files(consolekit_t)
')
optional_policy(`
@@ -109,13 +112,6 @@ optional_policy(`
')
')
-optional_policy(`
- hal_ptrace(consolekit_t)
-')
-
-optional_policy(`
- networkmanager_append_log_files(consolekit_t)
-')
optional_policy(`
policykit_domtrans_auth(consolekit_t)
diff --git a/corosync.fc b/corosync.fc
index da39f0f..6a96733 100644
--- a/corosync.fc
+++ b/corosync.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
+
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
diff --git a/corosync.if b/corosync.if
index 694a037..b836c07 100644
--- a/corosync.if
+++ b/corosync.if
@@ -77,6 +77,25 @@ interface(`corosync_read_log',`
read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
')
+#######################################
+##
+## Setattr corosync log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corosync_setattr_log',`
+ gen_require(`
+ type corosync_var_log_t;
+ ')
+
+ setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+')
+
+
#####################################
##
## Connect to corosync over a unix
@@ -91,29 +110,54 @@ interface(`corosync_read_log',`
interface(`corosync_stream_connect',`
gen_require(`
type corosync_t, corosync_var_run_t;
+ type corosync_var_lib_t;
')
files_search_pids($1)
+ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
')
######################################
##
-## Read and write corosync tmpfs files.
+## Allow the specified domain to read/write corosync's tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corosync_rw_tmpfs',`
+ gen_require(`
+ type corosync_tmpfs_t;
+ ')
+
+ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+
+')
+
+########################################
+##
+## Execute corosync server in the corosync domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
-interface(`corosync_rw_tmpfs',`
+interface(`corosync_systemctl',`
gen_require(`
- type corosync_tmpfs_t;
+ type corosync_t;
+ type corosync_unit_file_t;
')
- fs_search_tmpfs($1)
- rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+ systemd_exec_systemctl($1)
+ allow $1 corosync_unit_file_t:file read_file_perms;
+ allow $1 corosync_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, corosync_t)
')
######################################
@@ -160,12 +204,17 @@ interface(`corosync_admin',`
type corosync_t, corosync_var_lib_t, corosync_var_log_t;
type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
type corosync_initrc_exec_t;
+ type corosync_unit_file_t;
')
- allow $1 corosync_t:process { ptrace signal_perms };
+ allow $1 corosync_t:process signal_perms;
ps_process_pattern($1, corosync_t)
- corosync_initrc_domtrans($1)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 corosync_t:process ptrace;
+ ')
+
+ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 corosync_initrc_exec_t system_r;
allow $2 system_r;
@@ -183,4 +232,8 @@ interface(`corosync_admin',`
files_list_pids($1)
admin_pattern($1, corosync_var_run_t)
+
+ corosync_systemctl($1)
+ admin_pattern($1, corosync_unit_file_t)
+ allow $1 corosync_unit_file_t:service all_service_perms;
')
diff --git a/corosync.te b/corosync.te
index d5aa1e4..e827567 100644
--- a/corosync.te
+++ b/corosync.te
@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t)
type corosync_var_run_t;
files_pid_file(corosync_var_run_t)
+type corosync_unit_file_t;
+systemd_unit_file(corosync_unit_file_t)
+
########################################
#
# Local policy
@@ -93,7 +96,6 @@ dev_read_urand(corosync_t)
domain_read_all_domains_state(corosync_t)
files_manage_mounttab(corosync_t)
-files_read_usr_files(corosync_t)
auth_use_nsswitch(corosync_t)
@@ -106,7 +108,13 @@ logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
userdom_read_user_tmp_files(corosync_t)
-userdom_manage_user_tmpfs_files(corosync_t)
+userdom_delete_user_tmpfs_files(corosync_t)
+userdom_rw_user_tmpfs_files(corosync_t)
+
+optional_policy(`
+ fs_manage_tmpfs_files(corosync_t)
+ init_manage_script_status_files(corosync_t)
+')
optional_policy(`
ccs_read_config(corosync_t)
@@ -129,20 +137,29 @@ optional_policy(`
')
optional_policy(`
+ lvm_rw_clvmd_tmpfs_files(corosync_t)
+ lvm_delete_clvmd_tmpfs_files(corosync_t)
+')
+
+optional_policy(`
qpidd_rw_shm(corosync_t)
')
optional_policy(`
- rhcs_getattr_fenced_exec_files(corosync_t)
+ rhcs_getattr_fenced(corosync_t)
+ # to communication with RHCS
rhcs_rw_cluster_shm(corosync_t)
rhcs_rw_cluster_semaphores(corosync_t)
rhcs_stream_connect_cluster(corosync_t)
+ rhcs_read_cluster_lib_files(corosync_t)
+ rhcs_manage_cluster_lib_files(corosync_t)
+ rhcs_relabel_cluster_lib_files(corosync_t)
')
optional_policy(`
- rgmanager_manage_tmpfs_files(corosync_t)
+ rpc_search_nfs_state_data(corosync_t)
')
optional_policy(`
- rpc_search_nfs_state_data(corosync_t)
-')
\ No newline at end of file
+ wdmd_rw_tmpfs(corosync_t)
+')
diff --git a/couchdb.fc b/couchdb.fc
index c086302..4f33119 100644
--- a/couchdb.fc
+++ b/couchdb.fc
@@ -1,3 +1,6 @@
+
+/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0)
+
/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
diff --git a/couchdb.if b/couchdb.if
index 715a826..afa2f78 100644
--- a/couchdb.if
+++ b/couchdb.if
@@ -2,7 +2,7 @@
########################################
##
-## Read couchdb log files.
+## Allow to read couchdb log files.
##
##
##
@@ -15,13 +15,13 @@ interface(`couchdb_read_log_files',`
type couchdb_log_t;
')
- logging_search_logs($1)
+ files_search_var_lib($1)
read_files_pattern($1, couchdb_log_t, couchdb_log_t)
')
########################################
##
-## Read, write, and create couchdb lib files.
+## Allow to read couchdb lib files.
##
##
##
@@ -29,7 +29,7 @@ interface(`couchdb_read_log_files',`
##
##
#
-interface(`couchdb_manage_lib_files',`
+interface(`couchdb_read_lib_files',`
gen_require(`
type couchdb_var_lib_t;
')
@@ -40,7 +40,46 @@ interface(`couchdb_manage_lib_files',`
########################################
##
-## Read couchdb config files.
+## All of the rules required to
+## administrate an couchdb environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`couchdb_manage_lib_files',`
+ gen_require(`
+ type couchdb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+##
+## Manage couchdb lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`couchdb_manage_lib_dirs',`
+ gen_require(`
+ type couchdb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+##
+## Allow to read couchdb conf files.
##
##
##
@@ -53,13 +92,13 @@ interface(`couchdb_read_conf_files',`
type couchdb_conf_t;
')
- files_search_etc($1)
+ files_search_var_lib($1)
read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
')
########################################
##
-## Read couchdb pid files.
+## Read couchdb PID files.
##
##
##
@@ -73,19 +112,63 @@ interface(`couchdb_read_pid_files',`
')
files_search_pids($1)
- read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
+ allow $1 couchdb_var_run_t:file read_file_perms;
+')
+
+#######################################
+##
+## Search couchdb PID dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`couchdb_search_pid_dirs',`
+ gen_require(`
+ type couchdb_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 couchdb_var_run_t:dir search_dir_perms;
')
########################################
##
-## All of the rules required to
-## administrate an couchdb environment.
+## Execute couchdb server in the couchdb domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
+#
+interface(`couchdb_systemctl',`
+ gen_require(`
+ type couchdb_t;
+ type couchdb_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 couchdb_unit_file_t:file read_file_perms;
+ allow $1 couchdb_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, couchdb_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an couchdb environment
+##
+##
+##
+## Domain allowed access.
+##
+##
##
##
## Role allowed access.
@@ -95,14 +178,19 @@ interface(`couchdb_read_pid_files',`
#
interface(`couchdb_admin',`
gen_require(`
+ type couchdb_unit_file_t;
type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t;
type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t;
type couchdb_tmp_t;
')
- allow $1 couchdb_t:process { ptrace signal_perms };
+ allow $1 couchdb_t:process { signal_perms };
ps_process_pattern($1, couchdb_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 couchdb_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 couchdb_initrc_exec_t system_r;
@@ -122,4 +210,13 @@ interface(`couchdb_admin',`
files_search_pids($1)
admin_pattern($1, couchdb_var_run_t)
+
+ admin_pattern($1, couchdb_unit_file_t)
+ couchdb_systemctl($1)
+ allow $1 couchdb_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/couchdb.te b/couchdb.te
index ae1c1b1..89e5702 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -27,6 +27,9 @@ files_type(couchdb_var_lib_t)
type couchdb_var_run_t;
files_pid_file(couchdb_var_run_t)
+type couchdb_unit_file_t;
+systemd_unit_file(couchdb_unit_file_t)
+
########################################
#
# Local policy
@@ -79,10 +82,7 @@ dev_list_sysfs(couchdb_t)
dev_read_sysfs(couchdb_t)
dev_read_urand(couchdb_t)
-files_read_usr_files(couchdb_t)
-
fs_getattr_xattr_fs(couchdb_t)
auth_use_nsswitch(couchdb_t)
-miscfiles_read_localization(couchdb_t)
diff --git a/courier.fc b/courier.fc
index 2f017a0..defdc87 100644
--- a/courier.fc
+++ b/courier.fc
@@ -11,17 +11,18 @@
/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
-/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
-/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
-/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
-/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+ifdef(`distro_gentoo',`
+/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+')
/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
/var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
diff --git a/courier.if b/courier.if
index 10f820f..acdb179 100644
--- a/courier.if
+++ b/courier.if
@@ -1,12 +1,12 @@
-## Courier IMAP and POP3 email servers.
+## Courier IMAP and POP3 email servers
-#######################################
+########################################
##
-## The template to define a courier domain.
+## Template for creating courier server processes.
##
-##
+##
##
-## Domain prefix to be used.
+## Prefix name of the server process.
##
##
#
@@ -15,7 +15,7 @@ template(`courier_domain_template',`
attribute courier_domain;
')
- ########################################
+ ##############################
#
# Declarations
#
@@ -24,18 +24,30 @@ template(`courier_domain_template',`
type courier_$1_exec_t;
init_daemon_domain(courier_$1_t, courier_$1_exec_t)
- ########################################
+ ##############################
#
- # Policy
+ # Declarations
#
can_exec(courier_$1_t, courier_$1_exec_t)
+
+ kernel_read_system_state(courier_$1_t)
+
+ corenet_all_recvfrom_netlabel(courier_$1_t)
+ corenet_tcp_sendrecv_generic_if(courier_$1_t)
+ corenet_udp_sendrecv_generic_if(courier_$1_t)
+ corenet_tcp_sendrecv_generic_node(courier_$1_t)
+ corenet_udp_sendrecv_generic_node(courier_$1_t)
+ corenet_tcp_sendrecv_all_ports(courier_$1_t)
+ corenet_udp_sendrecv_all_ports(courier_$1_t)
+
+ logging_send_syslog_msg(courier_$1_t)
')
########################################
##
-## Execute the courier authentication
-## daemon with a domain transition.
+## Execute the courier authentication daemon with
+## a domain transition.
##
##
##
@@ -48,34 +60,32 @@ interface(`courier_domtrans_authdaemon',`
type courier_authdaemon_t, courier_authdaemon_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
')
#######################################
##
-## Connect to courier-authdaemon over
-## a unix stream socket.
+## Connect to courier-authdaemon over a unix stream socket.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`courier_stream_connect_authdaemon',`
- gen_require(`
- type courier_authdaemon_t, courier_spool_t;
- ')
+ gen_require(`
+ type courier_authdaemon_t, courier_spool_t;
+ ')
files_search_spool($1)
- stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
')
########################################
##
-## Execute the courier POP3 and IMAP
-## server with a domain transition.
+## Execute the courier POP3 and IMAP server with
+## a domain transition.
##
##
##
@@ -88,13 +98,12 @@ interface(`courier_domtrans_pop',`
type courier_pop_t, courier_pop_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
')
########################################
##
-## Read courier config files.
+## Read courier config files
##
##
##
@@ -127,7 +136,7 @@ interface(`courier_manage_spool_dirs',`
type courier_spool_t;
')
- files_search_var($1)
+ files_search_spool($1)
manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
')
@@ -136,7 +145,7 @@ interface(`courier_manage_spool_dirs',`
## Create, read, write, and delete courier
## spool files.
##
-##
+##
##
## Domain allowed access.
##
@@ -147,7 +156,7 @@ interface(`courier_manage_spool_files',`
type courier_spool_t;
')
- files_search_var($1)
+ files_search_spool($1)
manage_files_pattern($1, courier_spool_t, courier_spool_t)
')
@@ -166,13 +175,13 @@ interface(`courier_read_spool',`
type courier_spool_t;
')
- files_search_var($1)
+ files_search_spool($1)
read_files_pattern($1, courier_spool_t, courier_spool_t)
')
########################################
##
-## Read and write courier spool pipes.
+## Read and write to courier spool pipes.
##
##
##
@@ -185,6 +194,5 @@ interface(`courier_rw_spool_pipes',`
type courier_spool_t;
')
- files_search_var($1)
allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
')
diff --git a/courier.te b/courier.te
index ae3bc70..9090d75 100644
--- a/courier.te
+++ b/courier.te
@@ -18,7 +18,7 @@ type courier_etc_t;
files_config_file(courier_etc_t)
type courier_spool_t;
-files_type(courier_spool_t)
+files_spool_file(courier_spool_t)
type courier_var_lib_t;
files_type(courier_var_lib_t)
@@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t)
files_pid_filetrans(courier_domain, courier_var_run_t, dir)
kernel_read_kernel_sysctls(courier_domain)
-kernel_read_system_state(courier_domain)
corecmd_exec_bin(courier_domain)
@@ -59,15 +58,11 @@ dev_read_sysfs(courier_domain)
domain_use_interactive_fds(courier_domain)
-files_read_etc_files(courier_domain)
files_read_etc_runtime_files(courier_domain)
-files_read_usr_files(courier_domain)
fs_getattr_xattr_fs(courier_domain)
fs_search_auto_mountpoints(courier_domain)
-logging_send_syslog_msg(courier_domain)
-
sysnet_read_config(courier_domain)
userdom_dontaudit_use_unpriv_user_fds(courier_domain)
@@ -77,6 +72,10 @@ optional_policy(`
')
optional_policy(`
+ mysql_stream_connect(courier_domain)
+')
+
+optional_policy(`
udev_read_db(courier_domain)
')
@@ -91,6 +90,7 @@ allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen };
create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
allow courier_authdaemon_t courier_tcpd_t:process sigchld;
@@ -112,7 +112,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t)
libs_read_lib_files(courier_authdaemon_t)
-miscfiles_read_localization(courier_authdaemon_t)
userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
@@ -135,7 +134,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-allow courier_pop_t courier_var_lib_t:file { read write };
+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
@@ -172,7 +171,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
dev_read_rand(courier_tcpd_t)
dev_read_urand(courier_tcpd_t)
-miscfiles_read_localization(courier_tcpd_t)
########################################
#
diff --git a/cpucontrol.te b/cpucontrol.te
index af72c4e..afab036 100644
--- a/cpucontrol.te
+++ b/cpucontrol.te
@@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain)
init_use_fds(cpucontrol_domain)
init_use_script_ptys(cpucontrol_domain)
-logging_send_syslog_msg(cpucontrol_domain)
-
userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain)
optional_policy(`
@@ -69,12 +67,13 @@ allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
-kernel_list_proc(cpucontrol_t)
kernel_read_proc_symlinks(cpucontrol_t)
dev_read_sysfs(cpucontrol_t)
dev_rw_cpu_microcode(cpucontrol_t)
+logging_send_syslog_msg(cpucontrol_t)
+
optional_policy(`
rhgb_use_ptys(cpucontrol_t)
')
@@ -98,7 +97,6 @@ dev_rw_sysfs(cpuspeed_t)
domain_read_all_domains_state(cpuspeed_t)
-files_read_etc_files(cpuspeed_t)
files_read_etc_runtime_files(cpuspeed_t)
-miscfiles_read_localization(cpuspeed_t)
+logging_send_syslog_msg(cpuspeed_t)
diff --git a/cpufreqselector.te b/cpufreqselector.te
index 6cedb87..530e250 100644
--- a/cpufreqselector.te
+++ b/cpufreqselector.te
@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
# Local policy
#
-allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+allow cpufreqselector_t self:capability sys_nice;
allow cpufreqselector_t self:process getsched;
allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+allow cpufreqselector_t self:process getsched;
kernel_read_system_state(cpufreqselector_t)
-files_read_etc_files(cpufreqselector_t)
-files_read_usr_files(cpufreqselector_t)
-
dev_rw_sysfs(cpufreqselector_t)
-miscfiles_read_localization(cpufreqselector_t)
-
userdom_read_all_users_state(cpufreqselector_t)
-userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
+userdom_dontaudit_search_admin_dir(cpufreqselector_t)
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
@@ -51,3 +47,7 @@ optional_policy(`
policykit_read_lib(cpufreqselector_t)
policykit_read_reload(cpufreqselector_t)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(cpufreqselector_t)
+')
diff --git a/cron.fc b/cron.fc
index ad0bae9..615a947 100644
--- a/cron.fc
+++ b/cron.fc
@@ -1,66 +1,77 @@
-/etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
-/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
-/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
+/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
-/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
-/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
+/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
-/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
-/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/cron(d)?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/cron(d)?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
-/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
-#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-/var/spool/cron/[^/]* -- <>
+/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
+#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+/var/spool/cron/[^/]* -- <>
-/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
/var/spool/cron/crontabs/.* -- <>
#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/fcron/.* <>
+/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/fcron/.* <>
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/systab\.tmp -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/rm\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+ifdef(`distro_gentoo',`
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <>
+')
+
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <>
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+')
ifdef(`distro_debian',`
-/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0)
+
+/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
/var/spool/cron/atjobs/[^/]* -- <>
-/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
')
ifdef(`distro_gentoo',`
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <>
')
-ifdef(`distro_suse',`
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <>
-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
')
diff --git a/cron.if b/cron.if
index 1303b30..72481a7 100644
--- a/cron.if
+++ b/cron.if
@@ -2,11 +2,12 @@
#######################################
##
-## The template to define a crontab domain.
+## The common rules for a crontab domain.
##
-##
+##
##
-## Domain prefix to be used.
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
##
##
#
@@ -36,22 +37,29 @@ template(`cron_common_crontab_template',`
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+ kernel_read_system_state($1_t)
+
auth_domtrans_chk_passwd($1_t)
auth_use_nsswitch($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ userdom_home_reader($1_t)
+
')
########################################
##
-## Role access for cron.
+## Role access for cron
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
##
@@ -60,56 +68,66 @@ interface(`cron_role',`
gen_require(`
type cronjob_t, crontab_t, crontab_exec_t;
type user_cron_spool_t, crond_t;
- bool cron_userdomain_transition;
+ bool cron_userdomain_transition;
')
- ##############################
- #
- # Declarations
- #
+ ##############################
+ #
+ # Declarations
+ #
role $1 types { cronjob_t crontab_t };
- ##############################
- #
- # Local policy
- #
+ ##############################
+ #
+ # Local policy
+ #
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, crontab_t)
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
allow $2 crond_t:process sigchld;
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
- allow $2 crontab_t:process { ptrace signal_perms };
+ # crontab shows up in user ps
+ allow $2 crontab_t:process signal_perms;
ps_process_pattern($2, crontab_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 crontab_t:process ptrace;
+ ')
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(crontab_t, $2)
+ #corecmd_shell_domtrans(crontab_t, $2)
corecmd_exec_bin(crontab_t)
corecmd_exec_shell(crontab_t)
- tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
- allow $2 user_cron_spool_t:file entrypoint;
+ # needs to be authorized SELinux context for cron
+ allow $2 user_cron_spool_t:file entrypoint;
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+ allow $2 cronjob_t:process { signal_perms };
- allow $2 cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
+ ps_process_pattern($2, cronjob_t)
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
- dontaudit $2 user_cron_spool_t:file entrypoint;
+ dontaudit $2 user_cron_spool_t:file entrypoint;
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
- ')
+ dontaudit $2 cronjob_t:process { signal_perms };
+ ')
optional_policy(`
gen_require(`
@@ -119,78 +137,87 @@ interface(`cron_role',`
dbus_stub(cronjob_t)
allow cronjob_t $2:dbus send_msg;
- ')
+ ')
')
########################################
##
-## Role access for unconfined cron.
+## Role access for unconfined cronjobs
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
+##
#
interface(`cron_unconfined_role',`
gen_require(`
type unconfined_cronjob_t, crontab_t, crontab_exec_t;
- type crond_t, user_cron_spool_t;
- bool cron_userdomain_transition;
+ type crond_t, user_cron_spool_t;
+ bool cron_userdomain_transition;
')
- ##############################
- #
- # Declarations
- #
+ ##############################
+ #
+ # Declarations
+ #
+
+ role $1 types { unconfined_cronjob_t crontab_t };
- role $1 types { unconfined_cronjob_t crontab_t };
+ ##############################
+ #
+ # Local policy
+ #
- ##############################
- #
- # Local policy
- #
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
- domtrans_pattern($2, crontab_exec_t, crontab_t)
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crond_t:process sigchld;
+ allow $2 crond_t:process sigchld;
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
- allow $2 crontab_t:process { ptrace signal_perms };
- ps_process_pattern($2, crontab_t)
+ allow $2 crontab_t:process { signal_perms };
+ ps_process_pattern($2, crontab_t)
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 crontab_t:process ptrace;
+ ')
- tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
+ # cronjob shows up in user ps
+ ps_process_pattern($2, unconfined_cronjob_t)
+ allow $2 unconfined_cronjob_t:process signal_perms;
- allow $2 user_cron_spool_t:file entrypoint;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 unconfined_cronjob_t:process ptrace;
+ ')
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+ corecmd_exec_bin(crontab_t)
+ corecmd_exec_shell(crontab_t)
- allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, unconfined_cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
- dontaudit $2 user_cron_spool_t:file entrypoint;
+ allow $2 user_cron_spool_t:file entrypoint;
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
- dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
-')
+ dontaudit $2 user_cron_spool_t:file entrypoint;
+
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+ ')
optional_policy(`
gen_require(`
@@ -198,55 +225,60 @@ interface(`cron_unconfined_role',`
')
dbus_stub(unconfined_cronjob_t)
-
allow unconfined_cronjob_t $2:dbus send_msg;
')
')
########################################
##
-## Role access for admin cron.
+## Role access for cron
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
+##
#
interface(`cron_admin_role',`
gen_require(`
- type cronjob_t, crontab_exec_t, admin_crontab_t;
+ type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
+ type user_cron_spool_t, crond_t;
class passwd crontab;
- type crond_t, user_cron_spool_t;
- bool cron_userdomain_transition;
+ bool cron_userdomain_transition;
')
- ##############################
- #
- # Declarations
- #
+ ##############################
+ #
+ # Declarations
+ #
- role $1 types { cronjob_t admin_crontab_t };
+ role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
- ##############################
- #
- # Local policy
- #
+ ##############################
+ #
+ # Local policy
+ #
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crond_t:process sigchld;
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+ allow $2 crond_t:process sigchld;
- allow $2 admin_crontab_t:process { ptrace signal_perms };
+ # crontab shows up in user ps
ps_process_pattern($2, admin_crontab_t)
+ allow $2 admin_crontab_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 admin_crontab_t:process ptrace;
+ ')
# Manipulate other users crontab.
allow $2 self:passwd crontab;
@@ -254,28 +286,26 @@ interface(`cron_admin_role',`
corecmd_exec_bin(admin_crontab_t)
corecmd_exec_shell(admin_crontab_t)
- tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
- allow $2 user_cron_spool_t:file entrypoint;
+ allow $2 user_cron_spool_t:file entrypoint;
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
- allow $2 cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
+ allow $2 cronjob_t:process { signal_perms };
+ ps_process_pattern($2, cronjob_t)
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
- dontaudit $2 user_cron_spool_t:file entrypoint;
-
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
- ')
+ dontaudit $2 user_cron_spool_t:file entrypoint;
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+ dontaudit $2 cronjob_t:process { signal_perms };
+ ')
optional_policy(`
gen_require(`
@@ -285,13 +315,13 @@ interface(`cron_admin_role',`
dbus_stub(admin_cronjob_t)
allow cronjob_t $2:dbus send_msg;
- ')
+ ')
')
########################################
##
-## Make the specified program domain
-## accessable from the system cron jobs.
+## Make the specified program domain accessable
+## from the system cron jobs.
##
##
##
@@ -307,15 +337,15 @@ interface(`cron_admin_role',`
interface(`cron_system_entry',`
gen_require(`
type crond_t, system_cronjob_t;
- type user_cron_spool_log_t;
')
- rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
-
domtrans_pattern(system_cronjob_t, $2, $1)
domtrans_pattern(crond_t, $2, $1)
role system_r types $1;
+
+ allow $1 crond_t:fifo_file rw_fifo_file_perms;
+ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
')
########################################
@@ -333,13 +363,12 @@ interface(`cron_domtrans',`
type system_cronjob_t, crond_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, crond_exec_t, system_cronjob_t)
')
########################################
##
-## Execute crond in the caller domain.
+## Execute crond_exec_t
##
##
##
@@ -352,7 +381,6 @@ interface(`cron_exec',`
type crond_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, crond_exec_t)
')
@@ -376,7 +404,31 @@ interface(`cron_initrc_domtrans',`
########################################
##
-## Use crond file descriptors.
+## Execute crond server in the crond domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cron_systemctl',`
+ gen_require(`
+ type crond_unit_file_t;
+ type crond_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 crond_unit_file_t:file read_file_perms;
+ allow $1 crond_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, crond_t)
+')
+
+########################################
+##
+## Inherit and use a file descriptor
+## from the cron daemon.
##
##
##
@@ -394,7 +446,7 @@ interface(`cron_use_fds',`
########################################
##
-## Send child terminated signals to crond.
+## Send a SIGCHLD signal to the cron daemon.
##
##
##
@@ -412,7 +464,7 @@ interface(`cron_sigchld',`
########################################
##
-## Set the attributes of cron log files.
+## Send a generic signal to cron daemon.
##
##
##
@@ -420,17 +472,17 @@ interface(`cron_sigchld',`
##
##
#
-interface(`cron_setattr_log_files',`
+interface(`cron_signal',`
gen_require(`
- type cron_log_t;
+ type crond_t;
')
- allow $1 cron_log_t:file setattr_file_perms;
+ allow $1 crond_t:process signal;
')
########################################
##
-## Create cron log files.
+## Read a cron daemon unnamed pipe.
##
##
##
@@ -438,17 +490,17 @@ interface(`cron_setattr_log_files',`
##
##
#
-interface(`cron_create_log_files',`
+interface(`cron_read_pipes',`
gen_require(`
- type cron_log_t;
+ type crond_t;
')
- create_files_pattern($1, cron_log_t, cron_log_t)
+ allow $1 crond_t:fifo_file read_fifo_file_perms;
')
########################################
##
-## Write to cron log files.
+## Read crond state files.
##
##
##
@@ -456,18 +508,20 @@ interface(`cron_create_log_files',`
##
##
#
-interface(`cron_write_log_files',`
+interface(`cron_read_state_crond',`
gen_require(`
- type cron_log_t;
+ type crond_t;
')
- allow $1 cron_log_t:file write_file_perms;
+ kernel_search_proc($1)
+ ps_process_pattern($1, crond_t)
')
+
########################################
##
-## Create, read, write and delete
-## cron log files.
+## Send and receive messages from
+## crond over dbus.
##
##
##
@@ -475,48 +529,37 @@ interface(`cron_write_log_files',`
##
##
#
-interface(`cron_manage_log_files',`
+interface(`cron_dbus_chat_crond',`
gen_require(`
- type cron_log_t;
+ type crond_t;
+ class dbus send_msg;
')
- manage_files_pattern($1, cron_log_t, cron_log_t)
-
- logging_search_logs($1)
+ allow $1 crond_t:dbus send_msg;
+ allow crond_t $1:dbus send_msg;
')
########################################
##
-## Create specified objects in generic
-## log directories with the cron log file type.
+## Do not audit attempts to write cron daemon unnamed pipes.
##
##
##
-## Domain allowed access.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
+## Domain to not audit.
##
##
#
-interface(`cron_generic_log_filetrans_log',`
+interface(`cron_dontaudit_write_pipes',`
gen_require(`
- type cron_log_t;
+ type crond_t;
')
- logging_log_filetrans($1, cron_log_t, $2, $3)
+ dontaudit $1 crond_t:fifo_file write;
')
########################################
##
-## Read cron daemon unnamed pipes.
+## Read and write a cron daemon unnamed pipe.
##
##
##
@@ -524,36 +567,35 @@ interface(`cron_generic_log_filetrans_log',`
##
##
#
-interface(`cron_read_pipes',`
+interface(`cron_rw_pipes',`
gen_require(`
type crond_t;
')
- allow $1 crond_t:fifo_file read_fifo_file_perms;
+ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
##
-## Do not audit attempts to write
-## cron daemon unnamed pipes.
+## Read and write inherited user spool files.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`cron_dontaudit_write_pipes',`
+interface(`cron_rw_inherited_user_spool_files',`
gen_require(`
- type crond_t;
+ type user_cron_spool_t;
')
- dontaudit $1 crond_t:fifo_file write;
+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
')
########################################
##
-## Read and write crond unnamed pipes.
+## Read and write inherited spool files.
##
##
##
@@ -561,17 +603,17 @@ interface(`cron_dontaudit_write_pipes',`
##
##
#
-interface(`cron_rw_pipes',`
+interface(`cron_rw_inherited_spool_files',`
gen_require(`
- type crond_t;
+ type cron_spool_t;
')
- allow $1 crond_t:fifo_file rw_fifo_file_perms;
+ allow $1 cron_spool_t:file rw_inherited_file_perms;
')
########################################
##
-## Read and write crond TCP sockets.
+## Read, and write cron daemon TCP sockets.
##
##
##
@@ -589,8 +631,7 @@ interface(`cron_rw_tcp_sockets',`
########################################
##
-## Do not audit attempts to read and
-## write cron daemon TCP sockets.
+## Dontaudit Read, and write cron daemon TCP sockets.
##
##
##
@@ -608,7 +649,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
########################################
##
-## Search cron spool directories.
+## Search the directory containing user cron tables.
##
##
##
@@ -627,8 +668,26 @@ interface(`cron_search_spool',`
########################################
##
-## Create, read, write, and delete
-## crond pid files.
+## Search the directory containing user cron tables.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_manage_system_spool',`
+ gen_require(`
+ type cron_system_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
+')
+
+########################################
+##
+## Manage pid files used by cron
##
##
##
@@ -641,13 +700,13 @@ interface(`cron_manage_pid_files',`
type crond_var_run_t;
')
+ files_search_pids($1)
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
')
########################################
##
-## Execute anacron in the cron
-## system domain.
+## Execute anacron in the cron system domain.
##
##
##
@@ -660,13 +719,13 @@ interface(`cron_anacron_domtrans_system_job',`
type system_cronjob_t, anacron_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
')
########################################
##
-## Use system cron job file descriptors.
+## Inherit and use a file descriptor
+## from system cron jobs.
##
##
##
@@ -684,7 +743,7 @@ interface(`cron_use_system_job_fds',`
########################################
##
-## Read system cron job lib files.
+## Write a system cron job unnamed pipe.
##
##
##
@@ -692,19 +751,17 @@ interface(`cron_use_system_job_fds',`
##
##
#
-interface(`cron_read_system_job_lib_files',`
+interface(`cron_write_system_job_pipes',`
gen_require(`
- type system_cronjob_var_lib_t;
+ type system_cronjob_t;
')
- files_search_var_lib($1)
- read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+ allow $1 system_cronjob_t:fifo_file write;
')
########################################
##
-## Create, read, write, and delete
-## system cron job lib files.
+## Read and write a system cron job unnamed pipe.
##
##
##
@@ -712,18 +769,17 @@ interface(`cron_read_system_job_lib_files',`
##
##
#
-interface(`cron_manage_system_job_lib_files',`
+interface(`cron_rw_system_job_pipes',`
gen_require(`
- type system_cronjob_var_lib_t;
+ type system_cronjob_t;
')
- files_search_var_lib($1)
- manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
##
-## Write system cron job unnamed pipes.
+## Allow read/write unix stream sockets from the system cron jobs.
##
##
##
@@ -731,18 +787,17 @@ interface(`cron_manage_system_job_lib_files',`
##
##
#
-interface(`cron_write_system_job_pipes',`
+interface(`cron_rw_system_job_stream_sockets',`
gen_require(`
type system_cronjob_t;
')
- allow $1 system_cronjob_t:file write;
+ allow $1 system_cronjob_t:unix_stream_socket { read write };
')
########################################
##
-## Read and write system cron job
-## unnamed pipes.
+## Read temporary files from the system cron jobs.
##
##
##
@@ -750,86 +805,142 @@ interface(`cron_write_system_job_pipes',`
##
##
#
-interface(`cron_rw_system_job_pipes',`
+interface(`cron_read_system_job_tmp_files',`
gen_require(`
- type system_cronjob_t;
+ type system_cronjob_tmp_t, cron_var_run_t;
')
- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+ files_search_tmp($1)
+ allow $1 system_cronjob_tmp_t:file read_file_perms;
+
+ files_search_pids($1)
+ allow $1 cron_var_run_t:file read_file_perms;
')
########################################
##
-## Read and write inherited system cron
-## job unix domain stream sockets.
+## Do not audit attempts to append temporary
+## files from the system cron jobs.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`cron_rw_system_job_stream_sockets',`
+interface(`cron_dontaudit_append_system_job_tmp_files',`
gen_require(`
- type system_cronjob_t;
+ type system_cronjob_tmp_t;
')
- allow $1 system_cronjob_t:unix_stream_socket { read write };
+ dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
')
########################################
##
-## Read system cron job temporary files.
+## Do not audit attempts to write temporary
+## files from the system cron jobs.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`cron_read_system_job_tmp_files',`
+interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
+ type cron_var_run_t;
')
- files_search_tmp($1)
- allow $1 system_cronjob_tmp_t:file read_file_perms;
+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+ dontaudit $1 cron_var_run_t:file write_file_perms;
')
########################################
##
-## Do not audit attempts to append temporary
-## system cron job files.
+## Read temporary files from the system cron jobs.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`cron_dontaudit_append_system_job_tmp_files',`
+interface(`cron_read_system_job_lib_files',`
gen_require(`
- type system_cronjob_tmp_t;
+ type system_cronjob_var_lib_t;
')
- dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
+ files_search_var_lib($1)
+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
########################################
##
-## Do not audit attempts to write temporary
-## system cron job files.
+## Manage files from the system cron jobs.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`cron_dontaudit_write_system_job_tmp_files',`
+interface(`cron_manage_system_job_lib_files',`
gen_require(`
- type system_cronjob_tmp_t;
+ type system_cronjob_var_lib_t;
')
- dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+#######################################
+##
+## Create, read, write and delete
+## cron log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_manage_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ manage_files_pattern($1, cron_log_t, cron_log_t)
+
+ logging_search_logs($1)
+')
+
+#######################################
+##
+## Create specified objects in generic
+## log directories with the cron log file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`cron_generic_log_filetrans_log',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
index 7de3859..c4abac0 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,46 @@ gen_require(`
##
##
-## Determine whether system cron jobs
-## can relabel filesystem for
-## restoring file contexts.
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
##
##
gen_tunable(cron_can_relabel, false)
##
-##
-## Determine whether crond can execute jobs
-## in the user domain as opposed to the
-## the generic cronjob domain.
-##
+##
+## Determine whether crond can execute jobs
+## in the user domain as opposed to the
+## the generic cronjob domain.
+##
##
gen_tunable(cron_userdomain_transition, false)
##
##
-## Determine whether extra rules
-## should be enabled to support fcron.
+## Enable extra rules in the cron domain
+## to support fcron.
##
##
gen_tunable(fcron_crond, false)
-attribute cron_spool_type;
attribute crontab_domain;
+attribute cron_spool_type;
type anacron_exec_t;
application_executable_file(anacron_exec_t)
type cron_spool_t;
-files_type(cron_spool_t)
-mta_system_content(cron_spool_t)
+files_spool_file(cron_spool_t)
+# var/lib files
type cron_var_lib_t;
files_type(cron_var_lib_t)
type cron_var_run_t;
files_pid_file(cron_var_run_t)
+# var/log files
type cron_log_t;
logging_log_file(cron_log_t)
@@ -71,6 +71,9 @@ domain_cron_exemption_source(crond_t)
type crond_initrc_exec_t;
init_script_file(crond_initrc_exec_t)
+type crond_unit_file_t;
+systemd_unit_file(crond_unit_file_t)
+
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t)
@@ -92,15 +95,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+allow admin_crontab_t crond_t:process signal;
type system_cron_spool_t, cron_spool_type;
-files_type(system_cron_spool_t)
-mta_system_content(system_cron_spool_t)
+files_spool_file(system_cron_spool_t)
type system_cronjob_t alias system_crond_t;
init_daemon_domain(system_cronjob_t, anacron_exec_t)
corecmd_shell_entry_type(system_cronjob_t)
-domain_entry_file(system_cronjob_t, system_cron_spool_t)
+role system_r types system_cronjob_t;
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
@@ -108,94 +112,34 @@ files_lock_file(system_cronjob_lock_t)
type system_cronjob_tmp_t alias system_crond_tmp_t;
files_tmp_file(system_cronjob_tmp_t)
-type system_cronjob_var_lib_t;
-files_type(system_cronjob_var_lib_t)
-
-type system_cronjob_var_run_t;
-files_pid_file(system_cronjob_var_run_t)
-
+# Type of user crontabs once moved to cron spool.
type user_cron_spool_t, cron_spool_type;
typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
+files_spool_file(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
mta_system_content(user_cron_spool_t)
-type user_cron_spool_log_t;
-logging_log_file(user_cron_spool_log_t)
-ubac_constrained(user_cron_spool_log_t)
-mta_system_content(user_cron_spool_log_t)
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
')
-##############################
-#
-# Common crontab local policy
-#
-
-allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
-allow crontab_domain self:process { getcap setsched signal_perms };
-allow crontab_domain self:fifo_file rw_fifo_file_perms;
-
-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-
-allow crontab_domain cron_spool_t:dir setattr_dir_perms;
-
-allow crontab_domain crond_t:process signal;
-allow crontab_domain crond_var_run_t:file read_file_perms;
-
-kernel_read_system_state(crontab_domain)
-
-selinux_dontaudit_search_fs(crontab_domain)
-
-files_list_spool(crontab_domain)
-files_read_etc_files(crontab_domain)
-files_read_usr_files(crontab_domain)
-files_search_pids(crontab_domain)
-
-fs_getattr_xattr_fs(crontab_domain)
-fs_manage_cgroup_dirs(crontab_domain)
-fs_rw_cgroup_files(crontab_domain)
-
-domain_use_interactive_fds(crontab_domain)
-
-fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
-
-auth_rw_var_auth(crontab_domain)
-
-logging_send_syslog_msg(crontab_domain)
-logging_send_audit_msgs(crontab_domain)
-logging_set_loginuid(crontab_domain)
-
-init_dontaudit_write_utmp(crontab_domain)
-init_read_utmp(crontab_domain)
-init_read_state(crontab_domain)
-
-miscfiles_read_localization(crontab_domain)
-
-seutil_read_config(crontab_domain)
-
-userdom_manage_user_tmp_dirs(crontab_domain)
-userdom_manage_user_tmp_files(crontab_domain)
-userdom_use_user_terminals(crontab_domain)
-userdom_read_user_home_content_files(crontab_domain)
-userdom_read_user_home_content_symlinks(crontab_domain)
-
-tunable_policy(`fcron_crond',`
- dontaudit crontab_domain crond_t:process signal;
-')
-
########################################
#
-# Admin local policy
+# Admin crontab local policy
#
-allow admin_crontab_t self:capability fsetid;
-allow admin_crontab_t crond_t:process signal;
+# Allow our crontab domain to unlink a user cron spool file.
+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
+# Manipulate other users crontab.
selinux_get_fs_mount(admin_crontab_t)
selinux_validate_context(admin_crontab_t)
selinux_compute_access_vector(admin_crontab_t)
@@ -204,12 +148,14 @@ selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
allow admin_crontab_t self:process setfscreate;
')
########################################
#
-# Daemon local policy
+# Cron daemon local policy
#
allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
@@ -218,8 +164,10 @@ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem exec
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
+allow crond_t self:unix_dgram_socket create_socket_perms;
+allow crond_t self:unix_stream_socket create_stream_socket_perms;
allow crond_t self:unix_dgram_socket sendto;
-allow crond_t self:unix_stream_socket { accept connectto listen };
+allow crond_t self:unix_stream_socket connectto;
allow crond_t self:shm create_shm_perms;
allow crond_t self:sem create_sem_perms;
allow crond_t self:msgq create_msgq_perms;
@@ -227,7 +175,7 @@ allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
-allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
logging_log_filetrans(crond_t, cron_log_t, file)
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
@@ -237,73 +185,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
-files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
+files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
-rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-
-manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
+kernel_read_kernel_sysctls(crond_t)
+kernel_read_fs_sysctls(crond_t)
+kernel_search_key(crond_t)
-allow crond_t system_cronjob_t:process transition;
-allow crond_t system_cronjob_t:fd use;
-allow crond_t system_cronjob_t:key manage_key_perms;
+dev_read_sysfs(crond_t)
+selinux_get_fs_mount(crond_t)
+selinux_validate_context(crond_t)
+selinux_compute_access_vector(crond_t)
+selinux_compute_create_context(crond_t)
+selinux_compute_relabel_context(crond_t)
+selinux_compute_user_contexts(crond_t)
-dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh };
+dev_read_urand(crond_t)
-domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
+fs_getattr_all_fs(crond_t)
+fs_search_auto_mountpoints(crond_t)
+fs_list_inotifyfs(crond_t)
-kernel_read_kernel_sysctls(crond_t)
-kernel_read_fs_sysctls(crond_t)
-kernel_search_key(crond_t)
+# need auth_chkpwd to check for locked accounts.
+auth_domtrans_chk_passwd(crond_t)
+auth_manage_var_auth(crond_t)
corecmd_exec_shell(crond_t)
-corecmd_exec_bin(crond_t)
corecmd_list_bin(crond_t)
-
-dev_read_sysfs(crond_t)
-dev_read_urand(crond_t)
+corecmd_exec_bin(crond_t)
+corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
domain_subj_id_change_exemption(crond_t)
domain_role_change_exemption(crond_t)
-fs_getattr_all_fs(crond_t)
-fs_list_inotifyfs(crond_t)
-fs_manage_cgroup_dirs(crond_t)
-fs_rw_cgroup_files(crond_t)
-fs_search_auto_mountpoints(crond_t)
-
-files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
files_read_generic_spool(crond_t)
files_list_usr(crond_t)
+# Read from /var/spool/cron.
files_search_var_lib(crond_t)
files_search_default(crond_t)
files_read_all_locks(crond_t)
-mls_fd_share_all_levels(crond_t)
+fs_manage_cgroup_dirs(crond_t)
+fs_manage_cgroup_files(crond_t)
+
+# needed by "crontab -e"
mls_file_read_all_levels(crond_t)
mls_file_write_all_levels(crond_t)
+
+# needed because of kernel check of transition
mls_process_set_level(crond_t)
-mls_trusted_object(crond_t)
-selinux_get_fs_mount(crond_t)
-selinux_validate_context(crond_t)
-selinux_compute_access_vector(crond_t)
-selinux_compute_create_context(crond_t)
-selinux_compute_relabel_context(crond_t)
-selinux_compute_user_contexts(crond_t)
+# to make cronjob working
+mls_fd_share_all_levels(crond_t)
+mls_trusted_object(crond_t)
init_read_state(crond_t)
init_rw_utmp(crond_t)
init_spec_domtrans_script(crond_t)
-auth_domtrans_chk_passwd(crond_t)
-auth_manage_var_auth(crond_t)
auth_use_nsswitch(crond_t)
logging_send_audit_msgs(crond_t)
@@ -312,41 +255,46 @@ logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
+seutil_sigchld_newrole(crond_t)
-miscfiles_read_localization(crond_t)
+userdom_use_unpriv_users_fds(crond_t)
+# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
+userdom_list_admin_dir(crond_t)
+userdom_manage_all_users_keys(crond_t)
-tunable_policy(`cron_userdomain_transition',`
- dontaudit crond_t cronjob_t:process transition;
- dontaudit crond_t cronjob_t:fd use;
- dontaudit crond_t cronjob_t:key manage_key_perms;
-',`
- allow crond_t cronjob_t:process transition;
- allow crond_t cronjob_t:fd use;
- allow crond_t cronjob_t:key manage_key_perms;
-')
+mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
ifdef(`distro_debian',`
+ # pam_limits is used
allow crond_t self:process setrlimit;
- optional_policy(`
- logwatch_search_cache_dir(crond_t)
- ')
+')
+
+optional_policy(`
+ logwatch_search_cache_dir(crond_t)
+')
+
+optional_policy(`
+ bind_read_config(crond_t)
')
ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ # via redirection of standard out.
optional_policy(`
rpm_manage_log(crond_t)
')
')
-tunable_policy(`allow_polyinstantiation',`
+tunable_policy(`polyinstantiation_enabled',`
files_polyinstantiate_all(crond_t)
')
-tunable_policy(`fcron_crond',`
- allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
+tunable_policy(`fcron_crond', `
+ allow crond_t system_cron_spool_t:file manage_file_perms;
')
optional_policy(`
@@ -354,103 +302,135 @@ optional_policy(`
')
optional_policy(`
- dbus_system_bus_client(crond_t)
-
- optional_policy(`
- hal_dbus_chat(crond_t)
- ')
-
- optional_policy(`
- unconfined_dbus_send(crond_t)
- ')
+ djbdns_search_tinydns_keys(crond_t)
+ djbdns_link_tinydns_keys(crond_t)
')
optional_policy(`
- amanda_search_var_lib(crond_t)
+ locallogin_search_keys(crond_t)
+ locallogin_link_keys(crond_t)
')
optional_policy(`
- amavis_search_lib(crond_t)
+ # these should probably be unconfined_crond_t
+ dbus_system_bus_client(crond_t)
+ init_dbus_send_script(crond_t)
+ init_dbus_chat(crond_t)
')
optional_policy(`
- djbdns_search_tinydns_keys(crond_t)
- djbdns_link_tinydns_keys(crond_t)
+ amanda_search_var_lib(crond_t)
')
optional_policy(`
- hal_write_log(crond_t)
+ antivirus_search_db(crond_t)
')
optional_policy(`
- locallogin_search_keys(crond_t)
- locallogin_link_keys(crond_t)
+ hal_dbus_chat(crond_t)
+ hal_write_log(crond_t)
+ hal_dbus_chat(system_cronjob_t)
')
optional_policy(`
- mta_send_mail(crond_t)
+ # cjp: why?
+ munin_search_lib(crond_t)
')
optional_policy(`
- munin_search_lib(crond_t)
+ rpc_search_nfs_state_data(crond_t)
')
optional_policy(`
- postgresql_search_db(crond_t)
+ # Commonly used from postinst scripts
+ rpm_read_pipes(crond_t)
')
optional_policy(`
- rpc_search_nfs_state_data(crond_t)
+ # allow crond to find /usr/lib/postgresql/bin/do.maintenance
+ postgresql_search_db(crond_t)
')
optional_policy(`
- rpm_read_pipes(crond_t)
+ systemd_use_fds_logind(crond_t)
+ systemd_write_inherited_logind_sessions_pipes(crond_t)
')
optional_policy(`
- seutil_sigchld_newrole(crond_t)
+ udev_read_db(crond_t)
')
optional_policy(`
- udev_read_db(crond_t)
+ vnstatd_search_lib(crond_t)
')
########################################
#
-# System local policy
+# System cron process domain
#
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+# This is to handle creation of files in /var/log directory.
+# Used currently by rpm script log files
+allow system_cronjob_t cron_log_t:file manage_file_perms;
logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+# This is to handle /var/lib/misc directory. Used currently
+# by prelink var/lib files for cron
allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
allow system_cronjob_t cron_var_run_t:file manage_file_perms;
files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
+allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
+# anacron forces the following
manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+# The entrypoint interface is not used as this is not
+# a regular entrypoint. Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job. It
+# performs an entrypoint permission check
+# for this purpose.
+allow system_cronjob_t system_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond
+# via setexeccon. There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t system_cronjob_t:process transition;
+dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t system_cronjob_t:fd use;
+allow system_cronjob_t crond_t:fd use;
+allow system_cronjob_t crond_t:fifo_file rw_file_perms;
+allow system_cronjob_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:key manage_key_perms;
+
+# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
+# write temporary files
+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
-filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file })
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { dir file })
+# var/lib files for system_crond
+files_search_var_lib(system_cronjob_t)
manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
-allow system_cronjob_t crond_t:fd use;
-allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms;
-allow system_cronjob_t crond_t:process sigchld;
-
+# Read from /var/spool/cron.
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
@@ -461,11 +441,11 @@ kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
+# ps does not need to access /boot when run from cron
files_dontaudit_search_boot(system_cronjob_t)
corecmd_exec_all_executables(system_cronjob_t)
-corenet_all_recvfrom_unlabeled(system_cronjob_t)
corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
@@ -485,6 +465,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
+# quiet other ps operations
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
@@ -495,17 +476,22 @@ files_getattr_all_files(system_cronjob_t)
files_getattr_all_symlinks(system_cronjob_t)
files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t)
-files_read_usr_files(system_cronjob_t)
files_read_var_files(system_cronjob_t)
+# for nscd:
files_dontaudit_search_pids(system_cronjob_t)
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
files_create_boot_flag(system_cronjob_t)
mls_file_read_to_clearance(system_cronjob_t)
init_domtrans_script(system_cronjob_t)
-init_read_utmp(system_cronjob_t)
init_use_script_fds(system_cronjob_t)
+init_read_utmp(system_cronjob_t)
+init_dontaudit_rw_utmp(system_cronjob_t)
+# prelink tells init to restart it self, we either need to allow or dontaudit
+init_telinit(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
@@ -516,20 +502,26 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
-miscfiles_read_localization(system_cronjob_t)
-
seutil_read_config(system_cronjob_t)
+userdom_manage_tmpfs_files(system_cronjob_t, file)
+userdom_tmpfs_filetrans(system_cronjob_t, file)
+
ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+
+ # via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
')
')
+selinux_get_fs_mount(system_cronjob_t)
+
tunable_policy(`cron_can_relabel',`
seutil_domtrans_setfiles(system_cronjob_t)
',`
- selinux_get_fs_mount(system_cronjob_t)
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
@@ -539,10 +531,17 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
+ # Needed for certwatch
apache_exec_modules(system_cronjob_t)
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
+ apache_delete_cache_dirs(system_cronjob_t)
+ apache_delete_cache_files(system_cronjob_t)
+')
+
+optional_policy(`
+ bind_read_config(system_cronjob_t)
')
optional_policy(`
@@ -551,10 +550,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
-
- optional_policy(`
- networkmanager_dbus_chat(system_cronjob_t)
- ')
')
optional_policy(`
@@ -591,6 +586,7 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
+ mta_system_content(system_cron_spool_t)
')
optional_policy(`
@@ -598,7 +594,19 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_dbus_chat(system_cronjob_t)
+')
+
+optional_policy(`
postfix_read_config(system_cronjob_t)
+')
+
+optional_policy(`
+ prelink_delete_cache(system_cronjob_t)
+ prelink_manage_lib(system_cronjob_t)
+ prelink_manage_log(system_cronjob_t)
+ prelink_read_cache(system_cronjob_t)
+ prelink_relabel_lib(system_cronjob_t)
')
optional_policy(`
@@ -608,6 +616,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
+ spamassassin_manage_home_client(system_cronjob_t)
')
optional_policy(`
@@ -615,12 +624,24 @@ optional_policy(`
')
optional_policy(`
- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+ systemd_dbus_chat_logind(system_cronjob_t)
+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+')
+
+optional_policy(`
+ unconfined_domain(crond_t)
+ unconfined_domain(system_cronjob_t)
+')
+
+optional_policy(`
+ unconfined_shell_domtrans(crond_t)
+ unconfined_dbus_send(crond_t)
+ userdom_filetrans_home_content(crond_t)
')
########################################
#
-# Cronjob local policy
+# User cronjobs local policy
#
allow cronjob_t self:process { signal_perms setsched };
@@ -628,12 +649,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
+# The entrypoint interface is not used as this is not
+# a regular entrypoint. Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job. It
+# performs an entrypoint permission check
+# for this purpose.
+allow cronjob_t user_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond
+# via setexeccon. There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t cronjob_t:process transition;
+dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t cronjob_t:fd use;
+allow cronjob_t crond_t:fd use;
+allow cronjob_t crond_t:fifo_file rw_file_perms;
+allow cronjob_t crond_t:process sigchld;
+
kernel_read_system_state(cronjob_t)
kernel_read_kernel_sysctls(cronjob_t)
+# ps does not need to access /boot when run from cron
files_dontaudit_search_boot(cronjob_t)
-corenet_all_recvfrom_unlabeled(cronjob_t)
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
@@ -641,66 +682,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
-
-corenet_sendrecv_all_client_packets(cronjob_t)
corenet_tcp_connect_all_ports(cronjob_t)
-
-corecmd_exec_all_executables(cronjob_t)
+corenet_sendrecv_all_client_packets(cronjob_t)
dev_read_urand(cronjob_t)
fs_getattr_all_fs(cronjob_t)
+corecmd_exec_all_executables(cronjob_t)
+
+# quiet other ps operations
domain_dontaudit_read_all_domains_state(cronjob_t)
domain_dontaudit_getattr_all_domains(cronjob_t)
files_exec_etc_files(cronjob_t)
-files_read_etc_runtime_files(cronjob_t)
-files_read_var_files(cronjob_t)
-files_read_usr_files(cronjob_t)
-files_search_spool(cronjob_t)
+# for nscd:
files_dontaudit_search_pids(cronjob_t)
libs_exec_lib_files(cronjob_t)
libs_exec_ld_so(cronjob_t)
+files_read_etc_runtime_files(cronjob_t)
+files_read_var_files(cronjob_t)
+files_search_spool(cronjob_t)
+
logging_search_logs(cronjob_t)
seutil_read_config(cronjob_t)
-miscfiles_read_localization(cronjob_t)
userdom_manage_user_tmp_files(cronjob_t)
userdom_manage_user_tmp_symlinks(cronjob_t)
userdom_manage_user_tmp_pipes(cronjob_t)
userdom_manage_user_tmp_sockets(cronjob_t)
+# Run scripts in user home directory and access shared libs.
userdom_exec_user_home_content_files(cronjob_t)
+# Access user files and dirs.
userdom_manage_user_home_content_files(cronjob_t)
userdom_manage_user_home_content_symlinks(cronjob_t)
userdom_manage_user_home_content_pipes(cronjob_t)
userdom_manage_user_home_content_sockets(cronjob_t)
-tunable_policy(`cron_userdomain_transition',`
- dontaudit cronjob_t crond_t:fd use;
- dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms;
- dontaudit cronjob_t crond_t:process sigchld;
-
- dontaudit cronjob_t user_cron_spool_t:file entrypoint;
-',`
- allow cronjob_t crond_t:fd use;
- allow cronjob_t crond_t:fifo_file rw_fifo_file_perms;
- allow cronjob_t crond_t:process sigchld;
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
- allow cronjob_t user_cron_spool_t:file entrypoint;
+tunable_policy(`fcron_crond',`
+ allow crond_t user_cron_spool_t:file manage_file_perms;
')
+# need a per-role version of this:
+#optional_policy(`
+# mono_domtrans(cronjob_t)
+#')
+
optional_policy(`
nis_use_ypbind(cronjob_t)
')
+##############################
+#
+# crontab common policy
+#
+
+# dac_override is to create the file in the directory under /tmp
+allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
+allow crontab_domain self:process { getcap setsched signal_perms };
+allow crontab_domain self:fifo_file rw_fifo_file_perms;
+
+allow crontab_domain crond_t:process signal;
+allow crontab_domain crond_var_run_t:file read_file_perms;
+
+# create files in /var/spool/cron
+manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
+files_list_spool(crontab_domain)
+
+# crontab signals crond by updating the mtime on the spooldir
+allow crontab_domain cron_spool_t:dir setattr_dir_perms;
+
+# for the checks used by crontab -u
+selinux_dontaudit_search_fs(crontab_domain)
+
+fs_getattr_xattr_fs(crontab_domain)
+fs_manage_cgroup_dirs(crontab_domain)
+fs_manage_cgroup_files(crontab_domain)
+
+domain_use_interactive_fds(crontab_domain)
+
+files_dontaudit_search_pids(crontab_domain)
+
+fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
+
+auth_rw_var_auth(crontab_domain)
+
+logging_send_audit_msgs(crontab_domain)
+logging_set_loginuid(crontab_domain)
+
+init_dontaudit_write_utmp(crontab_domain)
+init_read_utmp(crontab_domain)
+init_read_state(crontab_domain)
+
+
+seutil_read_config(crontab_domain)
+
+userdom_manage_user_tmp_dirs(crontab_domain)
+userdom_manage_user_tmp_files(crontab_domain)
+# Access terminals.
+userdom_use_inherited_user_terminals(crontab_domain)
+# Read user crontabs
+userdom_read_user_home_content_files(crontab_domain)
+userdom_read_user_home_content_symlinks(crontab_domain)
+
+tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
+ dontaudit crontab_domain crond_t:process signal;
+')
+
+optional_policy(`
+ ssh_dontaudit_use_ptys(crontab_domain)
+')
+
+optional_policy(`
+ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
+ openshift_transition(system_cronjob_t)
+')
+
########################################
#
-# Unconfined local policy
+# Unconfined cronjobs local policy
#
type unconfined_cronjob_t;
diff --git a/ctdb.fc b/ctdb.fc
index 8401fe6..507804b 100644
--- a/ctdb.fc
+++ b/ctdb.fc
@@ -2,6 +2,8 @@
/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0)
+
/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
/var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
diff --git a/ctdb.if b/ctdb.if
index b25b01d..e99c5c6 100644
--- a/ctdb.if
+++ b/ctdb.if
@@ -1,9 +1,144 @@
-## Clustered Database based on Samba Trivial Database.
+
+## policy for ctdbd
+
+########################################
+##
+## Transition to ctdbd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ctdbd_domtrans',`
+ gen_require(`
+ type ctdbd_t, ctdbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
+')
+
+########################################
+##
+## Execute ctdbd server in the ctdbd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_initrc_domtrans',`
+ gen_require(`
+ type ctdbd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+')
+
+########################################
+##
+## Read ctdbd's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`ctdbd_read_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+##
+## Append to ctdbd log files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ctdbd_append_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
########################################
##
-## Create, read, write, and delete
-## ctdbd lib files.
+## Manage ctdbd log files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`ctdbd_manage_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
+ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+##
+## Search ctdbd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_search_lib',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ allow $1 ctdbd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read ctdbd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_read_lib_files',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+##
+## Manage ctdbd lib files.
##
##
##
@@ -17,13 +152,12 @@ interface(`ctdbd_manage_lib_files',`
')
files_search_var_lib($1)
- manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
')
-#######################################
+########################################
##
-## Connect to ctdbd with a unix
-## domain stream socket.
+## Manage ctdbd lib files.
##
##
##
@@ -31,19 +165,77 @@ interface(`ctdbd_manage_lib_files',`
##
##
#
-interface(`ctdbd_stream_connect',`
+interface(`ctdbd_manage_var_files',`
gen_require(`
- type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+ type ctdbd_var_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, ctdbd_var_t, ctdbd_var_t)
+')
+
+########################################
+##
+## Manage ctdbd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_manage_lib_dirs',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+##
+## Read ctdbd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_read_pid_files',`
+ gen_require(`
+ type ctdbd_var_run_t;
')
files_search_pids($1)
- stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t)
+ allow $1 ctdbd_var_run_t:file read_file_perms;
+')
+
+#######################################
+##
+## Connect to ctdbd over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_stream_connect',`
+ gen_require(`
+ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
+ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
')
########################################
##
-## All of the rules required to
-## administrate an ctdb environment.
+## All of the rules required to administrate
+## an ctdbd environment
##
##
##
@@ -57,16 +249,19 @@ interface(`ctdbd_stream_connect',`
##
##
#
-interface(`ctdb_admin',`
+interface(`ctdbd_admin',`
gen_require(`
- type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t;
+ type ctdbd_t, ctdbd_initrc_exec_t;
type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
')
- allow $1 ctdbd_t:process { ptrace signal_perms };
+ allow $1 ctdbd_t:process signal_perms;
ps_process_pattern($1, ctdbd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ctdbd_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+ ctdbd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 ctdbd_initrc_exec_t system_r;
allow $2 system_r;
@@ -74,12 +269,10 @@ interface(`ctdb_admin',`
logging_search_logs($1)
admin_pattern($1, ctdbd_log_t)
- files_search_tmp($1)
- admin_pattern($1, ctdbd_tmp_t)
-
files_search_var_lib($1)
admin_pattern($1, ctdbd_var_lib_t)
files_search_pids($1)
admin_pattern($1, ctdbd_var_run_t)
')
+
diff --git a/ctdb.te b/ctdb.te
index 001b502..f3809a2 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
type ctdbd_var_lib_t;
files_type(ctdbd_var_lib_t)
+type ctdbd_var_t;
+files_type(ctdbd_var_t)
+
type ctdbd_var_run_t;
files_pid_file(ctdbd_var_run_t)
@@ -33,12 +36,14 @@ files_pid_file(ctdbd_var_run_t)
#
allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
+allow ctdbd_t self:capability2 block_suspend;
allow ctdbd_t self:process { setpgid signal_perms setsched };
allow ctdbd_t self:fifo_file rw_fifo_file_perms;
allow ctdbd_t self:unix_stream_socket { accept connectto listen };
allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
allow ctdbd_t self:packet_socket create_socket_perms;
allow ctdbd_t self:tcp_socket create_stream_socket_perms;
+allow ctdbd_t self:udp_socket create_socket_perms;
append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
@@ -59,6 +64,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
+manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb")
+
manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
@@ -72,9 +82,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
corenet_tcp_sendrecv_generic_if(ctdbd_t)
corenet_tcp_sendrecv_generic_node(ctdbd_t)
corenet_tcp_bind_generic_node(ctdbd_t)
+corenet_udp_bind_generic_node(ctdbd_t)
corenet_sendrecv_ctdb_server_packets(ctdbd_t)
corenet_tcp_bind_ctdb_port(ctdbd_t)
+corenet_udp_bind_ctdb_port(ctdbd_t)
corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
corecmd_exec_bin(ctdbd_t)
@@ -85,12 +97,14 @@ dev_read_urand(ctdbd_t)
domain_dontaudit_read_all_domains_state(ctdbd_t)
-files_read_etc_files(ctdbd_t)
files_search_all_mountpoints(ctdbd_t)
+fs_getattr_all_fs(ctdbd_t)
+
+auth_read_passwd(ctdbd_t)
+
logging_send_syslog_msg(ctdbd_t)
-miscfiles_read_localization(ctdbd_t)
miscfiles_read_public_files(ctdbd_t)
optional_policy(`
@@ -109,6 +123,7 @@ optional_policy(`
samba_initrc_domtrans(ctdbd_t)
samba_domtrans_net(ctdbd_t)
samba_rw_var_files(ctdbd_t)
+ samba_systemctl(ctdbd_t)
')
optional_policy(`
diff --git a/cups.fc b/cups.fc
index 949011e..afe482b 100644
--- a/cups.fc
+++ b/cups.fc
@@ -1,77 +1,87 @@
-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
-/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
-/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
-
-/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/hp(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
-/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0)
-/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
-/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/lib/cups-pk-helper/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
-/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hpiod -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
-/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+
+/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0)
+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
-/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
+/var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
-/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
-/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/cups.if b/cups.if
index 3023be7..20e370b 100644
--- a/cups.if
+++ b/cups.if
@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
interface(`cups_read_config',`
gen_require(`
type cupsd_etc_t, cupsd_rw_etc_t;
+ type hplip_etc_t;
')
files_search_etc($1)
- read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t })
+ read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
+ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
')
########################################
@@ -306,6 +309,29 @@ interface(`cups_stream_connect_ptal',`
########################################
##
+## Execute cupsd server in the cupsd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cupsd_systemctl',`
+ gen_require(`
+ type cupsd_t;
+ type cupsd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 cupsd_unit_file_t:file read_file_perms;
+ allow $1 cupsd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, cupsd_t)
+')
+
+########################################
+##
## Read the process state (/proc/pid) of cupsd.
##
##
@@ -344,18 +370,23 @@ interface(`cups_read_state',`
interface(`cups_admin',`
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+ type cupsd_etc_t, cupsd_log_t;
type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
- type hplip_t, ptal_t;
+ type ptal_t;
+ type cupsd_unit_file_t;
')
- allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
- allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms };
+ allow $1 { cups_pdf_t ptal_t }:process { signal_perms };
ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
- ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
+ ps_process_pattern($1, { cups_pdf_t ptal_t })
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace;
+ ')
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -368,13 +399,44 @@ interface(`cups_admin',`
logging_list_logs($1)
admin_pattern($1, cupsd_log_t)
- files_list_spool($1)
- admin_pattern($1, cupsd_spool_t)
-
files_list_tmp($1)
admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t })
-
- files_list_pids($1)
admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
+
+ cupsd_systemctl($1)
+ admin_pattern($1, cupsd_unit_file_t)
+ allow $1 cupsd_unit_file_t:service all_service_perms;
+')
+
+########################################
+##
+## Transition to cups named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cups_filetrans_named_content',`
+ gen_require(`
+ type cupsd_rw_etc_t;
+ type cupsd_etc_t;
+ ')
+
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
+ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
')
diff --git a/cups.te b/cups.te
index c91813c..f31fa44 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.16.2)
# Declarations
#
-type cupsd_config_t;
+attribute cups_domain;
+
+type cupsd_config_t, cups_domain;
type cupsd_config_exec_t;
init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
type cupsd_config_var_run_t;
files_pid_file(cupsd_config_var_run_t)
-type cupsd_t;
+type cupsd_t, cups_domain;
type cupsd_exec_t;
+typealias cupsd_t alias hplip_t;
+typealias cupsd_exec_t alias hplip_exec_t;
init_daemon_domain(cupsd_t, cupsd_exec_t)
mls_trusted_object(cupsd_t)
type cupsd_etc_t;
+typealias cupsd_etc_t alias hplip_etc_t;
files_config_file(cupsd_etc_t)
type cupsd_initrc_exec_t;
@@ -33,13 +38,15 @@ type cupsd_lock_t;
files_lock_file(cupsd_lock_t)
type cupsd_log_t;
+typealias cupsd_log_t alias hplip_var_log_t;
logging_log_file(cupsd_log_t)
-type cupsd_lpd_t;
+type cupsd_var_lib_t alias hplip_var_lib_t;
+files_type(cupsd_var_lib_t)
+
+type cupsd_lpd_t, cups_domain;
type cupsd_lpd_exec_t;
-domain_type(cupsd_lpd_t)
-domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
-role system_r types cupsd_lpd_t;
+init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
type cupsd_lpd_tmp_t;
files_tmp_file(cupsd_lpd_tmp_t)
@@ -47,7 +54,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
type cupsd_lpd_var_run_t;
files_pid_file(cupsd_lpd_var_run_t)
-type cups_pdf_t;
+type cups_pdf_t, cups_domain;
type cups_pdf_exec_t;
cups_backend(cups_pdf_t, cups_pdf_exec_t)
@@ -55,29 +62,17 @@ type cups_pdf_tmp_t;
files_tmp_file(cups_pdf_tmp_t)
type cupsd_tmp_t;
+typealias cupsd_tmp_t alias hplip_tmp_t;
files_tmp_file(cupsd_tmp_t)
type cupsd_var_run_t;
+typealias cupsd_var_run_t alias hplip_var_run_t;
files_pid_file(cupsd_var_run_t)
init_daemon_run_dir(cupsd_var_run_t, "cups")
mls_trusted_object(cupsd_var_run_t)
-type hplip_t;
-type hplip_exec_t;
-init_daemon_domain(hplip_t, hplip_exec_t)
-cups_backend(hplip_t, hplip_exec_t)
-
-type hplip_etc_t;
-files_config_file(hplip_etc_t)
-
-type hplip_tmp_t;
-files_tmp_file(hplip_tmp_t)
-
-type hplip_var_lib_t;
-files_type(hplip_var_lib_t)
-
-type hplip_var_run_t;
-files_pid_file(hplip_var_run_t)
+type cupsd_unit_file_t;
+systemd_unit_file(cupsd_unit_file_t)
type ptal_t;
type ptal_exec_t;
@@ -97,21 +92,49 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
')
+#######################################
+#
+# Cups general local policy
+#
+
+allow cups_domain self:capability { setuid setgid sys_nice };
+allow cups_domain self:process { getsched setsched signal_perms };
+allow cups_domain self:fifo_file rw_fifo_file_perms;
+allow cups_domain self:tcp_socket { accept listen };
+allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cups_domain)
+kernel_read_network_state(cups_domain)
+
+corecmd_exec_bin(cups_domain)
+corecmd_exec_shell(cups_domain)
+
+dev_read_urand(cups_domain)
+dev_read_rand(cups_domain)
+dev_read_sysfs(cups_domain)
+
+fs_getattr_all_fs(cups_domain)
+
+miscfiles_read_fonts(cups_domain)
+miscfiles_setattr_fonts_cache_dirs(cups_domain)
+
+optional_policy(`
+ lpd_manage_spool(cups_domain)
+')
+
########################################
#
# Cups local policy
#
-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
allow cupsd_t self:capability2 block_suspend;
-allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
-allow cupsd_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_t self:process { getpgid setpgid setsched };
allow cupsd_t self:unix_stream_socket { accept connectto listen };
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
allow cupsd_t self:shm create_shm_perms;
allow cupsd_t self:sem create_sem_perms;
-allow cupsd_t self:tcp_socket { accept listen };
allow cupsd_t self:appletalk_socket create_socket_perms;
allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
@@ -120,11 +143,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
+cups_filetrans_named_content(cupsd_t)
allow cupsd_t cupsd_exec_t:dir search_dir_perms;
allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
@@ -136,22 +161,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
+manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
+manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
+
manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file })
-allow cupsd_t hplip_t:process { signal sigkill };
-
-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+allow cupsd_t cupsd_unit_file_t:file read_file_perms;
-allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
@@ -159,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
kernel_read_system_state(cupsd_t)
-kernel_read_network_state(cupsd_t)
kernel_read_all_sysctls(cupsd_t)
kernel_request_load_module(cupsd_t)
-corenet_all_recvfrom_unlabeled(cupsd_t)
corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_generic_if(cupsd_t)
corenet_udp_sendrecv_generic_if(cupsd_t)
@@ -186,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_bind_all_rpc_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
-corecmd_exec_bin(cupsd_t)
-corecmd_exec_shell(cupsd_t)
+corenet_sendrecv_hplip_client_packets(cupsd_t)
+corenet_receive_hplip_server_packets(cupsd_t)
+corenet_tcp_bind_hplip_port(cupsd_t)
+corenet_tcp_connect_hplip_port(cupsd_t)
+corenet_tcp_bind_glance_port(cupsd_t)
+corenet_tcp_connect_glance_port(cupsd_t)
+
+corenet_sendrecv_ipp_client_packets(cupsd_t)
+corenet_tcp_connect_ipp_port(cupsd_t)
+
+corenet_sendrecv_howl_server_packets(cupsd_t)
+corenet_udp_bind_howl_port(cupsd_t)
dev_rw_printer(cupsd_t)
-dev_read_urand(cupsd_t)
-dev_read_sysfs(cupsd_t)
dev_rw_input_dev(cupsd_t)
dev_rw_generic_usb_dev(cupsd_t)
dev_rw_usbfs(cupsd_t)
@@ -203,7 +235,6 @@ domain_use_interactive_fds(cupsd_t)
files_getattr_boot_dirs(cupsd_t)
files_list_spool(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
-files_read_usr_files(cupsd_t)
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
@@ -212,16 +243,17 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
-files_write_generic_pid_pipes(cupsd_t)
files_dontaudit_getattr_all_tmp_files(cupsd_t)
files_dontaudit_list_home(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
+files_dontaudit_write_usr_dirs(cupsd_t)
-fs_getattr_all_fs(cupsd_t)
fs_search_auto_mountpoints(cupsd_t)
fs_search_fusefs(cupsd_t)
fs_read_anon_inodefs_files(cupsd_t)
+fs_rw_anon_inodefs_files(cupsd_t)
+fs_rw_inherited_tmpfs_files(cupsd_t)
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
@@ -232,6 +264,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
+term_use_ptmx(cupsd_t)
+term_use_usb_ttys(cupsd_t)
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
@@ -244,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
-libs_read_lib_files(cupsd_t)
libs_exec_lib_files(cupsd_t)
logging_send_audit_msgs(cupsd_t)
logging_send_syslog_msg(cupsd_t)
-miscfiles_read_localization(cupsd_t)
-miscfiles_read_fonts(cupsd_t)
-miscfiles_setattr_fonts_cache_dirs(cupsd_t)
-
seutil_read_config(cupsd_t)
sysnet_exec_ifconfig(cupsd_t)
+sysnet_dns_name_resolve(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_user_home_dirs(cupsd_t)
+userdom_dontaudit_search_user_home_content(cupsd_t)
+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
@@ -272,6 +305,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
+ init_dbus_chat(cupsd_t)
+
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
@@ -282,8 +317,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
+ # talk to processes that do not have policy
optional_policy(`
unconfined_dbus_chat(cupsd_t)
+ files_write_generic_pid_pipes(cupsd_t)
')
')
@@ -296,8 +333,8 @@ optional_policy(`
')
optional_policy(`
+ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
kerberos_manage_host_rcache(cupsd_t)
- kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
')
optional_policy(`
@@ -306,7 +343,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
- lpd_manage_spool(cupsd_t)
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
@@ -334,7 +370,11 @@ optional_policy(`
')
optional_policy(`
- virt_rw_all_image_chr_files(cupsd_t)
+ virt_rw_chr_files(cupsd_t)
+')
+
+optional_policy(`
+ vmware_read_system_config(cupsd_t)
')
########################################
@@ -342,12 +382,11 @@ optional_policy(`
# Configuration daemon local policy
#
-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
+allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
-allow cupsd_config_t self:process { getsched signal_perms };
-allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-allow cupsd_config_t self:tcp_socket { accept listen };
+allow cupsd_config_t self:process { getsched };
+domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
@@ -372,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
can_exec(cupsd_config_t, cupsd_config_exec_t)
-
-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+can_exec(cupsd_config_t, cupsd_exec_t)
kernel_read_system_state(cupsd_config_t)
kernel_read_all_sysctls(cupsd_config_t)
-corenet_all_recvfrom_unlabeled(cupsd_config_t)
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
@@ -392,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
-corecmd_exec_bin(cupsd_config_t)
-corecmd_exec_shell(cupsd_config_t)
-
-dev_read_sysfs(cupsd_config_t)
-dev_read_urand(cupsd_config_t)
-dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
files_read_etc_runtime_files(cupsd_config_t)
-files_read_usr_files(cupsd_config_t)
files_read_var_symlinks(cupsd_config_t)
files_search_all_mountpoints(cupsd_config_t)
-fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
@@ -417,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
-miscfiles_read_localization(cupsd_config_t)
-miscfiles_read_hwdata(cupsd_config_t)
-
-seutil_dontaudit_search_config(cupsd_config_t)
-
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
@@ -449,9 +473,12 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(cupsd_config_t)
+')
+
+optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
- hal_dontaudit_use_fds(hplip_t)
')
optional_policy(`
@@ -487,10 +514,6 @@ optional_policy(`
# Lpd local policy
#
-allow cupsd_lpd_t self:capability { setuid setgid };
-allow cupsd_lpd_t self:process signal_perms;
-allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
-allow cupsd_lpd_t self:tcp_socket { accept listen };
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
@@ -508,15 +531,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
-kernel_read_network_state(cupsd_lpd_t)
-corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
corenet_all_recvfrom_netlabel(cupsd_lpd_t)
corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
+corenet_tcp_bind_printer_port(cupsd_lpd_t)
+corenet_tcp_connect_printer_port(cupsd_lpd_t)
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
@@ -537,9 +560,6 @@ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
-miscfiles_read_localization(cupsd_lpd_t)
-miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
-
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
@@ -550,7 +570,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
-allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
@@ -566,148 +585,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
-files_read_usr_files(cups_pdf_t)
-
-corecmd_exec_bin(cups_pdf_t)
-corecmd_exec_shell(cups_pdf_t)
-
auth_use_nsswitch(cups_pdf_t)
-miscfiles_read_localization(cups_pdf_t)
-miscfiles_read_fonts(cups_pdf_t)
-miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
-
userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t)
-userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_filetrans_home_content(cups_pdf_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(cups_pdf_t)
fs_manage_nfs_files(cups_pdf_t)
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(cups_pdf_t)
- fs_manage_cifs_files(cups_pdf_t)
-')
+userdom_home_manager(cups_pdf_t)
optional_policy(`
- lpd_manage_spool(cups_pdf_t)
+ gnome_read_config(cups_pdf_t)
')
-########################################
-#
-# HPLIP local policy
-#
-
-allow hplip_t self:capability { dac_override dac_read_search net_raw };
-dontaudit hplip_t self:capability sys_tty_config;
-allow hplip_t self:fifo_file rw_fifo_file_perms;
-allow hplip_t self:process signal_perms;
-allow hplip_t self:tcp_socket { accept listen };
-allow hplip_t self:rawip_socket create_socket_perms;
-
-allow hplip_t cupsd_etc_t:dir search_dir_perms;
-
-manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file })
-
-allow hplip_t hplip_etc_t:dir list_dir_perms;
-allow hplip_t hplip_etc_t:file read_file_perms;
-allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
-
-manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-
-manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
-
-manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
-files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-
-stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
-
-kernel_read_system_state(hplip_t)
-kernel_read_kernel_sysctls(hplip_t)
-
-corenet_all_recvfrom_unlabeled(hplip_t)
-corenet_all_recvfrom_netlabel(hplip_t)
-corenet_tcp_sendrecv_generic_if(hplip_t)
-corenet_udp_sendrecv_generic_if(hplip_t)
-corenet_raw_sendrecv_generic_if(hplip_t)
-corenet_tcp_sendrecv_generic_node(hplip_t)
-corenet_udp_sendrecv_generic_node(hplip_t)
-corenet_raw_sendrecv_generic_node(hplip_t)
-corenet_tcp_sendrecv_all_ports(hplip_t)
-corenet_udp_sendrecv_all_ports(hplip_t)
-corenet_tcp_bind_generic_node(hplip_t)
-corenet_udp_bind_generic_node(hplip_t)
-
-corenet_sendrecv_hplip_client_packets(hplip_t)
-corenet_receive_hplip_server_packets(hplip_t)
-corenet_tcp_bind_hplip_port(hplip_t)
-corenet_tcp_connect_hplip_port(hplip_t)
-
-corenet_sendrecv_ipp_client_packets(hplip_t)
-corenet_tcp_connect_ipp_port(hplip_t)
-
-corenet_sendrecv_howl_server_packets(hplip_t)
-corenet_udp_bind_howl_port(hplip_t)
-
-corecmd_exec_bin(hplip_t)
-
-dev_read_sysfs(hplip_t)
-dev_rw_printer(hplip_t)
-dev_read_urand(hplip_t)
-dev_read_rand(hplip_t)
-dev_rw_generic_usb_dev(hplip_t)
-dev_rw_usbfs(hplip_t)
-
-domain_use_interactive_fds(hplip_t)
-
-files_read_etc_files(hplip_t)
-files_read_etc_runtime_files(hplip_t)
-files_read_usr_files(hplip_t)
-
-fs_getattr_all_fs(hplip_t)
-fs_search_auto_mountpoints(hplip_t)
-fs_rw_anon_inodefs_files(hplip_t)
-
-logging_send_syslog_msg(hplip_t)
-
-miscfiles_read_localization(hplip_t)
-
-sysnet_dns_name_resolve(hplip_t)
-
-userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_user_home_dirs(hplip_t)
-userdom_dontaudit_search_user_home_content(hplip_t)
-
-optional_policy(`
- dbus_system_bus_client(hplip_t)
-
- optional_policy(`
- userdom_dbus_send_all_users(hplip_t)
- ')
-')
-
-optional_policy(`
- lpd_read_config(hplip_t)
- lpd_manage_spool(hplip_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(hplip_t)
-')
-
-optional_policy(`
- snmp_read_snmp_var_lib_files(hplip_t)
-')
-
-optional_policy(`
- udev_read_db(hplip_t)
-')
########################################
#
@@ -735,7 +629,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
-corenet_all_recvfrom_unlabeled(ptal_t)
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
@@ -745,13 +638,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
-dev_read_sysfs(ptal_t)
dev_read_usbfs(ptal_t)
dev_rw_printer(ptal_t)
domain_use_interactive_fds(ptal_t)
-files_read_etc_files(ptal_t)
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
@@ -759,8 +650,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
-miscfiles_read_localization(ptal_t)
-
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
@@ -773,3 +662,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
+
diff --git a/cvs.if b/cvs.if
index 64775fd..bff3111 100644
--- a/cvs.if
+++ b/cvs.if
@@ -1,5 +1,23 @@
## Concurrent versions system.
+######################################
+##
+## Dontaudit Attempts to list the CVS data and metadata.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`cvs_dontaudit_list_data',`
+ gen_require(`
+ type cvs_data_t;
+ ')
+
+ dontaudit $1 cvs_data_t:dir list_dir_perms;
+')
+
########################################
##
## Read CVS data and metadata content.
@@ -62,9 +80,14 @@ interface(`cvs_admin',`
type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
')
- allow $1 cvs_t:process { ptrace signal_perms };
+ allow $1 cvs_t:process signal_perms;
ps_process_pattern($1, cvs_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cvs_t:process ptrace;
+ ')
+
+ # Allow cvs_t to restart the apache service
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cvs_initrc_exec_t system_r;
diff --git a/cvs.te b/cvs.te
index 0f77550..f98a932 100644
--- a/cvs.te
+++ b/cvs.te
@@ -11,7 +11,7 @@ policy_module(cvs, 1.10.2)
## password files.
##
##
-gen_tunable(allow_cvs_read_shadow, false)
+gen_tunable(cvs_read_shadow, false)
type cvs_t;
type cvs_exec_t;
@@ -74,6 +74,15 @@ corenet_tcp_sendrecv_cvs_port(cvs_t)
corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)
+corenet_all_recvfrom_netlabel(cvs_t)
+corenet_tcp_sendrecv_generic_if(cvs_t)
+corenet_udp_sendrecv_generic_if(cvs_t)
+corenet_tcp_sendrecv_generic_node(cvs_t)
+corenet_udp_sendrecv_generic_node(cvs_t)
+corenet_tcp_sendrecv_all_ports(cvs_t)
+corenet_udp_sendrecv_all_ports(cvs_t)
+corenet_tcp_bind_cvs_port(cvs_t)
+
dev_read_urand(cvs_t)
files_read_etc_runtime_files(cvs_t)
@@ -86,18 +95,18 @@ auth_use_nsswitch(cvs_t)
init_read_utmp(cvs_t)
+init_dontaudit_read_utmp(cvs_t)
+
logging_send_syslog_msg(cvs_t)
logging_send_audit_msgs(cvs_t)
-miscfiles_read_localization(cvs_t)
-
mta_send_mail(cvs_t)
userdom_dontaudit_search_user_home_dirs(cvs_t)
# cjp: typeattribute doesnt work in conditionals yet
auth_can_read_shadow_passwords(cvs_t)
-tunable_policy(`allow_cvs_read_shadow',`
+tunable_policy(`cvs_read_shadow',`
allow cvs_t self:capability dac_override;
auth_tunable_read_shadow(cvs_t)
')
@@ -120,4 +129,5 @@ optional_policy(`
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
diff --git a/cyphesis.te b/cyphesis.te
index 77ffc73..86e11f5 100644
--- a/cyphesis.te
+++ b/cyphesis.te
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
corecmd_search_bin(cyphesis_t)
corecmd_getattr_bin_files(cyphesis_t)
-corenet_all_recvfrom_unlabeled(cyphesis_t)
corenet_tcp_sendrecv_generic_if(cyphesis_t)
corenet_tcp_sendrecv_generic_node(cyphesis_t)
corenet_tcp_bind_generic_node(cyphesis_t)
@@ -61,13 +60,9 @@ dev_read_urand(cyphesis_t)
domain_use_interactive_fds(cyphesis_t)
-files_read_etc_files(cyphesis_t)
-files_read_usr_files(cyphesis_t)
logging_send_syslog_msg(cyphesis_t)
-miscfiles_read_localization(cyphesis_t)
-
sysnet_dns_name_resolve(cyphesis_t)
optional_policy(`
diff --git a/cyrus.if b/cyrus.if
index 83bfda6..92d9fb2 100644
--- a/cyrus.if
+++ b/cyrus.if
@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
')
+#######################################
+##
+## Allow write cyrus data files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cyrus_write_data',`
+ gen_require(`
+ type cyrus_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
+')
+
########################################
##
## Connect to Cyrus using a unix
@@ -64,9 +83,13 @@ interface(`cyrus_admin',`
type cyrus_keytab_t;
')
- allow $1 cyrus_t:process { ptrace signal_perms };
+ allow $1 cyrus_t:process signal_perms;
ps_process_pattern($1, cyrus_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cyrus_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cyrus_initrc_exec_t system_r;
diff --git a/cyrus.te b/cyrus.te
index 4283f2d..0632ef7 100644
--- a/cyrus.te
+++ b/cyrus.te
@@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t)
# Local policy
#
-allow cyrus_t self:capability { dac_override setgid setuid sys_resource };
+allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource };
dontaudit cyrus_t self:capability sys_tty_config;
allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow cyrus_t self:process setrlimit;
@@ -63,7 +63,6 @@ kernel_read_kernel_sysctls(cyrus_t)
kernel_read_system_state(cyrus_t)
kernel_read_all_sysctls(cyrus_t)
-corenet_all_recvfrom_unlabeled(cyrus_t)
corenet_all_recvfrom_netlabel(cyrus_t)
corenet_tcp_sendrecv_generic_if(cyrus_t)
corenet_tcp_sendrecv_generic_node(cyrus_t)
@@ -76,6 +75,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
corenet_sendrecv_lmtp_server_packets(cyrus_t)
corenet_tcp_bind_lmtp_port(cyrus_t)
+corenet_sendrecv_innd_server_packets(cyrus_t)
+corenet_tcp_bind_innd_port(cyrus_t)
+
corenet_sendrecv_pop_server_packets(cyrus_t)
corenet_tcp_bind_pop_port(cyrus_t)
@@ -95,8 +97,6 @@ domain_use_interactive_fds(cyrus_t)
files_list_var_lib(cyrus_t)
files_read_etc_runtime_files(cyrus_t)
-files_read_usr_files(cyrus_t)
-files_dontaudit_write_usr_dirs(cyrus_t)
fs_getattr_all_fs(cyrus_t)
fs_search_auto_mountpoints(cyrus_t)
@@ -107,7 +107,6 @@ libs_exec_lib_files(cyrus_t)
logging_send_syslog_msg(cyrus_t)
-miscfiles_read_localization(cyrus_t)
miscfiles_read_generic_certs(cyrus_t)
userdom_use_unpriv_users_fds(cyrus_t)
@@ -121,6 +120,10 @@ optional_policy(`
')
optional_policy(`
+ dirsrv_stream_connect(cyrus_t)
+')
+
+optional_policy(`
kerberos_read_keytab(cyrus_t)
kerberos_use(cyrus_t)
')
@@ -134,8 +137,8 @@ optional_policy(`
')
optional_policy(`
- snmp_read_snmp_var_lib_files(cyrus_t)
- snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ files_dontaudit_write_usr_dirs(cyrus_t)
+ snmp_manage_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
')
diff --git a/daemontools.if b/daemontools.if
index 3b3d9a0..6c8106a 100644
--- a/daemontools.if
+++ b/daemontools.if
@@ -218,3 +218,4 @@ interface(`daemontools_manage_svc',`
allow $1 svc_svc_t:file manage_file_perms;
allow $1 svc_svc_t:lnk_file manage_lnk_file_perms;
')
+
diff --git a/daemontools.te b/daemontools.te
index ee1b4aa..2fd746e 100644
--- a/daemontools.te
+++ b/daemontools.te
@@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld;
allow svc_multilog_t svc_start_t:fd use;
allow svc_multilog_t svc_start_t:fifo_file rw_fifo_file_perms;
+term_write_console(svc_multilog_t)
+
init_use_fds(svc_multilog_t)
+init_dontaudit_use_script_fds(svc_multilog_t)
logging_manage_generic_logs(svc_multilog_t)
@@ -77,7 +80,8 @@ dev_read_urand(svc_run_t)
corecmd_exec_bin(svc_run_t)
corecmd_exec_shell(svc_run_t)
-files_read_etc_files(svc_run_t)
+term_write_console(svc_run_t)
+
files_read_etc_runtime_files(svc_run_t)
files_search_pids(svc_run_t)
files_search_var_lib(svc_run_t)
@@ -109,6 +113,7 @@ allow svc_start_t svc_run_t:process { signal setrlimit };
can_exec(svc_start_t, svc_start_exec_t)
+mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t)
kernel_read_kernel_sysctls(svc_start_t)
@@ -117,11 +122,13 @@ kernel_read_system_state(svc_start_t)
corecmd_exec_bin(svc_start_t)
corecmd_exec_shell(svc_start_t)
-files_read_etc_files(svc_start_t)
+corenet_tcp_bind_generic_node(svc_start_t)
+corenet_tcp_bind_generic_port(svc_start_t)
+
+term_write_console(svc_start_t)
+
files_read_etc_runtime_files(svc_start_t)
files_search_var(svc_start_t)
files_search_pids(svc_start_t)
logging_send_syslog_msg(svc_start_t)
-
-miscfiles_read_localization(svc_start_t)
diff --git a/dante.te b/dante.te
index 5a5e290..6321a1d 100644
--- a/dante.te
+++ b/dante.te
@@ -53,7 +53,6 @@ dev_read_sysfs(dante_t)
domain_use_interactive_fds(dante_t)
-files_read_etc_files(dante_t)
files_read_etc_runtime_files(dante_t)
fs_getattr_all_fs(dante_t)
diff --git a/dbadm.te b/dbadm.te
index b60c464..3a5246a 100644
--- a/dbadm.te
+++ b/dbadm.te
@@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false)
role dbadm_r;
-userdom_base_user_template(dbadm)
+userdom_confined_admin_template(dbadm)
########################################
#
# Local policy
#
-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+allow dbadm_t self:capability { dac_override dac_read_search };
files_dontaudit_search_all_dirs(dbadm_t)
files_delete_generic_locks(dbadm_t)
@@ -39,6 +39,7 @@ files_list_var(dbadm_t)
selinux_get_enforce_mode(dbadm_t)
logging_send_syslog_msg(dbadm_t)
+logging_send_audit_msgs(dbadm_t)
userdom_dontaudit_search_user_home_dirs(dbadm_t)
@@ -60,3 +61,7 @@ optional_policy(`
optional_policy(`
postgresql_admin(dbadm_t, dbadm_r)
')
+
+optional_policy(`
+ sudo_role_template(dbadm, dbadm_r, dbadm_t)
+')
diff --git a/dbskk.te b/dbskk.te
index f55c420..e9d64ab 100644
--- a/dbskk.te
+++ b/dbskk.te
@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t)
kernel_read_system_state(dbskkd_t)
kernel_read_network_state(dbskkd_t)
-corenet_all_recvfrom_unlabeled(dbskkd_t)
corenet_all_recvfrom_netlabel(dbskkd_t)
corenet_tcp_sendrecv_generic_if(dbskkd_t)
corenet_udp_sendrecv_generic_if(dbskkd_t)
@@ -49,10 +48,7 @@ dev_read_urand(dbskkd_t)
fs_getattr_xattr_fs(dbskkd_t)
-files_read_etc_files(dbskkd_t)
auth_use_nsswitch(dbskkd_t)
logging_send_syslog_msg(dbskkd_t)
-
-miscfiles_read_localization(dbskkd_t)
diff --git a/dbus.fc b/dbus.fc
index dda905b..31f269b 100644
--- a/dbus.fc
+++ b/dbus.fc
@@ -1,20 +1,26 @@
-HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
+/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
-/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
+/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_redhat',`
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
-/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_debian',`
+/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
-/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_gentoo',`
+/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
-/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
-/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
-
-/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
-/var/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+ifdef(`distro_redhat',`
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
index 62d22cb..fefd4b4 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
-## Desktop messaging bus.
+## Desktop messaging bus
########################################
##
@@ -19,7 +19,7 @@ interface(`dbus_stub',`
########################################
##
-## Role access for dbus.
+## Role access for dbus
##
##
##
@@ -41,59 +41,68 @@ interface(`dbus_stub',`
template(`dbus_role_template',`
gen_require(`
class dbus { send_msg acquire_svc };
- attribute session_bus_type;
- type system_dbusd_t, dbusd_exec_t;
- type session_dbusd_tmp_t, session_dbusd_home_t;
+ attribute dbusd_unconfined, session_bus_type;
+ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+ type $1_t;
')
##############################
#
- # Declarations
+ # Delcarations
#
type $1_dbusd_t, session_bus_type;
- domain_type($1_dbusd_t)
- domain_entry_file($1_dbusd_t, dbusd_exec_t)
+ application_domain($1_dbusd_t, dbusd_exec_t)
ubac_constrained($1_dbusd_t)
-
role $2 types $1_dbusd_t;
+ kernel_read_system_state($1_dbusd_t)
+
+ selinux_get_fs_mount($1_dbusd_t)
+
+ userdom_home_manager($1_dbusd_t)
+
##############################
#
# Local policy
#
+ # For connecting to the bus
allow $3 $1_dbusd_t:unix_stream_socket connectto;
- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
- allow $3 $1_dbusd_t:fd use;
-
- allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
- userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
+ # SE-DBus specific permissions
+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
ps_process_pattern($3, $1_dbusd_t)
- allow $3 $1_dbusd_t:process { ptrace signal_perms };
+ allow $3 $1_dbusd_t:process signal_perms;
- allow $1_dbusd_t $3:process sigkill;
+ tunable_policy(`deny_ptrace',`',`
+ allow $3 $1_dbusd_t:process ptrace;
+ ')
- corecmd_bin_domtrans($1_dbusd_t, $3)
- corecmd_shell_domtrans($1_dbusd_t, $3)
+ # cjp: this seems very broken
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
+ corecmd_shell_domtrans($1_dbusd_t, $1_t)
+ allow $1_dbusd_t $3:process sigkill;
+ allow $3 $1_dbusd_t:fd use;
+ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
auth_use_nsswitch($1_dbusd_t)
- ifdef(`hide_broken_symptoms',`
- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+ logging_send_syslog_msg($1_dbusd_t)
+
+ optional_policy(`
+ mozilla_domtrans_spec($1_dbusd_t, $1_t)
')
')
#######################################
##
## Template for creating connections to
-## the system bus.
+## the system DBUS.
##
##
##
@@ -103,65 +112,29 @@ template(`dbus_role_template',`
#
interface(`dbus_system_bus_client',`
gen_require(`
- attribute dbusd_system_bus_client;
- type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t;
+ type system_dbusd_t, system_dbusd_t;
+ type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
+ attribute dbusd_unconfined;
')
- typeattribute $1 dbusd_system_bus_client;
-
+ # SE-DBus specific permissions
allow $1 { system_dbusd_t self }:dbus send_msg;
- allow system_dbusd_t $1:dbus send_msg;
+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
- files_search_var_lib($1)
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ files_search_var_lib($1)
+ # For connecting to the bus
files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
-
dbus_read_config($1)
')
#######################################
##
-## Acquire service on DBUS
-## session bus.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`dbus_connect_session_bus',`
- refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.')
- dbus_connect_all_session_bus($1)
-')
-
-#######################################
-##
-## Acquire service on all DBUS
-## session busses.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`dbus_connect_all_session_bus',`
- gen_require(`
- attribute session_bus_type;
- class dbus acquire_svc;
- ')
-
- allow $1 session_bus_type:dbus acquire_svc;
-')
-
-#######################################
-##
-## Acquire service on specified
-## DBUS session bus.
+## Creating connections to specified
+## DBUS sessions.
##
##
##
@@ -175,19 +148,21 @@ interface(`dbus_connect_all_session_bus',`
##
##
#
-interface(`dbus_connect_spec_session_bus',`
+interface(`dbus_session_client',`
gen_require(`
+ class dbus send_msg;
type $1_dbusd_t;
- class dbus acquire_svc;
')
- allow $2 $1_dbusd_t:dbus acquire_svc;
+ allow $2 $1_dbusd_t:fd use;
+ allow $2 { $1_dbusd_t self }:dbus send_msg;
+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
')
#######################################
##
-## Creating connections to DBUS
-## session bus.
+## Template for creating connections to
+## a user DBUS.
##
##
##
@@ -196,72 +171,23 @@ interface(`dbus_connect_spec_session_bus',`
##
#
interface(`dbus_session_bus_client',`
- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.')
- dbus_all_session_bus_client($1)
-')
-
-#######################################
-##
-## Creating connections to all
-## DBUS session busses.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`dbus_all_session_bus_client',`
gen_require(`
- attribute session_bus_type, dbusd_session_bus_client;
+ attribute session_bus_type;
class dbus send_msg;
')
- typeattribute $1 dbusd_session_bus_client;
-
+ # SE-DBus specific permissions
allow $1 { session_bus_type self }:dbus send_msg;
- allow session_bus_type $1:dbus send_msg;
-
- allow $1 session_bus_type:unix_stream_socket connectto;
- allow $1 session_bus_type:fd use;
-')
-#######################################
-##
-## Creating connections to specified
-## DBUS session bus.
-##
-##
-##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`dbus_spec_session_bus_client',`
- gen_require(`
- attribute dbusd_session_bus_client;
- type $1_dbusd_t;
- class dbus send_msg;
- ')
-
- typeattribute $2 dbusd_session_bus_client;
-
- allow $2 { $1_dbusd_t self }:dbus send_msg;
- allow $1_dbusd_t $2:dbus send_msg;
+ # For connecting to the bus
+ allow $1 session_bus_type:unix_stream_socket connectto;
- allow $2 $1_dbusd_t:unix_stream_socket connectto;
- allow $2 $1_dbusd_t:fd use;
+ allow session_bus_type $1:process sigkill;
')
-#######################################
+########################################
##
-## Send messages to DBUS session bus.
+## Send a message the session DBUS.
##
##
##
@@ -270,59 +196,17 @@ interface(`dbus_spec_session_bus_client',`
##
#
interface(`dbus_send_session_bus',`
- refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.')
- dbus_send_all_session_bus($1)
-')
-
-#######################################
-##
-## Send messages to all DBUS
-## session busses.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`dbus_send_all_session_bus',`
gen_require(`
attribute session_bus_type;
class dbus send_msg;
')
- allow $1 dbus_session_bus_type:dbus send_msg;
-')
-
-#######################################
-##
-## Send messages to specified
-## DBUS session busses.
-##
-##
-##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`dbus_send_spec_session_bus',`
- gen_require(`
- type $1_dbusd_t;
- class dbus send_msg;
- ')
-
- allow $2 $1_dbusd_t:dbus send_msg;
+ allow $1 session_bus_type:dbus send_msg;
')
########################################
##
-## Read dbus configuration content.
+## Read dbus configuration.
##
##
##
@@ -381,69 +265,32 @@ interface(`dbus_manage_lib_files',`
########################################
##
-## Allow a application domain to be
-## started by the specified session bus.
-##
-##
-##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
-##
-##
-##
-##
-## Type to be used as a domain.
-##
-##
-##
-##
-## Type of the program to be used as an
-## entry point to this domain.
-##
-##
-#
-interface(`dbus_session_domain',`
- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.')
- dbus_all_session_domain($1, $2)
-')
-
-########################################
-##
-## Allow a application domain to be
-## started by the specified session bus.
+## Connect to the system DBUS
+## for service (acquire_svc).
##
##
##
-## Type to be used as a domain.
-##
-##
-##
-##
-## Type of the program to be used as an
-## entry point to this domain.
+## Domain allowed access.
##
##
#
-interface(`dbus_all_session_domain',`
+interface(`dbus_connect_session_bus',`
gen_require(`
- type session_bus_type;
+ attribute session_bus_type;
+ class dbus acquire_svc;
')
- domtrans_pattern(session_bus_type, $2, $1)
-
- dbus_all_session_bus_client($1)
- dbus_connect_all_session_bus($1)
+ allow $1 session_bus_type:dbus acquire_svc;
')
########################################
##
-## Allow a application domain to be
-## started by the specified session bus.
+## Allow a application domain to be started
+## by the session dbus.
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## User domain prefix to be used.
##
##
##
@@ -458,20 +305,21 @@ interface(`dbus_all_session_domain',`
##
##
#
-interface(`dbus_spec_session_domain',`
+interface(`dbus_session_domain',`
gen_require(`
type $1_dbusd_t;
')
domtrans_pattern($1_dbusd_t, $2, $3)
- dbus_spec_session_bus_client($1, $2)
- dbus_connect_spec_session_bus($1, $2)
+ dbus_session_bus_client($3)
+ dbus_connect_session_bus($3)
')
########################################
##
-## Acquire service on the DBUS system bus.
+## Connect to the system DBUS
+## for service (acquire_svc).
##
##
##
@@ -490,7 +338,7 @@ interface(`dbus_connect_system_bus',`
########################################
##
-## Send messages to the DBUS system bus.
+## Send a message on the system DBUS.
##
##
##
@@ -509,7 +357,7 @@ interface(`dbus_send_system_bus',`
########################################
##
-## Unconfined access to DBUS system bus.
+## Allow unconfined access to the system DBUS.
##
##
##
@@ -528,8 +376,8 @@ interface(`dbus_system_bus_unconfined',`
########################################
##
-## Create a domain for processes which
-## can be started by the DBUS system bus.
+## Create a domain for processes
+## which can be started by the system dbus
##
##
##
@@ -544,33 +392,24 @@ interface(`dbus_system_bus_unconfined',`
#
interface(`dbus_system_domain',`
gen_require(`
+ attribute system_bus_type;
type system_dbusd_t;
role system_r;
')
+ typeattribute $1 system_bus_type;
domain_type($1)
domain_entry_file($1, $2)
- role system_r types $1;
-
domtrans_pattern(system_dbusd_t, $2, $1)
- dbus_system_bus_client($1)
- dbus_connect_system_bus($1)
-
- ps_process_pattern(system_dbusd_t, $1)
-
- userdom_read_all_users_state($1)
+ ps_process_pattern($1, system_dbusd_t)
- ifdef(`hide_broken_symptoms', `
- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
- ')
')
########################################
##
-## Use and inherit DBUS system bus
-## file descriptors.
+## Use and inherit system DBUS file descriptors.
##
##
##
@@ -588,26 +427,25 @@ interface(`dbus_use_system_bus_fds',`
########################################
##
-## Do not audit attempts to read and
-## write DBUS system bus TCP sockets.
+## Allow unconfined access to the system DBUS.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+interface(`dbus_unconfined',`
gen_require(`
- type system_dbusd_t;
+ attribute dbusd_unconfined;
')
- dontaudit $1 system_dbusd_t:tcp_socket { read write };
+ typeattribute $1 dbusd_unconfined;
')
########################################
##
-## Unconfined access to DBUS.
+## Delete all dbus pid files
##
##
##
@@ -615,10 +453,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
##
##
#
-interface(`dbus_unconfined',`
+interface(`dbus_delete_pid_files',`
gen_require(`
- attribute dbusd_unconfined;
+ type system_dbusd_var_run_t;
')
- typeattribute $1 dbusd_unconfined;
+ files_search_pids($1)
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
+########################################
+##
+## Read all dbus pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_read_pid_files',`
+ gen_require(`
+ type system_dbusd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
+########################################
+##
+## Do not audit attempts to connect to
+## session bus types with a unix
+## stream socket.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dbus_dontaudit_stream_connect_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ ')
+
+ dontaudit $1 session_bus_type:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Do not audit attempts to send dbus
+## messages to session bus types.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dbus_dontaudit_chat_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 session_bus_type:dbus send_msg;
+')
+
+########################################
+##
+## Do not audit attempts to send dbus
+## messages to system bus types.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dbus_dontaudit_chat_system_bus',`
+ gen_require(`
+ attribute system_bus_type;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 system_bus_type:dbus send_msg;
+ dontaudit system_bus_type $1:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
index c9998c8..163708f 100644
--- a/dbus.te
+++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
class dbus all_dbus_perms;
')
-########################################
+##############################
#
-# Declarations
+# Delcarations
#
attribute dbusd_unconfined;
+attribute system_bus_type;
attribute session_bus_type;
-attribute dbusd_system_bus_client;
-attribute dbusd_session_bus_client;
-
type dbusd_etc_t;
files_config_file(dbusd_etc_t)
@@ -22,9 +20,6 @@ type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
typealias dbusd_exec_t alias system_dbusd_exec_t;
-type session_dbusd_home_t;
-userdom_user_home_content(session_dbusd_home_t)
-
type session_dbusd_tmp_t;
typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
-init_daemon_run_dir(system_dbusd_var_run_t, "dbus")
+init_sock_file(system_dbusd_var_run_t)
+mls_trusted_object(system_dbusd_var_run_t)
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
@@ -51,59 +47,61 @@ ifdef(`enable_mls',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
')
-########################################
+##############################
#
-# Local policy
+# System bus local policy
#
+# dac_override: /var/run/dbus is owned by messagebus on Debian
+# cjp: dac_override should probably go in a distro_debian
+allow system_dbusd_t self:capability2 block_suspend;
allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
-allow system_dbusd_t self:unix_stream_socket { accept connectto listen };
+allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
+# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
+can_exec(system_dbusd_t, dbusd_exec_t)
+
allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
-
-can_exec(system_dbusd_t, dbusd_exec_t)
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
-corecmd_list_bin(system_dbusd_t)
-corecmd_read_bin_pipes(system_dbusd_t)
-corecmd_read_bin_sockets(system_dbusd_t)
-corecmd_exec_shell(system_dbusd_t)
-
dev_read_urand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)
-domain_use_interactive_fds(system_dbusd_t)
-domain_read_all_domains_state(system_dbusd_t)
+dev_rw_inherited_input_dev(system_dbusd_t)
+dev_rw_inherited_dri(system_dbusd_t)
-files_list_home(system_dbusd_t)
-files_read_usr_files(system_dbusd_t)
+files_rw_inherited_non_security_files(system_dbusd_t)
fs_getattr_all_fs(system_dbusd_t)
fs_list_inotifyfs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
-fs_search_cgroup_dirs(system_dbusd_t)
fs_dontaudit_list_nfs(system_dbusd_t)
+storage_rw_inherited_fixed_disk_dev(system_dbusd_t)
+storage_rw_inherited_removable_device(system_dbusd_t)
+
+mls_trusted_object(system_dbusd_t)
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
@@ -123,66 +121,159 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
+corecmd_list_bin(system_dbusd_t)
+corecmd_read_bin_pipes(system_dbusd_t)
+corecmd_read_bin_sockets(system_dbusd_t)
+# needed for system-tools-backends
+corecmd_exec_shell(system_dbusd_t)
+
+domain_use_interactive_fds(system_dbusd_t)
+domain_read_all_domains_state(system_dbusd_t)
+
+files_list_home(system_dbusd_t)
+
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
-init_all_labeled_script_domtrans(system_dbusd_t)
+init_bin_domtrans_spec(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
+init_rw_stream_sockets(system_dbusd_t)
+init_status(system_dbusd_t)
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-miscfiles_read_localization(system_dbusd_t)
miscfiles_read_generic_certs(system_dbusd_t)
seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)
+seutil_sigchld_newrole(system_dbusd_t)
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
+userdom_home_reader(system_dbusd_t)
+
+optional_policy(`
+ bind_domtrans(system_dbusd_t)
+')
+
optional_policy(`
bluetooth_stream_connect(system_dbusd_t)
')
optional_policy(`
- policykit_read_lib(system_dbusd_t)
+ cpufreqselector_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
+ getty_start_services(system_dbusd_t)
+')
+
+optional_policy(`
+ gnome_exec_gconf(system_dbusd_t)
+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(system_dbusd_t)
+')
+
+optional_policy(`
+ networkmanager_initrc_domtrans(system_dbusd_t)
+ networkmanager_systemctl(system_dbusd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(system_dbusd_t)
+ policykit_domtrans_auth(system_dbusd_t)
+ policykit_search_lib(system_dbusd_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_dhcpc(system_dbusd_t)
')
optional_policy(`
- seutil_sigchld_newrole(system_dbusd_t)
+ systemd_use_fds_logind(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_inhibit_pipes(system_dbusd_t)
+# These are caused by broken systemd patch
+ systemd_start_power_services(system_dbusd_t)
+ systemd_config_all_services(system_dbusd_t)
+ files_config_all_files(system_dbusd_t)
')
optional_policy(`
udev_read_db(system_dbusd_t)
')
+optional_policy(`
+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+ xserver_read_inherited_xdm_lib_files(system_dbusd_t)
+')
+
########################################
#
-# Common session bus local policy
+# system_bus_type rules
#
+role system_r types system_bus_type;
+
+fs_search_all(system_bus_type)
+
+dbus_system_bus_client(system_bus_type)
+dbus_connect_system_bus(system_bus_type)
+
+init_status(system_bus_type)
+init_stream_connect(system_bus_type)
+init_dgram_send(system_bus_type)
+init_use_fds(system_bus_type)
+init_rw_stream_sockets(system_bus_type)
+
+ps_process_pattern(system_dbusd_t, system_bus_type)
+
+userdom_dontaudit_search_admin_dir(system_bus_type)
+userdom_read_all_users_state(system_bus_type)
+
+optional_policy(`
+ abrt_stream_connect(system_bus_type)
+')
+
+optional_policy(`
+ rpm_script_dbus_chat(system_bus_type)
+')
+
+optional_policy(`
+ unconfined_dbus_send(system_bus_type)
+')
+ifdef(`hide_broken_symptoms',`
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
+
+########################################
+#
+# session_bus_type rules
+#
+allow session_bus_type self:capability2 block_suspend;
dontaudit session_bus_type self:capability sys_resource;
allow session_bus_type self:process { getattr sigkill signal };
-dontaudit session_bus_type self:process { ptrace setrlimit };
+dontaudit session_bus_type self:process setrlimit;
allow session_bus_type self:file { getattr read write };
allow session_bus_type self:fifo_file rw_fifo_file_perms;
allow session_bus_type self:dbus { send_msg acquire_svc };
-allow session_bus_type self:unix_stream_socket { accept listen };
-allow session_bus_type self:tcp_socket { accept listen };
+allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
+allow session_bus_type self:unix_dgram_socket create_socket_perms;
+allow session_bus_type self:tcp_socket create_stream_socket_perms;
allow session_bus_type self:netlink_selinux_socket create_socket_perms;
allow session_bus_type dbusd_etc_t:dir list_dir_perms;
read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
-manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
-manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
-userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus")
-
manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
-files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
-kernel_read_system_state(session_bus_type)
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
@@ -191,23 +282,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
-corenet_all_recvfrom_unlabeled(session_bus_type)
-corenet_all_recvfrom_netlabel(session_bus_type)
corenet_tcp_sendrecv_generic_if(session_bus_type)
corenet_tcp_sendrecv_generic_node(session_bus_type)
corenet_tcp_sendrecv_all_ports(session_bus_type)
corenet_tcp_bind_generic_node(session_bus_type)
-
-corenet_sendrecv_all_server_packets(session_bus_type)
corenet_tcp_bind_reserved_port(session_bus_type)
dev_read_urand(session_bus_type)
-domain_read_all_domains_state(session_bus_type)
domain_use_interactive_fds(session_bus_type)
+domain_read_all_domains_state(session_bus_type)
files_list_home(session_bus_type)
-files_read_usr_files(session_bus_type)
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
@@ -215,7 +301,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
-selinux_get_fs_mount(session_bus_type)
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
@@ -225,18 +310,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
-logging_send_syslog_msg(session_bus_type)
-
-miscfiles_read_localization(session_bus_type)
seutil_read_config(session_bus_type)
seutil_read_default_contexts(session_bus_type)
-term_use_all_terms(session_bus_type)
+term_use_all_inherited_terms(session_bus_type)
+
+userdom_dontaudit_search_admin_dir(session_bus_type)
+userdom_manage_user_home_content_dirs(session_bus_type)
+userdom_manage_user_home_content_files(session_bus_type)
+userdom_manage_tmpfs_files(session_bus_type, file)
+userdom_tmpfs_filetrans(session_bus_type, file)
optional_policy(`
- xserver_use_xdm_fds(session_bus_type)
+ gnome_read_config(session_bus_type)
+ gnome_read_gconf_home_files(session_bus_type)
+')
+
+optional_policy(`
+ hal_dbus_chat(session_bus_type)
+')
+
+optional_policy(`
+ thumb_domtrans(session_bus_type)
+')
+
+optional_policy(`
+ xserver_search_xdm_lib(session_bus_type)
xserver_rw_xdm_pipes(session_bus_type)
+ xserver_use_xdm_fds(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
')
########################################
@@ -244,5 +347,6 @@ optional_policy(`
# Unconfined access to this module
#
-allow dbusd_unconfined { system_dbusd_t session_bus_type dbusd_session_bus_client dbusd_system_bus_client }:dbus all_dbus_perms;
-allow { dbusd_session_bus_client dbusd_system_bus_client } dbusd_unconfined:dbus send_msg;
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
diff --git a/dcc.fc b/dcc.fc
index 62d3c4e..cef59a7 100644
--- a/dcc.fc
+++ b/dcc.fc
@@ -10,6 +10,8 @@
/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+/usr/libexec/dcc/start-dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+
/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
diff --git a/dcc.if b/dcc.if
index a5c21e0..4639421 100644
--- a/dcc.if
+++ b/dcc.if
@@ -173,6 +173,6 @@ interface(`dcc_stream_connect_dccifd',`
type dcc_var_t, dccifd_var_run_t, dccifd_t;
')
- files_search_var($1)
+ files_search_pids($1)
stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
')
diff --git a/dcc.te b/dcc.te
index 353fa4a..a5e912f 100644
--- a/dcc.te
+++ b/dcc.te
@@ -45,7 +45,7 @@ type dcc_var_t;
files_type(dcc_var_t)
type dcc_var_run_t;
-files_type(dcc_var_run_t)
+files_pid_file(dcc_var_run_t)
type dccd_t;
type dccd_exec_t;
@@ -94,15 +94,18 @@ allow cdcc_t dcc_var_t:dir list_dir_perms;
read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
+corenet_all_recvfrom_netlabel(cdcc_t)
+corenet_udp_sendrecv_generic_if(cdcc_t)
+corenet_udp_sendrecv_generic_node(cdcc_t)
+corenet_udp_sendrecv_all_ports(cdcc_t)
+
files_read_etc_runtime_files(cdcc_t)
auth_use_nsswitch(cdcc_t)
logging_send_syslog_msg(cdcc_t)
-miscfiles_read_localization(cdcc_t)
-
-userdom_use_user_terminals(cdcc_t)
+userdom_use_inherited_user_terminals(cdcc_t)
########################################
#
@@ -113,6 +116,8 @@ allow dcc_client_t self:capability { setuid setgid };
allow dcc_client_t dcc_client_map_t:file rw_file_perms;
+domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t)
+
manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
@@ -123,6 +128,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
kernel_read_system_state(dcc_client_t)
+corenet_all_recvfrom_netlabel(dcc_client_t)
+corenet_udp_sendrecv_generic_if(dcc_client_t)
+corenet_udp_sendrecv_generic_node(dcc_client_t)
+corenet_udp_sendrecv_all_ports(dcc_client_t)
+corenet_udp_bind_generic_node(dcc_client_t)
+
files_read_etc_runtime_files(dcc_client_t)
fs_getattr_all_fs(dcc_client_t)
@@ -131,12 +142,10 @@ auth_use_nsswitch(dcc_client_t)
logging_send_syslog_msg(dcc_client_t)
-miscfiles_read_localization(dcc_client_t)
-
-userdom_use_user_terminals(dcc_client_t)
+userdom_use_inherited_user_terminals(dcc_client_t)
optional_policy(`
- amavis_read_spool_files(dcc_client_t)
+ antivirus_read_db(dcc_client_t)
')
optional_policy(`
@@ -160,15 +169,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
kernel_read_system_state(dcc_dbclean_t)
+corenet_all_recvfrom_netlabel(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
+corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
+
files_read_etc_runtime_files(dcc_dbclean_t)
auth_use_nsswitch(dcc_dbclean_t)
logging_send_syslog_msg(dcc_dbclean_t)
-miscfiles_read_localization(dcc_dbclean_t)
-
-userdom_use_user_terminals(dcc_dbclean_t)
+userdom_use_inherited_user_terminals(dcc_dbclean_t)
########################################
#
@@ -202,7 +214,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
kernel_read_system_state(dccd_t)
kernel_read_kernel_sysctls(dccd_t)
-corenet_all_recvfrom_unlabeled(dccd_t)
corenet_all_recvfrom_netlabel(dccd_t)
corenet_udp_sendrecv_generic_if(dccd_t)
corenet_udp_sendrecv_generic_node(dccd_t)
@@ -227,8 +238,6 @@ auth_use_nsswitch(dccd_t)
logging_send_syslog_msg(dccd_t)
-miscfiles_read_localization(dccd_t)
-
userdom_dontaudit_use_unpriv_user_fds(dccd_t)
userdom_dontaudit_search_user_home_dirs(dccd_t)
@@ -269,6 +278,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
kernel_read_system_state(dccifd_t)
kernel_read_kernel_sysctls(dccifd_t)
+corenet_all_recvfrom_netlabel(dccifd_t)
+corenet_udp_sendrecv_generic_if(dccifd_t)
+corenet_udp_sendrecv_generic_node(dccifd_t)
+corenet_udp_sendrecv_all_ports(dccifd_t)
+
dev_read_sysfs(dccifd_t)
domain_use_interactive_fds(dccifd_t)
@@ -282,8 +296,6 @@ auth_use_nsswitch(dccifd_t)
logging_send_syslog_msg(dccifd_t)
-miscfiles_read_localization(dccifd_t)
-
userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
userdom_dontaudit_search_user_home_dirs(dccifd_t)
@@ -324,6 +336,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
kernel_read_system_state(dccm_t)
kernel_read_kernel_sysctls(dccm_t)
+corenet_all_recvfrom_netlabel(dccm_t)
+corenet_udp_sendrecv_generic_if(dccm_t)
+corenet_udp_sendrecv_generic_node(dccm_t)
+corenet_udp_sendrecv_all_ports(dccm_t)
+
dev_read_sysfs(dccm_t)
domain_use_interactive_fds(dccm_t)
@@ -337,8 +354,6 @@ auth_use_nsswitch(dccm_t)
logging_send_syslog_msg(dccm_t)
-miscfiles_read_localization(dccm_t)
-
userdom_dontaudit_use_unpriv_user_fds(dccm_t)
userdom_dontaudit_search_user_home_dirs(dccm_t)
diff --git a/ddclient.if b/ddclient.if
index 5606b40..cd18cf2 100644
--- a/ddclient.if
+++ b/ddclient.if
@@ -70,9 +70,13 @@ interface(`ddclient_admin',`
type ddclient_var_run_t, ddclient_initrc_exec_t;
')
- allow $1 ddclient_t:process { ptrace signal_perms };
+ allow $1 ddclient_t:process signal_perms;
ps_process_pattern($1, ddclient_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ddclient_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ddclient_initrc_exec_t system_r;
diff --git a/ddclient.te b/ddclient.te
index a4caa1b..42f3066 100644
--- a/ddclient.te
+++ b/ddclient.te
@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
# Declarations
#
+
dontaudit ddclient_t self:capability sys_tty_config;
allow ddclient_t self:process signal_perms;
allow ddclient_t self:fifo_file rw_fifo_file_perms;
+allow ddclient_t self:tcp_socket create_socket_perms;
+allow ddclient_t self:udp_socket create_socket_perms;
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
@@ -75,7 +79,6 @@ kernel_search_network_sysctl(ddclient_t)
corecmd_exec_shell(ddclient_t)
corecmd_exec_bin(ddclient_t)
-corenet_all_recvfrom_unlabeled(ddclient_t)
corenet_all_recvfrom_netlabel(ddclient_t)
corenet_tcp_sendrecv_generic_if(ddclient_t)
corenet_udp_sendrecv_generic_if(ddclient_t)
@@ -83,6 +86,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
corenet_udp_sendrecv_generic_node(ddclient_t)
corenet_tcp_sendrecv_all_ports(ddclient_t)
corenet_udp_sendrecv_all_ports(ddclient_t)
+corenet_tcp_bind_generic_node(ddclient_t)
+corenet_udp_bind_generic_node(ddclient_t)
corenet_sendrecv_all_client_packets(ddclient_t)
corenet_tcp_connect_all_ports(ddclient_t)
@@ -92,16 +97,16 @@ dev_read_urand(ddclient_t)
domain_use_interactive_fds(ddclient_t)
-files_read_etc_files(ddclient_t)
files_read_etc_runtime_files(ddclient_t)
-files_read_usr_files(ddclient_t)
fs_getattr_all_fs(ddclient_t)
fs_search_auto_mountpoints(ddclient_t)
+auth_read_passwd(ddclient_t)
+
logging_send_syslog_msg(ddclient_t)
-miscfiles_read_localization(ddclient_t)
+mta_send_mail(ddclient_t)
sysnet_exec_ifconfig(ddclient_t)
sysnet_dns_name_resolve(ddclient_t)
diff --git a/ddcprobe.te b/ddcprobe.te
index 8fa4bb9..8f5ffb0 100644
--- a/ddcprobe.te
+++ b/ddcprobe.te
@@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t)
dev_read_raw_memory(ddcprobe_t)
dev_wx_raw_memory(ddcprobe_t)
-files_read_etc_files(ddcprobe_t)
files_read_etc_runtime_files(ddcprobe_t)
-files_read_usr_files(ddcprobe_t)
term_use_all_ttys(ddcprobe_t)
term_use_all_ptys(ddcprobe_t)
diff --git a/denyhosts.if b/denyhosts.if
index a7326da..c87b5b7 100644
--- a/denyhosts.if
+++ b/denyhosts.if
@@ -53,6 +53,7 @@ interface(`denyhosts_initrc_domtrans',`
## Role allowed access.
##
##
+##
#
interface(`denyhosts_admin',`
gen_require(`
@@ -60,20 +61,24 @@ interface(`denyhosts_admin',`
type denyhosts_var_log_t, denyhosts_initrc_exec_t;
')
- allow $1 denyhosts_t:process { ptrace signal_perms };
+ allow $1 denyhosts_t:process signal_perms;
ps_process_pattern($1, denyhosts_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 denyhosts_t:process ptrace;
+ ')
+
denyhosts_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 denyhosts_initrc_exec_t system_r;
allow $2 system_r;
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, denyhosts_var_lib_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, denyhosts_var_log_t)
- files_search_locks($1)
+ files_list_locks($1)
admin_pattern($1, denyhosts_var_lock_t)
')
diff --git a/denyhosts.te b/denyhosts.te
index 583a527..bb77017 100644
--- a/denyhosts.te
+++ b/denyhosts.te
@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
#
# Local policy
#
+# Bug #588563
+allow denyhosts_t self:capability sys_tty_config;
+allow denyhosts_t self:fifo_file rw_fifo_file_perms;
allow denyhosts_t self:capability sys_tty_config;
allow denyhosts_t self:fifo_file rw_fifo_file_perms;
@@ -48,7 +51,6 @@ kernel_read_system_state(denyhosts_t)
corecmd_exec_bin(denyhosts_t)
corecmd_exec_shell(denyhosts_t)
-corenet_all_recvfrom_unlabeled(denyhosts_t)
corenet_all_recvfrom_netlabel(denyhosts_t)
corenet_tcp_sendrecv_generic_if(denyhosts_t)
corenet_tcp_sendrecv_generic_node(denyhosts_t)
@@ -59,11 +61,11 @@ corenet_tcp_sendrecv_smtp_port(denyhosts_t)
dev_read_urand(denyhosts_t)
+auth_use_nsswitch(denyhosts_t)
+
logging_read_generic_logs(denyhosts_t)
logging_send_syslog_msg(denyhosts_t)
-miscfiles_read_localization(denyhosts_t)
-
sysnet_dns_name_resolve(denyhosts_t)
sysnet_manage_config(denyhosts_t)
sysnet_etc_filetrans_config(denyhosts_t)
@@ -71,3 +73,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
optional_policy(`
cron_system_entry(denyhosts_t, denyhosts_exec_t)
')
+
+optional_policy(`
+ gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/devicekit.if b/devicekit.if
index 8ce99ff..0819898 100644
--- a/devicekit.if
+++ b/devicekit.if
@@ -1,4 +1,4 @@
-## Devicekit modular hardware abstraction layer.
+## Devicekit modular hardware abstraction layer
########################################
##
@@ -15,12 +15,29 @@ interface(`devicekit_domtrans',`
type devicekit_t, devicekit_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, devicekit_exec_t, devicekit_t)
')
########################################
##
+## Execute a domain transition to run devicekit_disk.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`devicekit_domtrans_disk',`
+ gen_require(`
+ type devicekit_disk_t, devicekit_disk_exec_t;
+ ')
+
+ domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
+')
+
+########################################
+##
## Send to devicekit over a unix domain
## datagram socket.
##
@@ -32,11 +49,10 @@ interface(`devicekit_domtrans',`
#
interface(`devicekit_dgram_send',`
gen_require(`
- type devicekit_t, devicekit_var_run_t;
+ type devicekit_t;
')
- files_search_pids($1)
- dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t)
+ allow $1 devicekit_t:unix_dgram_socket sendto;
')
########################################
@@ -83,7 +99,7 @@ interface(`devicekit_dbus_chat_disk',`
########################################
##
-## Send generic signals to devicekit power.
+## Use file descriptors for devicekit_disk.
##
##
##
@@ -91,39 +107,38 @@ interface(`devicekit_dbus_chat_disk',`
##
##
#
-interface(`devicekit_signal_power',`
+interface(`devicekit_use_fds_disk',`
gen_require(`
- type devicekit_power_t;
+ type devicekit_disk_t;
')
- allow $1 devicekit_power_t:process signal;
+ allow $1 devicekit_disk_t:fd use;
')
########################################
##
-## Send and receive messages from
-## devicekit power over dbus.
+## Dontaudit Send and receive messages from
+## devicekit disk over dbus.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`devicekit_dbus_chat_power',`
+interface(`devicekit_dontaudit_dbus_chat_disk',`
gen_require(`
- type devicekit_power_t;
+ type devicekit_disk_t;
class dbus send_msg;
')
- allow $1 devicekit_power_t:dbus send_msg;
- allow devicekit_power_t $1:dbus send_msg;
+ dontaudit $1 devicekit_disk_t:dbus send_msg;
+ dontaudit devicekit_disk_t $1:dbus send_msg;
')
########################################
##
-## Use and inherit devicekit power
-## file descriptors.
+## Send signal devicekit power
##
##
##
@@ -131,17 +146,18 @@ interface(`devicekit_dbus_chat_power',`
##
##
#
-interface(`devicekit_use_fds_power',`
+interface(`devicekit_signal_power',`
gen_require(`
type devicekit_power_t;
')
- allow $1 devicekit_power_t:fd use;
+ allow $1 devicekit_power_t:process signal;
')
########################################
##
-## Append inherited devicekit log files.
+## Send and receive messages from
+## devicekit power over dbus.
##
##
##
@@ -149,40 +165,78 @@ interface(`devicekit_use_fds_power',`
##
##
#
+interface(`devicekit_dbus_chat_power',`
+ gen_require(`
+ type devicekit_power_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_power_t:dbus send_msg;
+ allow devicekit_power_t $1:dbus send_msg;
+')
+
+#######################################
+##
+## Use and inherit devicekit power
+## file descriptors.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_use_fds_power',`
+ gen_require(`
+ type devicekit_power_t;
+ ')
+
+ allow $1 devicekit_power_t:fd use;
+')
+
+#######################################
+##
+## Append inherited devicekit log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
interface(`devicekit_append_inherited_log_files',`
gen_require(`
type devicekit_var_log_t;
')
logging_search_logs($1)
- allow $1 devicekit_var_log_t:file { getattr_file_perms append };
+ allow $1 devicekit_var_log_t:file append_inherited_file_perms;
devicekit_use_fds_power($1)
')
-########################################
+#######################################
##
-## Create, read, write, and delete
-## devicekit log files.
+## Do not audit attempts to write the devicekit
+## log files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain to not audit.
+##
##
#
-interface(`devicekit_manage_log_files',`
+interface(`devicekit_dontaudit_rw_log',`
gen_require(`
type devicekit_var_log_t;
')
- logging_search_logs($1)
- manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+ dontaudit $1 devicekit_var_log_t:file rw_file_perms;
')
########################################
##
-## Relabel devicekit log files.
+## Allow the domain to read devicekit_power state files in /proc.
##
##
##
@@ -190,13 +244,13 @@ interface(`devicekit_manage_log_files',`
##
##
#
-interface(`devicekit_relabel_log_files',`
+interface(`devicekit_read_state_power',`
gen_require(`
- type devicekit_var_log_t;
+ type devicekit_power_t;
')
- logging_search_logs($1)
- relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+ kernel_search_proc($1)
+ ps_process_pattern($1, devicekit_power_t)
')
########################################
@@ -220,11 +274,30 @@ interface(`devicekit_read_pid_files',`
########################################
##
-## Create, read, write, and delete
+## Do not audit attempts to read
## devicekit PID files.
##
##
##
+## Domain to not audit.
+##
+##
+#
+interface(`devicekit_dontaudit_read_pid_files',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
+')
+
+
+########################################
+##
+## Manage devicekit PID files.
+##
+##
+##
## Domain allowed access.
##
##
@@ -235,22 +308,59 @@ interface(`devicekit_manage_pid_files',`
')
files_search_pids($1)
+ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
+')
+
+#######################################
+##
+## Relabel devicekit LOG files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_relabel_log_files',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
')
########################################
##
-## All of the rules required to
-## administrate an devicekit environment.
+## Manage devicekit LOG files.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`devicekit_manage_log_files',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an devicekit environment
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
##
@@ -259,21 +369,48 @@ interface(`devicekit_admin',`
gen_require(`
type devicekit_t, devicekit_disk_t, devicekit_power_t;
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
- type devicekit_var_log_t;
')
- allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t })
+ allow $1 devicekit_t:process signal_perms;
+ ps_process_pattern($1, devicekit_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 devicekit_t:process ptrace;
+ allow $1 devicekit_disk_t:process ptrace;
+ allow $1 devicekit_power_t:process ptrace;
+ ')
+
+ allow $1 devicekit_disk_t:process signal_perms;
+ ps_process_pattern($1, devicekit_disk_t)
+
+ allow $1 devicekit_power_t:process signal_perms;
+ ps_process_pattern($1, devicekit_power_t)
- files_search_tmp($1)
admin_pattern($1, devicekit_tmp_t)
+ files_list_tmp($1)
- files_search_var_lib($1)
admin_pattern($1, devicekit_var_lib_t)
+ files_list_var_lib($1)
- logging_search_logs($1)
- admin_pattern($1, devicekit_var_log_t)
-
- files_search_pids($1)
admin_pattern($1, devicekit_var_run_t)
+ files_list_pids($1)
+')
+
+########################################
+##
+## Transition to devicekit named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_filetrans_named_content',`
+ gen_require(`
+ type devicekit_var_run_t, devicekit_var_log_t;
+ ')
+
+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
index 77a5003..2728ee6 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
type devicekit_t;
type devicekit_exec_t;
-dbus_system_domain(devicekit_t, devicekit_exec_t)
+init_daemon_domain(devicekit_t, devicekit_exec_t)
type devicekit_power_t;
type devicekit_power_exec_t;
-dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+init_daemon_domain(devicekit_power_t, devicekit_power_exec_t)
type devicekit_disk_t;
type devicekit_disk_exec_t;
-dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
+init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t)
type devicekit_tmp_t;
files_tmp_file(devicekit_tmp_t)
@@ -45,11 +45,8 @@ kernel_read_system_state(devicekit_t)
dev_read_sysfs(devicekit_t)
dev_read_urand(devicekit_t)
-files_read_etc_files(devicekit_t)
-
-miscfiles_read_localization(devicekit_t)
-
optional_policy(`
+ dbus_system_domain(devicekit_t, devicekit_exec_t)
dbus_system_bus_client(devicekit_t)
allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
@@ -64,7 +61,8 @@ optional_policy(`
# Disk local policy
#
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };
+
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -81,10 +79,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
+files_filetrans_named_content(devicekit_disk_t)
+kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
kernel_getattr_message_if(devicekit_disk_t)
kernel_list_unlabeled(devicekit_disk_t)
-kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
@@ -99,6 +98,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
dev_getattr_all_chr_files(devicekit_disk_t)
dev_getattr_mtrr_dev(devicekit_disk_t)
+dev_rw_generic_blk_files(devicekit_disk_t)
+dev_rw_loop_control(devicekit_disk_t)
dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
@@ -117,8 +118,8 @@ files_getattr_all_pipes(devicekit_disk_t)
files_manage_boot_dirs(devicekit_disk_t)
files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
+files_manage_etc_files(devicekit_disk_t)
files_read_etc_runtime_files(devicekit_disk_t)
-files_read_usr_files(devicekit_disk_t)
fs_getattr_all_fs(devicekit_disk_t)
fs_list_inotifyfs(devicekit_disk_t)
@@ -135,18 +136,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
-term_use_all_terms(devicekit_disk_t)
+term_use_all_inherited_terms(devicekit_disk_t)
auth_use_nsswitch(devicekit_disk_t)
logging_send_syslog_msg(devicekit_disk_t)
-miscfiles_read_localization(devicekit_disk_t)
-
userdom_read_all_users_state(devicekit_disk_t)
userdom_search_user_home_dirs(devicekit_disk_t)
+userdom_manage_user_tmp_dirs(devicekit_disk_t)
optional_policy(`
+ dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
dbus_system_bus_client(devicekit_disk_t)
allow devicekit_disk_t devicekit_t:dbus send_msg;
@@ -170,6 +171,7 @@ optional_policy(`
optional_policy(`
mount_domtrans(devicekit_disk_t)
+ mount_read_pid_files(devicekit_disk_t)
')
optional_policy(`
@@ -183,6 +185,11 @@ optional_policy(`
')
optional_policy(`
+ systemd_read_logind_sessions_files(devicekit_disk_t)
+ systemd_write_inhibit_pipes(devicekit_disk_t)
+')
+
+optional_policy(`
udev_domtrans(devicekit_disk_t)
udev_read_db(devicekit_disk_t)
udev_read_pid_files(devicekit_disk_t)
@@ -192,12 +199,19 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
+optional_policy(`
+ unconfined_domain(devicekit_t)
+ unconfined_domain(devicekit_power_t)
+ unconfined_domain(devicekit_disk_t)
+')
+
########################################
#
# Power local policy
#
-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
+allow devicekit_power_t self:capability2 compromise_kernel;
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
@@ -212,9 +226,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
-allow devicekit_power_t devicekit_var_log_t:file append_file_perms;
-allow devicekit_power_t devicekit_var_log_t:file create_file_perms;
-allow devicekit_power_t devicekit_var_log_t:file setattr_file_perms;
+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -248,21 +260,18 @@ domain_read_all_domains_state(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_runtime_files(devicekit_power_t)
-files_read_usr_files(devicekit_power_t)
files_dontaudit_list_mnt(devicekit_power_t)
fs_getattr_all_fs(devicekit_power_t)
fs_list_inotifyfs(devicekit_power_t)
-term_use_all_terms(devicekit_power_t)
+term_use_all_inherited_terms(devicekit_power_t)
auth_use_nsswitch(devicekit_power_t)
init_all_labeled_script_domtrans(devicekit_power_t)
init_read_utmp(devicekit_power_t)
-miscfiles_read_localization(devicekit_power_t)
-
sysnet_domtrans_ifconfig(devicekit_power_t)
sysnet_domtrans_dhcpc(devicekit_power_t)
@@ -277,6 +286,12 @@ optional_policy(`
')
optional_policy(`
+ cron_initrc_domtrans(devicekit_power_t)
+ cron_systemctl(devicekit_power_t)
+')
+
+optional_policy(`
+ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
@@ -307,8 +322,11 @@ optional_policy(`
')
optional_policy(`
+ gnome_manage_home_config(devicekit_power_t)
+')
+
+optional_policy(`
hal_domtrans_mac(devicekit_power_t)
- hal_manage_log(devicekit_power_t)
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
')
@@ -347,3 +365,9 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
+
+optional_policy(`
+ corenet_tcp_connect_xserver_port(devicekit_power_t)
+ xserver_stream_connect(devicekit_power_t)
+')
+
diff --git a/dhcp.fc b/dhcp.fc
index 8182c48..74d8d39 100644
--- a/dhcp.fc
+++ b/dhcp.fc
@@ -1,4 +1,5 @@
/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
diff --git a/dhcp.if b/dhcp.if
index c697edb..31d45bf 100644
--- a/dhcp.if
+++ b/dhcp.if
@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
')
sysnet_search_dhcp_state($1)
- allow $1 dhcpd_state_t:file setattr;
+ allow $1 dhcpd_state_t:file setattr_file_perms;
')
########################################
@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',`
########################################
##
+## Execute dhcpd server in the dhcpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dhcpd_systemctl',`
+ gen_require(`
+ type dhcpd_unit_file_t;
+ type dhcpd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 dhcpd_unit_file_t:file read_file_perms;
+ allow $1 dhcpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, dhcpd_t)
+')
+
+########################################
+##
## All of the rules required to
## administrate an dhcpd environment.
##
@@ -79,11 +103,16 @@ interface(`dhcpd_admin',`
gen_require(`
type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+ type dhcpd_unit_file_t;
')
- allow $1 dhcpd_t:process { ptrace signal_perms };
+ allow $1 dhcpd_t:process signal_perms;
ps_process_pattern($1, dhcpd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 dhcpd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dhcpd_initrc_exec_t system_r;
@@ -97,4 +126,8 @@ interface(`dhcpd_admin',`
files_list_pids($1)
admin_pattern($1, dhcpd_var_run_t)
+
+ dhcpd_systemctl($1)
+ admin_pattern($1, dhcpd_unit_file_t)
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
')
diff --git a/dhcp.te b/dhcp.te
index 98a24b9..36e32aa 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
type dhcpd_initrc_exec_t;
init_script_file(dhcpd_initrc_exec_t)
+type dhcpd_unit_file_t;
+systemd_unit_file(dhcpd_unit_file_t)
+
type dhcpd_state_t;
files_type(dhcpd_state_t)
@@ -58,7 +61,6 @@ kernel_read_system_state(dhcpd_t)
kernel_read_kernel_sysctls(dhcpd_t)
kernel_read_network_state(dhcpd_t)
-corenet_all_recvfrom_unlabeled(dhcpd_t)
corenet_all_recvfrom_netlabel(dhcpd_t)
corenet_tcp_sendrecv_generic_if(dhcpd_t)
corenet_udp_sendrecv_generic_if(dhcpd_t)
@@ -94,7 +96,6 @@ fs_search_auto_mountpoints(dhcpd_t)
domain_use_interactive_fds(dhcpd_t)
-files_read_usr_files(dhcpd_t)
files_read_etc_runtime_files(dhcpd_t)
files_search_var_lib(dhcpd_t)
@@ -102,8 +103,6 @@ auth_use_nsswitch(dhcpd_t)
logging_send_syslog_msg(dhcpd_t)
-miscfiles_read_localization(dhcpd_t)
-
sysnet_read_dhcp_config(dhcpd_t)
userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
@@ -113,11 +112,20 @@ tunable_policy(`dhcpd_use_ldap',`
sysnet_use_ldap(dhcpd_t)
')
+ifdef(`distro_gentoo',`
+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+')
+
optional_policy(`
+ # used for dynamic DNS
bind_read_dnssec_keys(dhcpd_t)
')
optional_policy(`
+ cobbler_dontaudit_rw_log(dhcpd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
diff --git a/dictd.if b/dictd.if
index 3cc3494..cb0a1f4 100644
--- a/dictd.if
+++ b/dictd.if
@@ -38,8 +38,11 @@ interface(`dictd_admin',`
type dictd_var_run_t, dictd_initrc_exec_t;
')
- allow $1 dictd_t:process { ptrace signal_perms };
+ allow $1 dictd_t:process signal_perms;
ps_process_pattern($1, dictd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 dictd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, dictd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/dictd.te b/dictd.te
index 433d3c5..0dccebf 100644
--- a/dictd.te
+++ b/dictd.te
@@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file)
kernel_read_system_state(dictd_t)
kernel_read_kernel_sysctls(dictd_t)
-corenet_all_recvfrom_unlabeled(dictd_t)
corenet_all_recvfrom_netlabel(dictd_t)
corenet_tcp_sendrecv_generic_if(dictd_t)
corenet_tcp_sendrecv_generic_node(dictd_t)
@@ -58,7 +57,6 @@ dev_read_sysfs(dictd_t)
domain_use_interactive_fds(dictd_t)
files_read_etc_runtime_files(dictd_t)
-files_read_usr_files(dictd_t)
files_search_var_lib(dictd_t)
fs_getattr_xattr_fs(dictd_t)
@@ -68,8 +66,6 @@ auth_use_nsswitch(dictd_t)
logging_send_syslog_msg(dictd_t)
-miscfiles_read_localization(dictd_t)
-
userdom_dontaudit_use_unpriv_user_fds(dictd_t)
optional_policy(`
diff --git a/dirmngr.te b/dirmngr.te
index b3b2188..5f91705 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -53,6 +53,5 @@ files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
kernel_read_crypto_sysctls(dirmngr_t)
-files_read_etc_files(dirmngr_t)
miscfiles_read_localization(dirmngr_t)
diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
new file mode 100644
index 0000000..8c44697
--- /dev/null
+++ b/dirsrv-admin.fc
@@ -0,0 +1,15 @@
+/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+
+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
+/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
+
+/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+
+/var/lock/subsys/dirsrv-admin -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
diff --git a/dirsrv-admin.if b/dirsrv-admin.if
new file mode 100644
index 0000000..30416f2
--- /dev/null
+++ b/dirsrv-admin.if
@@ -0,0 +1,133 @@
+## Administration Server for Directory Server, dirsrv-admin.
+
+########################################
+##
+## Exec dirsrv-admin programs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_run_exec',`
+ gen_require(`
+ type dirsrvadmin_exec_t;
+ ')
+
+ allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
+ can_exec($1, dirsrvadmin_exec_t)
+')
+
+########################################
+##
+## Exec cgi programs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_run_httpd_script_exec',`
+ gen_require(`
+ type httpd_dirsrvadmin_script_exec_t;
+ ')
+
+ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
+ can_exec($1, httpd_dirsrvadmin_script_exec_t)
+')
+
+########################################
+##
+## Manage dirsrv-adminserver configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_read_config',`
+ gen_require(`
+ type dirsrvadmin_config_t;
+ ')
+
+ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
+')
+
+########################################
+##
+## Manage dirsrv-adminserver configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_manage_config',`
+ gen_require(`
+ type dirsrvadmin_config_t;
+ ')
+
+ allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
+ allow $1 dirsrvadmin_config_t:file manage_file_perms;
+')
+
+#######################################
+##
+## Read dirsrv-adminserver tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_read_tmp',`
+ gen_require(`
+ type dirsrvadmin_tmp_t;
+ ')
+
+ read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
+########################################
+##
+## Manage dirsrv-adminserver tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_manage_tmp',`
+ gen_require(`
+ type dirsrvadmin_tmp_t;
+ ')
+
+ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
+#######################################
+##
+## Execute admin cgi programs in caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_domtrans_unconfined_script_t',`
+ gen_require(`
+ type dirsrvadmin_unconfined_script_t;
+ type dirsrvadmin_unconfined_script_exec_t;
+ ')
+
+ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
+ allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
+')
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
new file mode 100644
index 0000000..021c5ae
--- /dev/null
+++ b/dirsrv-admin.te
@@ -0,0 +1,157 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
+#
+# Declarations for the daemon
+#
+
+type dirsrvadmin_t;
+type dirsrvadmin_exec_t;
+init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
+role system_r types dirsrvadmin_t;
+
+type dirsrvadmin_config_t;
+files_type(dirsrvadmin_config_t)
+
+type dirsrvadmin_lock_t;
+files_lock_file(dirsrvadmin_lock_t)
+
+type dirsrvadmin_tmp_t;
+files_tmp_file(dirsrvadmin_tmp_t)
+
+type dirsrvadmin_unconfined_script_t;
+type dirsrvadmin_unconfined_script_exec_t;
+domain_type(dirsrvadmin_unconfined_script_t)
+domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t)
+corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t)
+role system_r types dirsrvadmin_unconfined_script_t;
+
+########################################
+#
+# Local policy for the daemon
+#
+
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
+allow dirsrvadmin_t self:process { setrlimit signal_perms };
+
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
+
+kernel_read_system_state(dirsrvadmin_t)
+
+corecmd_exec_bin(dirsrvadmin_t)
+corecmd_read_bin_symlinks(dirsrvadmin_t)
+corecmd_search_bin(dirsrvadmin_t)
+corecmd_shell_entry_type(dirsrvadmin_t)
+
+files_exec_etc_files(dirsrvadmin_t)
+
+libs_exec_ld_so(dirsrvadmin_t)
+
+logging_search_logs(dirsrvadmin_t)
+
+# Needed for stop and restart scripts
+dirsrv_read_var_run(dirsrvadmin_t)
+
+optional_policy(`
+ apache_domtrans(dirsrvadmin_t)
+ apache_signal(dirsrvadmin_t)
+')
+
+########################################
+#
+# Local policy for the CGIs
+#
+#
+#
+# Create a domain for the CGI scripts
+
+optional_policy(`
+ apache_content_template(dirsrvadmin)
+
+ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
+ allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
+ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
+
+
+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
+ files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
+
+ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
+
+
+ corenet_tcp_bind_generic_node(httpd_dirsrvadmin_script_t)
+ corenet_udp_bind_generic_node(httpd_dirsrvadmin_script_t)
+ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
+
+ corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
+
+ files_search_var_lib(httpd_dirsrvadmin_script_t)
+
+ sysnet_read_config(httpd_dirsrvadmin_script_t)
+
+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+
+ optional_policy(`
+ apache_read_modules(httpd_dirsrvadmin_script_t)
+ apache_read_config(httpd_dirsrvadmin_script_t)
+ apache_signal(httpd_dirsrvadmin_script_t)
+ apache_signull(httpd_dirsrvadmin_script_t)
+ ')
+
+ optional_policy(`
+ # The CGI scripts must be able to manage dirsrv-admin
+ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
+ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
+ dirsrv_domtrans(httpd_dirsrvadmin_script_t)
+ dirsrv_signal(httpd_dirsrvadmin_script_t)
+ dirsrv_signull(httpd_dirsrvadmin_script_t)
+ dirsrv_manage_log(httpd_dirsrvadmin_script_t)
+ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
+ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
+ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
+ dirsrv_manage_config(httpd_dirsrvadmin_script_t)
+ dirsrv_read_share(httpd_dirsrvadmin_script_t)
+ ')
+')
+
+#######################################
+#
+# Local policy for the admin CGIs
+#
+#
+
+
+manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir })
+
+# needed because of filetrans rules
+dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t)
+dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t)
+dirsrv_domtrans(dirsrvadmin_unconfined_script_t)
+dirsrv_signal(dirsrvadmin_unconfined_script_t)
+dirsrv_signull(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_log(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t)
+dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_config(dirsrvadmin_unconfined_script_t)
+dirsrv_read_share(dirsrvadmin_unconfined_script_t)
+
+optional_policy(`
+ unconfined_domain(dirsrvadmin_unconfined_script_t)
+')
+
+
diff --git a/dirsrv.fc b/dirsrv.fc
new file mode 100644
index 0000000..5d30dab
--- /dev/null
+++ b/dirsrv.fc
@@ -0,0 +1,23 @@
+/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)
+
+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
+/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
+/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0)
+
+/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
+
+# BZ:
+/var/run/slapd.* -s gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+
+/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
+
+/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
+
+/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0)
+
+/var/log/dirsrv/ldap-agent.log.* gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
diff --git a/dirsrv.if b/dirsrv.if
new file mode 100644
index 0000000..b214253
--- /dev/null
+++ b/dirsrv.if
@@ -0,0 +1,208 @@
+## policy for dirsrv
+
+########################################
+##
+## Execute a domain transition to run dirsrv.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dirsrv_domtrans',`
+ gen_require(`
+ type dirsrv_t, dirsrv_exec_t;
+ ')
+
+ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
+')
+
+
+########################################
+##
+## Allow caller to signal dirsrv.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_signal',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ allow $1 dirsrv_t:process signal;
+')
+
+
+########################################
+##
+## Send a null signal to dirsrv.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_signull',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ allow $1 dirsrv_t:process signull;
+')
+
+#######################################
+##
+## Allow a domain to manage dirsrv logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_manage_log',`
+ gen_require(`
+ type dirsrv_var_log_t;
+ ')
+
+ allow $1 dirsrv_var_log_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_log_t:file manage_file_perms;
+ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
+')
+
+#######################################
+##
+## Allow a domain to manage dirsrv /var/lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_manage_var_lib',`
+ gen_require(`
+ type dirsrv_var_lib_t;
+ ')
+ allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_lib_t:file manage_file_perms;
+')
+
+########################################
+##
+## Connect to dirsrv over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_stream_connect',`
+ gen_require(`
+ type dirsrv_t, dirsrv_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
+')
+
+#######################################
+##
+## Allow a domain to manage dirsrv /var/run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_manage_var_run',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ allow $1 dirsrv_var_run_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_run_t:file manage_file_perms;
+ allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
+')
+
+######################################
+##
+## Allow a domain to create dirsrv pid directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_pid_filetrans',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ # Allow creating a dir in /var/run with this type
+ files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
+#######################################
+##
+## Allow a domain to read dirsrv /var/run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_read_var_run',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ allow $1 dirsrv_var_run_t:dir list_dir_perms;
+ allow $1 dirsrv_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Manage dirsrv configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_manage_config',`
+ gen_require(`
+ type dirsrv_config_t;
+ ')
+
+ allow $1 dirsrv_config_t:dir manage_dir_perms;
+ allow $1 dirsrv_config_t:file manage_file_perms;
+')
+
+########################################
+##
+## Read dirsrv share files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_read_share',`
+ gen_require(`
+ type dirsrv_share_t;
+ ')
+
+ allow $1 dirsrv_share_t:dir list_dir_perms;
+ allow $1 dirsrv_share_t:file read_file_perms;
+ allow $1 dirsrv_share_t:lnk_file read;
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
index 0000000..73d1b46
--- /dev/null
+++ b/dirsrv.te
@@ -0,0 +1,196 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# main daemon
+type dirsrv_t;
+type dirsrv_exec_t;
+domain_type(dirsrv_t)
+init_daemon_domain(dirsrv_t, dirsrv_exec_t)
+
+type dirsrv_snmp_t;
+type dirsrv_snmp_exec_t;
+domain_type(dirsrv_snmp_t)
+init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
+
+type dirsrv_var_lib_t;
+files_type(dirsrv_var_lib_t)
+
+type dirsrv_var_log_t;
+logging_log_file(dirsrv_var_log_t)
+
+type dirsrv_snmp_var_log_t;
+logging_log_file(dirsrv_snmp_var_log_t)
+
+type dirsrv_var_run_t;
+files_pid_file(dirsrv_var_run_t)
+
+type dirsrv_snmp_var_run_t;
+files_pid_file(dirsrv_snmp_var_run_t)
+
+type dirsrv_var_lock_t;
+files_lock_file(dirsrv_var_lock_t)
+
+type dirsrv_config_t;
+files_type(dirsrv_config_t)
+
+type dirsrv_tmp_t;
+files_tmp_file(dirsrv_tmp_t)
+
+type dirsrv_tmpfs_t;
+files_tmpfs_file(dirsrv_tmpfs_t)
+
+type dirsrv_share_t;
+files_type(dirsrv_share_t);
+
+########################################
+#
+# dirsrv local policy
+#
+allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
+allow dirsrv_t self:fifo_file manage_fifo_file_perms;
+allow dirsrv_t self:sem create_sem_perms;
+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+allow dirsrv_t dirsrv_var_log_t:dir { setattr };
+logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })
+
+manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file)
+files_setattr_lock_dirs(dirsrv_t)
+
+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
+allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms;
+
+kernel_read_network_state(dirsrv_t)
+kernel_read_system_state(dirsrv_t)
+kernel_read_kernel_sysctls(dirsrv_t)
+
+corecmd_search_bin(dirsrv_t)
+
+corenet_all_recvfrom_netlabel(dirsrv_t)
+corenet_tcp_sendrecv_generic_if(dirsrv_t)
+corenet_tcp_sendrecv_generic_node(dirsrv_t)
+corenet_tcp_sendrecv_all_ports(dirsrv_t)
+corenet_tcp_bind_generic_node(dirsrv_t)
+corenet_tcp_bind_ldap_port(dirsrv_t)
+corenet_tcp_bind_dogtag_port(dirsrv_t)
+corenet_tcp_bind_all_rpc_ports(dirsrv_t)
+corenet_udp_bind_all_rpc_ports(dirsrv_t)
+corenet_tcp_connect_all_ports(dirsrv_t)
+corenet_sendrecv_ldap_server_packets(dirsrv_t)
+corenet_sendrecv_all_client_packets(dirsrv_t)
+
+dev_read_sysfs(dirsrv_t)
+dev_read_urand(dirsrv_t)
+
+files_read_usr_symlinks(dirsrv_t)
+
+fs_getattr_all_fs(dirsrv_t)
+
+auth_use_pam(dirsrv_t)
+
+logging_send_syslog_msg(dirsrv_t)
+
+sysnet_dns_name_resolve(dirsrv_t)
+
+optional_policy(`
+ apache_dontaudit_leaks(dirsrv_t)
+')
+
+optional_policy(`
+ dirsrvadmin_read_tmp(dirsrv_t)
+')
+
+optional_policy(`
+ kerberos_use(dirsrv_t)
+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55")
+')
+
+# FIPS mode
+optional_policy(`
+ prelink_exec(dirsrv_t)
+')
+
+optional_policy(`
+ rpcbind_stream_connect(dirsrv_t)
+')
+
+optional_policy(`
+ uuidd_stream_connect_manager(dirsrv_t)
+')
+
+########################################
+#
+# dirsrv-snmp local policy
+#
+allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
+allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
+
+rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+
+read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
+read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
+files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
+search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
+filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
+
+corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
+
+dev_read_rand(dirsrv_snmp_t)
+dev_read_urand(dirsrv_snmp_t)
+
+domain_use_interactive_fds(dirsrv_snmp_t)
+
+#files_manage_var_files(dirsrv_snmp_t)
+
+fs_getattr_tmpfs(dirsrv_snmp_t)
+fs_search_tmpfs(dirsrv_snmp_t)
+
+
+sysnet_read_config(dirsrv_snmp_t)
+sysnet_dns_name_resolve(dirsrv_snmp_t)
+
+optional_policy(`
+ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
+ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
+ snmp_manage_var_lib_dirs(dirsrv_snmp_t)
+ snmp_manage_var_lib_files(dirsrv_snmp_t)
+ snmp_stream_connect(dirsrv_snmp_t)
+')
diff --git a/distcc.if b/distcc.if
index 24d8c74..1790ec5 100644
--- a/distcc.if
+++ b/distcc.if
@@ -19,7 +19,7 @@
#
interface(`distcc_admin',`
gen_require(`
- type distccd_t, distccd_t, distccd_log_t;
+ type distccd_t, distccd_t, distccd_log_t, distccd_var_run_t;
type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
')
diff --git a/distcc.te b/distcc.te
index 898b2f4..8a1725b 100644
--- a/distcc.te
+++ b/distcc.te
@@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file)
kernel_read_system_state(distccd_t)
kernel_read_kernel_sysctls(distccd_t)
-corenet_all_recvfrom_unlabeled(distccd_t)
corenet_all_recvfrom_netlabel(distccd_t)
corenet_tcp_sendrecv_generic_if(distccd_t)
corenet_tcp_sendrecv_generic_node(distccd_t)
@@ -74,8 +73,6 @@ libs_exec_lib_files(distccd_t)
logging_send_syslog_msg(distccd_t)
-miscfiles_read_localization(distccd_t)
-
userdom_dontaudit_use_unpriv_user_fds(distccd_t)
userdom_dontaudit_search_user_home_dirs(distccd_t)
diff --git a/djbdns.if b/djbdns.if
index 671d3c0..6d36c95 100644
--- a/djbdns.if
+++ b/djbdns.if
@@ -39,6 +39,23 @@ template(`djbdns_daemontools_domain_template',`
allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
+
+ corenet_all_recvfrom_netlabel(djbdns_$1_t)
+ corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
+ corenet_udp_sendrecv_generic_if(djbdns_$1_t)
+ corenet_tcp_sendrecv_generic_node(djbdns_$1_t)
+ corenet_udp_sendrecv_generic_node(djbdns_$1_t)
+ corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
+ corenet_udp_sendrecv_all_ports(djbdns_$1_t)
+ corenet_tcp_bind_generic_node(djbdns_$1_t)
+ corenet_udp_bind_generic_node(djbdns_$1_t)
+ corenet_tcp_bind_dns_port(djbdns_$1_t)
+ corenet_udp_bind_dns_port(djbdns_$1_t)
+ corenet_udp_bind_generic_port(djbdns_$1_t)
+ corenet_sendrecv_dns_server_packets(djbdns_$1_t)
+ corenet_sendrecv_generic_server_packets(djbdns_$1_t)
+
+ files_search_var(djbdns_$1_t)
')
#####################################
diff --git a/djbdns.te b/djbdns.te
index 87ca536..ebd327a 100644
--- a/djbdns.te
+++ b/djbdns.te
@@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain)
files_search_var(djbdns_domain)
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
+
########################################
#
# axfrdns local policy
diff --git a/dkim.fc b/dkim.fc
index 5818418..674367b 100644
--- a/dkim.fc
+++ b/dkim.fc
@@ -9,7 +9,6 @@
/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/dmidecode.if b/dmidecode.if
index 41c3f67..653a1ec 100644
--- a/dmidecode.if
+++ b/dmidecode.if
@@ -19,6 +19,25 @@ interface(`dmidecode_domtrans',`
domtrans_pattern($1, dmidecode_exec_t, dmidecode_t)
')
+######################################
+##
+## Execute dmidecode in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dmidecode_exec',`
+ gen_require(`
+ type dmidecode_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dmidecode_exec_t)
+')
+
########################################
##
## Execute dmidecode in the dmidecode
diff --git a/dmidecode.te b/dmidecode.te
index aa0ef6e..02bdb68 100644
--- a/dmidecode.te
+++ b/dmidecode.te
@@ -31,4 +31,8 @@ mls_file_read_all_levels(dmidecode_t)
locallogin_use_fds(dmidecode_t)
-userdom_use_user_terminals(dmidecode_t)
+userdom_use_inherited_user_terminals(dmidecode_t)
+
+optional_policy(`
+ rhsmcertd_rw_inherited_lock_files(dmidecode_t)
+')
diff --git a/dnsmasq.fc b/dnsmasq.fc
index 23ab808..84735a8 100644
--- a/dnsmasq.fc
+++ b/dnsmasq.fc
@@ -1,13 +1,16 @@
/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t,s0)
+/etc/dnsmasq\.d(/.*)? gen_context(system_u:object_r:dnsmasq_etc_t,s0)
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+/usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
+
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
-/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+/var/log/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
-/var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if
index 19aa0b8..e34a540 100644
--- a/dnsmasq.if
+++ b/dnsmasq.if
@@ -10,7 +10,6 @@
##
##
#
-#
interface(`dnsmasq_domtrans',`
gen_require(`
type dnsmasq_exec_t, dnsmasq_t;
@@ -20,6 +19,42 @@ interface(`dnsmasq_domtrans',`
domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
')
+#######################################
+##
+## Execute dnsmasq server in the caller domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dnsmasq_exec',`
+ gen_require(`
+ type dnsmasq_exec_t;
+ ')
+
+ can_exec($1, dnsmasq_exec_t)
+')
+
+########################################
+##
+## Allow read/write dnsmasq pipes
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dnsmasq_rw_inherited_pipes',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
########################################
##
## Execute the dnsmasq init script in
@@ -42,6 +77,48 @@ interface(`dnsmasq_initrc_domtrans',`
########################################
##
+## Execute dnsmasq server in the dnsmasq domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dnsmasq_systemctl',`
+ gen_require(`
+ type dnsmasq_unit_file_t;
+ type dnsmasq_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 dnsmasq_unit_file_t:file read_file_perms;
+ allow $1 dnsmasq_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, dnsmasq_t)
+')
+
+########################################
+##
+## Send sigchld to dnsmasq.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_sigchld',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process sigchld;
+')
+
+########################################
+##
## Send generic signals to dnsmasq.
##
##
@@ -145,15 +222,16 @@ interface(`dnsmasq_write_config',`
##
##
#
-#
interface(`dnsmasq_delete_pid_files',`
gen_require(`
type dnsmasq_var_run_t;
')
+ files_search_pids($1)
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
+
########################################
##
## Create, read, write, and delete
@@ -176,7 +254,7 @@ interface(`dnsmasq_manage_pid_files',`
########################################
##
-## Read dnsmasq pid files.
+## Read dnsmasq pid files
##
##
##
@@ -184,12 +262,12 @@ interface(`dnsmasq_manage_pid_files',`
##
##
#
-#
interface(`dnsmasq_read_pid_files',`
gen_require(`
type dnsmasq_var_run_t;
')
+ files_search_pids($1)
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
@@ -214,37 +292,49 @@ interface(`dnsmasq_create_pid_dirs',`
########################################
##
-## Create specified objects in specified
-## directories with a type transition to
-## the dnsmasq pid file type.
+## Transition to dnsmasq named content
##
##
##
-## Domain allowed access.
-##
-##
-##
-##
-## Directory to transition on.
-##
-##
-##
-##
-## The object class of the object being created.
+## Domain allowed access.
##
##
-##
+##
##
-## The name of the object being created.
+## The type of the directory for the object to be created.
##
##
#
-interface(`dnsmasq_spec_filetrans_pid',`
+interface(`dnsmasq_filetrans_named_content_fromdir',`
gen_require(`
type dnsmasq_var_run_t;
')
- filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4)
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
+')
+
+#######################################
+##
+## Transition to dnsmasq named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dnsmasq_filetrans_named_content',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ type dnsmasq_var_run_t;
+ ')
+
+ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
+ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
+ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
+ files_etc_filetrans($1, dnsmasq_etc_t, file, "dnsmasq.conf")
+ files_etc_filetrans($1, dnsmasq_etc_t, dir, "dnsmasq.d")
')
########################################
@@ -267,12 +357,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
interface(`dnsmasq_admin',`
gen_require(`
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
- type dnsmasq_initrc_exec_t, dnsmasq_var_log_t;
+ type dnsmasq_var_log_t;
+ type dnsmasq_initrc_exec_t;
+ type dnsmasq_unit_file_t;
')
- allow $1 dnsmasq_t:process { ptrace signal_perms };
+ allow $1 dnsmasq_t:process signal_perms;
ps_process_pattern($1, dnsmasq_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 dnsmasq_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dnsmasq_initrc_exec_t system_r;
@@ -281,9 +377,13 @@ interface(`dnsmasq_admin',`
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
- logging_seearch_logs($1)
+ logging_search_logs($1)
admin_pattern($1, dnsmasq_var_log_t)
files_list_pids($1)
admin_pattern($1, dnsmasq_var_run_t)
+
+ dnsmasq_systemctl($1)
+ admin_pattern($1, dnsmasq_unit_file_t)
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
')
diff --git a/dnsmasq.te b/dnsmasq.te
index 37a3b7b..921056a 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
type dnsmasq_var_run_t;
files_pid_file(dnsmasq_var_run_t)
+type dnsmasq_unit_file_t;
+systemd_unit_file(dnsmasq_unit_file_t)
+
########################################
#
# Local policy
@@ -38,6 +41,7 @@ allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;
read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
@@ -52,11 +56,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
kernel_read_kernel_sysctls(dnsmasq_t)
+kernel_read_net_sysctls(dnsmasq_t)
kernel_read_network_state(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)
kernel_request_load_module(dnsmasq_t)
-corenet_all_recvfrom_unlabeled(dnsmasq_t)
+corecmd_exec_bin(dnsmasq_t)
+corecmd_exec_shell(dnsmasq_t)
+
corenet_all_recvfrom_netlabel(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
@@ -86,9 +93,9 @@ fs_search_auto_mountpoints(dnsmasq_t)
auth_use_nsswitch(dnsmasq_t)
-logging_send_syslog_msg(dnsmasq_t)
+libs_exec_ldconfig(dnsmasq_t)
-miscfiles_read_localization(dnsmasq_t)
+logging_send_syslog_msg(dnsmasq_t)
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
@@ -98,12 +105,21 @@ optional_policy(`
')
optional_policy(`
+ cron_manage_pid_files(dnsmasq_t)
+')
+
+optional_policy(`
dbus_connect_system_bus(dnsmasq_t)
dbus_system_bus_client(dnsmasq_t)
')
optional_policy(`
- networkmanager_read_pid_files(dnsmasq_t)
+ dnsmasq_domtrans(dnsmasq_t)
+')
+
+optional_policy(`
+ networkmanager_read_conf(dnsmasq_t)
+ networkmanager_manage_pid_files(dnsmasq_t)
')
optional_policy(`
@@ -124,6 +140,14 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
+ virt_read_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
')
+
+optional_policy(`
+ neutron_manage_lib_files(dnsmasq_t)
+ neutron_stream_connect(dnsmasq_t)
+ neutron_rw_fifo_file(dnsmasq_t)
+ neutron_sigchld(dnsmasq_t)
+')
diff --git a/dnssec.fc b/dnssec.fc
new file mode 100644
index 0000000..9e231a8
--- /dev/null
+++ b/dnssec.fc
@@ -0,0 +1,3 @@
+/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
+
+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
diff --git a/dnssec.if b/dnssec.if
new file mode 100644
index 0000000..a952041
--- /dev/null
+++ b/dnssec.if
@@ -0,0 +1,64 @@
+
+## policy for dnssec_trigger
+
+########################################
+##
+## Transition to dnssec_trigger.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dnssec_trigger_domtrans',`
+ gen_require(`
+ type dnssec_trigger_t, dnssec_trigger_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t)
+')
+########################################
+##
+## Read dnssec_trigger PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dnssec_trigger_read_pid_files',`
+ gen_require(`
+ type dnssec_trigger_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 dnssec_trigger_var_run_t:file read_file_perms;
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an dnssec_trigger environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dnssec_trigger_admin',`
+ gen_require(`
+ type dnssec_trigger_t;
+ type dnssec_trigger_var_run_t;
+ ')
+
+ allow $1 dnssec_trigger_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dnssec_trigger_t)
+
+ files_search_pids($1)
+ admin_pattern($1, dnssec_trigger_var_run_t)
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
index 0000000..7f715f8
--- /dev/null
+++ b/dnssec.te
@@ -0,0 +1,58 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type dnssec_trigger_t;
+type dnssec_trigger_exec_t;
+init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
+
+type dnssec_trigger_var_run_t;
+files_pid_file(dnssec_trigger_var_run_t)
+
+########################################
+#
+# dnssec_trigger local policy
+#
+allow dnssec_trigger_t self:capability linux_immutable;
+allow dnssec_trigger_t self:process signal;
+allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms;
+allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms;
+allow dnssec_trigger_t self:tcp_socket create_stream_socket_perms;
+allow dnssec_trigger_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file })
+
+kernel_read_system_state(dnssec_trigger_t)
+
+corecmd_exec_bin(dnssec_trigger_t)
+corecmd_exec_shell(dnssec_trigger_t)
+
+corenet_tcp_bind_generic_node(dnssec_trigger_t)
+corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
+corenet_tcp_connect_rndc_port(dnssec_trigger_t)
+corenet_tcp_connect_http_port(dnssec_trigger_t)
+
+dev_read_urand(dnssec_trigger_t)
+
+domain_use_interactive_fds(dnssec_trigger_t)
+
+files_read_etc_runtime_files(dnssec_trigger_t)
+
+logging_send_syslog_msg(dnssec_trigger_t)
+
+auth_read_passwd(dnssec_trigger_t)
+
+sysnet_dns_name_resolve(dnssec_trigger_t)
+sysnet_manage_config(dnssec_trigger_t)
+
+optional_policy(`
+ bind_read_config(dnssec_trigger_t)
+ bind_read_dnssec_keys(dnssec_trigger_t)
+')
+
+
diff --git a/dnssectrigger.te b/dnssectrigger.te
index c7bb4e7..e6fe2f40 100644
--- a/dnssectrigger.te
+++ b/dnssectrigger.te
@@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t)
logging_send_syslog_msg(dnssec_triggerd_t)
-miscfiles_read_localization(dnssec_triggerd_t)
-
sysnet_dns_name_resolve(dnssec_triggerd_t)
sysnet_manage_config(dnssec_triggerd_t)
sysnet_etc_filetrans_config(dnssec_triggerd_t)
diff --git a/docker.fc b/docker.fc
new file mode 100644
index 0000000..484dd44
--- /dev/null
+++ b/docker.fc
@@ -0,0 +1,12 @@
+/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0)
+
+/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
+
+/var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0)
+
+/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0)
+/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0)
+
+/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0)
+
+/usr/lib/lxc/rootfs gen_context(system_u:object_r:mnt_t,s0)
\ No newline at end of file
diff --git a/docker.if b/docker.if
new file mode 100644
index 0000000..d856375
--- /dev/null
+++ b/docker.if
@@ -0,0 +1,196 @@
+
+## The open-source application container engine.
+
+########################################
+##
+## Execute docker in the docker domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`docker_domtrans',`
+ gen_require(`
+ type docker_t, docker_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, docker_exec_t, docker_t)
+')
+
+########################################
+##
+## Search docker lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`docker_search_lib',`
+ gen_require(`
+ type docker_var_lib_t;
+ ')
+
+ allow $1 docker_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read docker lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`docker_read_lib_files',`
+ gen_require(`
+ type docker_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
+')
+
+########################################
+##
+## Manage docker lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`docker_manage_lib_files',`
+ gen_require(`
+ type docker_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
+')
+
+########################################
+##
+## Manage docker lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`docker_manage_lib_dirs',`
+ gen_require(`
+ type docker_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
+')
+
+########################################
+##
+## Read docker PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`docker_read_pid_files',`
+ gen_require(`
+ type docker_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, docker_var_run_t, docker_var_run_t)
+')
+
+########################################
+##
+## Execute docker server in the docker domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`docker_systemctl',`
+ gen_require(`
+ type docker_t;
+ type docker_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 docker_unit_file_t:file read_file_perms;
+ allow $1 docker_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, docker_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an docker environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`docker_admin',`
+ gen_require(`
+ type docker_t;
+ type docker_var_lib_t, docker_var_run_t;
+ type docker_unit_file_t;
+ ')
+
+ allow $1 docker_t:process { ptrace signal_perms };
+ ps_process_pattern($1, docker_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, docker_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, docker_var_run_t)
+
+ docker_systemctl($1)
+ admin_pattern($1, docker_unit_file_t)
+ allow $1 docker_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
+########################################
+##
+## Read and write docker shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`docker_rw_sem',`
+ gen_require(`
+ type docker_t;
+ ')
+
+ allow $1 docker_t:sem rw_sem_perms;
+')
diff --git a/docker.te b/docker.te
new file mode 100644
index 0000000..f156949
--- /dev/null
+++ b/docker.te
@@ -0,0 +1,145 @@
+policy_module(docker, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type docker_t;
+type docker_exec_t;
+init_daemon_domain(docker_t, docker_exec_t)
+
+type docker_var_lib_t;
+files_type(docker_var_lib_t)
+
+type docker_log_t;
+logging_log_file(docker_log_t)
+
+type docker_tmp_t;
+files_tmp_file(docker_tmp_t)
+
+type docker_var_run_t;
+files_pid_file(docker_var_run_t)
+
+type docker_unit_file_t;
+systemd_unit_file(docker_unit_file_t)
+
+########################################
+#
+# docker local policy
+#
+allow docker_t self:capability { chown fowner fsetid mknod net_admin };
+allow docker_t self:process signal_perms;
+allow docker_t self:fifo_file rw_fifo_file_perms;
+allow docker_t self:unix_stream_socket create_stream_socket_perms;
+allow docker_t self:capability2 block_suspend;
+
+manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
+manage_files_pattern(docker_t, docker_log_t, docker_log_t)
+manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
+logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file })
+
+manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t)
+manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
+manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
+files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t)
+manage_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
+manage_sock_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
+manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
+files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })
+
+kernel_read_system_state(docker_t)
+kernel_read_network_state(docker_t)
+kernel_read_all_sysctls(docker_t)
+
+domain_use_interactive_fds(docker_t)
+
+corecmd_exec_bin(docker_t)
+corecmd_exec_shell(docker_t)
+
+corenet_tcp_bind_generic_node(docker_t)
+
+files_read_etc_files(docker_t)
+
+fs_read_cgroup_files(docker_t)
+
+auth_use_nsswitch(docker_t)
+
+miscfiles_read_localization(docker_t)
+
+mount_domtrans(docker_t)
+
+sysnet_dns_name_resolve(docker_t)
+sysnet_exec_ifconfig(docker_t)
+
+optional_policy(`
+ fstools_domtrans(docker_t)
+')
+
+optional_policy(`
+ iptables_domtrans(docker_t)
+')
+
+#
+# lxc rules
+#
+
+allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
+allow docker_t self:process { setpgid setsched signal_perms };
+allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;
+allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
+allow docker_t self:unix_dgram_socket create_socket_perms;
+allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow docker_t docker_var_lib_t:dir mounton;
+allow docker_t docker_var_lib_t:chr_file mounton;
+can_exec(docker_t, docker_var_lib_t)
+
+kernel_setsched(docker_t)
+kernel_get_sysvipc_info(docker_t)
+
+dev_getattr_all_blk_files(docker_t)
+dev_getattr_sysfs_fs(docker_t)
+dev_read_urand(docker_t)
+dev_read_lvm_control(docker_t)
+dev_read_sysfs(docker_t)
+dev_rw_lvm_control(docker_t)
+
+files_manage_isid_type_dirs(docker_t)
+files_manage_isid_type_files(docker_t)
+files_manage_isid_type_symlinks(docker_t)
+files_manage_isid_type_chr_files(docker_t)
+files_exec_isid_files(docker_t)
+files_mounton_isid(docker_t)
+files_mounton_non_security(docker_t)
+
+fs_mount_all_fs(docker_t)
+fs_unmount_all_fs(docker_t)
+fs_remount_all_fs(docker_t)
+fs_manage_cgroup_dirs(docker_t)
+fs_manage_cgroup_files(docker_t)
+
+term_use_generic_ptys(docker_t)
+term_use_ptmx(docker_t)
+term_getattr_pty_fs(docker_t)
+
+modutils_domtrans_insmod(docker_t)
+
+optional_policy(`
+ udev_read_db(docker_t)
+')
+
+optional_policy(`
+ virt_read_config(docker_t)
+ virt_exec(docker_t)
+')
+
diff --git a/dovecot.fc b/dovecot.fc
index c880070..4448055 100644
--- a/dovecot.fc
+++ b/dovecot.fc
@@ -1,36 +1,48 @@
-/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
-/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
-
-/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+#
+# /etc
+#
+/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
-/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+# Debian uses /etc/dovecot/
+ifdef(`distro_debian',`
+/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+')
-/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
-/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+#
+# /usr
+#
+/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
-/etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
-/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+ifdef(`distro_debian', `
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+')
-/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+ifdef(`distro_redhat', `
+/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+')
-/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
-/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+#
+# /var
+#
+/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
-/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
-/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
-/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --git a/dovecot.if b/dovecot.if
index d5badb7..b093baa 100644
--- a/dovecot.if
+++ b/dovecot.if
@@ -1,29 +1,49 @@
-## POP and IMAP mail server.
+## Dovecot POP and IMAP mail server
+
+######################################
+##
+## Creates types and rules for a basic
+## dovecot daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`dovecot_basic_types_template',`
+ gen_require(`
+ attribute dovecot_domain;
+ ')
+
+ type $1_t, dovecot_domain;
+ type $1_exec_t;
+
+ kernel_read_system_state($1_t)
+')
#######################################
##
-## Connect to dovecot using a unix
-## domain stream socket.
+## Connect to dovecot unix domain stream socket.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`dovecot_stream_connect',`
- gen_require(`
- type dovecot_t, dovecot_var_run_t;
- ')
+ gen_require(`
+ type dovecot_t, dovecot_var_run_t;
+ ')
- files_search_pids($1)
- stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
+ files_search_pids($1)
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
')
########################################
##
-## Connect to dovecot using a unix
-## domain stream socket.
+## Connect to dovecot auth unix domain stream socket.
##
##
##
@@ -43,8 +63,7 @@ interface(`dovecot_stream_connect_auth',`
########################################
##
-## Execute dovecot_deliver in the
-## dovecot_deliver domain.
+## Execute dovecot_deliver in the dovecot_deliver domain.
##
##
##
@@ -57,14 +76,12 @@ interface(`dovecot_domtrans_deliver',`
type dovecot_deliver_t, dovecot_deliver_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
')
########################################
##
-## Create, read, write, and delete
-## dovecot spool files.
+## Create, read, write, and delete the dovecot spool files.
##
##
##
@@ -78,15 +95,13 @@ interface(`dovecot_manage_spool',`
')
files_search_spool($1)
- allow $1 dovecot_spool_t:dir manage_dir_perms;
- allow $1 dovecot_spool_t:file manage_file_perms;
- allow $1 dovecot_spool_t:lnk_file manage_lnk_file_perms;
+ manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+ manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
')
########################################
##
-## Do not audit attempts to delete
-## dovecot lib files.
+## Do not audit attempts to delete dovecot lib files.
##
##
##
@@ -99,12 +114,13 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
type dovecot_var_lib_t;
')
- dontaudit $1 dovecot_var_lib_t:file delete_file_perms;
+ dontaudit $1 dovecot_var_lib_t:file unlink;
')
######################################
##
-## Write inherited dovecot tmp files.
+## Allow attempts to write inherited
+## dovecot tmp files.
##
##
##
@@ -122,8 +138,8 @@ interface(`dovecot_write_inherited_tmp_files',`
########################################
##
-## All of the rules required to
-## administrate an dovecot environment.
+## All of the rules required to administrate
+## an dovecot environment
##
##
##
@@ -132,7 +148,7 @@ interface(`dovecot_write_inherited_tmp_files',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the dovecot domain.
##
##
##
@@ -146,9 +162,13 @@ interface(`dovecot_admin',`
type dovecot_keytab_t;
')
- allow $1 dovecot_t:process { ptrace signal_perms };
+ allow $1 dovecot_t:process signal_perms;
ps_process_pattern($1, dovecot_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 dovecot_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dovecot_initrc_exec_t system_r;
@@ -157,20 +177,25 @@ interface(`dovecot_admin',`
files_list_etc($1)
admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
- logging_list_logs($1)
- admin_pattern($1, dovecot_var_log_t)
+ files_list_tmp($1)
+ admin_pattern($1, dovecot_auth_tmp_t)
+ admin_pattern($1, dovecot_tmp_t)
+
+ admin_pattern($1, dovecot_keytab_t)
files_list_spool($1)
admin_pattern($1, dovecot_spool_t)
- files_search_tmp($1)
- admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t })
-
files_list_var_lib($1)
admin_pattern($1, dovecot_var_lib_t)
+ logging_search_logs($1)
+ admin_pattern($1, dovecot_var_log_t)
+
files_list_pids($1)
admin_pattern($1, dovecot_var_run_t)
- admin_pattern($1, { dovecot_cert_t dovecot_passwd_t })
+ admin_pattern($1, dovecot_cert_t)
+
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
index 0aabc7e..71459e8 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
attribute dovecot_domain;
-type dovecot_t, dovecot_domain;
-type dovecot_exec_t;
+dovecot_basic_types_template(dovecot)
init_daemon_domain(dovecot_t, dovecot_exec_t)
-type dovecot_auth_t, dovecot_domain;
-type dovecot_auth_exec_t;
+dovecot_basic_types_template(dovecot_auth)
domain_type(dovecot_auth_t)
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -23,8 +21,7 @@ files_tmp_file(dovecot_auth_tmp_t)
type dovecot_cert_t;
miscfiles_cert_type(dovecot_cert_t)
-type dovecot_deliver_t, dovecot_domain;
-type dovecot_deliver_exec_t;
+dovecot_basic_types_template(dovecot_deliver)
domain_type(dovecot_deliver_t)
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
role system_r types dovecot_deliver_t;
@@ -45,11 +42,12 @@ type dovecot_passwd_t;
files_type(dovecot_passwd_t)
type dovecot_spool_t;
-files_type(dovecot_spool_t)
+files_spool_file(dovecot_spool_t)
type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)
+# /var/lib/dovecot holds SSL parameters file
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)
@@ -59,20 +57,18 @@ logging_log_file(dovecot_var_log_t)
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
-########################################
+#######################################
#
-# Common local policy
+# dovecot domain local policy
#
allow dovecot_domain self:capability2 block_suspend;
-allow dovecot_domain self:fifo_file rw_fifo_file_perms;
-allow dovecot_domain dovecot_etc_t:dir list_dir_perms;
-allow dovecot_domain dovecot_etc_t:file read_file_perms;
-allow dovecot_domain dovecot_etc_t:lnk_file read_lnk_file_perms;
+allow dovecot_domain self:unix_dgram_socket create_socket_perms;
+allow dovecot_domain self:fifo_file rw_fifo_file_perms;
kernel_read_all_sysctls(dovecot_domain)
-kernel_read_system_state(dovecot_domain)
+kernel_read_network_state(dovecot_domain)
corecmd_exec_bin(dovecot_domain)
corecmd_exec_shell(dovecot_domain)
@@ -81,26 +77,34 @@ dev_read_sysfs(dovecot_domain)
dev_read_rand(dovecot_domain)
dev_read_urand(dovecot_domain)
+# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_domain)
-logging_send_syslog_msg(dovecot_domain)
-
-miscfiles_read_localization(dovecot_domain)
-
########################################
#
-# Local policy
+# dovecot local policy
#
-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
-allow dovecot_t self:tcp_socket { accept listen };
-allow dovecot_t self:unix_stream_socket { accept connectto listen };
+allow dovecot_t self:tcp_socket create_stream_socket_perms;
+allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+
+allow dovecot_t dovecot_auth_t:process signal;
allow dovecot_t dovecot_cert_t:dir list_dir_perms;
-allow dovecot_t dovecot_cert_t:file read_file_perms;
-allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
+read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+
+allow dovecot_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+files_search_etc(dovecot_t)
+
+can_exec(dovecot_t, dovecot_exec_t)
allow dovecot_t dovecot_keytab_t:file read_file_perms;
@@ -108,12 +112,13 @@ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
+# Allow dovecot to create and read SSL parameters file
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
+files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@@ -125,45 +130,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
-
-can_exec(dovecot_t, dovecot_exec_t)
-
-allow dovecot_t dovecot_auth_t:process signal;
-
-domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file })
-corenet_all_recvfrom_unlabeled(dovecot_t)
corenet_all_recvfrom_netlabel(dovecot_t)
corenet_tcp_sendrecv_generic_if(dovecot_t)
corenet_tcp_sendrecv_generic_node(dovecot_t)
corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_generic_node(dovecot_t)
-
-corenet_sendrecv_mail_server_packets(dovecot_t)
corenet_tcp_bind_mail_port(dovecot_t)
-corenet_sendrecv_pop_server_packets(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
-corenet_sendrecv_sieve_server_packets(dovecot_t)
+corenet_tcp_bind_lmtp_port(dovecot_t)
corenet_tcp_bind_sieve_port(dovecot_t)
-
-corenet_sendrecv_all_client_packets(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
+corenet_sendrecv_pop_server_packets(dovecot_t)
+corenet_sendrecv_all_client_packets(dovecot_t)
+
+fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
+fs_search_auto_mountpoints(dovecot_t)
+fs_list_inotifyfs(dovecot_t)
domain_use_interactive_fds(dovecot_t)
-files_read_var_lib_files(dovecot_t)
-files_read_var_symlinks(dovecot_t)
files_search_spool(dovecot_t)
+files_search_tmp(dovecot_t)
files_dontaudit_list_default(dovecot_t)
files_dontaudit_search_all_dirs(dovecot_t)
files_search_all_mountpoints(dovecot_t)
-
-fs_getattr_all_fs(dovecot_t)
-fs_getattr_all_dirs(dovecot_t)
-fs_search_auto_mountpoints(dovecot_t)
-fs_list_inotifyfs(dovecot_t)
+files_read_var_lib_files(dovecot_t)
init_getattr_utmp(dovecot_t)
@@ -171,45 +166,44 @@ auth_use_nsswitch(dovecot_t)
miscfiles_read_generic_certs(dovecot_t)
-userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_use_user_terminals(dovecot_t)
+logging_send_syslog_msg(dovecot_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(dovecot_t)
- fs_manage_nfs_files(dovecot_t)
- fs_manage_nfs_symlinks(dovecot_t)
-')
+userdom_home_manager(dovecot_t)
+userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_manage_user_home_content_dirs(dovecot_t)
+userdom_manage_user_home_content_files(dovecot_t)
+userdom_manage_user_home_content_symlinks(dovecot_t)
+userdom_manage_user_home_content_pipes(dovecot_t)
+userdom_manage_user_home_content_sockets(dovecot_t)
+userdom_filetrans_home_content(dovecot_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(dovecot_t)
- fs_manage_cifs_files(dovecot_t)
- fs_manage_cifs_symlinks(dovecot_t)
+optional_policy(`
+ mta_manage_home_rw(dovecot_t)
+ mta_manage_spool(dovecot_t)
')
optional_policy(`
kerberos_manage_host_rcache(dovecot_t)
kerberos_read_keytab(dovecot_t)
- kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
+ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
kerberos_use(dovecot_t)
')
optional_policy(`
- mta_manage_spool(dovecot_t)
- mta_manage_mail_home_rw_content(dovecot_t)
- mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
- mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
+ gnome_manage_data(dovecot_t)
')
optional_policy(`
- postgresql_stream_connect(dovecot_t)
+ postfix_manage_private_sockets(dovecot_t)
+ postfix_search_spool(dovecot_t)
')
optional_policy(`
- postfix_manage_private_sockets(dovecot_t)
- postfix_search_spool(dovecot_t)
+ postgresql_stream_connect(dovecot_t)
')
optional_policy(`
+ # Handle sieve scripts
sendmail_domtrans(dovecot_t)
')
@@ -227,46 +221,65 @@ optional_policy(`
########################################
#
-# Auth local policy
+# dovecot auth local policy
#
allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
-allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };
+allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+
+manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_stream_connect_auth(dovecot_auth_t)
-allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+corecmd_exec_bin(dovecot_auth_t)
-files_search_pids(dovecot_auth_t)
-files_read_usr_files(dovecot_auth_t)
-files_read_var_lib_files(dovecot_auth_t)
+logging_send_audit_msgs(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
auth_use_nsswitch(dovecot_auth_t)
-init_rw_utmp(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
-logging_send_audit_msgs(dovecot_auth_t)
+files_search_pids(dovecot_auth_t)
+files_read_usr_symlinks(dovecot_auth_t)
+files_read_var_lib_files(dovecot_auth_t)
+files_search_tmp(dovecot_auth_t)
-seutil_dontaudit_search_config(dovecot_auth_t)
+fs_getattr_xattr_fs(dovecot_auth_t)
+
+init_rw_utmp(dovecot_auth_t)
sysnet_use_ldap(dovecot_auth_t)
+systemd_login_read_pid_files(dovecot_auth_t)
+
+userdom_getattr_user_home_dirs(dovecot_auth_t)
+
optional_policy(`
+ kerberos_use(dovecot_auth_t)
+
+ # for gssapi (kerberos)
userdom_list_user_tmp(dovecot_auth_t)
userdom_read_user_tmp_files(dovecot_auth_t)
userdom_read_user_tmp_symlinks(dovecot_auth_t)
')
optional_policy(`
+ mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
@@ -277,53 +290,79 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_bus_client(dovecot_auth_t)
+ optional_policy(`
+ oddjob_dbus_chat(dovecot_auth_t)
+ oddjob_domtrans_mkhomedir(dovecot_auth_t)
+ ')
+')
+
+optional_policy(`
postfix_manage_private_sockets(dovecot_auth_t)
+ postfix_rw_inherited_master_pipes(dovecot_deliver_t)
postfix_search_spool(dovecot_auth_t)
')
########################################
#
-# Deliver local policy
+# dovecot deliver local policy
#
+allow dovecot_deliver_t dovecot_t:process signull;
+
+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
-append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_dirs_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_deliver_t, dovecot_var_log_t, { file dir })
manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-allow dovecot_deliver_t dovecot_var_run_t:file read_file_perms;
-allow dovecot_deliver_t dovecot_var_run_t:sock_file read_sock_file_perms;
-
-stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t })
+read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_stream_connect(dovecot_deliver_t)
can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
-allow dovecot_deliver_t dovecot_t:process signull;
+auth_use_nsswitch(dovecot_deliver_t)
-fs_getattr_all_fs(dovecot_deliver_t)
+logging_append_all_logs(dovecot_deliver_t)
+logging_send_syslog_msg(dovecot_deliver_t)
-auth_use_nsswitch(dovecot_deliver_t)
+dovecot_stream_connect_auth(dovecot_deliver_t)
-logging_search_logs(dovecot_deliver_t)
+files_search_tmp(dovecot_deliver_t)
+files_dontaudit_getattr_all_dirs(dovecot_deliver_t)
+files_search_all_mountpoints(dovecot_deliver_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(dovecot_deliver_t)
- fs_manage_nfs_files(dovecot_deliver_t)
- fs_manage_nfs_symlinks(dovecot_deliver_t)
-')
+fs_getattr_all_fs(dovecot_deliver_t)
+fs_dontaudit_getattr_all_fs(dovecot_deliver_t)
+fs_dontaudit_getattr_all_dirs(dovecot_deliver_t)
+fs_dontaudit_search_cgroup_dirs(dovecot_deliver_t)
+
+userdom_manage_user_home_content_dirs(dovecot_deliver_t)
+userdom_manage_user_home_content_files(dovecot_deliver_t)
+userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
+userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+userdom_manage_user_home_content_sockets(dovecot_deliver_t)
+userdom_filetrans_home_content(dovecot_deliver_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(dovecot_deliver_t)
- fs_manage_cifs_files(dovecot_deliver_t)
- fs_manage_cifs_symlinks(dovecot_deliver_t)
+userdom_home_manager(dovecot_deliver_t)
+
+optional_policy(`
+ gnome_manage_data(dovecot_deliver_t)
')
optional_policy(`
mta_mailserver_delivery(dovecot_deliver_t)
+ mta_manage_spool(dovecot_deliver_t)
mta_read_queue(dovecot_deliver_t)
')
@@ -332,5 +371,6 @@ optional_policy(`
')
optional_policy(`
+ # Handle sieve scripts
sendmail_domtrans(dovecot_deliver_t)
')
diff --git a/drbd.if b/drbd.if
index 9a21639..26c5986 100644
--- a/drbd.if
+++ b/drbd.if
@@ -2,12 +2,11 @@
########################################
##
-## Execute a domain transition to
-## run drbd.
+## Execute a domain transition to run drbd.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
@@ -16,14 +15,91 @@ interface(`drbd_domtrans',`
type drbd_t, drbd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, drbd_exec_t, drbd_t)
')
########################################
##
-## All of the rules required to
-## administrate an drbd environment.
+## Search drbd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`drbd_search_lib',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ allow $1 drbd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read drbd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`drbd_read_lib_files',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## drbd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`drbd_manage_lib_files',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+##
+## Manage drbd lib dirs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`drbd_manage_lib_dirs',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an drbd environment
##
##
##
@@ -35,7 +111,6 @@ interface(`drbd_domtrans',`
## Role allowed access.
##
##
-##
#
interface(`drbd_admin',`
gen_require(`
@@ -43,9 +118,13 @@ interface(`drbd_admin',`
type drbd_var_lib_t;
')
- allow $1 drbd_t:process { ptrace signal_perms };
+ allow $1 drbd_t:process signal_perms;
ps_process_pattern($1, drbd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 drbd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, drbd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 drbd_initrc_exec_t system_r;
@@ -57,3 +136,4 @@ interface(`drbd_admin',`
files_search_var_lib($1)
admin_pattern($1, drbd_var_lib_t)
')
+
diff --git a/drbd.te b/drbd.te
index f2516cc..8975946 100644
--- a/drbd.te
+++ b/drbd.te
@@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config;
allow drbd_t self:fifo_file rw_fifo_file_perms;
allow drbd_t self:unix_stream_socket create_stream_socket_perms;
allow drbd_t self:netlink_socket create_socket_perms;
-allow drbd_t self:netlink_route_socket nlmsg_write;
+allow drbd_t self:netlink_route_socket rw_netlink_socket_perms;
manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
@@ -46,10 +46,6 @@ dev_read_rand(drbd_t)
dev_read_sysfs(drbd_t)
dev_read_urand(drbd_t)
-files_read_etc_files(drbd_t)
-
storage_raw_read_fixed_disk(drbd_t)
-miscfiles_read_localization(drbd_t)
-
sysnet_dns_name_resolve(drbd_t)
diff --git a/dspam.fc b/dspam.fc
index 5eddac5..3ea0423 100644
--- a/dspam.fc
+++ b/dspam.fc
@@ -5,8 +5,13 @@
/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
/var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0)
-/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
/var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0)
/var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0)
+
+# web
+/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
+/var/www/dspam(/.*?) gen_context(system_u:object_r:httpd_dspam_content_t,s0)
+
+/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
diff --git a/dspam.if b/dspam.if
index 18f2452..a446210 100644
--- a/dspam.if
+++ b/dspam.if
@@ -1,13 +1,15 @@
-## Content-based spam filter designed for multi-user enterprise systems.
+
+## policy for dspam
+
########################################
##
## Execute a domain transition to run dspam.
##
##
-##
+##
## Domain allowed access.
-##
+##
##
#
interface(`dspam_domtrans',`
@@ -15,35 +17,211 @@ interface(`dspam_domtrans',`
type dspam_t, dspam_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, dspam_exec_t, dspam_t)
')
-#######################################
+
+########################################
##
-## Connect to dspam using a unix
-## domain stream socket.
+## Execute dspam server in the dspam domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`dspam_initrc_domtrans',`
+ gen_require(`
+ type dspam_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+')
+
+########################################
+##
+## Allow the specified domain to read dspam's log files.
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`dspam_stream_connect',`
+interface(`dspam_read_log',`
+ gen_require(`
+ type dspam_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+##
+## Allow the specified domain to append
+## dspam log files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dspam_append_log',`
+ gen_require(`
+ type dspam_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+##
+## Allow domain to manage dspam log files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dspam_manage_log',`
+ gen_require(`
+ type dspam_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, dspam_log_t, dspam_log_t)
+ manage_files_pattern($1, dspam_log_t, dspam_log_t)
+ manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+##
+## Search dspam lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dspam_search_lib',`
+ gen_require(`
+ type dspam_var_lib_t;
+ ')
+
+ allow $1 dspam_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read dspam lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dspam_read_lib_files',`
+ gen_require(`
+ type dspam_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## dspam lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dspam_manage_lib_files',`
+ gen_require(`
+ type dspam_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+########################################
+##
+## Manage dspam lib dirs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dspam_manage_lib_dirs',`
gen_require(`
- type dspam_t, dspam_var_run_t, dspam_tmp_t;
+ type dspam_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+
+########################################
+##
+## Read dspam PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dspam_read_pid_files',`
+ gen_require(`
+ type dspam_var_run_t;
')
files_search_pids($1)
+ allow $1 dspam_var_run_t:file read_file_perms;
+')
+
+#######################################
+##
+## Connect to DSPAM using a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dspam_stream_connect',`
+ gen_require(`
+ type dspam_t, dspam_var_run_t, dspam_tmp_t;
+ ')
+
+ files_search_pids($1)
files_search_tmp($1)
- stream_connect_pattern($1, { dspam_tmp_t dspam_var_run_t }, { dspam_tmp_t dspam_var_run_t }, dspam_t)
+ stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
+ stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t)
')
########################################
##
-## All of the rules required to
-## administrate an dspam environment.
+## All of the rules required to administrate
+## an dspam environment
##
##
##
@@ -59,14 +237,20 @@ interface(`dspam_stream_connect',`
#
interface(`dspam_admin',`
gen_require(`
- type dspam_t, dspam_initrc_exec_t, dspam_log_t;
- type dspam_var_lib_t, dspam_var_run_t;
+ type dspam_t;
+ type dspam_initrc_exec_t;
+ type dspam_log_t;
+ type dspam_var_lib_t;
+ type dspam_var_run_t;
')
- allow $1 dspam_t:process { ptrace signal_perms };
+ allow $1 dspam_t:process signal_perms;
ps_process_pattern($1, dspam_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 dspam_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+ dspam_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 dspam_initrc_exec_t system_r;
allow $2 system_r;
@@ -79,4 +263,5 @@ interface(`dspam_admin',`
files_search_pids($1)
admin_pattern($1, dspam_var_run_t)
+
')
diff --git a/dspam.te b/dspam.te
index ef62363..37c844b 100644
--- a/dspam.te
+++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
allow dspam_t self:capability net_admin;
allow dspam_t self:process signal;
+
+allow dspam_t self:tcp_socket { listen accept };
+
allow dspam_t self:fifo_file rw_fifo_file_perms;
allow dspam_t self:unix_stream_socket { accept listen };
@@ -57,6 +60,12 @@ corenet_sendrecv_spamd_server_packets(dspam_t)
corenet_tcp_bind_spamd_port(dspam_t)
corenet_tcp_connect_spamd_port(dspam_t)
corenet_tcp_sendrecv_spamd_port(dspam_t)
+corenet_tcp_bind_lmtp_port(dspam_t)
+corenet_tcp_connect_lmtp_port(dspam_t)
+
+kernel_read_system_state(dspam_t)
+
+corecmd_exec_shell(dspam_t)
files_search_spool(dspam_t)
@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t)
logging_send_syslog_msg(dspam_t)
-miscfiles_read_localization(dspam_t)
-
optional_policy(`
apache_content_template(dspam)
+ read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
+
+ files_search_var_lib(httpd_dspam_script_t)
list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
- manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
- manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
+ manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
+ manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
+
+ domain_dontaudit_read_all_domains_state(httpd_dspam_script_t)
+
+ term_dontaudit_search_ptys(httpd_dspam_script_t)
+ term_dontaudit_getattr_all_ttys(httpd_dspam_script_t)
+ term_dontaudit_getattr_all_ptys(httpd_dspam_script_t)
+
+ init_read_utmp(httpd_dspam_script_t)
+
+ logging_send_syslog_msg(httpd_dspam_script_t)
+
+ mta_send_mail(httpd_dspam_script_t)
+
+ optional_policy(`
+ mysql_tcp_connect(httpd_dspam_script_t)
+ mysql_stream_connect(httpd_dspam_script_t)
+ ')
')
optional_policy(`
@@ -87,3 +114,12 @@ optional_policy(`
postgresql_tcp_connect(dspam_t)
')
+
+optional_policy(`
+ postfix_rw_inherited_master_pipes(dspam_t)
+ postfix_list_spool(dspam_t)
+')
+
+optional_policy(`
+ procmail_domtrans(dspam_t)
+')
diff --git a/entropyd.te b/entropyd.te
index b8b8328..4608c0c 100644
--- a/entropyd.te
+++ b/entropyd.te
@@ -45,9 +45,6 @@ dev_write_urand(entropyd_t)
dev_read_rand(entropyd_t)
dev_write_rand(entropyd_t)
-files_read_etc_files(entropyd_t)
-files_read_usr_files(entropyd_t)
-
fs_getattr_all_fs(entropyd_t)
fs_search_auto_mountpoints(entropyd_t)
@@ -55,7 +52,7 @@ domain_use_interactive_fds(entropyd_t)
logging_send_syslog_msg(entropyd_t)
-miscfiles_read_localization(entropyd_t)
+auth_use_nsswitch(entropyd_t)
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
userdom_dontaudit_search_user_home_dirs(entropyd_t)
diff --git a/evolution.fc b/evolution.fc
index 597f305..8520653 100644
--- a/evolution.fc
+++ b/evolution.fc
@@ -1,5 +1,6 @@
HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.cache/evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
diff --git a/evolution.te b/evolution.te
index c99e07c..ab9dd9f 100644
--- a/evolution.te
+++ b/evolution.te
@@ -168,7 +168,6 @@ dev_read_urand(evolution_t)
domain_dontaudit_read_all_domains_state(evolution_t)
-files_read_usr_files(evolution_t)
fs_search_auto_mountpoints(evolution_t)
@@ -187,7 +186,7 @@ userdom_manage_user_tmp_files(evolution_t)
userdom_manage_user_home_content_dirs(evolution_t)
userdom_manage_user_home_content_files(evolution_t)
-userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
+userdom_filetrans_home_content(evolution_t)
userdom_write_user_tmp_sockets(evolution_t)
@@ -286,7 +285,6 @@ stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolutio
dev_read_urand(evolution_alarm_t)
-files_read_usr_files(evolution_alarm_t)
fs_search_auto_mountpoints(evolution_alarm_t)
@@ -354,7 +352,6 @@ corecmd_exec_bin(evolution_exchange_t)
dev_read_urand(evolution_exchange_t)
-files_read_usr_files(evolution_exchange_t)
fs_search_auto_mountpoints(evolution_exchange_t)
@@ -423,7 +420,6 @@ corenet_tcp_connect_http_port(evolution_server_t)
dev_read_urand(evolution_server_t)
-files_read_usr_files(evolution_server_t)
fs_search_auto_mountpoints(evolution_server_t)
diff --git a/exim.if b/exim.if
index 9bbc690..4a8d053 100644
--- a/exim.if
+++ b/exim.if
@@ -21,35 +21,51 @@ interface(`exim_domtrans',`
########################################
##
-## Execute exim in the exim domain,
-## and allow the specified role
-## the exim domain.
+## Execute the mailman program in the mailman domain.
##
##
-##
-## Domain allowed to transition.
-##
+##
+## Domain allowed to transition.
+##
##
##
-##
-## Role allowed access.
-##
+##
+## The role to allow the mailman domain.
+##
##
##
#
interface(`exim_run',`
+ gen_require(`
+ type exim_t;
+ ')
+
+ exim_domtrans($1)
+ role $2 types exim_t;
+')
+
+########################################
+##
+## Execute exim in the exim domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`exim_initrc_domtrans',`
gen_require(`
- attribute_role exim_roles;
+ type exim_initrc_exec_t;
')
- exim_domtrans($1)
- roleattribute $2 exim_roles;
+ init_labeled_script_domtrans($1, exim_initrc_exec_t)
')
########################################
##
-## Do not audit attempts to read exim
-## temporary tmp files.
+## Do not audit attempts to read,
+## exim tmp files
##
##
##
@@ -67,7 +83,7 @@ interface(`exim_dontaudit_read_tmp_files',`
########################################
##
-## Read exim temporary files.
+## Allow domain to read, exim tmp files
##
##
##
@@ -86,7 +102,7 @@ interface(`exim_read_tmp_files',`
########################################
##
-## Read exim pid files.
+## Read exim PID files.
##
##
##
@@ -105,7 +121,7 @@ interface(`exim_read_pid_files',`
########################################
##
-## Read exim log files.
+## Allow the specified domain to read exim's log files.
##
##
##
@@ -125,7 +141,8 @@ interface(`exim_read_log',`
########################################
##
-## Append exim log files.
+## Allow the specified domain to append
+## exim log files.
##
##
##
@@ -144,8 +161,7 @@ interface(`exim_append_log',`
########################################
##
-## Create, read, write, and delete
-## exim log files.
+## Allow the specified domain to manage exim's log files.
##
##
##
@@ -166,7 +182,7 @@ interface(`exim_manage_log',`
########################################
##
## Create, read, write, and delete
-## exim spool directories.
+## exim spool dirs.
##
##
##
@@ -276,7 +292,6 @@ interface(`exim_manage_var_lib_files',`
## Role allowed access.
##
##
-##
#
interface(`exim_admin',`
gen_require(`
@@ -285,10 +300,14 @@ interface(`exim_admin',`
type exim_keytab_t;
')
- allow $1 exim_t:process { ptrace signal_perms };
+ allow $1 exim_t:process signal_perms;
ps_process_pattern($1, exim_t)
- init_labeled_script_domtrans($1, exim_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 exim_t:process ptrace;
+ ')
+
+ exim_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 exim_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/exim.te b/exim.te
index 4086c51..28105d6 100644
--- a/exim.te
+++ b/exim.te
@@ -55,7 +55,7 @@ type exim_log_t;
logging_log_file(exim_log_t)
type exim_spool_t;
-files_type(exim_spool_t)
+files_spool_file(exim_spool_t)
type exim_tmp_t;
files_tmp_file(exim_tmp_t)
@@ -105,11 +105,10 @@ can_exec(exim_t, exim_exec_t)
kernel_read_crypto_sysctls(exim_t)
kernel_read_kernel_sysctls(exim_t)
kernel_read_network_state(exim_t)
-kernel_dontaudit_read_system_state(exim_t)
+kernel_read_system_state(exim_t)
corecmd_search_bin(exim_t)
-corenet_all_recvfrom_unlabeled(exim_t)
corenet_all_recvfrom_netlabel(exim_t)
corenet_tcp_sendrecv_generic_if(exim_t)
corenet_udp_sendrecv_generic_if(exim_t)
@@ -154,7 +153,6 @@ auth_use_nsswitch(exim_t)
logging_send_syslog_msg(exim_t)
-miscfiles_read_localization(exim_t)
miscfiles_read_generic_certs(exim_t)
userdom_dontaudit_search_user_home_dirs(exim_t)
@@ -170,9 +168,9 @@ tunable_policy(`exim_can_connect_db',`
corenet_sendrecv_mssql_client_packets(exim_t)
corenet_tcp_connect_mssql_port(exim_t)
corenet_tcp_sendrecv_mssql_port(exim_t)
- corenet_sendrecv_oracledb_client_packets(exim_t)
- corenet_tcp_connect_oracledb_port(exim_t)
- corenet_tcp_sendrecv_oracledb_port(exim_t)
+ corenet_sendrecv_oracle_client_packets(exim_t)
+ corenet_tcp_connect_oracle_port(exim_t)
+ corenet_tcp_sendrecv_oracle_port(exim_t)
')
tunable_policy(`exim_read_user_files',`
@@ -186,8 +184,8 @@ tunable_policy(`exim_manage_user_files',`
')
optional_policy(`
- clamav_domtrans_clamscan(exim_t)
- clamav_stream_connect(exim_t)
+ antivirus_domtrans(exim_t)
+ antivirus_stream_connect(exim_t)
')
optional_policy(`
@@ -210,11 +208,6 @@ optional_policy(`
')
optional_policy(`
- mailman_read_data_files(exim_t)
- mailman_domtrans(exim_t)
-')
-
-optional_policy(`
nagios_search_spool(exim_t)
')
@@ -236,6 +229,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
+ procmail_read_home_files(exim_t)
')
optional_policy(`
diff --git a/fail2ban.if b/fail2ban.if
index 50d0084..94e1936 100644
--- a/fail2ban.if
+++ b/fail2ban.if
@@ -19,57 +19,57 @@ interface(`fail2ban_domtrans',`
domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
')
-########################################
+#######################################
##
-## Execute the fail2ban client in
-## the fail2ban client domain.
+## Execute the fail2ban client in
+## the fail2ban client domain.
##
##
-##
-## Domain allowed to transition.
-##
+##
+## Domain allowed to transition.
+##
##
#
interface(`fail2ban_domtrans_client',`
- gen_require(`
- type fail2ban_client_t, fail2ban_client_exec_t;
- ')
+ gen_require(`
+ type fail2ban_client_t, fail2ban_client_exec_t;
+ ')
- corecmd_search_bin($1)
- domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
')
-########################################
+#######################################
##
-## Execute fail2ban client in the
-## fail2ban client domain, and allow
-## the specified role the fail2ban
-## client domain.
+## Execute fail2ban client in the
+## fail2ban client domain, and allow
+## the specified role the fail2ban
+## client domain.
##
##
-##
-## Domain allowed to transition.
-##
+##
+## Domain allowed to transition.
+##
##
##
-##
-## Role allowed access.
-##
+##
+## Role allowed access.
+##
##
#
interface(`fail2ban_run_client',`
- gen_require(`
- attribute_role fail2ban_client_roles;
- ')
+ gen_require(`
+ attribute_role fail2ban_client_roles;
+ ')
- fail2ban_domtrans_client($1)
- roleattribute $2 fail2ban_client_roles;
+ fail2ban_domtrans_client($1)
+ roleattribute $2 fail2ban_client_roles;
')
#####################################
##
-## Connect to fail2ban over a
-## unix domain stream socket.
+## Connect to fail2ban over a unix domain
+## stream socket.
##
##
##
@@ -102,64 +102,63 @@ interface(`fail2ban_rw_inherited_tmp_files',`
')
files_search_tmp($1)
- allow $1 fail2ban_tmp_t:file { read write };
+ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
')
########################################
##
-## Do not audit attempts to use
-## fail2ban file descriptors.
+## Read and write to an fail2ba unix stream socket.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`fail2ban_dontaudit_use_fds',`
+interface(`fail2ban_rw_stream_sockets',`
gen_require(`
type fail2ban_t;
')
- dontaudit $1 fail2ban_t:fd use;
+ allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
')
-########################################
+#######################################
##
-## Do not audit attempts to read and
-## write fail2ban unix stream sockets
+## Do not audit attempts to use
+## fail2ban file descriptors.
##
##
-##
-## Domain to not audit.
-##
+##
+## Domain to not audit.
+##
##
#
-interface(`fail2ban_dontaudit_rw_stream_sockets',`
- gen_require(`
- type fail2ban_t;
- ')
+interface(`fail2ban_dontaudit_use_fds',`
+ gen_require(`
+ type fail2ban_t;
+ ')
- dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+ dontaudit $1 fail2ban_t:fd use;
')
-########################################
+#######################################
##
-## Read and write fail2ban unix
-## stream sockets.
+## Do not audit attempts to read and
+## write fail2ban unix stream sockets
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain to not audit.
+##
##
#
-interface(`fail2ban_rw_stream_sockets',`
- gen_require(`
- type fail2ban_t;
- ')
+interface(`fail2ban_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
- allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
')
########################################
@@ -178,12 +177,12 @@ interface(`fail2ban_read_lib_files',`
')
files_search_var_lib($1)
- allow $1 fail2ban_var_lib_t:file read_file_perms;
+ read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
')
########################################
##
-## Read fail2ban log files.
+## Allow the specified domain to read fail2ban's log files.
##
##
##
@@ -198,12 +197,14 @@ interface(`fail2ban_read_log',`
')
logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
allow $1 fail2ban_log_t:file read_file_perms;
')
########################################
##
-## Append fail2ban log files.
+## Allow the specified domain to append
+## fail2ban log files.
##
##
##
@@ -217,12 +218,13 @@ interface(`fail2ban_append_log',`
')
logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
allow $1 fail2ban_log_t:file append_file_perms;
')
########################################
##
-## Read fail2ban pid files.
+## Read fail2ban PID files.
##
##
##
@@ -241,8 +243,28 @@ interface(`fail2ban_read_pid_files',`
########################################
##
-## All of the rules required to
-## administrate an fail2ban environment.
+## dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fail2ban_dontaudit_leaks',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ dontaudit $1 fail2ban_t:tcp_socket { read write };
+ dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an fail2ban environment
##
##
##
@@ -251,21 +273,25 @@ interface(`fail2ban_read_pid_files',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the fail2ban domain.
##
##
##
#
interface(`fail2ban_admin',`
gen_require(`
- type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t;
- type fail2ban_var_run_t, fail2ban_initrc_exec_t;
- type fail2ban_var_lib_t, fail2ban_client_t;
+ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
+ type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
+ type fail2ban_client_t;
')
- allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
+ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fail2ban_initrc_exec_t system_r;
@@ -277,10 +303,10 @@ interface(`fail2ban_admin',`
files_list_pids($1)
admin_pattern($1, fail2ban_var_run_t)
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, fail2ban_var_lib_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, fail2ban_tmp_t)
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
index cf0e567..91d4dfb 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
#
allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
-allow fail2ban_t self:process signal;
+allow fail2ban_t self:process { setsched signal };
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { accept connectto listen };
allow fail2ban_t self:tcp_socket { accept listen };
@@ -67,7 +67,6 @@ kernel_read_system_state(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
corecmd_exec_shell(fail2ban_t)
-corenet_all_recvfrom_unlabeled(fail2ban_t)
corenet_all_recvfrom_netlabel(fail2ban_t)
corenet_tcp_sendrecv_generic_if(fail2ban_t)
corenet_tcp_sendrecv_generic_node(fail2ban_t)
@@ -82,7 +81,6 @@ domain_use_interactive_fds(fail2ban_t)
domain_dontaudit_read_all_domains_state(fail2ban_t)
files_read_etc_runtime_files(fail2ban_t)
-files_read_usr_files(fail2ban_t)
files_list_var(fail2ban_t)
files_dontaudit_list_tmp(fail2ban_t)
@@ -94,22 +92,33 @@ auth_use_nsswitch(fail2ban_t)
logging_read_all_logs(fail2ban_t)
logging_send_syslog_msg(fail2ban_t)
-miscfiles_read_localization(fail2ban_t)
+mta_send_mail(fail2ban_t)
sysnet_manage_config(fail2ban_t)
-sysnet_etc_filetrans_config(fail2ban_t)
-
-mta_send_mail(fail2ban_t)
+sysnet_filetrans_named_content(fail2ban_t)
optional_policy(`
apache_read_log(fail2ban_t)
')
optional_policy(`
+ dbus_system_bus_client(fail2ban_t)
+ dbus_connect_system_bus(fail2ban_t)
+
+ optional_policy(`
+ firewalld_dbus_chat(fail2ban_t)
+ ')
+')
+
+optional_policy(`
ftp_read_log(fail2ban_t)
')
optional_policy(`
+ gnome_dontaudit_search_config(fail2ban_t)
+')
+
+optional_policy(`
iptables_domtrans(fail2ban_t)
')
@@ -118,6 +127,10 @@ optional_policy(`
')
optional_policy(`
+ rpm_exec(fail2ban_t)
+')
+
+optional_policy(`
shorewall_domtrans(fail2ban_t)
')
@@ -131,22 +144,25 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
+dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
+allow fail2ban_client_t fail2ban_var_run_t:dir write;
stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
kernel_read_system_state(fail2ban_client_t)
corecmd_exec_bin(fail2ban_client_t)
+dev_read_urand(fail2ban_client_t)
+dev_read_rand(fail2ban_client_t)
+
domain_use_interactive_fds(fail2ban_client_t)
-files_read_etc_files(fail2ban_client_t)
-files_read_usr_files(fail2ban_client_t)
files_search_pids(fail2ban_client_t)
+auth_use_nsswitch(fail2ban_client_t)
+
logging_getattr_all_logs(fail2ban_client_t)
logging_search_all_logs(fail2ban_client_t)
-miscfiles_read_localization(fail2ban_client_t)
-
userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
userdom_use_user_terminals(fail2ban_client_t)
diff --git a/fcoe.te b/fcoe.te
index ce358fb..90e08d8 100644
--- a/fcoe.te
+++ b/fcoe.te
@@ -20,20 +20,20 @@ files_pid_file(fcoemon_var_run_t)
# Local policy
#
-allow fcoemon_t self:capability { dac_override kill net_admin };
+allow fcoemon_t self:capability { net_admin net_raw dac_override };
allow fcoemon_t self:fifo_file rw_fifo_file_perms;
allow fcoemon_t self:unix_stream_socket { accept listen };
allow fcoemon_t self:netlink_socket create_socket_perms;
allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
+allow fcoemon_t self:packet_socket create_socket_perms;
+allow fcoemon_t self:udp_socket create_socket_perms;
manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file })
-files_read_etc_files(fcoemon_t)
-
-dev_read_sysfs(fcoemon_t)
+dev_rw_sysfs(fcoemon_t)
logging_send_syslog_msg(fcoemon_t)
diff --git a/fetchmail.fc b/fetchmail.fc
index 133b8ee..a47a12f 100644
--- a/fetchmail.fc
+++ b/fetchmail.fc
@@ -1,4 +1,5 @@
HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0)
+/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
diff --git a/fetchmail.if b/fetchmail.if
index c3f7916..cab3954 100644
--- a/fetchmail.if
+++ b/fetchmail.if
@@ -23,14 +23,16 @@ interface(`fetchmail_admin',`
type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
')
+ ps_process_pattern($1, fetchmail_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 fetchmail_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fetchmail_initrc_exec_t system_r;
allow $2 system_r;
- allow $1 fetchmail_t:process { ptrace signal_perms };
- ps_process_pattern($1, fetchmail_t)
-
files_list_etc($1)
admin_pattern($1, fetchmail_etc_t)
diff --git a/fetchmail.te b/fetchmail.te
index 742559a..a6c5c24 100644
--- a/fetchmail.te
+++ b/fetchmail.te
@@ -32,14 +32,17 @@ files_type(fetchmail_uidl_cache_t)
#
# Local policy
#
-
+allow fetchmail_t self:capability setuid;
dontaudit fetchmail_t self:capability sys_tty_config;
allow fetchmail_t self:process { signal_perms setrlimit };
allow fetchmail_t self:unix_stream_socket { accept listen };
allow fetchmail_t fetchmail_etc_t:file read_file_perms;
+list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+userdom_search_user_home_dirs(fetchmail_t)
+userdom_search_admin_dir(fetchmail_t)
manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
@@ -63,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
corecmd_exec_bin(fetchmail_t)
corecmd_exec_shell(fetchmail_t)
-corenet_all_recvfrom_unlabeled(fetchmail_t)
corenet_all_recvfrom_netlabel(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t)
corenet_tcp_sendrecv_generic_node(fetchmail_t)
@@ -84,15 +86,23 @@ fs_search_auto_mountpoints(fetchmail_t)
domain_use_interactive_fds(fetchmail_t)
-auth_use_nsswitch(fetchmail_t)
+auth_read_passwd(fetchmail_t)
logging_send_syslog_msg(fetchmail_t)
-miscfiles_read_localization(fetchmail_t)
miscfiles_read_generic_certs(fetchmail_t)
+sysnet_dns_name_resolve(fetchmail_t)
+
userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-userdom_search_user_home_dirs(fetchmail_t)
+
+optional_policy(`
+ mta_send_mail(fetchmail_t)
+')
+
+optional_policy(`
+ kerberos_use(fetchmail_t)
+')
optional_policy(`
procmail_domtrans(fetchmail_t)
diff --git a/finger.te b/finger.te
index 35da09d..85f1e03 100644
--- a/finger.te
+++ b/finger.te
@@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file)
kernel_read_kernel_sysctls(fingerd_t)
kernel_read_system_state(fingerd_t)
-corenet_all_recvfrom_unlabeled(fingerd_t)
corenet_all_recvfrom_netlabel(fingerd_t)
corenet_tcp_sendrecv_generic_if(fingerd_t)
corenet_tcp_sendrecv_generic_node(fingerd_t)
@@ -63,6 +62,7 @@ dev_read_sysfs(fingerd_t)
domain_use_interactive_fds(fingerd_t)
files_read_etc_runtime_files(fingerd_t)
+files_search_home(fingerd_t)
fs_getattr_all_fs(fingerd_t)
fs_search_auto_mountpoints(fingerd_t)
@@ -71,6 +71,7 @@ term_getattr_all_ttys(fingerd_t)
term_getattr_all_ptys(fingerd_t)
auth_read_lastlog(fingerd_t)
+auth_use_nsswitch(fingerd_t)
init_read_utmp(fingerd_t)
init_dontaudit_write_utmp(fingerd_t)
@@ -79,7 +80,7 @@ logging_send_syslog_msg(fingerd_t)
mta_getattr_spool(fingerd_t)
-miscfiles_read_localization(fingerd_t)
+sysnet_read_config(fingerd_t)
userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
diff --git a/firewalld.fc b/firewalld.fc
index 21d7b84..0e272bd 100644
--- a/firewalld.fc
+++ b/firewalld.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/firewalld.* -- gen_context(system_u:object_r:firewalld_unit_file_t,s0)
+
/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
diff --git a/firewalld.if b/firewalld.if
index c62c567..0fc685b 100644
--- a/firewalld.if
+++ b/firewalld.if
@@ -2,7 +2,7 @@
########################################
##
-## Read firewalld configuration files.
+## Read firewalld config
##
##
##
@@ -10,7 +10,7 @@
##
##
#
-interface(`firewalld_read_config_files',`
+interface(`firewalld_read_config',`
gen_require(`
type firewalld_etc_rw_t;
')
@@ -21,6 +21,47 @@ interface(`firewalld_read_config_files',`
########################################
##
+## Execute firewalld server in the firewalld domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`firewalld_initrc_domtrans',`
+ gen_require(`
+ type firewalld_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+')
+
+########################################
+##
+## Execute firewalld server in the firewalld domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`firewalld_systemctl',`
+ gen_require(`
+ type firewalld_t;
+ type firewalld_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 firewalld_unit_file_t:file read_file_perms;
+ allow $1 firewalld_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, firewalld_t)
+')
+
+########################################
+##
## Send and receive messages from
## firewalld over dbus.
##
@@ -42,8 +83,8 @@ interface(`firewalld_dbus_chat',`
########################################
##
-## Do not audit attempts to read, snd
-## write firewalld temporary files.
+## Dontaudit attempts to write
+## firewalld tmp files.
##
##
##
@@ -51,18 +92,18 @@ interface(`firewalld_dbus_chat',`
##
##
#
-interface(`firewalld_dontaudit_rw_tmp_files',`
+interface(`firewalld_dontaudit_write_tmp_files',`
gen_require(`
type firewalld_tmp_t;
')
- dontaudit $1 firewalld_tmp_t:file { read write };
+ dontaudit $1 firewalld_tmp_t:file write;
')
########################################
##
-## All of the rules required to
-## administrate an firewalld environment.
+## All of the rules required to administrate
+## an firewalld environment
##
##
##
@@ -83,10 +124,14 @@ interface(`firewalld_admin',`
type firewalld_var_log_t;
')
- allow $1 firewalld_t:process { ptrace signal_perms };
+ allow $1 firewalld_t:process signal_perms;
ps_process_pattern($1, firewalld_t)
- init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 firewalld_t:process ptrace;
+ ')
+
+ firewalld_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 firewalld_initrc_exec_t system_r;
allow $2 system_r;
@@ -97,6 +142,9 @@ interface(`firewalld_admin',`
logging_search_logs($1)
admin_pattern($1, firewalld_var_log_t)
- files_search_etc($1)
admin_pattern($1, firewall_etc_rw_t)
+
+ admin_pattern($1, firewalld_unit_file_t)
+ firewalld_systemctl($1)
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
index 98072a3..cbaf309 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
type firewalld_tmp_t;
files_tmp_file(firewalld_tmp_t)
+type firewalld_tmpfs_t;
+files_tmpfs_file(firewalld_tmpfs_t)
+
type firewalld_var_run_t;
files_pid_file(firewalld_var_run_t)
+type firewalld_unit_file_t;
+systemd_unit_file(firewalld_unit_file_t)
+
########################################
#
# Local policy
@@ -37,6 +43,7 @@ allow firewalld_t self:udp_socket create_socket_perms;
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
allow firewalld_t firewalld_var_log_t:file append_file_perms;
allow firewalld_t firewalld_var_log_t:file create_file_perms;
@@ -48,8 +55,13 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
+manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file)
+allow firewalld_t firewalld_tmpfs_t:file mmap_file_perms;
+
manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
+can_exec(firewalld_t, firewalld_var_run_t)
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
@@ -63,20 +75,17 @@ dev_search_sysfs(firewalld_t)
domain_use_interactive_fds(firewalld_t)
-files_read_etc_files(firewalld_t)
-files_read_usr_files(firewalld_t)
+files_dontaudit_access_check_tmp(firewalld_t)
files_dontaudit_list_tmp(firewalld_t)
fs_getattr_xattr_fs(firewalld_t)
+fs_dontaudit_all_access_check(firewalld_t)
-logging_send_syslog_msg(firewalld_t)
-
-miscfiles_read_localization(firewalld_t)
+auth_use_nsswitch(firewalld_t)
-seutil_exec_setfiles(firewalld_t)
-seutil_read_file_contexts(firewalld_t)
+logging_send_syslog_msg(firewalld_t)
-sysnet_read_config(firewalld_t)
+sysnet_dns_name_resolve(firewalld_t)
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
@@ -95,6 +104,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_read_generic_data_home_dirs(firewalld_t)
+')
+
+optional_policy(`
iptables_domtrans(firewalld_t)
')
diff --git a/firewallgui.if b/firewallgui.if
index e6866d1..941f4ef 100644
--- a/firewallgui.if
+++ b/firewallgui.if
@@ -37,5 +37,5 @@ interface(`firewallgui_dontaudit_rw_pipes',`
type firewallgui_t;
')
- dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
')
diff --git a/firewallgui.te b/firewallgui.te
index 2094546..2481a97 100644
--- a/firewallgui.te
+++ b/firewallgui.te
@@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t)
dev_read_sysfs(firewallgui_t)
dev_read_urand(firewallgui_t)
+files_manage_system_conf_files(firewallgui_t)
+files_etc_filetrans_system_conf(firewallgui_t)
+files_search_kernel_modules(firewallgui_t)
files_list_kernel_modules(firewallgui_t)
-files_read_usr_files(firewallgui_t)
auth_use_nsswitch(firewallgui_t)
@@ -60,12 +62,13 @@ optional_policy(`
')
optional_policy(`
- gnome_read_generic_gconf_home_content(firewallgui_t)
+ gnome_read_gconf_home_files(firewallgui_t)
')
optional_policy(`
iptables_domtrans(firewallgui_t)
iptables_initrc_domtrans(firewallgui_t)
+ iptables_systemctl(firewallgui_t)
')
optional_policy(`
diff --git a/firstboot.fc b/firstboot.fc
index 12c782c..ba614e4 100644
--- a/firstboot.fc
+++ b/firstboot.fc
@@ -1,5 +1,3 @@
-/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0)
+/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
-/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
-
-/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/firstboot.if b/firstboot.if
index 280f875..f3a67c9 100644
--- a/firstboot.if
+++ b/firstboot.if
@@ -1,4 +1,7 @@
-## Initial system configuration utility.
+##
+## Final system configuration run during the first boot
+## after installation of Red Hat/Fedora systems.
+##
########################################
##
@@ -15,15 +18,13 @@ interface(`firstboot_domtrans',`
type firstboot_t, firstboot_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, firstboot_exec_t, firstboot_t)
')
########################################
##
-## Execute firstboot in the firstboot
-## domain, and allow the specified role
-## the firstboot domain.
+## Execute firstboot in the firstboot domain, and
+## allow the specified role the firstboot domain.
##
##
##
@@ -38,16 +39,16 @@ interface(`firstboot_domtrans',`
#
interface(`firstboot_run',`
gen_require(`
- attribute_role firstboot_roles;
+ type firstboot_t;
')
firstboot_domtrans($1)
- roleattribute $2 firstboot_roles;
+ role $2 types firstboot_t;
')
########################################
##
-## Inherit and use firstboot file descriptors.
+## Inherit and use a file descriptor from firstboot.
##
##
##
@@ -65,8 +66,8 @@ interface(`firstboot_use_fds',`
########################################
##
-## Do not audit attempts to inherit
-## firstboot file descriptors.
+## Do not audit attempts to inherit a
+## file descriptor from firstboot.
##
##
##
@@ -84,7 +85,26 @@ interface(`firstboot_dontaudit_use_fds',`
########################################
##
-## Write firstboot unnamed pipes.
+## dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`firstboot_dontaudit_leaks',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:socket_class_set { read write };
+ dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Write to a firstboot unnamed pipe.
##
##
##
@@ -97,12 +117,13 @@ interface(`firstboot_write_pipes',`
type firstboot_t;
')
+ allow $1 firstboot_t:fd use;
allow $1 firstboot_t:fifo_file write;
')
########################################
##
-## Read and Write firstboot unnamed pipes.
+## Read and Write to a firstboot unnamed pipe.
##
##
##
@@ -120,8 +141,7 @@ interface(`firstboot_rw_pipes',`
########################################
##
-## Do not audit attemps to read and
-## write firstboot unnamed pipes.
+## Do not audit attemps to read and write to a firstboot unnamed pipe.
##
##
##
@@ -139,9 +159,8 @@ interface(`firstboot_dontaudit_rw_pipes',`
########################################
##
-## Do not audit attemps to read and
-## write firstboot unix domain
-## stream sockets.
+## Do not audit attemps to read and write to a firstboot
+## unix domain stream socket.
##
##
##
diff --git a/firstboot.te b/firstboot.te
index 5010f04..928215f 100644
--- a/firstboot.te
+++ b/firstboot.te
@@ -1,7 +1,7 @@
policy_module(firstboot, 1.13.0)
gen_require(`
- class passwd { passwd chfn chsh rootok };
+ class passwd { passwd chfn chsh rootok crontab };
')
########################################
@@ -9,17 +9,12 @@ gen_require(`
# Declarations
#
-attribute_role firstboot_roles;
-
type firstboot_t;
type firstboot_exec_t;
init_system_domain(firstboot_t, firstboot_exec_t)
domain_obj_id_change_exemption(firstboot_t)
domain_subj_id_change_exemption(firstboot_t)
-role firstboot_roles types firstboot_t;
-
-type firstboot_initrc_exec_t;
-init_script_file(firstboot_initrc_exec_t)
+role system_r types firstboot_t;
type firstboot_etc_t;
files_config_file(firstboot_etc_t)
@@ -32,28 +27,25 @@ files_config_file(firstboot_etc_t)
allow firstboot_t self:capability { dac_override setgid };
allow firstboot_t self:process setfscreate;
allow firstboot_t self:fifo_file rw_fifo_file_perms;
-allow firstboot_t self:tcp_socket { accept listen };
+allow firstboot_t self:tcp_socket create_stream_socket_perms;
+allow firstboot_t self:unix_stream_socket { connect create };
allow firstboot_t self:passwd { rootok passwd chfn chsh };
allow firstboot_t firstboot_etc_t:file read_file_perms;
+files_manage_generic_tmp_dirs(firstboot_t)
+files_manage_generic_tmp_files(firstboot_t)
+
kernel_read_system_state(firstboot_t)
kernel_read_kernel_sysctls(firstboot_t)
-corecmd_exec_all_executables(firstboot_t)
+corenet_all_recvfrom_netlabel(firstboot_t)
+corenet_tcp_sendrecv_generic_if(firstboot_t)
+corenet_tcp_sendrecv_generic_node(firstboot_t)
+corenet_tcp_sendrecv_all_ports(firstboot_t)
dev_read_urand(firstboot_t)
-files_exec_etc_files(firstboot_t)
-files_manage_etc_files(firstboot_t)
-files_manage_etc_runtime_files(firstboot_t)
-files_read_usr_files(firstboot_t)
-files_manage_var_dirs(firstboot_t)
-files_manage_var_files(firstboot_t)
-files_manage_var_symlinks(firstboot_t)
-files_create_boot_flag(firstboot_t)
-files_delete_boot_flag(firstboot_t)
-
selinux_get_fs_mount(firstboot_t)
selinux_validate_context(firstboot_t)
selinux_compute_access_vector(firstboot_t)
@@ -63,6 +55,17 @@ selinux_compute_user_contexts(firstboot_t)
auth_dontaudit_getattr_shadow(firstboot_t)
+corecmd_exec_all_executables(firstboot_t)
+
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_manage_etc_runtime_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+files_create_boot_flag(firstboot_t)
+files_delete_boot_flag(firstboot_t)
+
init_domtrans_script(firstboot_t)
init_rw_utmp(firstboot_t)
@@ -73,18 +76,18 @@ locallogin_use_fds(firstboot_t)
logging_send_syslog_msg(firstboot_t)
-miscfiles_read_localization(firstboot_t)
-
sysnet_dns_name_resolve(firstboot_t)
-userdom_use_user_terminals(firstboot_t)
+userdom_use_inherited_user_terminals(firstboot_t)
+
+# Add/remove user home directories
userdom_manage_user_home_content_dirs(firstboot_t)
userdom_manage_user_home_content_files(firstboot_t)
userdom_manage_user_home_content_symlinks(firstboot_t)
userdom_manage_user_home_content_pipes(firstboot_t)
userdom_manage_user_home_content_sockets(firstboot_t)
userdom_home_filetrans_user_home_dir(firstboot_t)
-userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(firstboot_t)
optional_policy(`
dbus_system_bus_client(firstboot_t)
@@ -102,20 +105,18 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(firstboot_t)
-')
-
-optional_policy(`
samba_rw_config(firstboot_t)
')
optional_policy(`
unconfined_domtrans(firstboot_t)
- unconfined_domain(firstboot_t)
+ # The big hammer
+ unconfined_domain_noaudit(firstboot_t)
')
optional_policy(`
- gnome_manage_generic_home_content(firstboot_t)
+ gnome_admin_home_gconf_filetrans(firstboot_t, dir)
+ gnome_manage_config(firstboot_t)
')
optional_policy(`
diff --git a/fprintd.te b/fprintd.te
index 92a6479..989f63a 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t)
allow fprintd_t self:capability sys_nice;
allow fprintd_t self:process { getsched setsched signal sigkill };
allow fprintd_t self:fifo_file rw_fifo_file_perms;
+allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
@@ -28,16 +29,13 @@ kernel_read_system_state(fprintd_t)
dev_list_usbfs(fprintd_t)
dev_read_sysfs(fprintd_t)
+dev_read_urand(fprintd_t)
dev_rw_generic_usb_dev(fprintd_t)
-files_read_usr_files(fprintd_t)
-
fs_getattr_all_fs(fprintd_t)
auth_use_nsswitch(fprintd_t)
-miscfiles_read_localization(fprintd_t)
-
userdom_use_user_ptys(fprintd_t)
userdom_read_all_users_state(fprintd_t)
@@ -54,8 +52,13 @@ optional_policy(`
')
')
+
optional_policy(`
- policykit_domtrans_auth(fprintd_t)
policykit_read_reload(fprintd_t)
policykit_read_lib(fprintd_t)
+ policykit_domtrans_auth(fprintd_t)
+')
+
+optional_policy(`
+ xserver_read_state_xdm(fprintd_t)
')
diff --git a/freeipmi.fc b/freeipmi.fc
new file mode 100644
index 0000000..0942a2e
--- /dev/null
+++ b/freeipmi.fc
@@ -0,0 +1,17 @@
+/usr/lib/systemd/system/bmc-watchdog.* -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_unit_file_t,s0)
+/usr/lib/systemd/system/ipmidetectd.* -- gen_context(system_u:object_r:freeipmi_ipmidetectd_unit_file_t,s0)
+/usr/lib/systemd/system/ipmiseld.* -- gen_context(system_u:object_r:freeipmi_ipmiseld_unit_file_t,s0)
+
+/usr/sbin/bmc-watchdog -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_exec_t,s0)
+/usr/sbin/ipmidetectd -- gen_context(system_u:object_r:freeipmi_ipmidetectd_exec_t,s0)
+/usr/sbin/ipmiseld -- gen_context(system_u:object_r:freeipmi_ipmiseld_exec_t,s0)
+
+/var/cache/ipmiseld(/.*)? gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
+/var/cache/ipmimonitoringsdrcache(/.*)? gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
+
+/var/lib/freeipmi(/.*)? gen_context(system_u:object_r:freeipmi_var_lib_t,s0)
+
+
+/var/run/ipmidetectd\.pid -- gen_context(system_u:object_r:freeipmi_ipmidetectd_var_run_t,s0)
+/var/run/ipmiseld\.pid -- gen_context(system_u:object_r:freeipmi_ipmiseld_var_run_t,s0)
+/var/run/bmc-watchdog\.pid -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_var_run_t,s0)
diff --git a/freeipmi.if b/freeipmi.if
new file mode 100644
index 0000000..dc94853
--- /dev/null
+++ b/freeipmi.if
@@ -0,0 +1,71 @@
+## Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification
+
+#####################################
+##
+## Creates types and rules for a basic
+## freeipmi init daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`freeipmi_domain_template',`
+ gen_require(`
+ attribute freeipmi_domain, freeipmi_pid;
+ ')
+
+ #############################
+ #
+ # Declarations
+ #
+
+ type freeipmi_$1_t, freeipmi_domain;
+ type freeipmi_$1_exec_t;
+ init_daemon_domain(freeipmi_$1_t, freeipmi_$1_exec_t)
+ role system_r types freeipmi_$1_t;
+
+ type freeipmi_$1_unit_file_t;
+ systemd_unit_file(freeipmi_$1_unit_file_t)
+
+ type freeipmi_$1_var_run_t, freeipmi_pid;
+ files_pid_file(freeipmi_$1_var_run_t)
+
+ #############################
+ #
+ # Local policy
+ #
+
+ manage_files_pattern(freeipmi_$1_t, freeipmi_$1_var_run_t, freeipmi_$1_var_run_t)
+
+ kernel_read_system_state(freeipmi_$1_t)
+
+ corenet_all_recvfrom_netlabel(freeipmi_$1_t)
+ corenet_all_recvfrom_unlabeled(freeipmi_$1_t)
+
+ auth_use_nsswitch(freeipmi_$1_t)
+
+ logging_send_syslog_msg(freeipmi_$1_t)
+')
+
+####################################
+##
+## Connect to cluster domains over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`freeipmi_stream_connect',`
+ gen_require(`
+ attribute freeipmi_domain, freeipmi_pid;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, freeipmi_pid, freeipmi_pid, freeipmi_domain)
+')
+
diff --git a/freeipmi.te b/freeipmi.te
new file mode 100644
index 0000000..43a12cb
--- /dev/null
+++ b/freeipmi.te
@@ -0,0 +1,70 @@
+policy_module(freeipmi, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute freeipmi_domain;
+attribute freeipmi_pid;
+
+freeipmi_domain_template(ipmidetectd)
+freeipmi_domain_template(ipmiseld)
+freeipmi_domain_template(bmc_watchdog)
+
+type freeipmi_var_lib_t;
+files_type(freeipmi_var_lib_t)
+
+type freeipmi_var_cache_t;
+files_type(freeipmi_var_cache_t)
+
+########################################
+#
+# freeipmi_domain local policy
+#
+
+allow freeipmi_domain self:fifo_file rw_fifo_file_perms;
+allow freeipmi_domain self:unix_stream_socket create_stream_socket_perms;
+allow freeipmi_domain self:sem create_sem_perms;
+
+manage_dirs_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+manage_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+files_var_filetrans(freeipmi_domain, freeipmi_var_cache_t, { dir })
+
+manage_dirs_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+manage_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })
+
+sysnet_dns_name_resolve(freeipmi_domain)
+
+#######################################
+#
+# bmc-watchdog local policy
+#
+
+files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
+
+dev_read_raw_memory(freeipmi_bmc_watchdog_t)
+dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t)
+
+#######################################
+#
+# ipmidetectd local policy
+#
+
+files_pid_filetrans(freeipmi_ipmidetectd_t, freeipmi_ipmidetectd_var_run_t, file, "ipmidetectd.pid")
+
+corenet_tcp_bind_freeipmi_port(freeipmi_ipmidetectd_t)
+
+#######################################
+#
+# ipmiseld local policy
+#
+
+allow freeipmi_ipmiseld_t self:capability sys_rawio;
+
+allow freeipmi_ipmiseld_t freeipmi_bmc_watchdog_t:sem rw_sem_perms;
+
+files_pid_filetrans(freeipmi_ipmiseld_t, freeipmi_ipmiseld_var_run_t, file, "ipmiseld.pid")
diff --git a/freqset.fc b/freqset.fc
new file mode 100644
index 0000000..3cd9c38
--- /dev/null
+++ b/freqset.fc
@@ -0,0 +1 @@
+/usr/lib/enlightenment/modules/cpufreq/linux-gnu-[^/]*/freqset -- gen_context(system_u:object_r:freqset_exec_t,s0)
diff --git a/freqset.if b/freqset.if
new file mode 100644
index 0000000..190ccc0
--- /dev/null
+++ b/freqset.if
@@ -0,0 +1,76 @@
+
+## policy for freqset
+
+########################################
+##
+## Execute TEMPLATE in the freqset domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`freqset_domtrans',`
+ gen_require(`
+ type freqset_t, freqset_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, freqset_exec_t, freqset_t)
+')
+
+########################################
+##
+## Execute freqset in the freqset domain, and
+## allow the specified role the freqset domain.
+##
+##
+##
+## Domain allowed to transition
+##
+##
+##
+##
+## The role to be allowed the freqset domain.
+##
+##
+#
+interface(`freqset_run',`
+ gen_require(`
+ type freqset_t;
+ attribute_role freqset_roles;
+ ')
+
+ freqset_domtrans($1)
+ roleattribute $2 freqset_roles;
+')
+
+########################################
+##
+## Role access for freqset
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`freqset_role',`
+ gen_require(`
+ type freqset_t;
+ attribute_role freqset_roles;
+ ')
+
+ roleattribute $1 freqset_roles;
+
+ freqset_domtrans($2)
+
+ ps_process_pattern($2, freqset_t)
+ allow $2 freqset_t:process { signull signal sigkill };
+')
diff --git a/freqset.te b/freqset.te
new file mode 100644
index 0000000..0d09fbd
--- /dev/null
+++ b/freqset.te
@@ -0,0 +1,34 @@
+policy_module(freqset, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role freqset_roles;
+roleattribute system_r freqset_roles;
+
+type freqset_t;
+type freqset_exec_t;
+application_domain(freqset_t, freqset_exec_t)
+
+role freqset_roles types freqset_t;
+
+########################################
+#
+# freqset local policy
+#
+allow freqset_t self:capability { setuid };
+
+allow freqset_t self:fifo_file manage_fifo_file_perms;
+allow freqset_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_rw_sysfs(freqset_t)
+
+domain_use_interactive_fds(freqset_t)
+
+files_read_etc_files(freqset_t)
+
+miscfiles_read_localization(freqset_t)
+
+userdom_use_inherited_user_terminals(freqset_t)
diff --git a/ftp.fc b/ftp.fc
index ddb75c1..44f74e6 100644
--- a/ftp.fc
+++ b/ftp.fc
@@ -1,5 +1,8 @@
/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0)
+/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
diff --git a/ftp.if b/ftp.if
index 4498143..77bbcef 100644
--- a/ftp.if
+++ b/ftp.if
@@ -1,5 +1,66 @@
## File transfer protocol service.
+######################################
+##
+## Execute a domain transition to run ftpd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ftp_domtrans',`
+ gen_require(`
+ type ftpd_t, ftpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1,ftpd_exec_t, ftpd_t)
+
+')
+
+#######################################
+##
+## Execute ftpd server in the ftpd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`ftp_initrc_domtrans',`
+ gen_require(`
+ type ftpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+')
+
+########################################
+##
+## Execute ftpd server in the ftpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ftp_systemctl',`
+ gen_require(`
+ type ftpd_unit_file_t;
+ type ftpd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 ftpd_unit_file_t:file read_file_perms;
+ allow $1 ftpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ftpd_t)
+')
+
#######################################
##
## Execute a dyntransition to run anon sftpd.
@@ -179,8 +240,11 @@ interface(`ftp_admin',`
type ftpd_keytab_t;
')
- allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
+ allow $1 ftpd_t:process signal_perms;
ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process ptrace;
+ ')
init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -204,5 +268,9 @@ interface(`ftp_admin',`
logging_list_logs($1)
admin_pattern($1, xferlog_t)
+ ftp_systemctl($1)
+ admin_pattern($1, ftpd_unit_file_t)
+ allow $1 ftpd_unit_file_t:service all_service_perms;
+
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
index 36838c2..ab0eccc 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
## be labeled public_content_rw_t.
##
##
-gen_tunable(allow_ftpd_anon_write, false)
+gen_tunable(ftpd_anon_write, false)
##
##
@@ -22,7 +22,7 @@ gen_tunable(allow_ftpd_anon_write, false)
## all files on the system, governed by DAC.
##
##
-gen_tunable(allow_ftpd_full_access, false)
+gen_tunable(ftpd_full_access, false)
##
##
@@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false)
## used for public file transfer services.
##
##
-gen_tunable(allow_ftpd_use_cifs, false)
+gen_tunable(ftpd_use_cifs, false)
+
+##
+##
+## Allow ftpd to use ntfs/fusefs volumes.
+##
+##
+gen_tunable(ftpd_use_fusefs, false)
##
##
@@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
## used for public file transfer services.
##
##
-gen_tunable(allow_ftpd_use_nfs, false)
+gen_tunable(ftpd_use_nfs, false)
##
##
@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
+type ftpd_unit_file_t;
+systemd_unit_file(ftpd_unit_file_t)
+
type ftpd_keytab_t;
files_type(ftpd_keytab_t)
@@ -184,6 +194,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
@@ -206,14 +219,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
-kernel_search_network_state(ftpd_t)
+kernel_read_network_state(ftpd_t)
dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)
corecmd_exec_bin(ftpd_t)
-corenet_all_recvfrom_unlabeled(ftpd_t)
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
@@ -229,9 +241,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
+corenet_tcp_bind_generic_port(ftpd_t)
+corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
+corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
+
domain_use_interactive_fds(ftpd_t)
-files_read_etc_files(ftpd_t)
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)
@@ -250,7 +265,6 @@ logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)
-miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
@@ -259,32 +273,49 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)
+userdom_filetrans_home_content(ftpd_t)
-tunable_policy(`allow_ftpd_anon_write',`
+tunable_policy(`ftpd_anon_write',`
miscfiles_manage_public_files(ftpd_t)
')
-tunable_policy(`allow_ftpd_use_cifs',`
+tunable_policy(`ftpd_use_cifs',`
fs_read_cifs_files(ftpd_t)
fs_read_cifs_symlinks(ftpd_t)
')
-tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
+tunable_policy(`ftpd_use_cifs && ftpd_anon_write',`
fs_manage_cifs_files(ftpd_t)
')
-tunable_policy(`allow_ftpd_use_nfs',`
+tunable_policy(`ftpd_use_fusefs',`
+ fs_manage_fusefs_dirs(ftpd_t)
+ fs_manage_fusefs_files(ftpd_t)
+',`
+ fs_search_fusefs(ftpd_t)
+')
+
+tunable_policy(`ftpd_use_nfs',`
fs_read_nfs_files(ftpd_t)
fs_read_nfs_symlinks(ftpd_t)
')
-tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+tunable_policy(`ftpd_use_nfs && ftpd_anon_write',`
fs_manage_nfs_files(ftpd_t)
')
-tunable_policy(`allow_ftpd_full_access',`
+tunable_policy(`ftpd_full_access',`
allow ftpd_t self:capability { dac_override dac_read_search };
- files_manage_non_auth_files(ftpd_t)
+ files_manage_non_security_dirs(ftpd_t)
+ files_manage_non_security_files(ftpd_t)
+')
+
+tunable_policy(`ftpd_use_passive_mode',`
+ corenet_tcp_bind_all_unreserved_ports(ftpd_t)
+')
+
+tunable_policy(`ftpd_connect_all_unreserved',`
+ corenet_tcp_connect_all_unreserved_ports(ftpd_t)
')
tunable_policy(`ftpd_use_passive_mode',`
@@ -304,22 +335,19 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
- corenet_sendrecv_oracledb_client_packets(ftpd_t)
- corenet_tcp_connect_oracledb_port(ftpd_t)
- corenet_tcp_sendrecv_oracledb_port(ftpd_t)
+ corenet_sendrecv_oracle_client_packets(ftpd_t)
+ corenet_tcp_connect_oracle_port(ftpd_t)
+ corenet_tcp_sendrecv_oracle_port(ftpd_t)
')
tunable_policy(`ftp_home_dir',`
allow ftpd_t self:capability { dac_override dac_read_search };
- userdom_manage_user_home_content_dirs(ftpd_t)
- userdom_manage_user_home_content_files(ftpd_t)
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
+ userdom_manage_all_user_home_type_dirs(ftpd_t)
+ userdom_manage_all_user_home_type_files(ftpd_t)
userdom_manage_user_tmp_dirs(ftpd_t)
userdom_manage_user_tmp_files(ftpd_t)
- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
',`
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
')
@@ -363,9 +391,8 @@ optional_policy(`
optional_policy(`
selinux_validate_context(ftpd_t)
-
kerberos_read_keytab(ftpd_t)
- kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
kerberos_use(ftpd_t)
')
@@ -416,21 +443,20 @@ optional_policy(`
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
+files_search_pids(ftpdctl_t)
allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
-files_read_etc_files(ftpdctl_t)
files_search_pids(ftpdctl_t)
-userdom_use_user_terminals(ftpdctl_t)
+userdom_use_inherited_user_terminals(ftpdctl_t)
########################################
#
# Anon sftpd local policy
#
-files_read_etc_files(anon_sftpd_t)
miscfiles_read_public_files(anon_sftpd_t)
@@ -443,23 +469,34 @@ tunable_policy(`sftpd_anon_write',`
# Sftpd local policy
#
-files_read_etc_files(sftpd_t)
userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t)
+userdom_dontaudit_list_admin_dir(sftpd_t)
+
+tunable_policy(`sftpd_full_access',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
+ files_manage_non_security_dirs(sftpd_t)
+ files_manage_non_security_files(sftpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`sftpd_write_ssh_home',`
+ ssh_manage_home_files(sftpd_t)
+ ')
+')
+
+userdom_filetrans_home_content(sftpd_t)
+userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
tunable_policy(`sftpd_enable_homedirs',`
allow sftpd_t self:capability { dac_override dac_read_search };
userdom_manage_user_home_content_dirs(sftpd_t)
userdom_manage_user_home_content_files(sftpd_t)
- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
userdom_manage_user_tmp_dirs(sftpd_t)
userdom_manage_user_tmp_files(sftpd_t)
- userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
-',`
- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
- userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
@@ -481,21 +518,11 @@ tunable_policy(`sftpd_anon_write',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
- files_manage_non_auth_files(sftpd_t)
+ files_manage_non_security_files(sftpd_t)
')
+userdom_home_reader(sftpd_t)
+
tunable_policy(`sftpd_write_ssh_home',`
ssh_manage_home_files(sftpd_t)
')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs(sftpd_t)
- fs_read_cifs_files(sftpd_t)
- fs_read_cifs_symlinks(sftpd_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs(sftpd_t)
- fs_read_nfs_files(sftpd_t)
- fs_read_nfs_symlinks(ftpd_t)
-')
diff --git a/games.te b/games.te
index e5b15fb..220622e 100644
--- a/games.te
+++ b/games.te
@@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t)
logging_send_syslog_msg(games_srv_t)
-miscfiles_read_localization(games_srv_t)
-
userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
userdom_dontaudit_search_user_home_dirs(games_srv_t)
@@ -120,7 +118,6 @@ kernel_read_system_state(games_t)
corecmd_exec_bin(games_t)
-corenet_all_recvfrom_unlabeled(games_t)
corenet_all_recvfrom_netlabel(games_t)
corenet_tcp_sendrecv_generic_if(games_t)
corenet_tcp_sendrecv_generic_node(games_t)
@@ -142,8 +139,6 @@ dev_write_sound(games_t)
files_list_var(games_t)
files_search_var_lib(games_t)
files_dontaudit_search_var(games_t)
-files_read_etc_files(games_t)
-files_read_usr_files(games_t)
files_read_var_files(games_t)
init_dontaudit_rw_utmp(games_t)
@@ -151,7 +146,6 @@ init_dontaudit_rw_utmp(games_t)
logging_dontaudit_search_logs(games_t)
miscfiles_read_man_pages(games_t)
-miscfiles_read_localization(games_t)
sysnet_dns_name_resolve(games_t)
@@ -161,7 +155,7 @@ userdom_manage_user_tmp_symlinks(games_t)
userdom_manage_user_tmp_sockets(games_t)
userdom_dontaudit_read_user_home_content_files(games_t)
-tunable_policy(`allow_execmem',`
+tunable_policy(`deny_execmem',`', `
allow games_t self:process execmem;
')
diff --git a/gatekeeper.te b/gatekeeper.te
index 2820368..88c98f4 100644
--- a/gatekeeper.te
+++ b/gatekeeper.te
@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t)
corecmd_list_bin(gatekeeper_t)
-corenet_all_recvfrom_unlabeled(gatekeeper_t)
corenet_all_recvfrom_netlabel(gatekeeper_t)
corenet_tcp_sendrecv_generic_if(gatekeeper_t)
corenet_udp_sendrecv_generic_if(gatekeeper_t)
@@ -77,15 +76,11 @@ dev_read_urand(gatekeeper_t)
domain_use_interactive_fds(gatekeeper_t)
-files_read_etc_files(gatekeeper_t)
-
fs_getattr_all_fs(gatekeeper_t)
fs_search_auto_mountpoints(gatekeeper_t)
logging_send_syslog_msg(gatekeeper_t)
-miscfiles_read_localization(gatekeeper_t)
-
sysnet_read_config(gatekeeper_t)
userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
diff --git a/gift.te b/gift.te
index 8a820fa..996b30c 100644
--- a/gift.te
+++ b/gift.te
@@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t)
userdom_dontaudit_read_user_home_content_files(gift_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gift_t)
- fs_manage_nfs_files(gift_t)
- fs_manage_nfs_symlinks(gift_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gift_t)
- fs_manage_cifs_files(gift_t)
- fs_manage_cifs_symlinks(gift_t)
-')
+userdom_home_manager(gift_t)
optional_policy(`
xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
@@ -119,22 +109,8 @@ corenet_sendrecv_all_client_packets(giftd_t)
corenet_tcp_connect_all_ports(giftd_t)
files_read_etc_runtime_files(giftd_t)
-files_read_usr_files(giftd_t)
-
-miscfiles_read_localization(giftd_t)
sysnet_dns_name_resolve(giftd_t)
-userdom_use_user_terminals(giftd_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(giftd_t)
- fs_manage_nfs_files(giftd_t)
- fs_manage_nfs_symlinks(giftd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(giftd_t)
- fs_manage_cifs_files(giftd_t)
- fs_manage_cifs_symlinks(giftd_t)
-')
+userdom_use_inherited_user_terminals(giftd_t)
+userdom_home_manager(gitd_t)
diff --git a/git.if b/git.if
index 1e29af1..6c64f55 100644
--- a/git.if
+++ b/git.if
@@ -37,7 +37,10 @@ template(`git_role',`
allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms };
userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git")
- allow $2 git_session_t:process { ptrace signal_perms };
+ allow $2 git_session_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 git_session_t:process ptrace;
+ ')
ps_process_pattern($2, git_session_t)
tunable_policy(`git_session_users',`
@@ -64,6 +67,7 @@ interface(`git_read_generic_sys_content_files',`
list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
read_files_pattern($1, git_sys_content_t, git_sys_content_t)
+ read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)
files_search_var_lib($1)
@@ -79,3 +83,21 @@ interface(`git_read_generic_sys_content_files',`
fs_read_nfs_files($1)
')
')
+
+#######################################
+##
+## Create Git user content with a
+## named file transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`git_filetrans_user_content',`
+ gen_require(`
+ type git_user_content_t;
+ ')
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
index dc49c71..654dbc5 100644
--- a/git.te
+++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
##
##
-## Determine whether Git session daemons
-## can send syslog messages.
-##
-##
-gen_tunable(git_session_send_syslog_msg, false)
-
-##
-##
## Determine whether Git system daemon
## can search home directories.
##
@@ -93,10 +85,10 @@ type git_session_t, git_daemon;
userdom_user_application_domain(git_session_t, gitd_exec_t)
role git_session_roles types git_session_t;
-type git_sys_content_t;
+type git_sys_content_t alias git_system_content_t;
files_type(git_sys_content_t)
-type git_user_content_t;
+type git_user_content_t alias git_session_content_t;
userdom_user_home_content(git_user_content_t)
########################################
@@ -110,6 +102,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs(git_session_t)
+kernel_read_system_state(git_session_t)
+
corenet_all_recvfrom_netlabel(git_session_t)
corenet_all_recvfrom_unlabeled(git_session_t)
corenet_tcp_bind_generic_node(git_session_t)
@@ -130,9 +124,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_tcp_sendrecv_all_ports(git_session_t)
')
-tunable_policy(`git_session_send_syslog_msg',`
- logging_send_syslog_msg(git_session_t)
-')
+logging_send_syslog_msg(git_session_t)
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(git_session_t)
@@ -158,6 +150,9 @@ tunable_policy(`use_samba_home_dirs',`
list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+kernel_read_network_state(git_system_t)
+kernel_read_system_state(git_system_t)
+
corenet_all_recvfrom_unlabeled(git_system_t)
corenet_all_recvfrom_netlabel(git_system_t)
corenet_tcp_sendrecv_generic_if(git_system_t)
@@ -176,6 +171,9 @@ logging_send_syslog_msg(git_system_t)
tunable_policy(`git_system_enable_homedirs',`
userdom_search_user_home_dirs(git_system_t)
+ list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t)
+ read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)
+
')
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
@@ -266,12 +264,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
-kernel_read_system_state(git_daemon)
+#kernel_read_system_state(git_daemon)
corecmd_exec_bin(git_daemon)
-files_read_usr_files(git_daemon)
-
fs_search_auto_mountpoints(git_daemon)
-miscfiles_read_localization(git_daemon)
diff --git a/gitosis.te b/gitosis.te
index 582db0a..d77a1a5 100644
--- a/gitosis.te
+++ b/gitosis.te
@@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t)
dev_read_urand(gitosis_t)
-files_read_etc_files(gitosis_t)
-files_read_usr_files(gitosis_t)
files_search_var_lib(gitosis_t)
-miscfiles_read_localization(gitosis_t)
-
sysnet_read_config(gitosis_t)
tunable_policy(`gitosis_can_sendmail',`
diff --git a/glance.if b/glance.if
index 9eacb2c..229782f 100644
--- a/glance.if
+++ b/glance.if
@@ -1,5 +1,30 @@
## OpenStack image registry and delivery service.
+#######################################
+##
+## Creates types and rules for a basic
+## glance daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`glance_basic_types_template',`
+ gen_require(`
+ attribute glance_domain;
+ ')
+
+ type $1_t, glance_domain;
+ type $1_exec_t;
+
+ kernel_read_system_state($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+')
+
########################################
##
## Execute a domain transition to
@@ -26,9 +51,9 @@ interface(`glance_domtrans_registry',`
## run glance api.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`glance_domtrans_api',`
@@ -242,8 +267,13 @@ interface(`glance_admin',`
type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
')
- allow $1 { glance_api_t glance_registry_t }:process signal_perms;
- ps_process_pattern($1, { glance_api_t glance_registry_t })
+ allow $1 glance_registry_t:process signal_perms;
+ ps_process_pattern($1, glance_registry_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 glance_registry_t:process ptrace;
+ allow $1 glance_api_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te
index 5cd0909..337e872 100644
--- a/glance.te
+++ b/glance.te
@@ -7,8 +7,7 @@ policy_module(glance, 1.1.0)
attribute glance_domain;
-type glance_registry_t, glance_domain;
-type glance_registry_exec_t;
+glance_basic_types_template(glance_registry)
init_daemon_domain(glance_registry_t, glance_registry_exec_t)
type glance_registry_initrc_exec_t;
@@ -17,8 +16,10 @@ init_script_file(glance_registry_initrc_exec_t)
type glance_registry_tmp_t;
files_tmp_file(glance_registry_tmp_t)
-type glance_api_t, glance_domain;
-type glance_api_exec_t;
+type glance_registry_tmpfs_t;
+files_tmpfs_file(glance_registry_tmpfs_t)
+
+glance_basic_types_template(glance_api)
init_daemon_domain(glance_api_t, glance_api_exec_t)
type glance_api_initrc_exec_t;
@@ -41,6 +42,7 @@ files_pid_file(glance_var_run_t)
# Common local policy
#
+allow glance_domain self:process signal_perms;
allow glance_domain self:fifo_file rw_fifo_file_perms;
allow glance_domain self:unix_stream_socket create_stream_socket_perms;
allow glance_domain self:tcp_socket { accept listen };
@@ -56,27 +58,23 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
-kernel_read_system_state(glance_domain)
-
-corenet_all_recvfrom_unlabeled(glance_domain)
-corenet_all_recvfrom_netlabel(glance_domain)
corenet_tcp_sendrecv_generic_if(glance_domain)
corenet_tcp_sendrecv_generic_node(glance_domain)
corenet_tcp_sendrecv_all_ports(glance_domain)
corenet_tcp_bind_generic_node(glance_domain)
+corenet_tcp_connect_mysqld_port(glance_domain)
+corenet_tcp_connect_http_port(glance_domain)
corecmd_exec_bin(glance_domain)
corecmd_exec_shell(glance_domain)
dev_read_urand(glance_domain)
+dev_read_sysfs(glance_domain)
-files_read_etc_files(glance_domain)
-files_read_usr_files(glance_domain)
+auth_read_passwd(glance_domain)
libs_exec_ldconfig(glance_domain)
-miscfiles_read_localization(glance_domain)
-
sysnet_dns_name_resolve(glance_domain)
########################################
@@ -88,8 +86,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
+manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
+manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
+fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file })
+
+corenet_tcp_bind_generic_node(glance_registry_t)
corenet_sendrecv_glance_registry_server_packets(glance_registry_t)
corenet_tcp_bind_glance_registry_port(glance_registry_t)
+corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
logging_send_syslog_msg(glance_registry_t)
@@ -108,13 +112,22 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
can_exec(glance_api_t, glance_tmp_t)
-corenet_sendrecv_armtechdaemon_server_packets(glance_api_t)
-corenet_tcp_bind_armtechdaemon_port(glance_api_t)
-
-corenet_sendrecv_hplip_server_packets(glance_api_t)
-corenet_tcp_bind_hplip_port(glance_api_t)
+corenet_tcp_bind_generic_node(glance_api_t)
+corenet_tcp_bind_glance_port(glance_api_t)
corenet_sendrecv_glance_registry_client_packets(glance_api_t)
+corenet_tcp_connect_amqp_port(glance_api_t)
corenet_tcp_connect_glance_registry_port(glance_api_t)
+corenet_tcp_connect_mysqld_port(glance_api_t)
+corenet_tcp_connect_http_port(glance_api_t)
+
+corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
+
+corenet_sendrecv_hplip_server_packets(glance_api_t)
+corenet_tcp_bind_hplip_port(glance_api_t)
fs_getattr_xattr_fs(glance_api_t)
+
+optional_policy(`
+ mysql_stream_connect(glance_api_t)
+')
diff --git a/glusterd.fc b/glusterd.fc
new file mode 100644
index 0000000..9614520
--- /dev/null
+++ b/glusterd.fc
@@ -0,0 +1,16 @@
+/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+
+/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+
+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+
+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
diff --git a/glusterd.if b/glusterd.if
new file mode 100644
index 0000000..1ed97fe
--- /dev/null
+++ b/glusterd.if
@@ -0,0 +1,150 @@
+
+## policy for glusterd
+
+
+########################################
+##
+## Transition to glusterd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`glusterd_domtrans',`
+ gen_require(`
+ type glusterd_t, glusterd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, glusterd_exec_t, glusterd_t)
+')
+
+
+########################################
+##
+## Execute glusterd server in the glusterd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glusterd_initrc_domtrans',`
+ gen_require(`
+ type glusterd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+')
+
+
+########################################
+##
+## Read glusterd's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`glusterd_read_log',`
+ gen_require(`
+ type glusterd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+########################################
+##
+## Append to glusterd log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glusterd_append_log',`
+ gen_require(`
+ type glusterd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+########################################
+##
+## Manage glusterd log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glusterd_manage_log',`
+ gen_require(`
+ type glusterd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
+ manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
+ manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an glusterd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`glusterd_admin',`
+ gen_require(`
+ type glusterd_t;
+ type glusterd_initrc_exec_t;
+ type glusterd_log_t;
+ type glusterd_tmp_t;
+ type glusterd_conf_t;
+ ')
+
+ allow $1 glusterd_t:process { signal_perms };
+ ps_process_pattern($1, glusterd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 glusterd_t:process ptrace;
+ ')
+
+ glusterd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 glusterd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, glusterd_log_t)
+
+ admin_pattern($1, glusterd_tmp_t)
+
+ admin_pattern($1, glusterd_conf_t)
+
+')
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
index 0000000..7b78047
--- /dev/null
+++ b/glusterd.te
@@ -0,0 +1,199 @@
+policy_module(glusterfs, 1.1.2)
+
+##
+##
+## Allow glusterfsd to modify public files used for public file
+## transfer services. Files/Directories must be labeled
+## public_content_rw_t.
+##
+##
+gen_tunable(gluster_anon_write, false)
+
+##
+##
+## Allow glusterfsd to share any file/directory read only.
+##
+##
+gen_tunable(gluster_export_all_ro, false)
+
+##
+##
+## Allow glusterfsd to share any file/directory read/write.
+##
+##
+gen_tunable(gluster_export_all_rw, true)
+
+########################################
+#
+# Declarations
+#
+
+type glusterd_t;
+type glusterd_exec_t;
+init_daemon_domain(glusterd_t, glusterd_exec_t)
+
+type glusterd_conf_t;
+files_type(glusterd_conf_t)
+
+type glusterd_initrc_exec_t;
+init_script_file(glusterd_initrc_exec_t)
+
+type glusterd_tmp_t;
+files_tmp_file(glusterd_tmp_t)
+
+type glusterd_log_t;
+logging_log_file(glusterd_log_t)
+
+type glusterd_var_run_t;
+files_pid_file(glusterd_var_run_t)
+
+type glusterd_var_lib_t;
+files_type(glusterd_var_lib_t)
+
+type glusterd_brick_t;
+files_type(glusterd_brick_t)
+
+########################################
+#
+# Local policy
+#
+
+allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin };
+
+allow glusterd_t self:capability2 block_suspend;
+allow glusterd_t self:process { getcap setcap setrlimit signal_perms };
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
+allow glusterd_t self:tcp_socket { accept listen };
+allow glusterd_t self:unix_stream_socket { accept listen connectto };
+
+manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+files_etc_filetrans(glusterd_t, glusterd_conf_t, { dir file }, "glusterfs")
+
+manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+allow glusterd_t glusterd_tmp_t:dir mounton;
+
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
+
+manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+#manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+
+manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+
+can_exec(glusterd_t, glusterd_exec_t)
+
+kernel_read_system_state(glusterd_t)
+kernel_read_network_state(glusterd_t)
+kernel_read_net_sysctls(glusterd_t)
+kernel_request_load_module(glusterd_t)
+
+corecmd_exec_bin(glusterd_t)
+corecmd_exec_shell(glusterd_t)
+
+corenet_all_recvfrom_unlabeled(glusterd_t)
+corenet_all_recvfrom_netlabel(glusterd_t)
+corenet_tcp_sendrecv_generic_if(glusterd_t)
+corenet_udp_sendrecv_generic_if(glusterd_t)
+corenet_tcp_sendrecv_generic_node(glusterd_t)
+corenet_udp_sendrecv_generic_node(glusterd_t)
+corenet_tcp_sendrecv_all_ports(glusterd_t)
+corenet_udp_sendrecv_all_ports(glusterd_t)
+corenet_tcp_bind_generic_node(glusterd_t)
+corenet_udp_bind_generic_node(glusterd_t)
+
+corenet_tcp_connect_gluster_port(glusterd_t)
+corenet_tcp_bind_gluster_port(glusterd_t)
+
+# replacement for rpc.mountd
+corenet_sendrecv_all_server_packets(glusterd_t)
+corenet_tcp_bind_all_reserved_ports(glusterd_t)
+corenet_udp_bind_all_rpc_ports(glusterd_t)
+corenet_tcp_bind_all_rpc_ports(glusterd_t)
+corenet_tcp_bind_nfs_port(glusterd_t)
+corenet_udp_bind_nfs_port(glusterd_t)
+corenet_udp_bind_mountd_port(glusterd_t)
+corenet_tcp_bind_mountd_port(glusterd_t)
+corenet_udp_bind_ipp_port(glusterd_t)
+
+corenet_sendrecv_all_client_packets(glusterd_t)
+corenet_tcp_bind_all_unreserved_ports(glusterd_t)
+corenet_tcp_connect_all_unreserved_ports(glusterd_t)
+corenet_tcp_connect_ssh_port(glusterd_t)
+
+dev_read_sysfs(glusterd_t)
+dev_read_urand(glusterd_t)
+
+domain_read_all_domains_state(glusterd_t)
+
+domain_use_interactive_fds(glusterd_t)
+
+fs_mount_all_fs(glusterd_t)
+fs_unmount_all_fs(glusterd_t)
+fs_getattr_all_fs(glusterd_t)
+
+files_mounton_mnt(glusterd_t)
+
+storage_rw_fuse(glusterd_t)
+
+auth_use_nsswitch(glusterd_t)
+
+fs_getattr_all_fs(glusterd_t)
+
+logging_send_syslog_msg(glusterd_t)
+libs_exec_ldconfig(glusterd_t)
+
+miscfiles_read_localization(glusterd_t)
+miscfiles_read_public_files(glusterd_t)
+
+userdom_manage_user_home_dirs(glusterd_t)
+userdom_filetrans_home_content(glusterd_t)
+
+mount_domtrans(glusterd_t)
+tunable_policy(`gluster_anon_write',`
+ miscfiles_manage_public_files(glusterd_t)
+')
+
+tunable_policy(`gluster_export_all_ro',`
+ fs_read_noxattr_fs_files(glusterd_t)
+ files_read_non_security_files(glusterd_t)
+')
+
+tunable_policy(`gluster_export_all_rw',`
+ fs_manage_noxattr_fs_files(glusterd_t)
+ files_manage_non_security_dirs(glusterd_t)
+ files_manage_non_security_files(glusterd_t)
+ files_relabel_base_file_types(glusterd_t)
+')
+
+optional_policy(`
+ rpc_domtrans_rpcd(glusterd_t)
+ rpc_kill_rpcd(glusterd_t)
+')
+
+optional_policy(`
+ rsync_exec(glusterd_t)
+')
+
+optional_policy(`
+ ssh_exec(glusterd_t)
+')
diff --git a/glusterfs.fc b/glusterfs.fc
deleted file mode 100644
index 4bd6ade..0000000
--- a/glusterfs.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-
-/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
-/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
-
-/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
-
-/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
-
-/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
-
-/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
-
-/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
-/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
diff --git a/glusterfs.if b/glusterfs.if
deleted file mode 100644
index 05233c8..0000000
--- a/glusterfs.if
+++ /dev/null
@@ -1,71 +0,0 @@
-## Cluster File System binary, daemon and command line.
-
-########################################
-##
-## All of the rules required to
-## administrate an glusterfs environment.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-#
-interface(`glusterd_admin',`
- refpolicywarn(`$0($*) has been deprecated, use glusterfs_admin() instead.')
- glusterfs_admin($1, $2)
-')
-
-########################################
-##
-## All of the rules required to
-## administrate an glusterfs environment.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-#
-interface(`glusterfs_admin',`
- gen_require(`
- type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
- type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
- type glusterd_var_run_t;
- ')
-
- init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 glusterd_initrc_exec_t system_r;
- allow $2 system_r;
-
- allow $1 glusterd_t:process { ptrace signal_perms };
- ps_process_pattern($1, glusterd_t)
-
- files_search_etc($1)
- admin_pattern($1, glusterd_conf_t)
-
- logging_search_logs($1)
- admin_pattern($1, glusterd_log_t)
-
- files_search_tmp($1)
- admin_pattern($1, glusterd_tmp_t)
-
- files_search_var_lib($1)
- admin_pattern($1, glusterd_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, glusterd_var_run_t)
-')
diff --git a/glusterfs.te b/glusterfs.te
deleted file mode 100644
index 4e95c7e..0000000
--- a/glusterfs.te
+++ /dev/null
@@ -1,105 +0,0 @@
-policy_module(glusterfs, 1.1.2)
-
-########################################
-#
-# Declarations
-#
-
-type glusterd_t;
-type glusterd_exec_t;
-init_daemon_domain(glusterd_t, glusterd_exec_t)
-
-type glusterd_conf_t;
-files_type(glusterd_conf_t)
-
-type glusterd_initrc_exec_t;
-init_script_file(glusterd_initrc_exec_t)
-
-type glusterd_tmp_t;
-files_tmp_file(glusterd_tmp_t)
-
-type glusterd_log_t;
-logging_log_file(glusterd_log_t)
-
-type glusterd_var_run_t;
-files_pid_file(glusterd_var_run_t)
-
-type glusterd_var_lib_t;
-files_type(glusterd_var_lib_t)
-
-########################################
-#
-# Local policy
-#
-
-allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner };
-allow glusterd_t self:process { setrlimit signal };
-allow glusterd_t self:fifo_file rw_fifo_file_perms;
-allow glusterd_t self:tcp_socket { accept listen };
-allow glusterd_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-files_etc_filetrans(glusterd_t, glusterd_conf_t, dir)
-
-manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
-
-manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
-
-manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
-
-manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
-
-can_exec(glusterd_t, glusterd_exec_t)
-
-kernel_read_system_state(glusterd_t)
-
-corecmd_exec_bin(glusterd_t)
-corecmd_exec_shell(glusterd_t)
-
-corenet_all_recvfrom_unlabeled(glusterd_t)
-corenet_all_recvfrom_netlabel(glusterd_t)
-corenet_tcp_sendrecv_generic_if(glusterd_t)
-corenet_udp_sendrecv_generic_if(glusterd_t)
-corenet_tcp_sendrecv_generic_node(glusterd_t)
-corenet_udp_sendrecv_generic_node(glusterd_t)
-corenet_tcp_sendrecv_all_ports(glusterd_t)
-corenet_udp_sendrecv_all_ports(glusterd_t)
-corenet_tcp_bind_generic_node(glusterd_t)
-corenet_udp_bind_generic_node(glusterd_t)
-
-# Too coarse?
-corenet_sendrecv_all_server_packets(glusterd_t)
-corenet_tcp_bind_all_reserved_ports(glusterd_t)
-corenet_udp_bind_all_rpc_ports(glusterd_t)
-corenet_udp_bind_ipp_port(glusterd_t)
-
-corenet_sendrecv_all_client_packets(glusterd_t)
-corenet_tcp_connect_all_unreserved_ports(glusterd_t)
-
-dev_read_sysfs(glusterd_t)
-dev_read_urand(glusterd_t)
-
-domain_read_all_domains_state(glusterd_t)
-
-domain_use_interactive_fds(glusterd_t)
-
-files_read_usr_files(glusterd_t)
-
-auth_use_nsswitch(glusterd_t)
-
-logging_send_syslog_msg(glusterd_t)
-
-miscfiles_read_localization(glusterd_t)
diff --git a/gnome.fc b/gnome.fc
index e39de43..4c8113b 100644
--- a/gnome.fc
+++ b/gnome.fc
@@ -1,15 +1,59 @@
-HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
-HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
-HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
-HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.grl-metadata-store gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
+HOME_DIR/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
+/var/run/user/[^/]*/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+/var/run/user/[^/]*/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+/var/run/user/[^/]*/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0)
+
+/root/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+/root/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+/root/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
+/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+/root/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+/root/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
+/root/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
+/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+
+/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
+/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0)
+
/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+/usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+
+# Don't use because toolchain is broken
+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
-/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
index ab09d61..d2cd4bf 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,52 +1,78 @@
-## GNU network object model environment.
+## GNU network object model environment (GNOME)
-########################################
+#######################################
##
-## Role access for gnome. (Deprecated)
+## Role access for gnome. (Deprecated)
##
##
-##
-## Role allowed access.
-##
+##
+## Role allowed access.
+##
##
##
-##
-## User domain for the role.
-##
+##
+## User domain for the role.
+##
##
#
interface(`gnome_role',`
- refpolicywarn(`$0($*) has been deprecated')
+ refpolicywarn(`$0($*) has been deprecated')
+ ')
+
+######################################
+##
+## The role template for the gnome-keyring-daemon.
+##
+##
+##
+## The user prefix.
+##
+##
+##
+##
+## The user role.
+##
+##
+##
+##
+## The user domain associated with the role.
+##
+##
+#
+interface(`gnome_role_gkeyringd',`
+ refpolicywarn(`$0($*) has been deprecated')
')
-#######################################
+######################################
##
-## The role template for gnome.
+## The role template for gnome.
##
##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
##
##
-##
-## The role associated with the user domain.
-##
+##
+## The role associated with the user domain.
+##
##
##
-##
-## The type of the user domain.
-##
+##
+## The type of the user domain.
+##
##
#
template(`gnome_role_template',`
- gen_require(`
+ gen_require(`
attribute gnomedomain, gkeyringd_domain;
attribute_role gconfd_roles;
- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
+ type gnome_home_t;
+ type gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t;
type gconfd_t, gconfd_exec_t, gconf_tmp_t;
type gconf_home_t;
+ class dbus send_msg;
')
########################################
@@ -76,12 +102,12 @@ template(`gnome_role_template',`
allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
- allow $3 gconfd_t:process { ptrace signal_perms };
+ allow $3 gconfd_t:process { signal_perms };
+ allow $3 gconfd_t:unix_stream_socket connectto;
ps_process_pattern($3, gconfd_t)
+
########################################
#
# Gkeyringd policy
@@ -89,37 +115,85 @@ template(`gnome_role_template',`
domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
- allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
- allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
+ allow $3 { gnome_home_t gkeyringd_gnome_home_t gkeyringd_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 { gnome_home_t gkeyringd_gnome_home_t }:file { relabel_file_perms manage_file_perms };
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private")
-
- gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")
+ userdom_home_manager($1_gkeyringd_t)
- allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
ps_process_pattern($3, $1_gkeyringd_t)
- allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+ allow $3 $1_gkeyringd_t:process signal_perms;
+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
+
+ allow $1_gkeyringd_t $3:process sigkill;
+ allow $3 $1_gkeyringd_t:fd use;
+ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
+
+ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };
+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
+
+ kernel_read_system_state($1_gkeyringd_t)
corecmd_bin_domtrans($1_gkeyringd_t, $3)
corecmd_shell_domtrans($1_gkeyringd_t, $3)
- gnome_stream_connect_gkeyringd($1, $3)
+ gnome_stream_connect_gkeyringd($3)
+
+ ps_process_pattern($1_gkeyringd_t, $3)
+
+ auth_use_nsswitch($1_gkeyringd_t)
+
+ logging_send_syslog_msg($1_gkeyringd_t)
+
+ allow $1_gkeyringd_t $3:dbus send_msg;
+ allow $3 $1_gkeyringd_t:dbus send_msg;
optional_policy(`
- dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ gnome_manage_generic_home_dirs($1_gkeyringd_t)
+ gnome_read_generic_data_home_files($1_gkeyringd_t)
+ gnome_read_generic_data_home_dirs($1_gkeyringd_t)
optional_policy(`
- gnome_dbus_chat_gkeyringd($1, $3)
+ telepathy_mission_control_read_state($1_gkeyringd_t)
+ telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
')
')
')
+#######################################
+##
+## Allow domain to run gkeyring in the $1_gkeyringd_t domain.
+##
+##
+##
+## The user prefix.
+##
+##
+##
+##
+## The user role.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_run_gkeyringd',`
+ gen_require(`
+ type $1_gkeyringd_t;
+ type gkeyringd_exec_t;
+ ')
+ role $2 types $1_gkeyringd_t;
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
+')
+
########################################
##
-## Execute gconf in the caller domain.
+## gconf connection template.
##
##
##
@@ -127,18 +201,18 @@ template(`gnome_role_template',`
##
##
#
-interface(`gnome_exec_gconf',`
+interface(`gnome_stream_connect_gconf',`
gen_require(`
- type gconfd_exec_t;
+ type gconfd_t, gconf_tmp_t;
')
- corecmd_search_bin($1)
- can_exec($1, gconfd_exec_t)
+ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+ allow $1 gconfd_t:unix_stream_socket connectto;
')
########################################
##
-## Read gconf configuration content.
+## Connect to gkeyringd with a unix stream socket.
##
##
##
@@ -146,119 +220,114 @@ interface(`gnome_exec_gconf',`
##
##
#
-interface(`gnome_read_gconf_config',`
+interface(`gnome_stream_connect_gkeyringd',`
gen_require(`
- type gconf_etc_t;
+ attribute gkeyringd_domain;
+ type gkeyringd_tmp_t;
+ type gconf_tmp_t;
+ type cache_home_t;
')
- files_search_etc($1)
- allow $1 gconf_etc_t:dir list_dir_perms;
- allow $1 gconf_etc_t:file read_file_perms;
- allow $1 gconf_etc_t:lnk_file read_lnk_file_perms;
+ allow $1 gconf_tmp_t:dir search_dir_perms;
+ userdom_search_user_tmp_dirs($1)
+ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
+ stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain)
')
########################################
##
-## Do not audit attempts to read
-## inherited gconf configuration files.
+## Run gconfd in gconfd domain.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
+interface(`gnome_domtrans_gconfd',`
gen_require(`
- type gconf_etc_t;
+ type gconfd_t, gconfd_exec_t;
')
- dontaudit $1 gconf_etc_t:file read;
+ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')
-#######################################
+########################################
##
-## Create, read, write, and delete
-## gconf configuration content.
+## Dontaudit read gnome homedir content (.config)
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`gnome_manage_gconf_config',`
+interface(`gnome_dontaudit_read_config',`
gen_require(`
- type gconf_etc_t;
+ attribute gnome_home_type;
')
- files_search_etc($1)
- allow $1 gconf_etc_t:dir manage_dir_perms;
- allow $1 gconf_etc_t:file manage_file_perms;
- allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms;
+ dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
')
########################################
##
-## Connect to gconf using a unix
-## domain stream socket.
+## Dontaudit search gnome homedir content (.config)
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`gnome_stream_connect_gconf',`
+interface(`gnome_dontaudit_search_config',`
gen_require(`
- type gconfd_t, gconf_tmp_t;
+ attribute gnome_home_type;
')
- files_search_tmp($1)
- stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)
+ dontaudit $1 gnome_home_type:dir search_dir_perms;
')
########################################
##
-## Run gconfd in gconfd domain.
+## Dontaudit write gnome homedir content (.config)
##
##
##
-## Domain allowed to transition.
+## Domain to not audit.
##
##
#
-interface(`gnome_domtrans_gconfd',`
+interface(`gnome_dontaudit_append_config_files',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
+ attribute gnome_home_type;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+ dontaudit $1 gnome_home_type:file append;
')
+
########################################
##
-## Create generic gnome home directories.
+## Dontaudit write gnome homedir content (.config)
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`gnome_create_generic_home_dirs',`
+interface(`gnome_dontaudit_write_config_files',`
gen_require(`
- type gnome_home_t;
+ attribute gnome_home_type;
')
- allow $1 gnome_home_t:dir create_dir_perms;
+ dontaudit $1 gnome_home_type:file write;
')
########################################
##
-## Set attributes of generic gnome
-## user home directories. (Deprecated)
+## manage gnome homedir content (.config)
##
##
##
@@ -266,15 +335,21 @@ interface(`gnome_create_generic_home_dirs',`
##
##
#
-interface(`gnome_setattr_config_dirs',`
- refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.')
- gnome_setattr_generic_home_dirs($1)
+interface(`gnome_manage_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ allow $1 gnome_home_type:dir manage_dir_perms;
+ allow $1 gnome_home_type:file manage_file_perms;
+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
+ allow $1 gnome_home_type:sock_file manage_sock_file_perms;
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## Set attributes of generic gnome
-## user home directories.
+## Send general signals to all gconf domains.
##
##
##
@@ -282,57 +357,89 @@ interface(`gnome_setattr_config_dirs',`
##
##
#
-interface(`gnome_setattr_generic_home_dirs',`
+interface(`gnome_signal_all',`
gen_require(`
- type gnome_home_t;
+ attribute gnomedomain;
')
- userdom_search_user_home_dirs($1)
- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+ allow $1 gnomedomain:process signal;
')
########################################
##
-## Read generic gnome user home content. (Deprecated)
+## Create objects in a Gnome cache home directory
+## with an automatic type transition to
+## a specified private type.
##
##
##
## Domain allowed access.
##
##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
#
-interface(`gnome_read_config',`
- refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.')
- gnome_read_generic_home_content($1)
+interface(`gnome_cache_filetrans',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ filetrans_pattern($1, cache_home_t, $2, $3, $4)
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## Read generic gnome home content.
+## Create objects in a Gnome cache home directory
+## with an automatic type transition to
+## a specified private type.
##
##
##
## Domain allowed access.
##
##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
#
-interface(`gnome_read_generic_home_content',`
+interface(`gnome_config_filetrans',`
gen_require(`
- type gnome_home_t;
+ type config_home_t;
')
+ filetrans_pattern($1, config_home_t, $2, $3, $4)
userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir list_dir_perms;
- allow $1 gnome_home_t:file read_file_perms;
- allow $1 gnome_home_t:fifo_file read_fifo_file_perms;
- allow $1 gnome_home_t:lnk_file read_lnk_file_perms;
- allow $1 gnome_home_t:sock_file read_sock_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## generic gnome user home content. (Deprecated)
+## Read generic cache home files (.cache)
##
##
##
@@ -340,15 +447,18 @@ interface(`gnome_read_generic_home_content',`
##
##
#
-interface(`gnome_manage_config',`
- refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.')
- gnome_manage_generic_home_content($1)
+interface(`gnome_read_generic_cache_files',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ read_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## Create, read, write, and delete
-## generic gnome home content.
+## Create generic cache home dir (.cache)
##
##
##
@@ -356,22 +466,18 @@ interface(`gnome_manage_config',`
##
##
#
-interface(`gnome_manage_generic_home_content',`
+interface(`gnome_create_generic_cache_dir',`
gen_require(`
- type gnome_home_t;
+ type cache_home_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir manage_dir_perms;
- allow $1 gnome_home_t:file manage_file_perms;
- allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gnome_home_t:sock_file manage_sock_file_perms;
+ allow $1 cache_home_t:dir create_dir_perms;
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
')
########################################
##
-## Search generic gnome home directories.
+## Set attributes of cache home dir (.cache)
##
##
##
@@ -379,53 +485,37 @@ interface(`gnome_manage_generic_home_content',`
##
##
#
-interface(`gnome_search_generic_home',`
+interface(`gnome_setattr_cache_home_dir',`
gen_require(`
- type gnome_home_t;
+ type cache_home_t;
')
+ setattr_dirs_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir search_dir_perms;
')
########################################
##
-## Create objects in gnome user home
-## directories with a private type.
+## Manage cache home dir (.cache)
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Private file type.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
#
-interface(`gnome_home_filetrans',`
+interface(`gnome_manage_cache_home_dir',`
gen_require(`
- type gnome_home_t;
+ type cache_home_t;
')
+ manage_dirs_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- filetrans_pattern($1, gnome_home_t, $2, $3, $4)
')
########################################
##
-## Create generic gconf home directories.
+## append to generic cache home files (.cache)
##
##
##
@@ -433,17 +523,18 @@ interface(`gnome_home_filetrans',`
##
##
#
-interface(`gnome_create_generic_gconf_home_dirs',`
+interface(`gnome_append_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
- allow $1 gconf_home_t:dir create_dir_perms;
+ append_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## Read generic gconf home content.
+## write to generic cache home files (.cache)
##
##
##
@@ -451,23 +542,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
##
##
#
-interface(`gnome_read_generic_gconf_home_content',`
+interface(`gnome_write_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
+ write_files_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir list_dir_perms;
- allow $1 gconf_home_t:file read_file_perms;
- allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
- allow $1 gconf_home_t:sock_file read_sock_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## generic gconf home content.
+## Manage a sock_file in the generic cache home files (.cache)
##
##
##
@@ -475,82 +561,73 @@ interface(`gnome_read_generic_gconf_home_content',`
##
##
#
-interface(`gnome_manage_generic_gconf_home_content',`
+interface(`gnome_manage_generic_cache_sockets',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir manage_dir_perms;
- allow $1 gconf_home_t:file manage_file_perms;
- allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gconf_home_t:sock_file manage_sock_file_perms;
+ manage_sock_files_pattern($1, cache_home_t, cache_home_t)
')
########################################
##
-## Search generic gconf home directories.
+## Dontaudit read/write to generic cache home files (.cache)
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`gnome_search_generic_gconf_home',`
+interface(`gnome_dontaudit_rw_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir search_dir_perms;
+ dontaudit $1 cache_home_t:file rw_inherited_file_perms;
')
########################################
##
-## Create objects in user home
-## directories with the generic gconf
-## home type.
+## read gnome homedir content (.config)
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
#
-interface(`gnome_home_filetrans_gconf_home',`
+interface(`gnome_read_config',`
gen_require(`
- type gconf_home_t;
+ attribute gnome_home_type;
')
- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
+ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+ read_files_pattern($1, gnome_home_type, gnome_home_type)
+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
+ gnome_read_usr_config($1)
')
########################################
##
-## Create objects in user home
-## directories with the generic gnome
-## home type.
+## Create objects in a Gnome gconf home directory
+## with an automatic type transition to
+## a specified private type.
##
##
##
## Domain allowed access.
##
##
+##
+##
+## The type of the object to create.
+##
+##
##
##
-## Class of the object being created.
+## The class of the object to be created.
##
##
##
@@ -559,52 +636,77 @@ interface(`gnome_home_filetrans_gconf_home',`
##
##
#
-interface(`gnome_home_filetrans_gnome_home',`
+interface(`gnome_data_filetrans',`
gen_require(`
- type gnome_home_t;
+ type data_home_t;
')
- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+ filetrans_pattern($1, data_home_t, $2, $3, $4)
+ gnome_search_gconf($1)
')
-########################################
+#######################################
##
-## Create objects in gnome gconf home
-## directories with a private type.
+## Read generic data home files.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Private file type.
-##
-##
-##
-##
-## Class of the object being created.
-##
+#
+interface(`gnome_read_generic_data_home_files',`
+ gen_require(`
+ type data_home_t, gconf_home_t;
+ ')
+
+ read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
+ read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
+')
+
+######################################
+##
+## Read generic data home dirs.
+##
+##
+##
+## Domain allowed access.
+##
##
-##
+#
+interface(`gnome_read_generic_data_home_dirs',`
+ gen_require(`
+ type data_home_t, gconf_home_t;
+ ')
+
+ list_dirs_pattern($1, { gconf_home_t data_home_t }, data_home_t)
+')
+
+#######################################
+##
+## Manage gconf data home files
+##
+##
##
-## The name of the object being created.
+## Domain allowed access.
##
##
#
-interface(`gnome_gconf_home_filetrans',`
+interface(`gnome_manage_data',`
gen_require(`
+ type data_home_t;
type gconf_home_t;
')
- userdom_search_user_home_dirs($1)
- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
+ allow $1 gconf_home_t:dir search_dir_perms;
+ manage_dirs_pattern($1, data_home_t, data_home_t)
+ manage_files_pattern($1, data_home_t, data_home_t)
+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
')
########################################
##
-## Read generic gnome keyring home files.
+## Read icc data home content.
##
##
##
@@ -612,93 +714,86 @@ interface(`gnome_gconf_home_filetrans',`
##
##
#
-interface(`gnome_read_keyring_home_files',`
+interface(`gnome_read_home_icc_data_content',`
gen_require(`
- type gnome_home_t, gnome_keyring_home_t;
+ type icc_data_home_t, gconf_home_t, data_home_t;
')
userdom_search_user_home_dirs($1)
- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
')
########################################
##
-## Send and receive messages from
-## gnome keyring daemon over dbus.
+## Read inherited icc data home files.
##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-interface(`gnome_dbus_chat_gkeyringd',`
+interface(`gnome_read_inherited_home_icc_data_files',`
gen_require(`
- type $1_gkeyringd_t;
- class dbus send_msg;
+ type icc_data_home_t;
')
- allow $2 $1_gkeyringd_t:dbus send_msg;
- allow $1_gkeyringd_t $2:dbus send_msg;
+ allow $1 icc_data_home_t:file read_inherited_file_perms;
')
########################################
##
-## Send and receive messages from all
-## gnome keyring daemon over dbus.
+## Create gconf_home_t objects in the /root directory
##
##
##
## Domain allowed access.
##
##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
#
-interface(`gnome_dbus_chat_all_gkeyringd',`
+interface(`gnome_admin_home_gconf_filetrans',`
gen_require(`
- attribute gkeyringd_domain;
- class dbus send_msg;
+ type gconf_home_t;
')
- allow $1 gkeyringd_domain:dbus send_msg;
- allow gkeyringd_domain $1:dbus send_msg;
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
')
########################################
##
-## Connect to gnome keyring daemon
-## with a unix stream socket.
+## Do not audit attempts to read
+## inherited gconf config files.
##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`gnome_stream_connect_gkeyringd',`
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
gen_require(`
- type $1_gkeyringd_t, gnome_keyring_tmp_t;
+ type gconf_etc_t;
')
- files_search_tmp($2)
- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
')
########################################
##
-## Connect to all gnome keyring daemon
-## with a unix stream socket.
+## read gconf config files
##
##
##
@@ -706,12 +801,912 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
-interface(`gnome_stream_connect_all_gkeyringd',`
+interface(`gnome_read_gconf_config',`
gen_require(`
- attribute gkeyringd_domain;
- type gnome_keyring_tmp_t;
+ type gconf_etc_t;
')
- files_search_tmp($1)
- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
+')
+
+#######################################
+##
+## Manage gconf config files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
+')
+
+########################################
+##
+## Execute gconf programs in
+## in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_exec_gconf',`
+ gen_require(`
+ type gconfd_exec_t;
+ ')
+
+ can_exec($1, gconfd_exec_t)
+')
+
+########################################
+##
+## Execute gnome keyringd in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_exec_keyringd',`
+ gen_require(`
+ type gkeyringd_exec_t;
+ ')
+
+ can_exec($1, gkeyringd_exec_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+##
+## Search gconf home data dirs
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_search_gconf_data_dir',`
+ gen_require(`
+ type gconf_home_t;
+ type data_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir list_dir_perms;
+ allow $1 data_home_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Read gconf home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_read_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t;
+ type data_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir list_dir_perms;
+ allow $1 data_home_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_home_t, gconf_home_t)
+ read_files_pattern($1, data_home_t, data_home_t)
+ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
+ read_lnk_files_pattern($1, data_home_t, data_home_t)
+')
+
+########################################
+##
+## Search gkeyringd temporary directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_search_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 gkeyringd_tmp_t:dir search_dir_perms;
+')
+
+########################################
+##
+## List gkeyringd temporary directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_list_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 gkeyringd_tmp_t:dir list_dir_perms;
+')
+
+#######################################
+##
+## Delete gkeyringd temporary
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_delete_gkeyringd_tmp_content',`
+ gen_require(`
+ type gkeyringd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ delete_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+ delete_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+ delete_sock_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+')
+
+#######################################
+##
+## Manage gkeyringd temporary directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+')
+
+########################################
+##
+## search gconf homedir (.local)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_search_gconf',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Set attributes of Gnome config dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_setattr_config_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+ files_search_home($1)
+')
+
+########################################
+##
+## Manage generic gnome home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_generic_home_files',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, gnome_home_t, gnome_home_t)
+')
+
+########################################
+##
+## Manage generic gnome home directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_generic_home_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gnome_home_t:dir manage_dir_perms;
+')
+
+########################################
+##
+## Append gconf home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_append_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ append_files_pattern($1, gconf_home_t, gconf_home_t)
+')
+
+########################################
+##
+## manage gconf home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir list_dir_perms;
+ manage_files_pattern($1, gconf_home_t, gconf_home_t)
+')
+
+########################################
+##
+## Connect to gnome over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+interface(`gnome_stream_connect',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ # Connect to pulseaudit server
+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
+')
+
+########################################
+##
+## list gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_list_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ allow $1 config_home_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Set attributes of gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_setattr_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ setattr_dirs_pattern($1, config_home_t, config_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## read gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_read_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ list_dirs_pattern($1, config_home_t, config_home_t)
+ read_files_pattern($1, config_home_t, config_home_t)
+ read_lnk_files_pattern($1, config_home_t, config_home_t)
+')
+
+#######################################
+##
+## delete gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_delete_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ delete_files_pattern($1, config_home_t, config_home_t)
+')
+
+#######################################
+##
+## setattr gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_setattr_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ setattr_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+##
+## manage gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ manage_files_pattern($1, config_home_t, config_home_t)
+')
+
+#######################################
+##
+## delete gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_delete_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ delete_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+##
+## manage gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ manage_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+##
+## manage gstreamer home content files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_gstreamer_home_files',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
+ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
+ gnome_filetrans_gstreamer_home_content($1)
+')
+
+######################################
+##
+## Allow to execute gstreamer home content files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_exec_gstreamer_home_files',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ can_exec($1, gstreamer_home_t)
+')
+
+#######################################
+##
+## file name transition gstreamer home content files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_filetrans_gstreamer_home_content',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-bookmarks")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-metadata-store")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.0")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.2")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
+ userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-10")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-12")
+')
+
+#######################################
+##
+## manage gstreamer home content files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_gstreamer_home_dirs',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
+')
+
+########################################
+##
+## Read/Write all inherited gnome home config
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_rw_inherited_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ allow $1 gnome_home_type:file rw_inherited_file_perms;
+')
+
+########################################
+##
+## Dontaudit Read/Write all inherited gnome home config
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`gnome_dontaudit_rw_inherited_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ dontaudit $1 gnome_home_type:file rw_inherited_file_perms;
+')
+
+########################################
+##
+## Send and receive messages from
+## gconf system service over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_dbus_chat_gconfdefault',`
+ gen_require(`
+ type gconfdefaultsm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gconfdefaultsm_t:dbus send_msg;
+ allow gconfdefaultsm_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Send and receive messages from
+## gkeyringd over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_dbus_chat_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ class dbus send_msg;
+ ')
+
+ allow $1 gkeyringd_domain:dbus send_msg;
+ allow gkeyringd_domain $1:dbus send_msg;
+')
+
+########################################
+##
+## Send signull signal to gkeyringd processes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_signull_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ ')
+
+ allow $1 gkeyringd_domain:process signull;
+')
+
+########################################
+##
+## Allow the domain to read gkeyringd state files in /proc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_read_gkeyringd_state',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ ')
+
+ ps_process_pattern($1, gkeyringd_domain)
+')
+
+########################################
+##
+## Create directories in user home directories
+## with the gnome home file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_home_dir_filetrans',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
+ userdom_search_user_home_dirs($1)
+')
+
+######################################
+##
+## Allow read kde config content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_read_usr_config',`
+ gen_require(`
+ type config_usr_t;
+ ')
+
+ files_search_usr($1)
+ list_dirs_pattern($1, config_usr_t, config_usr_t)
+ read_files_pattern($1, config_usr_t, config_usr_t)
+ read_lnk_files_pattern($1, config_usr_t, config_usr_t)
+')
+
+#######################################
+##
+## Allow manage kde config content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_usr_config',`
+ gen_require(`
+ type config_usr_t;
+ ')
+
+ files_search_usr($1)
+ manage_dirs_pattern($1, config_usr_t, config_usr_t)
+ manage_files_pattern($1, config_usr_t, config_usr_t)
+ manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
+')
+
+########################################
+##
+## Execute gnome-keyring in the user gkeyring domain
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`gnome_transition_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ ')
+
+ allow $1 gkeyringd_domain:process transition;
+ dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
+ allow gkeyringd_domain $1:process { sigchld signull };
+ allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Create gnome content in the user home directory
+## with an correct label.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_filetrans_home_content',`
+
+gen_require(`
+ type config_home_t;
+ type cache_home_t;
+ type dbus_home_t;
+ type gconf_home_t;
+ type gnome_home_t;
+ type data_home_t, icc_data_home_t;
+ type gkeyringd_gnome_home_t;
+')
+
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
+ userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
+ userdom_user_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
+
+ # ~/.color/icc: legacy
+ userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
+ filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+ filetrans_pattern($1, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+ filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
+ filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
+ filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig")
+ userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
+ gnome_cache_filetrans($1, config_home_t, dir, "dconf")
+ gnome_filetrans_gstreamer_home_content($1)
+')
+
+########################################
+##
+## Create gnome dconf dir in the user home directory
+## with an correct label.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_filetrans_config_home_content',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ gnome_cache_filetrans($1, config_home_t, dir, "dconf")
+')
+
+########################################
+##
+## Create gnome directory in the /root directory
+## with an correct label.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_filetrans_admin_home_content',`
+
+gen_require(`
+ type config_home_t;
+ type cache_home_t;
+ type dbus_home_t;
+ type gstreamer_home_t;
+ type gconf_home_t;
+ type gnome_home_t;
+ type icc_data_home_t;
+')
+
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".config")
+ userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
+ userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
+ userdom_admin_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+ userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
+ gnome_filetrans_gstreamer_home_content($1)
+ # /root/.color/icc: legacy
+ userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
+')
+
+#####################################
+##
+## Execute gnome-keyring executable
+## in the specified domain.
+##
+##
+##
+## Execute a telepathy executable
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+##
+##
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+##
+##
+## This interface was added to handle
+## the ssh-agent policy.
+##
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The type of the new process.
+##
+##
+#
+interface(`gnome_command_domtrans_gkeyringd', `
+ gen_require(`
+ type gkeyringd_exec_t;
+ ')
+
+ allow $2 gkeyringd_exec_t:file entrypoint;
+ domain_transition_pattern($1, gkeyringd_exec_t, $2)
+ type_transition $1 gkeyringd_exec_t:process $2;
')
diff --git a/gnome.te b/gnome.te
index 63893eb..d6f68a8 100644
--- a/gnome.te
+++ b/gnome.te
@@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
# Declarations
#
-attribute gkeyringd_domain;
attribute gnomedomain;
+attribute gnome_home_type;
+attribute gkeyringd_domain;
attribute_role gconfd_roles;
type gconf_etc_t;
files_config_file(gconf_etc_t)
-type gconf_home_t;
+type data_home_t, gnome_home_type;
+userdom_user_home_content(data_home_t)
+
+type config_home_t, gnome_home_type;
+userdom_user_home_content(config_home_t)
+
+type cache_home_t, gnome_home_type;
+userdom_user_home_content(cache_home_t)
+
+type gstreamer_home_t, gnome_home_type;
+userdom_user_home_content(gstreamer_home_t)
+
+type dbus_home_t, gnome_home_type;
+userdom_user_home_content(dbus_home_t)
+
+type icc_data_home_t, gnome_home_type;
+userdom_user_home_content(icc_data_home_t)
+
+type gconf_home_t, gnome_home_type;
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
role gconfd_roles types gconfd_t;
-type gnome_home_t;
+type gnome_home_t, gnome_home_type;
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
typealias gnome_home_t alias unconfined_gnome_home_t;
userdom_user_home_content(gnome_home_t)
+# type KDE /usr/share/config files
+type config_usr_t;
+files_type(config_usr_t)
+
type gkeyringd_exec_t;
-application_executable_file(gkeyringd_exec_t)
+corecmd_executable_file(gkeyringd_exec_t)
-type gnome_keyring_home_t;
-userdom_user_home_content(gnome_keyring_home_t)
+type gkeyringd_gnome_home_t, gnome_home_type;
+userdom_user_home_content(gkeyringd_gnome_home_t)
-type gnome_keyring_tmp_t;
-userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gkeyringd_tmp_t;
+userdom_user_tmp_content(gkeyringd_tmp_t)
+
+type gconfdefaultsm_t;
+type gconfdefaultsm_exec_t;
+init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
+
+type gnomesystemmm_t;
+type gnomesystemmm_exec_t;
+init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
##############################
#
-# Common local Policy
+# Local Policy
#
-allow gnomedomain self:process { getsched signal };
-allow gnomedomain self:fifo_file rw_fifo_file_perms;
+allow gconfd_t self:process getsched;
+allow gconfd_t self:fifo_file rw_fifo_file_perms;
-dev_read_urand(gnomedomain)
+manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
-domain_use_interactive_fds(gnomedomain)
+manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
-files_read_etc_files(gnomedomain)
+allow gconfd_t gconf_etc_t:dir list_dir_perms;
+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+
+dev_read_urand(gconfd_t)
-miscfiles_read_localization(gnomedomain)
-logging_send_syslog_msg(gnomedomain)
-userdom_use_user_terminals(gnomedomain)
+logging_send_syslog_msg(gconfd_t)
+
+userdom_manage_user_tmp_sockets(gconfd_t)
+userdom_manage_user_tmp_dirs(gconfd_t)
+userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
optional_policy(`
- xserver_rw_xdm_pipes(gnomedomain)
- xserver_use_xdm_fds(gnomedomain)
+ nscd_dontaudit_search_pid(gconfd_t)
')
-##############################
+optional_policy(`
+ xserver_use_xdm_fds(gconfd_t)
+ xserver_rw_xdm_pipes(gconfd_t)
+')
+
+#######################################
#
-# Conf daemon local Policy
+# gconf-defaults-mechanisms local policy
#
-allow gconfd_t gconf_etc_t:dir list_dir_perms;
-read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+allow gconfdefaultsm_t self:capability { dac_override sys_nice };
+allow gconfdefaultsm_t self:process getsched;
+allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
-manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
-manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
-userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
+corecmd_search_bin(gconfdefaultsm_t)
-manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
-manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
-userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+auth_read_passwd(gconfdefaultsm_t)
-userdom_manage_user_tmp_dirs(gconfd_t)
-userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+gnome_manage_gconf_home_files(gconfdefaultsm_t)
+gnome_manage_gconf_config(gconfdefaultsm_t)
+
+userdom_read_all_users_state(gconfdefaultsm_t)
+userdom_search_user_home_dirs(gconfdefaultsm_t)
+
+userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
optional_policy(`
- nscd_dontaudit_search_pid(gconfd_t)
+ consolekit_dbus_chat(gconfdefaultsm_t)
')
-##############################
+optional_policy(`
+ dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(gconfdefaultsm_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(gconfdefaultsm_t)
+ policykit_dbus_chat(gconfdefaultsm_t)
+ policykit_read_lib(gconfdefaultsm_t)
+ policykit_read_reload(gconfdefaultsm_t)
+')
+
+userdom_home_manager(gconfdefaultsm_t)
+
+#######################################
+#
+# gnome-system-monitor-mechanisms local policy
+#
+
+allow gnomesystemmm_t self:capability { sys_admin sys_nice };
+allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
+
+rw_files_pattern(gnomesystemmm_t, config_usr_t, config_usr_t)
+
+kernel_read_system_state(gnomesystemmm_t)
+
+corecmd_search_bin(gnomesystemmm_t)
+
+domain_kill_all_domains(gnomesystemmm_t)
+domain_search_all_domains_state(gnomesystemmm_t)
+domain_setpriority_all_domains(gnomesystemmm_t)
+domain_signal_all_domains(gnomesystemmm_t)
+domain_sigstop_all_domains(gnomesystemmm_t)
+
+fs_getattr_xattr_fs(gnomesystemmm_t)
+
+auth_read_passwd(gnomesystemmm_t)
+
+logging_send_syslog_msg(gnomesystemmm_t)
+
+userdom_read_all_users_state(gnomesystemmm_t)
+userdom_dontaudit_search_admin_dir(gnomesystemmm_t)
+
+optional_policy(`
+ consolekit_dbus_chat(gnomesystemmm_t)
+')
+
+optional_policy(`
+ dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
+')
+
+optional_policy(`
+ gnome_manage_home_config(gnomesystemmm_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(gnomesystemmm_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(gnomesystemmm_t)
+ policykit_domtrans_auth(gnomesystemmm_t)
+ policykit_read_lib(gnomesystemmm_t)
+ policykit_read_reload(gnomesystemmm_t)
+')
+
+######################################
#
-# Keyring-daemon local policy
+# gnome-keyring-daemon local policy
#
allow gkeyringd_domain self:capability ipc_lock;
-allow gkeyringd_domain self:process { getcap setcap };
+allow gkeyringd_domain self:process { getcap getsched setcap signal };
+allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
-allow gkeyringd_domain gnome_home_t:dir create_dir_perms;
-gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")
+manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t)
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
-manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
-gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
+manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
+allow gkeyringd_domain data_home_t:dir create_dir_perms;
+allow gkeyringd_domain gconf_home_t:dir create_dir_perms;
+filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share")
+filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings")
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
-manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
-files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
+userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir })
-kernel_read_system_state(gkeyringd_domain)
kernel_read_crypto_sysctls(gkeyringd_domain)
+corecmd_search_bin(gkeyringd_domain)
+
dev_read_rand(gkeyringd_domain)
+dev_read_urand(gkeyringd_domain)
dev_read_sysfs(gkeyringd_domain)
-files_read_usr_files(gkeyringd_domain)
+# for nscd?
+files_search_pids(gkeyringd_domain)
-fs_getattr_all_fs(gkeyringd_domain)
+fs_getattr_xattr_fs(gkeyringd_domain)
+fs_getattr_tmpfs(gkeyringd_domain)
-selinux_getattr_fs(gkeyringd_domain)
+userdom_user_home_dir_filetrans(gkeyringd_domain, gconf_home_t, dir, ".local")
optional_policy(`
- ssh_read_user_home_files(gkeyringd_domain)
+ xserver_append_xdm_home_files(gkeyringd_domain)
+ xserver_read_xdm_home_files(gkeyringd_domain)
+ xserver_use_xdm_fds(gkeyringd_domain)
')
optional_policy(`
- telepathy_mission_control_read_state(gkeyringd_domain)
+ gnome_read_home_config(gkeyringd_domain)
+ gnome_read_generic_cache_files(gkeyringd_domain)
+ gnome_write_generic_cache_files(gkeyringd_domain)
+ gnome_manage_cache_home_dir(gkeyringd_domain)
+ gnome_manage_generic_cache_sockets(gkeyringd_domain)
')
+
+optional_policy(`
+ ssh_read_user_home_files(gkeyringd_domain)
+')
+
+domain_use_interactive_fds(gnomedomain)
+
+userdom_use_inherited_user_terminals(gnomedomain)
diff --git a/gnomeclock.fc b/gnomeclock.fc
index f9ba8cd..6906301 100644
--- a/gnomeclock.fc
+++ b/gnomeclock.fc
@@ -1,7 +1,10 @@
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/kde3/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/kde4/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
/usr/lib/gnome-settings-daemon/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
diff --git a/gnomeclock.if b/gnomeclock.if
index 3f55702..25c7ab8 100644
--- a/gnomeclock.if
+++ b/gnomeclock.if
@@ -2,8 +2,7 @@
########################################
##
-## Execute a domain transition to
-## run gnomeclock.
+## Execute a domain transition to run gnomeclock.
##
##
##
@@ -16,15 +15,13 @@ interface(`gnomeclock_domtrans',`
type gnomeclock_t, gnomeclock_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
')
########################################
##
-## Execute gnomeclock in the gnomeclock
-## domain, and allow the specified
-## role the gnomeclock domain.
+## Execute gnomeclock in the gnomeclock domain, and
+## allow the specified role the gnomeclock domain.
##
##
##
@@ -39,11 +36,11 @@ interface(`gnomeclock_domtrans',`
#
interface(`gnomeclock_run',`
gen_require(`
- attribute_role gnomeclock_roles;
+ type gnomeclock_t;
')
gnomeclock_domtrans($1)
- roleattribute $2 gnomeclock_roles;
+ role $2 types gnomeclock_t;
')
########################################
@@ -69,9 +66,8 @@ interface(`gnomeclock_dbus_chat',`
########################################
##
-## Do not audit attempts to send and
-## receive messages from gnomeclock
-## over dbus.
+## Do not audit send and receive messages from
+## gnomeclock over dbus.
##
##
##
diff --git a/gnomeclock.te b/gnomeclock.te
index 7cd7435..79bff0d 100644
--- a/gnomeclock.te
+++ b/gnomeclock.te
@@ -5,82 +5,95 @@ policy_module(gnomeclock, 1.1.0)
# Declarations
#
-attribute_role gnomeclock_roles;
-
type gnomeclock_t;
type gnomeclock_exec_t;
-init_system_domain(gnomeclock_t, gnomeclock_exec_t)
-role gnomeclock_roles types gnomeclock_t;
+init_daemon_domain(gnomeclock_t, gnomeclock_exec_t)
+
+type gnomeclock_tmp_t;
+files_tmp_file(gnomeclock_tmp_t)
########################################
#
-# Local policy
+# gnomeclock local policy
#
-allow gnomeclock_t self:capability { sys_nice sys_time };
+allow gnomeclock_t self:capability { sys_nice sys_time dac_override };
allow gnomeclock_t self:process { getattr getsched signal };
allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
-allow gnomeclock_t self:unix_stream_socket { accept listen };
+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+allow gnomeclock_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
+manage_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
+manage_lnk_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
+files_tmp_filetrans(gnomeclock_t, gnomeclock_tmp_t, { file dir })
kernel_read_system_state(gnomeclock_t)
corecmd_exec_bin(gnomeclock_t)
corecmd_exec_shell(gnomeclock_t)
+corecmd_dontaudit_access_check_bin(gnomeclock_t)
-corenet_all_recvfrom_unlabeled(gnomeclock_t)
-corenet_all_recvfrom_netlabel(gnomeclock_t)
-corenet_tcp_sendrecv_generic_if(gnomeclock_t)
-corenet_tcp_sendrecv_generic_node(gnomeclock_t)
+corenet_tcp_connect_time_port(gnomeclock_t)
-# tcp:37 (time)
-corenet_sendrecv_inetd_child_client_packets(gnomeclock_t)
-corenet_tcp_connect_inetd_child_port(gnomeclock_t)
-corenet_tcp_sendrecv_inetd_child_port(gnomeclock_t)
-
-dev_read_sysfs(gnomeclock_t)
-dev_read_urand(gnomeclock_t)
dev_rw_realtime_clock(gnomeclock_t)
+dev_read_urand(gnomeclock_t)
+dev_write_kmsg(gnomeclock_t)
+dev_read_sysfs(gnomeclock_t)
-files_read_usr_files(gnomeclock_t)
+files_read_etc_runtime_files(gnomeclock_t)
fs_getattr_xattr_fs(gnomeclock_t)
auth_use_nsswitch(gnomeclock_t)
+init_dbus_chat(gnomeclock_t)
+
+logging_stream_connect_syslog(gnomeclock_t)
logging_send_syslog_msg(gnomeclock_t)
-miscfiles_etc_filetrans_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-miscfiles_read_localization(gnomeclock_t)
+miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
- chronyd_initrc_domtrans(gnomeclock_t)
+ chronyd_systemctl(gnomeclock_t)
')
optional_policy(`
+ clock_read_adjtime(gnomeclock_t)
clock_domtrans(gnomeclock_t)
')
optional_policy(`
- dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+ consolekit_dbus_chat(gnomeclock_t)
+')
- optional_policy(`
- consolekit_dbus_chat(gnomeclock_t)
- ')
+optional_policy(`
+ consoletype_exec(gnomeclock_t)
+')
- optional_policy(`
- policykit_dbus_chat(gnomeclock_t)
- ')
+optional_policy(`
+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+')
+
+optional_policy(`
+ gnome_manage_usr_config(gnomeclock_t)
+ gnome_manage_home_config(gnomeclock_t)
+ gnome_filetrans_admin_home_content(gnomeclock_t)
')
optional_policy(`
ntp_domtrans_ntpdate(gnomeclock_t)
ntp_initrc_domtrans(gnomeclock_t)
+ init_dontaudit_getattr_all_script_files(gnomeclock_t)
+ init_dontaudit_getattr_exec(gnomeclock_t)
+ ntp_systemctl(gnomeclock_t)
')
optional_policy(`
+ policykit_dbus_chat(gnomeclock_t)
policykit_domtrans_auth(gnomeclock_t)
policykit_read_lib(gnomeclock_t)
policykit_read_reload(gnomeclock_t)
diff --git a/gpg.fc b/gpg.fc
index 888cd2c..c02fa56 100644
--- a/gpg.fc
+++ b/gpg.fc
@@ -1,10 +1,14 @@
-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
-HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+
+/etc/mail/spamassassin/sa-update-keys(/.*)? gen_context(system_u:object_r:gpg_secret_t,s0)
+
+/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --git a/gpg.if b/gpg.if
index 180f1b7..3c8757e 100644
--- a/gpg.if
+++ b/gpg.if
@@ -2,57 +2,79 @@
############################################################
##
-## Role access for gpg.
+## Role access for gpg
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
#
interface(`gpg_role',`
gen_require(`
- attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
- type gpg_t, gpg_exec_t, gpg_agent_t;
- type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t;
- type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t;
+ attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
+ type gpg_t, gpg_exec_t;
+ type gpg_agent_t, gpg_agent_exec_t;
+ type gpg_agent_tmp_t;
+ type gpg_helper_t, gpg_pinentry_t;
+ type gpg_pinentry_tmp_t;
')
- roleattribute $1 gpg_roles;
- roleattribute $1 gpg_agent_roles;
- roleattribute $1 gpg_helper_roles;
- roleattribute $1 gpg_pinentry_roles;
+ roleattribute $1 gpg_roles;
+ roleattribute $1 gpg_agent_roles;
+ roleattribute $1 gpg_helper_roles;
+ roleattribute $1 gpg_pinentry_roles;
+ # transition from the userdomain to the derived domain
domtrans_pattern($2, gpg_exec_t, gpg_t)
- domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
- allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
- ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t })
+ # allow ps to show gpg
+ ps_process_pattern($2, gpg_t)
+ allow $2 gpg_t:process { signull sigstop signal sigkill };
- allow gpg_pinentry_t $2:process signull;
+ # communicate with the user
allow gpg_helper_t $2:fd use;
- allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write };
+ allow gpg_helper_t $2:fifo_file write;
+
+ # allow ps to show gpg-agent
+ ps_process_pattern($2, gpg_agent_t)
- allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms };
- allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
- filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
- userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg")
+ # Allow the user shell to signal the gpg-agent program.
+ allow $2 gpg_agent_t:process { signal sigkill };
+
+ manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+
+ # Transition from the user domain to the agent domain.
+ domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
+
+ manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+ relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+
+ allow gpg_pinentry_t $2:fifo_file { read write };
optional_policy(`
gpg_pinentry_dbus_chat($2)
')
+
+ allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
+ ifdef(`hide_broken_symptoms',`
+ #Leaked File Descriptors
+ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
+ dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
+ ')
')
########################################
##
-## Execute the gpg in the gpg domain.
+## Transition to a user gpg domain.
##
##
##
@@ -65,13 +87,12 @@ interface(`gpg_domtrans',`
type gpg_t, gpg_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, gpg_exec_t, gpg_t)
')
-########################################
+######################################
##
-## Execute the gpg in the caller domain.
+## Execute gpg in the caller domain.
##
##
##
@@ -88,76 +109,46 @@ interface(`gpg_exec',`
can_exec($1, gpg_exec_t)
')
-########################################
-##
-## Execute gpg in a specified domain.
-##
-##
-##
-## Execute gpg in a specified domain.
-##
-##
-## No interprocess communication (signals, pipes,
-## etc.) is provided by this interface since
-## the domains are not owned by this module.
-##
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-##
-##
-## Domain to transition to.
-##
-##
-#
-interface(`gpg_spec_domtrans',`
- gen_require(`
- type gpg_exec_t;
- ')
-
- corecmd_search_bin($1)
- domain_auto_trans($1, gpg_exec_t, $2)
-')
-
######################################
##
-## Execute gpg in the gpg web domain. (Deprecated)
+## Transition to a gpg web domain.
##
##
-##
-## Domain allowed to transition.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`gpg_domtrans_web',`
- refpolicywarn(`$0($*) has been deprecated.')
+ gen_require(`
+ type gpg_web_t, gpg_exec_t;
+ ')
+
+ domtrans_pattern($1, gpg_exec_t, gpg_web_t)
')
######################################
##
-## Make gpg executable files an
-## entrypoint for the specified domain.
+## Make gpg an entrypoint for
+## the specified domain.
##
##
-##
-## The domain for which gpg_exec_t is an entrypoint.
-##
+##
+## The domain for which cifs_t is an entrypoint.
+##
##
#
interface(`gpg_entry_type',`
- gen_require(`
- type gpg_exec_t;
- ')
+ gen_require(`
+ type gpg_exec_t;
+ ')
- domain_entry_file($1, gpg_exec_t)
+ domain_entry_file($1, gpg_exec_t)
')
########################################
##
-## Send generic signals to gpg.
+## Send generic signals to user gpg processes.
##
##
##
@@ -175,7 +166,7 @@ interface(`gpg_signal',`
########################################
##
-## Read and write gpg agent pipes.
+## Read and write GPG agent pipes.
##
##
##
@@ -184,6 +175,7 @@ interface(`gpg_signal',`
##
#
interface(`gpg_rw_agent_pipes',`
+ # Just wants read/write could this be a leak?
gen_require(`
type gpg_agent_t;
')
@@ -193,8 +185,8 @@ interface(`gpg_rw_agent_pipes',`
########################################
##
-## Send messages to and from gpg
-## pinentry over DBUS.
+## Send messages to and from GPG
+## Pinentry over DBUS.
##
##
##
@@ -214,7 +206,7 @@ interface(`gpg_pinentry_dbus_chat',`
########################################
##
-## List gpg user secrets.
+## List Gnu Privacy Guard user secrets.
##
##
##
@@ -230,3 +222,39 @@ interface(`gpg_list_user_secrets',`
list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
userdom_search_user_home_dirs($1)
')
+###########################
+##
+## Allow to manage gpg named home content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gpg_manage_home_content',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ manage_files_pattern($1, gpg_secret_t, gpg_secret_t)
+ manage_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
+########################################
+##
+## Transition to gpg named home content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gpg_filetrans_home_content',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
index 0e97e82..0a158ad 100644
--- a/gpg.te
+++ b/gpg.te
@@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0)
#
# Declarations
#
-
-##
-##
-## Determine whether GPG agent can manage
-## generic user home content files. This is
-## required by the --write-env-file option.
-##
-##
-gen_tunable(gpg_agent_env_file, false)
+attribute gpgdomain;
attribute_role gpg_roles;
roleattribute system_r gpg_roles;
@@ -24,7 +16,23 @@ roleattribute system_r gpg_helper_roles;
attribute_role gpg_pinentry_roles;
-type gpg_t;
+##
+##
+## Allow usage of the gpg-agent --write-env-file option.
+## This also allows gpg-agent to manage user files.
+##
+##
+gen_tunable(gpg_agent_env_file, false)
+
+##
+##
+## Allow gpg web domain to modify public files
+## used for public file transfer services.
+##
+##
+gen_tunable(gpg_web_anon_write, false)
+
+type gpg_t, gpgdomain;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
@@ -69,95 +77,100 @@ type gpg_pinentry_tmpfs_t;
userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t)
optional_policy(`
- pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
+ pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
')
+type gpg_web_t;
+domain_type(gpg_web_t)
+gpg_entry_type(gpg_web_t)
+role system_r types gpg_web_t;
+
########################################
#
-# Local policy
+# GPG local policy
#
-allow gpg_t self:capability { ipc_lock setuid };
-allow gpg_t self:process { signal signull setrlimit getcap setcap getsched setsched setpgid };
-dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms;
-allow gpg_t self:fifo_file rw_fifo_file_perms;
-allow gpg_t self:tcp_socket { accept listen };
+allow gpgdomain self:capability { ipc_lock setuid };
+allow gpgdomain self:process { getsched setsched };
+#at setrlimit is for ulimit -c 0
+allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
+dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;
+
+allow gpgdomain self:fifo_file rw_fifo_file_perms;
+allow gpgdomain self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
-manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+
+allow gpg_t gpg_secret_t:dir create_dir_perms;
manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
-userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
-
-stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
-
-domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
-domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
kernel_read_sysctl(gpg_t)
+kernel_read_system_state(gpg_t)
+kernel_getattr_core_if(gpg_t)
corecmd_exec_shell(gpg_t)
corecmd_exec_bin(gpg_t)
-corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
+corenet_udp_sendrecv_generic_if(gpg_t)
corenet_tcp_sendrecv_generic_node(gpg_t)
-
-corenet_sendrecv_all_client_packets(gpg_t)
-corenet_tcp_connect_all_ports(gpg_t)
+corenet_udp_sendrecv_generic_node(gpg_t)
corenet_tcp_sendrecv_all_ports(gpg_t)
+corenet_udp_sendrecv_all_ports(gpg_t)
+corenet_tcp_connect_all_ports(gpg_t)
+corenet_sendrecv_all_client_packets(gpg_t)
-dev_read_generic_usb_dev(gpg_t)
dev_read_rand(gpg_t)
dev_read_urand(gpg_t)
-
-files_read_usr_files(gpg_t)
-files_dontaudit_search_var(gpg_t)
+dev_read_generic_usb_dev(gpg_t)
+dev_dontaudit_getattr_all(gpg_t)
fs_getattr_xattr_fs(gpg_t)
fs_list_inotifyfs(gpg_t)
domain_use_interactive_fds(gpg_t)
-auth_use_nsswitch(gpg_t)
+files_dontaudit_search_var(gpg_t)
-logging_send_syslog_msg(gpg_t)
+auth_use_nsswitch(gpg_t)
-miscfiles_read_localization(gpg_t)
+init_dontaudit_getattr_initctl(gpg_t)
-userdom_use_user_terminals(gpg_t)
+logging_send_syslog_msg(gpg_t)
-userdom_manage_user_tmp_files(gpg_t)
+userdom_use_inherited_user_terminals(gpg_t)
+# sign/encrypt user files
+userdom_manage_all_user_tmp_content(gpg_t)
+#userdom_manage_user_home_content(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
-userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+userdom_manage_user_home_content_dirs(gpg_t)
+userdom_filetrans_home_content(gpg_t)
+userdom_stream_connect(gpg_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gpg_t)
- fs_manage_nfs_files(gpg_t)
-')
+mta_manage_config(gpg_t)
+mta_read_spool(gpg_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gpg_t)
- fs_manage_cifs_files(gpg_t)
-')
+userdom_home_manager(gpg_t)
optional_policy(`
- gnome_read_generic_home_content(gpg_t)
- gnome_stream_connect_all_gkeyringd(gpg_t)
+ gpm_dontaudit_getattr_gpmctl(gpg_t)
')
optional_policy(`
- mozilla_dontaudit_rw_user_home_files(gpg_t)
+ gnome_manage_config(gpg_t)
+ gnome_stream_connect_gkeyringd(gpg_t)
')
optional_policy(`
- mta_read_spool_files(gpg_t)
- mta_write_config(gpg_t)
+ mozilla_read_user_home_files(gpg_t)
+ mozilla_write_user_home_files(gpg_t)
')
optional_policy(`
@@ -165,37 +178,51 @@ optional_policy(`
')
optional_policy(`
- cron_system_entry(gpg_t, gpg_exec_t)
- cron_read_system_job_tmp_files(gpg_t)
-')
-
-optional_policy(`
xserver_use_xdm_fds(gpg_t)
xserver_rw_xdm_pipes(gpg_t)
')
+#optional_policy(`
+# cron_system_entry(gpg_t, gpg_exec_t)
+# cron_read_system_job_tmp_files(gpg_t)
+#')
+
########################################
#
-# Helper local policy
+# GPG helper local policy
#
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
allow gpg_helper_t self:process { getsched setsched };
+
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the
+# mail interface you will likely need additional permissions.
+
allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
-dontaudit gpg_helper_t gpg_secret_t:file read_file_perms;
+dontaudit gpg_helper_t gpg_secret_t:file read;
-corenet_all_recvfrom_unlabeled(gpg_helper_t)
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
+corenet_raw_sendrecv_generic_if(gpg_helper_t)
+corenet_udp_sendrecv_generic_if(gpg_helper_t)
corenet_tcp_sendrecv_generic_node(gpg_helper_t)
+corenet_udp_sendrecv_generic_node(gpg_helper_t)
+corenet_raw_sendrecv_generic_node(gpg_helper_t)
corenet_tcp_sendrecv_all_ports(gpg_helper_t)
-
-corenet_sendrecv_all_client_packets(gpg_helper_t)
+corenet_udp_sendrecv_all_ports(gpg_helper_t)
+corenet_tcp_bind_generic_node(gpg_helper_t)
+corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)
+
auth_use_nsswitch(gpg_helper_t)
-userdom_use_user_terminals(gpg_helper_t)
+userdom_use_inherited_user_terminals(gpg_helper_t)
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
@@ -207,29 +234,36 @@ tunable_policy(`use_samba_home_dirs',`
########################################
#
-# Agent local policy
+# GPG agent local policy
#
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
+# rlimit: gpg-agent wants to prevent coredumps
+allow gpg_agent_t self:process { setrlimit signal_perms };
-allow gpg_agent_t self:process setrlimit;
-allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+# Allow the gpg-agent to manage its tmp files (socket)
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
-
-domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
+# allow gpg to connect to the gpg agent
+stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
-kernel_dontaudit_search_sysctl(gpg_agent_t)
+kernel_read_system_state(gpg_agent_t)
+kernel_read_core_if(gpg_agent_t)
+corecmd_read_bin_symlinks(gpg_agent_t)
+corecmd_exec_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)
dev_read_rand(gpg_agent_t)
@@ -239,37 +273,41 @@ domain_use_interactive_fds(gpg_agent_t)
fs_dontaudit_list_inotifyfs(gpg_agent_t)
-miscfiles_read_localization(gpg_agent_t)
+miscfiles_read_certs(gpg_agent_t)
-userdom_use_user_terminals(gpg_agent_t)
+# Write to the user domain tty.
+userdom_use_inherited_user_terminals(gpg_agent_t)
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
userdom_search_user_home_dirs(gpg_agent_t)
+userdom_filetrans_home_content(gpg_agent_t)
ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
+ userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
')
tunable_policy(`gpg_agent_env_file',`
+ # write ~/.gpg-agent-info or a similar to the users home dir
+ # or subdir (gpg-agent --write-env-file option)
+ #
userdom_manage_user_home_content_dirs(gpg_agent_t)
userdom_manage_user_home_content_files(gpg_agent_t)
- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gpg_agent_t)
- fs_manage_nfs_files(gpg_agent_t)
- fs_manage_nfs_symlinks(gpg_agent_t)
-')
+userdom_home_manager(gpg_agent_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gpg_agent_t)
- fs_manage_cifs_files(gpg_agent_t)
- fs_manage_cifs_symlinks(gpg_agent_t)
+optional_policy(`
+ gnome_manage_config(gpg_agent_t)
')
optional_policy(`
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
')
+optional_policy(`
+ pcscd_stream_connect(gpg_agent_t)
+')
+
##############################
#
# Pinentry local policy
@@ -277,8 +315,17 @@ optional_policy(`
allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
allow gpg_pinentry_t self:shm create_shm_perms;
-allow gpg_pinentry_t self:tcp_socket { accept listen };
+allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
+allow gpg_pinentry_t self:unix_dgram_socket sendto;
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+
+can_exec(gpg_pinentry_t, pinentry_exec_t)
+
+# we need to allow gpg-agent to call pinentry so it can get the passphrase
+# from the user.
+domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
@@ -287,53 +334,86 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
-can_exec(gpg_pinentry_t, pinentry_exec_t)
-
+# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)
corecmd_exec_shell(gpg_pinentry_t)
corecmd_exec_bin(gpg_pinentry_t)
corenet_all_recvfrom_netlabel(gpg_pinentry_t)
-corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
+corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
+corenet_tcp_bind_generic_node(gpg_pinentry_t)
+corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
dev_read_urand(gpg_pinentry_t)
dev_read_rand(gpg_pinentry_t)
-domain_use_interactive_fds(gpg_pinentry_t)
-
-files_read_usr_files(gpg_pinentry_t)
+# read /etc/X11/qtrc
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
+fs_getattr_tmpfs(gpg_pinentry_t)
auth_use_nsswitch(gpg_pinentry_t)
logging_send_syslog_msg(gpg_pinentry_t)
miscfiles_read_fonts(gpg_pinentry_t)
-miscfiles_read_localization(gpg_pinentry_t)
+# for .Xauthority
+userdom_read_user_home_content_files(gpg_pinentry_t)
+userdom_read_user_tmpfs_files(gpg_pinentry_t)
+# Bug: user pulseaudio files need open,read and unlink:
+allow gpg_pinentry_t user_tmpfs_t:file unlink;
+userdom_signull_unpriv_users(gpg_pinentry_t)
userdom_use_user_terminals(gpg_pinentry_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(gpg_pinentry_t)
-')
+userdom_home_reader(gpg_pinentry_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(gpg_pinentry_t)
+optional_policy(`
+ gnome_read_home_config(gpg_pinentry_t)
')
optional_policy(`
- dbus_all_session_bus_client(gpg_pinentry_t)
+ dbus_session_bus_client(gpg_pinentry_t)
dbus_system_bus_client(gpg_pinentry_t)
')
optional_policy(`
- pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
+ gnome_write_generic_cache_files(gpg_pinentry_t)
+ gnome_read_generic_cache_files(gpg_pinentry_t)
+ gnome_read_gconf_home_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+ pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
+ pulseaudio_stream_connect(gpg_pinentry_t)
')
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
+
+')
+
+#############################
+#
+# gpg web local policy
+#
+
+allow gpg_web_t self:process setrlimit;
+
+dev_read_rand(gpg_web_t)
+dev_read_urand(gpg_web_t)
+
+can_exec(gpg_web_t, gpg_exec_t)
+
+
+
+apache_dontaudit_rw_tmp_files(gpg_web_t)
+apache_manage_sys_content_rw(gpg_web_t)
+
+tunable_policy(`gpg_web_anon_write',`
+ miscfiles_manage_public_files(gpg_web_t)
')
diff --git a/gpm.te b/gpm.te
index 69734fd..d99009a 100644
--- a/gpm.te
+++ b/gpm.te
@@ -13,7 +13,7 @@ type gpm_initrc_exec_t;
init_script_file(gpm_initrc_exec_t)
type gpm_conf_t;
-files_type(gpm_conf_t)
+files_config_file(gpm_conf_t)
type gpm_tmp_t;
files_tmp_file(gpm_tmp_t)
@@ -57,7 +57,6 @@ dev_read_sysfs(gpm_t)
dev_rw_input_dev(gpm_t)
dev_rw_mouse(gpm_t)
-files_read_etc_files(gpm_t)
fs_getattr_all_fs(gpm_t)
fs_search_auto_mountpoints(gpm_t)
@@ -68,11 +67,9 @@ domain_use_interactive_fds(gpm_t)
logging_send_syslog_msg(gpm_t)
-miscfiles_read_localization(gpm_t)
-
-userdom_use_user_terminals(gpm_t)
userdom_dontaudit_use_unpriv_user_fds(gpm_t)
userdom_dontaudit_search_user_home_dirs(gpm_t)
+userdom_use_inherited_user_terminals(gpm_t)
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/gpsd.te b/gpsd.te
index fe3895e..a820546 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t)
#
allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
-dontaudit gpsd_t self:capability { dac_read_search dac_override };
+dontaudit gpsd_t self:capability { sys_ptrace dac_read_search dac_override };
allow gpsd_t self:process { setsched signal_perms };
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket sendto;
allow gpsd_t self:tcp_socket { accept listen };
+allow gpsd_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
@@ -62,13 +63,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t)
term_use_unallocated_ttys(gpsd_t)
term_setattr_unallocated_ttys(gpsd_t)
+term_use_usb_ttys(gpsd_t)
+term_setattr_usb_ttys(gpsd_t)
auth_use_nsswitch(gpsd_t)
logging_send_syslog_msg(gpsd_t)
-miscfiles_read_localization(gpsd_t)
-
optional_policy(`
chronyd_rw_shm(gpsd_t)
chronyd_stream_connect(gpsd_t)
diff --git a/gssproxy.fc b/gssproxy.fc
new file mode 100644
index 0000000..f4659d1
--- /dev/null
+++ b/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_file_t,s0)
+
+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/var/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_var_run_t,s0)
+/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0)
diff --git a/gssproxy.if b/gssproxy.if
new file mode 100644
index 0000000..3ce0ac0
--- /dev/null
+++ b/gssproxy.if
@@ -0,0 +1,198 @@
+
+## policy for gssproxy
+
+########################################
+##
+## Execute TEMPLATE in the gssproxy domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`gssproxy_domtrans',`
+ gen_require(`
+ type gssproxy_t, gssproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+########################################
+##
+## Search gssproxy lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_search_lib',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read gssproxy lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_read_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+##
+## Manage gssproxy lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_manage_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+##
+## Manage gssproxy lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_manage_lib_dirs',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+##
+## Read gssproxy PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_read_pid_files',`
+ gen_require(`
+ type gssproxy_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t)
+')
+
+########################################
+##
+## Execute gssproxy server in the gssproxy domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`gssproxy_systemctl',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 gssproxy_unit_file_t:file read_file_perms;
+ allow $1 gssproxy_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, gssproxy_t)
+')
+
+########################################
+##
+## Connect to gssproxy over an unix
+## domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_stream_connect',`
+ gen_require(`
+ type gssproxy_t, gssproxy_var_run_t, gssproxy_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t)
+ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an gssproxy environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`gssproxy_admin',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ type gssproxy_var_run_t;
+ type gssproxy_unit_file_t;
+ ')
+
+ allow $1 gssproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gssproxy_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gssproxy_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gssproxy_var_run_t)
+
+ gssproxy_systemctl($1)
+ admin_pattern($1, gssproxy_unit_file_t)
+ allow $1 gssproxy_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/gssproxy.te b/gssproxy.te
new file mode 100644
index 0000000..5044e7b
--- /dev/null
+++ b/gssproxy.te
@@ -0,0 +1,66 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gssproxy_t;
+type gssproxy_exec_t;
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
+
+type gssproxy_var_lib_t;
+files_type(gssproxy_var_lib_t)
+
+type gssproxy_var_run_t;
+files_pid_file(gssproxy_var_run_t)
+
+type gssproxy_unit_file_t;
+systemd_unit_file(gssproxy_unit_file_t)
+
+########################################
+#
+# gssproxy local policy
+#
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
+files_read_etc_files(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
+
+logging_send_syslog_msg(gssproxy_t)
+
+miscfiles_read_localization(gssproxy_t)
+
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
+optional_policy(`
+ kerberos_use(gssproxy_t)
+ kerberos_filetrans_named_content(gssproxy_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(gssproxy, gssproxy_t)
+ kerberos_manage_host_rcache(gssproxy_t)
+')
diff --git a/guest.te b/guest.te
index 19cdbe1..0605776 100644
--- a/guest.te
+++ b/guest.te
@@ -20,4 +20,4 @@ optional_policy(`
apache_role(guest_r, guest_t)
')
-#gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(guest_u, user, guest_r, s0, s0)
diff --git a/hadoop.te b/hadoop.te
index e151378..04d173d 100644
--- a/hadoop.te
+++ b/hadoop.te
@@ -155,7 +155,6 @@ dev_read_urand(hadoop_t)
domain_use_interactive_fds(hadoop_t)
files_dontaudit_search_spool(hadoop_t)
-files_read_usr_files(hadoop_t)
fs_getattr_xattr_fs(hadoop_t)
@@ -263,8 +262,6 @@ kernel_read_system_state(hadoop_initrc_domain)
corecmd_exec_bin(hadoop_initrc_domain)
corecmd_exec_shell(hadoop_initrc_domain)
-files_read_etc_files(hadoop_initrc_domain)
-files_read_usr_files(hadoop_initrc_domain)
files_search_locks(hadoop_initrc_domain)
files_search_pids(hadoop_initrc_domain)
@@ -453,7 +450,6 @@ dev_read_urand(zookeeper_t)
domain_use_interactive_fds(zookeeper_t)
-files_read_usr_files(zookeeper_t)
auth_use_nsswitch(zookeeper_t)
@@ -537,7 +533,6 @@ dev_read_rand(zookeeper_server_t)
dev_read_sysfs(zookeeper_server_t)
dev_read_urand(zookeeper_server_t)
-files_read_usr_files(zookeeper_server_t)
fs_getattr_xattr_fs(zookeeper_server_t)
diff --git a/hal.te b/hal.te
index bbccc79..6c6524a 100644
--- a/hal.te
+++ b/hal.te
@@ -61,7 +61,6 @@ files_type(hald_var_lib_t)
# Common local policy
#
-files_read_usr_files(hald_domain)
miscfiles_read_localization(hald_domain)
@@ -437,7 +436,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
dev_rw_input_dev(hald_keymap_t)
-files_read_etc_files(hald_keymap_t)
logging_search_logs(hald_keymap_t)
diff --git a/hddtemp.if b/hddtemp.if
index 1728071..77e71ea 100644
--- a/hddtemp.if
+++ b/hddtemp.if
@@ -60,9 +60,13 @@ interface(`hddtemp_admin',`
type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
')
- allow $1 hddtemp_t:process { ptrace signal_perms };
+ allow $1 hddtemp_t:process signal_perms;
ps_process_pattern($1, hddtemp_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 hddtemp_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 hddtemp_initrc_exec_t system_r;
diff --git a/hddtemp.te b/hddtemp.te
index 9e11b98..29065e6 100644
--- a/hddtemp.te
+++ b/hddtemp.te
@@ -26,7 +26,6 @@ allow hddtemp_t self:tcp_socket { accept listen };
allow hddtemp_t hddtemp_etc_t:file read_file_perms;
-corenet_all_recvfrom_unlabeled(hddtemp_t)
corenet_all_recvfrom_netlabel(hddtemp_t)
corenet_tcp_sendrecv_generic_if(hddtemp_t)
corenet_tcp_sendrecv_generic_node(hddtemp_t)
@@ -36,9 +35,6 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
-files_search_etc(hddtemp_t)
-files_read_usr_files(hddtemp_t)
-
storage_raw_read_fixed_disk(hddtemp_t)
storage_raw_read_removable_device(hddtemp_t)
@@ -46,4 +42,3 @@ auth_use_nsswitch(hddtemp_t)
logging_send_syslog_msg(hddtemp_t)
-miscfiles_read_localization(hddtemp_t)
diff --git a/howl.te b/howl.te
index b9e60ec..0477728 100644
--- a/howl.te
+++ b/howl.te
@@ -36,7 +36,6 @@ kernel_request_load_module(howl_t)
kernel_list_proc(howl_t)
kernel_read_proc_symlinks(howl_t)
-corenet_all_recvfrom_unlabeled(howl_t)
corenet_all_recvfrom_netlabel(howl_t)
corenet_tcp_sendrecv_generic_if(howl_t)
corenet_udp_sendrecv_generic_if(howl_t)
@@ -65,8 +64,6 @@ init_dontaudit_write_utmp(howl_t)
logging_send_syslog_msg(howl_t)
-miscfiles_read_localization(howl_t)
-
userdom_dontaudit_use_unpriv_user_fds(howl_t)
userdom_dontaudit_search_user_home_dirs(howl_t)
diff --git a/hypervkvp.fc b/hypervkvp.fc
index b46130e..e2ae3b2 100644
--- a/hypervkvp.fc
+++ b/hypervkvp.fc
@@ -1,3 +1,10 @@
-/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
-/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0)
+
+/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+/usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+
+/usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)
+
+/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
diff --git a/hypervkvp.if b/hypervkvp.if
index 6517fad..17c3627 100644
--- a/hypervkvp.if
+++ b/hypervkvp.if
@@ -1,32 +1,111 @@
-## HyperV key value pair (KVP).
+
+## policy for hypervkvp
+
+########################################
+##
+## Execute TEMPLATE in the hypervkvp domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`hypervkvp_domtrans',`
+ gen_require(`
+ type hypervkvp_t, hypervkvp_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t)
+')
+
+########################################
+##
+## Search hypervkvp lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hypervkvp_search_lib',`
+ gen_require(`
+ type hypervkvp_var_lib_t;
+ ')
+
+ allow $1 hypervkvp_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
########################################
##
-## All of the rules required to
-## administrate an hypervkvp environment.
+## Read hypervkvp lib files.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`hypervkvp_read_lib_files',`
+ gen_require(`
+ type hypervkvp_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 hypervkvp_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## hypervkvp lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hypervkvp_manage_lib_files',`
+ gen_require(`
+ type hypervkvp_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an hypervkvp environment
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
interface(`hypervkvp_admin',`
gen_require(`
- type hypervkvpd_t, hypervkvpd_initrc_exec_t;
+ type hypervkvp_t;
+ type hypervkvp_unit_file_t;
+ ')
+
+ allow $1 hypervkvp_t:process signal_perms;
+ ps_process_pattern($1, hypervkvp_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 hypervkvp_t:process ptrace;
')
- allow $1 hypervkvpd_t:process { ptrace signal_perms };
- ps_process_pattern($1, hypervkvpd_t)
+ hypervkvp_manage_lib_files($1)
- init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 hypervkvpd_initrc_exec_t system_r;
- allow $2 system_r;
+ hypervkvp_systemctl($1)
+ admin_pattern($1, hypervkvp_unit_file_t)
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
')
diff --git a/hypervkvp.te b/hypervkvp.te
index 4eb7041..ddc67b0 100644
--- a/hypervkvp.te
+++ b/hypervkvp.te
@@ -5,24 +5,57 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
-type hypervkvpd_t;
-type hypervkvpd_exec_t;
-init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
+attribute hyperv_domain;
-type hypervkvpd_initrc_exec_t;
-init_script_file(hypervkvpd_initrc_exec_t)
+type hypervkvp_t, hyperv_domain;
+type hypervkvp_exec_t;
+init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)
+
+type hypervkvp_initrc_exec_t;
+init_script_file(hypervkvp_initrc_exec_t)
+
+type hypervkvp_unit_file_t;
+systemd_unit_file(hypervkvp_unit_file_t)
+
+type hypervkvp_var_lib_t;
+files_type(hypervkvp_var_lib_t)
+
+type hypervvssd_t, hyperv_domain;
+type hypervvssd_exec_t;
+init_daemon_domain(hypervvssd_t, hypervvssd_exec_t)
+
+type hypervvssd_unit_file_t;
+systemd_unit_file(hypervvssd_unit_file_t)
########################################
#
-# Local policy
+# hyperv domain local policy
#
+
+allow hyperv_domain self:capability net_admin;
+allow hyperv_domain self:netlink_socket create_socket_perms;
+
+allow hyperv_domain self:fifo_file rw_fifo_file_perms;
+allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
+
+dev_read_sysfs(hyperv_domain)
+
+########################################
#
+# hypervkvp local policy
+#
+
+manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+logging_send_syslog_msg(hypervkvp_t)
-logging_send_syslog_msg(hypervkvpd_t)
+sysnet_dns_name_resolve(hypervkvp_t)
-miscfiles_read_localization(hypervkvpd_t)
+########################################
+#
+# hypervvssd local policy
+#
-sysnet_dns_name_resolve(hypervkvpd_t)
+logging_send_syslog_msg(hypervvssd_t)
diff --git a/i18n_input.te b/i18n_input.te
index 369a056..65fde93 100644
--- a/i18n_input.te
+++ b/i18n_input.te
@@ -45,7 +45,6 @@ can_exec(i18n_input_t, i18n_input_exec_t)
kernel_read_kernel_sysctls(i18n_input_t)
kernel_read_system_state(i18n_input_t)
-corenet_all_recvfrom_unlabeled(i18n_input_t)
corenet_all_recvfrom_netlabel(i18n_input_t)
corenet_tcp_sendrecv_generic_if(i18n_input_t)
corenet_tcp_sendrecv_generic_node(i18n_input_t)
@@ -68,7 +67,6 @@ fs_getattr_all_fs(i18n_input_t)
fs_search_auto_mountpoints(i18n_input_t)
files_read_etc_runtime_files(i18n_input_t)
-files_read_usr_files(i18n_input_t)
auth_use_nsswitch(i18n_input_t)
@@ -76,20 +74,9 @@ init_stream_connect_script(i18n_input_t)
logging_send_syslog_msg(i18n_input_t)
-miscfiles_read_localization(i18n_input_t)
-
userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
userdom_read_user_home_content_files(i18n_input_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(i18n_input_t)
- fs_read_nfs_symlinks(i18n_input_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(i18n_input_t)
- fs_read_cifs_symlinks(i18n_input_t)
-')
+userdom_home_reader(i18n_input_t)
optional_policy(`
canna_stream_connect(i18n_input_t)
diff --git a/icecast.if b/icecast.if
index 580b533..c267cea 100644
--- a/icecast.if
+++ b/icecast.if
@@ -176,6 +176,14 @@ interface(`icecast_admin',`
type icecast_var_run_t;
')
+ allow $1 icecast_t:process signal_perms;
+ ps_process_pattern($1, icecast_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 icecast_t:process ptrace;
+ ')
+
+ # Allow icecast_t to restart the apache service
icecast_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 icecast_initrc_exec_t system_r;
diff --git a/icecast.te b/icecast.te
index a9e573a..d375214 100644
--- a/icecast.te
+++ b/icecast.te
@@ -65,12 +65,8 @@ dev_read_sysfs(icecast_t)
dev_read_urand(icecast_t)
dev_read_rand(icecast_t)
-domain_use_interactive_fds(icecast_t)
-
auth_use_nsswitch(icecast_t)
-miscfiles_read_localization(icecast_t)
-
tunable_policy(`icecast_use_any_tcp_ports',`
corenet_tcp_connect_all_ports(icecast_t)
corenet_sendrecv_all_client_packets(icecast_t)
diff --git a/ifplugd.if b/ifplugd.if
index 8999899..96909ae 100644
--- a/ifplugd.if
+++ b/ifplugd.if
@@ -119,7 +119,7 @@ interface(`ifplugd_admin',`
type ifplugd_initrc_exec_t;
')
- allow $1 ifplugd_t:process { ptrace signal_perms };
+ allow $1 ifplugd_t:process signal_perms;
ps_process_pattern($1, ifplugd_t)
init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
diff --git a/ifplugd.te b/ifplugd.te
index b0546b4..98d7326 100644
--- a/ifplugd.te
+++ b/ifplugd.te
@@ -10,7 +10,7 @@ type ifplugd_exec_t;
init_daemon_domain(ifplugd_t, ifplugd_exec_t)
type ifplugd_etc_t;
-files_type(ifplugd_etc_t)
+files_config_file(ifplugd_etc_t)
type ifplugd_initrc_exec_t;
init_script_file(ifplugd_initrc_exec_t)
@@ -49,14 +49,11 @@ corecmd_exec_shell(ifplugd_t)
dev_read_sysfs(ifplugd_t)
domain_read_confined_domains_state(ifplugd_t)
-domain_dontaudit_read_all_domains_state(ifplugd_t)
auth_use_nsswitch(ifplugd_t)
logging_send_syslog_msg(ifplugd_t)
-miscfiles_read_localization(ifplugd_t)
-
netutils_domtrans(ifplugd_t)
sysnet_domtrans_ifconfig(ifplugd_t)
diff --git a/imaze.te b/imaze.te
index 1eb24d8..b320d51 100644
--- a/imaze.te
+++ b/imaze.te
@@ -45,7 +45,6 @@ kernel_list_proc(imazesrv_t)
kernel_read_kernel_sysctls(imazesrv_t)
kernel_read_proc_symlinks(imazesrv_t)
-corenet_all_recvfrom_unlabeled(imazesrv_t)
corenet_all_recvfrom_netlabel(imazesrv_t)
corenet_tcp_sendrecv_generic_if(imazesrv_t)
corenet_udp_sendrecv_generic_if(imazesrv_t)
@@ -71,8 +70,6 @@ auth_use_nsswitch(imazesrv_t)
logging_send_syslog_msg(imazesrv_t)
-miscfiles_read_localization(imazesrv_t)
-
userdom_use_unpriv_users_fds(imazesrv_t)
userdom_dontaudit_search_user_home_dirs(imazesrv_t)
diff --git a/inetd.if b/inetd.if
index fbb54e7..05c3777 100644
--- a/inetd.if
+++ b/inetd.if
@@ -37,6 +37,12 @@ interface(`inetd_core_service_domain',`
domtrans_pattern(inetd_t, $2, $1)
allow inetd_t $1:process { siginh sigkill };
+
+ init_domain($1, $2)
+
+ optional_policy(`
+ abrt_stream_connect($1)
+ ')
')
########################################
diff --git a/inetd.te b/inetd.te
index c6450df..ea5acd7 100644
--- a/inetd.te
+++ b/inetd.te
@@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
# Local policy
#
-allow inetd_t self:capability { setuid setgid sys_resource };
+allow inetd_t self:capability { setuid setgid };
dontaudit inetd_t self:capability sys_tty_config;
-allow inetd_t self:process { setsched setexec setrlimit };
+allow inetd_t self:process { setsched setexec };
allow inetd_t self:fifo_file rw_fifo_file_perms;
allow inetd_t self:tcp_socket { accept listen };
allow inetd_t self:fd use;
@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
kernel_tcp_recvfrom_unlabeled(inetd_t)
corecmd_bin_domtrans(inetd_t, inetd_child_t)
+corecmd_exec_shell(inetd_t)
corenet_all_recvfrom_unlabeled(inetd_t)
corenet_all_recvfrom_netlabel(inetd_t)
@@ -98,6 +99,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_inetd_child_port(inetd_t)
+corenet_tcp_bind_echo_port(inetd_t)
+corenet_udp_bind_echo_port(inetd_t)
+corenet_tcp_bind_time_port(inetd_t)
+corenet_udp_bind_time_port(inetd_t)
+
corenet_sendrecv_ircd_server_packets(inetd_t)
corenet_tcp_bind_ircd_port(inetd_t)
@@ -157,8 +163,6 @@ auth_use_nsswitch(inetd_t)
logging_send_syslog_msg(inetd_t)
-miscfiles_read_localization(inetd_t)
-
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
@@ -188,7 +192,7 @@ optional_policy(`
')
optional_policy(`
- tftp_read_config_files(inetd_t)
+ tftp_read_config(inetd_t)
')
optional_policy(`
@@ -220,6 +224,14 @@ kernel_read_kernel_sysctls(inetd_child_t)
kernel_read_network_state(inetd_child_t)
kernel_read_system_state(inetd_child_t)
+corenet_all_recvfrom_netlabel(inetd_child_t)
+corenet_tcp_sendrecv_generic_if(inetd_child_t)
+corenet_udp_sendrecv_generic_if(inetd_child_t)
+corenet_tcp_sendrecv_generic_node(inetd_child_t)
+corenet_udp_sendrecv_generic_node(inetd_child_t)
+corenet_tcp_sendrecv_all_ports(inetd_child_t)
+corenet_udp_sendrecv_all_ports(inetd_child_t)
+
dev_read_urand(inetd_child_t)
fs_getattr_xattr_fs(inetd_child_t)
@@ -230,7 +242,11 @@ auth_use_nsswitch(inetd_child_t)
logging_send_syslog_msg(inetd_child_t)
-miscfiles_read_localization(inetd_child_t)
+sysnet_read_config(inetd_child_t)
+
+optional_policy(`
+ kerberos_use(inetd_child_t)
+')
optional_policy(`
unconfined_domain(inetd_child_t)
diff --git a/inn.if b/inn.if
index eb87f23..d3d32c3 100644
--- a/inn.if
+++ b/inn.if
@@ -124,6 +124,7 @@ interface(`inn_read_config',`
type innd_etc_t;
')
+ files_search_etc($1)
allow $1 innd_etc_t:dir list_dir_perms;
allow $1 innd_etc_t:file read_file_perms;
allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
@@ -144,12 +145,31 @@ interface(`inn_read_news_lib',`
type innd_var_lib_t;
')
+ files_search_var_lib($1)
allow $1 innd_var_lib_t:dir list_dir_perms;
allow $1 innd_var_lib_t:file read_file_perms;
')
########################################
##
+## Write innd inherited news library content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`inn_write_inherited_news_lib',`
+ gen_require(`
+ type innd_var_lib_t;
+ ')
+
+ allow $1 innd_var_lib_t:file write_inherited_file_perms;
+')
+
+########################################
+##
## Read innd news spool content.
##
##
@@ -163,6 +183,7 @@ interface(`inn_read_news_spool',`
type news_spool_t;
')
+ files_search_spool($1)
allow $1 news_spool_t:dir list_dir_perms;
allow $1 news_spool_t:file read_file_perms;
allow $1 news_spool_t:lnk_file read_lnk_file_perms;
@@ -226,8 +247,15 @@ interface(`inn_domtrans',`
interface(`inn_admin',`
gen_require(`
type innd_t, innd_etc_t, innd_log_t;
- type news_spool_t, innd_var_lib_t;
- type innd_var_run_t, innd_initrc_exec_t;
+ type news_spool_t, innd_var_lib_t, innd_var_run_t;
+ type innd_initrc_exec_t;
+ ')
+
+ allow $1 innd_t:process signal_perms;
+ ps_process_pattern($1, innd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 innd_t:process ptrace;
')
init_labeled_script_domtrans($1, innd_initrc_exec_t)
diff --git a/inn.te b/inn.te
index d39f0cc..cb277f0 100644
--- a/inn.te
+++ b/inn.te
@@ -26,6 +26,7 @@ files_pid_file(innd_var_run_t)
type news_spool_t;
files_mountpoint(news_spool_t)
+files_spool_file(news_spool_t)
########################################
#
@@ -54,7 +55,7 @@ manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
-files_pid_filetrans(innd_t, innd_var_run_t, file)
+files_pid_filetrans(innd_t, innd_var_run_t, { dir file })
manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
manage_files_pattern(innd_t, news_spool_t, news_spool_t)
@@ -65,7 +66,6 @@ can_exec(innd_t, innd_exec_t)
kernel_read_kernel_sysctls(innd_t)
kernel_read_system_state(innd_t)
-corenet_all_recvfrom_unlabeled(innd_t)
corenet_all_recvfrom_netlabel(innd_t)
corenet_tcp_sendrecv_generic_if(innd_t)
corenet_tcp_sendrecv_generic_node(innd_t)
@@ -91,18 +91,16 @@ fs_search_auto_mountpoints(innd_t)
files_list_spool(innd_t)
files_read_etc_runtime_files(innd_t)
-files_read_usr_files(innd_t)
auth_use_nsswitch(innd_t)
logging_send_syslog_msg(innd_t)
-miscfiles_read_localization(innd_t)
-
seutil_dontaudit_search_config(innd_t)
userdom_dontaudit_use_unpriv_user_fds(innd_t)
userdom_dontaudit_search_user_home_dirs(innd_t)
+userdom_dgram_send(innd_t)
mta_send_mail(innd_t)
diff --git a/iodine.fc b/iodine.fc
index ca07a87..6ea129c 100644
--- a/iodine.fc
+++ b/iodine.fc
@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
+/usr/lib/systemd/system/iodine-server.* -- gen_context(system_u:object_r:iodined_unit_file_t,s0)
+
/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
diff --git a/iodine.if b/iodine.if
index a0bfbd0..47f7c75 100644
--- a/iodine.if
+++ b/iodine.if
@@ -2,6 +2,30 @@
########################################
##
+## Execute iodined server in the iodined domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`iodined_systemctl',`
+ gen_require(`
+ type iodined_t;
+ type iodined_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 iodined_unit_file_t:file read_file_perms;
+ allow $1 iodined_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, iodined_t)
+')
+
+########################################
+##
## All of the rules required to
## administrate an iodined environment
##
diff --git a/iodine.te b/iodine.te
index d443fee..475b7f4 100644
--- a/iodine.te
+++ b/iodine.te
@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
type iodined_initrc_exec_t;
init_script_file(iodined_initrc_exec_t)
+type iodined_unit_file_t;
+systemd_unit_file(iodined_unit_file_t)
+
########################################
#
# Local policy
@@ -43,7 +46,6 @@ corenet_udp_sendrecv_dns_port(iodined_t)
corecmd_exec_shell(iodined_t)
-files_read_etc_files(iodined_t)
logging_send_syslog_msg(iodined_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
index 0000000..9278f85
--- /dev/null
+++ b/ipa.fc
@@ -0,0 +1,4 @@
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+
diff --git a/ipa.if b/ipa.if
new file mode 100644
index 0000000..c6cf456
--- /dev/null
+++ b/ipa.if
@@ -0,0 +1,21 @@
+## Policy for IPA services.
+
+########################################
+##
+## Execute rtas_errd in the rtas_errd domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ipa_domtrans_otpd',`
+ gen_require(`
+ type ipa_otpd_t, ipa_otpd_t_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t)
+')
+
diff --git a/ipa.te b/ipa.te
new file mode 100644
index 0000000..02f7cfa
--- /dev/null
+++ b/ipa.te
@@ -0,0 +1,33 @@
+policy_module(ipa, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute ipa_domain;
+
+type ipa_otpd_t, ipa_domain;
+type ipa_otpd_exec_t;
+init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t)
+
+type ipa_otpd_unit_file_t;
+systemd_unit_file(ipa_otpd_unit_file_t)
+
+########################################
+#
+# ipa_otpd local policy
+#
+
+allow ipa_otpd_t self:fifo_file rw_fifo_file_perms;
+allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms;
+
+corenet_tcp_connect_radius_port(ipa_otpd_t)
+
+optional_policy(`
+ dirsrv_stream_connect(ipa_otpd_t)
+')
+
+optional_policy(`
+ kerberos_use(ipa_otpd_t)
+')
diff --git a/irc.fc b/irc.fc
index 48e7739..c3285c2 100644
--- a/irc.fc
+++ b/irc.fc
@@ -1,6 +1,6 @@
HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
-HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0)
+HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:issi_home_t,s0)
/etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0)
diff --git a/irc.if b/irc.if
index ac00fb0..36ef2e5 100644
--- a/irc.if
+++ b/irc.if
@@ -20,6 +20,7 @@ interface(`irc_role',`
attribute_role irc_roles;
type irc_t, irc_exec_t, irc_home_t;
type irc_tmp_t, irc_log_home_t;
+ type irssi_t, irssi_exec_t, irssi_home_t;
')
########################################
@@ -37,12 +38,42 @@ interface(`irc_role',`
domtrans_pattern($2, irc_exec_t, irc_t)
ps_process_pattern($2, irc_t)
- allow $2 irc_t:process { ptrace signal_perms };
-
- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms };
- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- userdom_user_home_dir_filetrans($2, irc_home_t, dir, ".irssi")
- userdom_user_home_dir_filetrans($2, irc_home_t, file, ".ircmotd")
- userdom_user_home_dir_filetrans($2, irc_log_home_t, dir, "irclogs")
+ allow $2 irc_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 irc_t:process ptrace;
+ ')
+
+ domtrans_pattern($2, irssi_exec_t, irssi_t)
+
+ allow $2 irssi_t:process signal_perms;
+ ps_process_pattern($2, irssi_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 irssi_t:process ptrace;
+ ')
+
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ irc_filetrans_home_content($2)
+')
+
+#######################################
+##
+## Transition to alsa named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`irc_filetrans_home_content',`
+ gen_require(`
+ type irc_home_t;
+ type irssi_home_t;
+ ')
+ userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd")
+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi")
+ userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
')
diff --git a/irc.te b/irc.te
index 2636503..7e29d1d 100644
--- a/irc.te
+++ b/irc.te
@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t
typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
userdom_user_home_content(irc_home_t)
-type irc_log_home_t;
-userdom_user_home_content(irc_log_home_t)
-
type irc_tmp_t;
typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
-userdom_user_tmp_file(irc_tmp_t)
+userdom_user_home_content(irc_tmp_t)
+
+########################################
+#
+# Irssi personal declarations.
+#
+
+##
+##
+## Allow the Irssi IRC Client to connect to any port,
+## and to bind to any unreserved port.
+##
+##
+gen_tunable(irssi_use_full_network, false)
+
+type irssi_t;
+type irssi_exec_t;
+application_domain(irssi_t, irssi_exec_t)
+ubac_constrained(irssi_t)
+role irc_roles types irssi_t;
+
+type irssi_etc_t;
+files_config_file(irssi_etc_t)
+
+type irssi_home_t alias irc_log_home_t;
+userdom_user_home_content(irssi_home_t)
########################################
#
@@ -53,13 +75,7 @@ allow irc_t irc_conf_t:file read_file_perms;
manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
-userdom_user_home_dir_filetrans(irc_t, irc_home_t, dir, ".irssi")
-userdom_user_home_dir_filetrans(irc_t, irc_home_t, file, ".ircmotd")
-
-manage_dirs_pattern(irc_t, irc_log_home_t, irc_log_home_t)
-create_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
-append_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
-userdom_user_home_dir_filetrans(irc_t, irc_log_home_t, dir, "irclogs")
+irc_filetrans_home_content(irc_t)
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
@@ -70,7 +86,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
kernel_read_system_state(irc_t)
-corenet_all_recvfrom_unlabeled(irc_t)
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
corenet_tcp_sendrecv_generic_node(irc_t)
@@ -93,7 +108,6 @@ dev_read_rand(irc_t)
domain_use_interactive_fds(irc_t)
-files_read_usr_files(irc_t)
fs_getattr_all_fs(irc_t)
fs_search_auto_mountpoints(irc_t)
@@ -106,14 +120,16 @@ auth_use_nsswitch(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)
-miscfiles_read_generic_certs(irc_t)
-miscfiles_read_localization(irc_t)
-
-userdom_use_user_terminals(irc_t)
+userdom_use_inherited_user_terminals(irc_t)
userdom_manage_user_home_content_dirs(irc_t)
userdom_manage_user_home_content_files(irc_t)
-userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })
+userdom_filetrans_home_content(irc_t)
+
+# Write to the user domain tty.
+userdom_use_inherited_user_terminals(irc_t)
+
+userdom_home_manager(irc_t)
tunable_policy(`irc_use_any_tcp_ports',`
allow irc_t self:tcp_socket { accept listen };
@@ -124,18 +140,69 @@ tunable_policy(`irc_use_any_tcp_ports',`
corenet_tcp_sendrecv_all_ports(irc_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(irc_t)
- fs_manage_nfs_files(irc_t)
- fs_manage_nfs_symlinks(irc_t)
+optional_policy(`
+ nis_use_ypbind(irc_t)
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(irc_t)
- fs_manage_cifs_files(irc_t)
- fs_manage_cifs_symlinks(irc_t)
+########################################
+#
+# Irssi personal declarations.
+#
+
+allow irssi_t self:process { signal sigkill };
+allow irssi_t self:fifo_file rw_fifo_file_perms;
+allow irssi_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t)
+
+manage_dirs_pattern(irssi_t, irssi_home_t, irssi_home_t)
+manage_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
+manage_lnk_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
+irc_filetrans_home_content(irssi_t)
+userdom_search_user_home_dirs(irssi_t)
+
+kernel_read_system_state(irssi_t)
+
+corecmd_search_bin(irssi_t)
+corecmd_read_bin_symlinks(irssi_t)
+
+corenet_tcp_connect_ircd_port(irssi_t)
+corenet_tcp_sendrecv_ircd_port(irssi_t)
+corenet_sendrecv_ircd_client_packets(irssi_t)
+
+# tcp:7000 is often used for SSL irc
+corenet_tcp_connect_gatekeeper_port(irssi_t)
+corenet_tcp_sendrecv_gatekeeper_port(irssi_t)
+corenet_sendrecv_gatekeeper_client_packets(irssi_t)
+
+# Privoxy
+corenet_tcp_connect_http_cache_port(irssi_t)
+corenet_tcp_sendrecv_http_cache_port(irssi_t)
+corenet_sendrecv_http_cache_client_packets(irssi_t)
+
+corenet_tcp_bind_generic_node(irssi_t)
+
+dev_read_urand(irssi_t)
+# irssi-otr genkey.
+dev_read_rand(irssi_t)
+
+
+fs_search_auto_mountpoints(irssi_t)
+
+auth_use_nsswitch(irssi_t)
+
+
+userdom_use_inherited_user_terminals(irssi_t)
+
+tunable_policy(`irssi_use_full_network', `
+ corenet_tcp_bind_all_unreserved_ports(irssi_t)
+ corenet_tcp_connect_all_ports(irssi_t)
+ corenet_sendrecv_generic_server_packets(irssi_t)
+ corenet_sendrecv_all_client_packets(irssi_t)
')
+userdom_home_manager(irssi_t)
+
optional_policy(`
seutil_use_newrole_fds(irc_t)
')
diff --git a/ircd.if b/ircd.if
index ade9803..3620c9a 100644
--- a/ircd.if
+++ b/ircd.if
@@ -33,8 +33,8 @@ interface(`ircd_admin',`
files_search_etc($1)
admin_pattern($1, ircd_etc_t)
-
- logging_search_log($1)
+
+ logging_search_logs($1)
admin_pattern($1, ircd_log_t)
files_search_var_lib($1)
diff --git a/ircd.te b/ircd.te
index efaf4b1..bd1a132 100644
--- a/ircd.te
+++ b/ircd.te
@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ircd_t)
corecmd_exec_bin(ircd_t)
-corenet_all_recvfrom_unlabeled(ircd_t)
corenet_all_recvfrom_netlabel(ircd_t)
corenet_tcp_sendrecv_generic_if(ircd_t)
corenet_tcp_sendrecv_generic_node(ircd_t)
@@ -75,8 +74,6 @@ auth_use_nsswitch(ircd_t)
logging_send_syslog_msg(ircd_t)
-miscfiles_read_localization(ircd_t)
-
userdom_dontaudit_use_unpriv_user_fds(ircd_t)
userdom_dontaudit_search_user_home_dirs(ircd_t)
diff --git a/irqbalance.te b/irqbalance.te
index e1f302d..1e5418a 100644
--- a/irqbalance.te
+++ b/irqbalance.te
@@ -35,7 +35,6 @@ kernel_rw_irq_sysctls(irqbalance_t)
dev_read_sysfs(irqbalance_t)
-files_read_etc_files(irqbalance_t)
files_read_etc_runtime_files(irqbalance_t)
fs_getattr_all_fs(irqbalance_t)
@@ -45,8 +44,6 @@ domain_use_interactive_fds(irqbalance_t)
logging_send_syslog_msg(irqbalance_t)
-miscfiles_read_localization(irqbalance_t)
-
userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
userdom_dontaudit_search_user_home_dirs(irqbalance_t)
diff --git a/iscsi.fc b/iscsi.fc
index 08b7560..417e630 100644
--- a/iscsi.fc
+++ b/iscsi.fc
@@ -1,19 +1,18 @@
-/etc/rc\.d/init\.d/((iscsi)|(iscsid)) -- gen_context(system_u:object_r:iscsi_initrc_exec_t,s0)
-
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/usr/sbin/iscsiadm -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
-/var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
/var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
+
+/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0)
+/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0)
diff --git a/iscsi.if b/iscsi.if
index 1a35420..2ea1241 100644
--- a/iscsi.if
+++ b/iscsi.if
@@ -22,6 +22,27 @@ interface(`iscsid_domtrans',`
########################################
##
## Create, read, write, and delete
+## iscsid lock files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`iscsi_manage_lock',`
+ gen_require(`
+ type iscsi_lock_t;
+ ')
+
+ files_search_locks($1)
+ manage_files_pattern($1, iscsi_lock_t, iscsi_lock_t)
+ manage_dirs_pattern($1, iscsi_lock_t, iscsi_lock_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
## iscsid sempaphores.
##
##
@@ -80,17 +101,31 @@ interface(`iscsi_read_lib_files',`
########################################
##
-## All of the rules required to
-## administrate an iscsi environment.
+## Transition to iscsi named content
##
##
##
-## Domain allowed access.
+## Domain allowed access.
##
##
-##
+#
+interface(`iscsi_filetrans_named_content',`
+ gen_require(`
+ type iscsi_lock_t;
+ ')
+
+ files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi")
+')
+
+
+########################################
+##
+## All of the rules required to
+## administrate an iscsi environment.
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
##
@@ -99,16 +134,15 @@ interface(`iscsi_admin',`
gen_require(`
type iscsid_t, iscsi_lock_t, iscsi_log_t;
type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
- type iscsi_initrc_exec_t;
+ type iscsi_unit_file_t;
')
allow $1 iscsid_t:process { ptrace signal_perms };
ps_process_pattern($1, iscsid_t)
- init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 iscsi_initrc_exec_t system_r;
- allow $2 system_r;
+ systemd_exec_systemctl($1)
+ allow $1 iscsi_unit_file_t:file manage_file_perms;
+ allow $1 iscsi_unit_file_t:service manage_service_perms;
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/iscsi.te b/iscsi.te
index ca020fa..775dd9f 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -9,8 +9,8 @@ type iscsid_t;
type iscsid_exec_t;
init_daemon_domain(iscsid_t, iscsid_exec_t)
-type iscsi_initrc_exec_t;
-init_script_file(iscsi_initrc_exec_t)
+type iscsi_unit_file_t;
+systemd_unit_file(iscsi_unit_file_t)
type iscsi_lock_t;
files_lock_file(iscsi_lock_t)
@@ -32,8 +32,7 @@ files_pid_file(iscsi_var_run_t)
# Local policy
#
-allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
-dontaudit iscsid_t self:capability sys_ptrace;
+allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource };
allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file rw_fifo_file_perms;
allow iscsid_t self:unix_stream_socket { accept connectto listen };
@@ -64,11 +63,12 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
can_exec(iscsid_t, iscsid_exec_t)
+kernel_request_load_module(iscsid_t)
kernel_read_network_state(iscsid_t)
kernel_read_system_state(iscsid_t)
kernel_setsched(iscsid_t)
+kernel_request_load_module(iscsid_t)
-corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t)
corenet_tcp_sendrecv_generic_if(iscsid_t)
corenet_tcp_sendrecv_generic_node(iscsid_t)
@@ -85,21 +85,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)
corenet_tcp_sendrecv_isns_port(iscsid_t)
-dev_read_raw_memory(iscsid_t)
+corenet_sendrecv_winshadow_client_packets(iscsid_t)
+corenet_tcp_connect_winshadow_port(iscsid_t)
+corenet_tcp_sendrecv_winshadow_port(iscsid_t)
+
+dev_read_urand(iscsid_t)
dev_rw_sysfs(iscsid_t)
dev_rw_userio_dev(iscsid_t)
-dev_write_raw_memory(iscsid_t)
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
+files_read_kernel_modules(iscsid_t)
+
auth_use_nsswitch(iscsid_t)
init_stream_connect_script(iscsid_t)
logging_send_syslog_msg(iscsid_t)
-miscfiles_read_localization(iscsid_t)
+modutils_read_module_config(iscsid_t)
optional_policy(`
tgtd_manage_semaphores(iscsid_t)
diff --git a/isns.te b/isns.te
index bc11034..107ed2f 100644
--- a/isns.te
+++ b/isns.te
@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
allow isnsd_t self:capability kill;
allow isnsd_t self:process signal;
allow isnsd_t self:fifo_file rw_fifo_file_perms;
+allow isnsd_t self:tcp_socket { listen };
allow isnsd_t self:udp_socket { accept listen };
allow isnsd_t self:unix_stream_socket { accept listen };
@@ -46,8 +47,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
corenet_sendrecv_isns_server_packets(isnsd_t)
corenet_tcp_bind_isns_port(isnsd_t)
-files_read_etc_files(isnsd_t)
-
logging_send_syslog_msg(isnsd_t)
miscfiles_read_localization(isnsd_t)
diff --git a/jabber.fc b/jabber.fc
index 59ad3b3..bd02cc8 100644
--- a/jabber.fc
+++ b/jabber.fc
@@ -1,25 +1,18 @@
-/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd)) -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/jabberd -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
-/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lock/ejabberdctl(/.*) gen_context(system_u:object_r:jabberd_lock_t,s0)
+# pyicq-t
-/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
-/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
-/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0)
-/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
-/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/var/log/pyicq-t\.log.* gen_context(system_u:object_r:pyicqt_log_t,s0)
-/var/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
-/var/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
+
+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
diff --git a/jabber.if b/jabber.if
index 7eb3811..b52a6ae 100644
--- a/jabber.if
+++ b/jabber.if
@@ -1,29 +1,76 @@
-## Jabber instant messaging servers.
+## Jabber instant messaging server
+
+#####################################
+##
+## Creates types and rules for a basic
+## jabber init daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`jabber_domain_template',`
+ gen_require(`
+ attribute jabberd_domain;
+ ')
+
+ ##############################
+ #
+ # $1_t declarations
+ #
+
+ type $1_t, jabberd_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ kernel_read_system_state($1_t)
+
+ corenet_all_recvfrom_netlabel($1_t)
+
+ logging_send_syslog_msg($1_t)
+')
#######################################
##
-## The template to define a jabber domain.
+## Execute a domain transition to run jabberd services
##
-##
+##
##
-## Domain prefix to be used.
+## Domain allowed to transition.
##
##
#
-template(`jabber_domain_template',`
+interface(`jabber_domtrans_jabberd',`
gen_require(`
- attribute jabberd_domain;
+ type jabberd_t, jabberd_exec_t;
')
- type $1_t, jabberd_domain;
- type $1_exec_t;
- init_daemon_domain($1_t, $1_exec_t)
+ domtrans_pattern($1, jabberd_exec_t, jabberd_t)
')
-########################################
+######################################
##
-## Create, read, write, and delete
-## jabber lib files.
+## Execute a domain transition to run jabberd router service
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`jabber_domtrans_jabberd_router',`
+ gen_require(`
+ type jabberd_router_t, jabberd_router_exec_t;
+ ')
+
+ domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t)
+')
+
+#######################################
+##
+## Read jabberd lib files.
##
##
##
@@ -31,18 +78,37 @@ template(`jabber_domain_template',`
##
##
#
-interface(`jabber_manage_lib_files',`
+interface(`jabberd_read_lib_files',`
gen_require(`
type jabberd_var_lib_t;
')
files_search_var_lib($1)
- manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
+ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
')
-########################################
+#######################################
+##
+## Dontaudit inherited read jabberd lib files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`jabberd_dontaudit_read_lib_files',`
+ gen_require(`
+ type jabberd_var_lib_t;
+ ')
+
+ dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms;
+')
+
+#######################################
##
-## Connect to jabber over a TCP socket (Deprecated)
+## Create, read, write, and delete
+## jabberd lib files.
##
##
##
@@ -50,14 +116,19 @@ interface(`jabber_manage_lib_files',`
##
##
#
-interface(`jabber_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+interface(`jabberd_manage_lib_files',`
+ gen_require(`
+ type jabberd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
')
########################################
##
-## All of the rules required to
-## administrate an jabber environment.
+## All of the rules required to administrate
+## an jabber environment
##
##
##
@@ -66,20 +137,26 @@ interface(`jabber_tcp_connect',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the jabber domain.
##
##
##
#
interface(`jabber_admin',`
gen_require(`
- attribute jabberd_domain;
- type jabberd_lock_t, jabberd_log_t, jabberd_spool_t;
- type jabberd_var_lib_t, jabberd_var_run_t, jabberd_initrc_exec_t;
+ type jabberd_t, jabberd_var_lib_t;
+ type jabberd_initrc_exec_t, jabberd_router_t;
')
- allow $1 jabberd_domain:process { ptrace signal_perms };
- ps_process_pattern($1, jabberd_domain)
+ allow $1 jabberd_t:process signal_perms;
+ ps_process_pattern($1, jabberd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 jabberd_t:process ptrace;
+ allow $1 jabberd_router_t:process ptrace;
+ ')
+
+ allow $1 jabberd_router_t:process signal_perms;
+ ps_process_pattern($1, jabberd_router_t)
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -97,7 +174,4 @@ interface(`jabber_admin',`
files_search_var_lib($1)
admin_pattern($1, jabberd_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, jabberd_var_run_t)
')
diff --git a/jabber.te b/jabber.te
index af67c36..aa88a0a 100644
--- a/jabber.te
+++ b/jabber.te
@@ -9,129 +9,133 @@ attribute jabberd_domain;
jabber_domain_template(jabberd)
jabber_domain_template(jabberd_router)
+jabber_domain_template(pyicqt)
type jabberd_initrc_exec_t;
init_script_file(jabberd_initrc_exec_t)
-type jabberd_lock_t;
-files_lock_file(jabberd_lock_t)
-
-type jabberd_log_t;
-logging_log_file(jabberd_log_t)
-
-type jabberd_spool_t;
-files_type(jabberd_spool_t)
-
+# type which includes log/pid files pro jabberd components
type jabberd_var_lib_t;
files_type(jabberd_var_lib_t)
-type jabberd_var_run_t;
-files_pid_file(jabberd_var_run_t)
+# pyicq-t types
+type pyicqt_log_t;
+logging_log_file(pyicqt_log_t);
-########################################
-#
-# Common local policy
-#
+type pyicqt_var_spool_t;
+files_spool_file(pyicqt_var_spool_t)
-allow jabberd_domain self:process signal_perms;
-allow jabberd_domain self:fifo_file rw_fifo_file_perms;
-allow jabberd_domain self:tcp_socket { accept listen };
+type pyicqt_var_run_t;
+files_pid_file(pyicqt_var_run_t)
-manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+######################################
+#
+# Local policy for jabberd-router and c2s components
+#
-kernel_read_system_state(jabberd_domain)
+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
-corenet_all_recvfrom_unlabeled(jabberd_domain)
-corenet_all_recvfrom_netlabel(jabberd_domain)
-corenet_tcp_sendrecv_generic_if(jabberd_domain)
-corenet_tcp_sendrecv_generic_node(jabberd_domain)
-corenet_tcp_bind_generic_node(jabberd_domain)
+manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
-dev_read_urand(jabberd_domain)
-dev_read_sysfs(jabberd_domain)
+kernel_read_network_state(jabberd_router_t)
-fs_getattr_all_fs(jabberd_domain)
+corenet_tcp_bind_jabber_client_port(jabberd_router_t)
+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
+corenet_tcp_connect_jabber_router_port(jabberd_router_t)
+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
-logging_send_syslog_msg(jabberd_domain)
+fs_getattr_all_fs(jabberd_router_t)
-miscfiles_read_localization(jabberd_domain)
+miscfiles_read_generic_certs(jabberd_router_t)
optional_policy(`
- nis_use_ypbind(jabberd_domain)
+ kerberos_use(jabberd_router_t)
')
optional_policy(`
- seutil_sigchld_newrole(jabberd_domain)
+ nis_use_ypbind(jabberd_router_t)
')
-########################################
+#####################################
#
-# Local policy
+# Local policy for other jabberd components
#
-allow jabberd_t self:capability dac_override;
-dontaudit jabberd_t self:capability sys_tty_config;
-allow jabberd_t self:tcp_socket create_socket_perms;
-allow jabberd_t self:udp_socket create_socket_perms;
+manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
-manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
+corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_router_port(jabberd_t)
-allow jabberd_t jabberd_log_t:dir setattr_dir_perms;
-append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
+userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
+userdom_dontaudit_search_user_home_dirs(jabberd_t)
-manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
+miscfiles_read_certs(jabberd_t)
-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+optional_policy(`
+ seutil_sigchld_newrole(jabberd_t)
+')
-kernel_read_kernel_sysctls(jabberd_t)
+optional_policy(`
+ udev_read_db(jabberd_t)
+')
-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
-corenet_tcp_bind_jabber_client_port(jabberd_t)
-corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
+######################################
+#
+# Local policy for pyicq-t
+#
-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
-corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+# need for /var/log/pyicq-t.log
+manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t)
+logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
-dev_read_rand(jabberd_t)
+manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t);
-domain_use_interactive_fds(jabberd_t)
+files_search_spool(pyicqt_t)
+manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t);
-files_read_etc_files(jabberd_t)
-files_read_etc_runtime_files(jabberd_t)
+corenet_tcp_bind_jabber_router_port(pyicqt_t)
+corenet_tcp_connect_jabber_router_port(pyicqt_t)
-fs_search_auto_mountpoints(jabberd_t)
+corecmd_exec_bin(pyicqt_t)
-sysnet_read_config(jabberd_t)
+dev_read_urand(pyicqt_t)
-userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
-userdom_dontaudit_search_user_home_dirs(jabberd_t)
+auth_use_nsswitch(pyicqt_t)
+# needed for pyicq-t-mysql
optional_policy(`
- udev_read_db(jabberd_t)
+ corenet_tcp_connect_mysqld_port(pyicqt_t)
')
-########################################
+optional_policy(`
+ sysnet_use_ldap(pyicqt_t)
+')
+
+#######################################
#
-# Router local policy
+# Local policy for jabberd domains
#
-manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+allow jabberd_domain self:process signal_perms;
+allow jabberd_domain self:fifo_file rw_fifo_file_perms;
+allow jabberd_domain self:tcp_socket create_stream_socket_perms;
+allow jabberd_domain self:udp_socket create_socket_perms;
-kernel_read_network_state(jabberd_router_t)
+corenet_tcp_sendrecv_generic_if(jabberd_domain)
+corenet_udp_sendrecv_generic_if(jabberd_domain)
+corenet_tcp_sendrecv_generic_node(jabberd_domain)
+corenet_udp_sendrecv_generic_node(jabberd_domain)
+corenet_tcp_sendrecv_all_ports(jabberd_domain)
+corenet_udp_sendrecv_all_ports(jabberd_domain)
+corenet_tcp_bind_generic_node(jabberd_domain)
-corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
-corenet_tcp_bind_jabber_client_port(jabberd_router_t)
-corenet_tcp_sendrecv_jabber_client_port(jabberd_router_t)
+dev_read_sysfs(jabberd_domain)
+dev_read_urand(jabberd_domain)
-# corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
-# corenet_tcp_bind_jabber_router_port(jabberd_router_t)
-# corenet_sendrecv_jabber_router_client_packets(jabberd_router_t)
-# corenet_tcp_connect_jabber_router_port(jabberd_router_t)
-# corenet_tcp_sendrecv_jabber_router_port(jabberd_router_t)
+files_read_etc_runtime_files(jabberd_domain)
-auth_use_nsswitch(jabberd_router_t)
+sysnet_read_config(jabberd_domain)
diff --git a/java.te b/java.te
index a7ae153..6341e31 100644
--- a/java.te
+++ b/java.te
@@ -11,7 +11,7 @@ policy_module(java, 2.7.0)
## its stack executable.
##
##
-gen_tunable(allow_java_execstack, false)
+gen_tunable(java_execstack, false)
attribute java_domain;
@@ -90,7 +90,6 @@ dev_read_urand(java_domain)
dev_read_rand(java_domain)
dev_dontaudit_append_rand(java_domain)
-files_read_usr_files(java_domain)
files_read_etc_runtime_files(java_domain)
fs_getattr_all_fs(java_domain)
@@ -108,11 +107,11 @@ userdom_manage_user_home_content_files(java_domain)
userdom_manage_user_home_content_symlinks(java_domain)
userdom_manage_user_home_content_pipes(java_domain)
userdom_manage_user_home_content_sockets(java_domain)
-userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })
+userdom_filetrans_home_content(java_domain_t)
userdom_write_user_tmp_sockets(java_domain)
-tunable_policy(`allow_java_execstack',`
+tunable_policy(`java_execstack',`
allow java_domain self:process { execmem execstack };
libs_legacy_use_shared_libs(java_domain)
diff --git a/jetty.fc b/jetty.fc
new file mode 100644
index 0000000..1725b7e
--- /dev/null
+++ b/jetty.fc
@@ -0,0 +1,9 @@
+
+/var/cache/jetty(/.*)? gen_context(system_u:object_r:jetty_cache_t,s0)
+
+/var/lib/jetty(/.*)? gen_context(system_u:object_r:jetty_var_lib_t,s0)
+
+/var/log/jetty(/.*)? gen_context(system_u:object_r:jetty_log_t,s0)
+
+/var/run/jetty(/.*)? gen_context(system_u:object_r:jetty_var_run_t,s0)
+
diff --git a/jetty.if b/jetty.if
new file mode 100644
index 0000000..2abc285
--- /dev/null
+++ b/jetty.if
@@ -0,0 +1,268 @@
+
+## policy for jetty
+
+########################################
+##
+## Search jetty cache directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_search_cache',`
+ gen_require(`
+ type jetty_cache_t;
+ ')
+
+ allow $1 jetty_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+##
+## Read jetty cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_read_cache_files',`
+ gen_require(`
+ type jetty_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, jetty_cache_t, jetty_cache_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## jetty cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_manage_cache_files',`
+ gen_require(`
+ type jetty_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, jetty_cache_t, jetty_cache_t)
+')
+
+########################################
+##
+## Manage jetty cache dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_manage_cache_dirs',`
+ gen_require(`
+ type jetty_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, jetty_cache_t, jetty_cache_t)
+')
+
+########################################
+##
+## Read jetty's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`jetty_read_log',`
+ gen_require(`
+ type jetty_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, jetty_log_t, jetty_log_t)
+')
+
+########################################
+##
+## Append to jetty log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_append_log',`
+ gen_require(`
+ type jetty_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, jetty_log_t, jetty_log_t)
+')
+
+########################################
+##
+## Manage jetty log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_manage_log',`
+ gen_require(`
+ type jetty_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, jetty_log_t, jetty_log_t)
+ manage_files_pattern($1, jetty_log_t, jetty_log_t)
+ manage_lnk_files_pattern($1, jetty_log_t, jetty_log_t)
+')
+
+########################################
+##
+## Search jetty lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_search_lib',`
+ gen_require(`
+ type jetty_var_lib_t;
+ ')
+
+ allow $1 jetty_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read jetty lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_read_lib_files',`
+ gen_require(`
+ type jetty_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
+')
+
+########################################
+##
+## Manage jetty lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_manage_lib_files',`
+ gen_require(`
+ type jetty_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
+')
+
+########################################
+##
+## Manage jetty lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_manage_lib_dirs',`
+ gen_require(`
+ type jetty_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
+')
+
+########################################
+##
+## Read jetty PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jetty_read_pid_files',`
+ gen_require(`
+ type jetty_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 jetty_var_run_t:file read_file_perms;
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an jetty environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`jetty_admin',`
+ gen_require(`
+ type jetty_cache_t;
+ type jetty_log_t;
+ type jetty_var_lib_t;
+ type jetty_var_run_t;
+ ')
+
+ files_search_var($1)
+ admin_pattern($1, jetty_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, jetty_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, jetty_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, jetty_var_run_t)
+')
diff --git a/jetty.te b/jetty.te
new file mode 100644
index 0000000..af510ea
--- /dev/null
+++ b/jetty.te
@@ -0,0 +1,25 @@
+policy_module(jetty, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type jetty_cache_t;
+files_type(jetty_cache_t)
+
+type jetty_log_t;
+logging_log_file(jetty_log_t)
+
+type jetty_var_lib_t;
+files_type(jetty_var_lib_t)
+
+type jetty_var_run_t;
+files_pid_file(jetty_var_run_t)
+
+########################################
+#
+# jetty local policy
+#
+
+# No local policy. This module just contains type definitions
diff --git a/jockey.if b/jockey.if
index 2fb7a20..c6ba007 100644
--- a/jockey.if
+++ b/jockey.if
@@ -1 +1,131 @@
-## Jockey driver manager.
+
+## policy for jockey
+
+########################################
+##
+## Transition to jockey.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`jockey_domtrans',`
+ gen_require(`
+ type jockey_t, jockey_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, jockey_exec_t, jockey_t)
+')
+
+########################################
+##
+## Search jockey cache directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jockey_search_cache',`
+ gen_require(`
+ type jockey_cache_t;
+ ')
+
+ allow $1 jockey_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+##
+## Read jockey cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jockey_read_cache_files',`
+ gen_require(`
+ type jockey_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, jockey_cache_t, jockey_cache_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## jockey cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jockey_manage_cache_files',`
+ gen_require(`
+ type jockey_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, jockey_cache_t, jockey_cache_t)
+')
+
+########################################
+##
+## Manage jockey cache dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jockey_manage_cache_dirs',`
+ gen_require(`
+ type jockey_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, jockey_cache_t, jockey_cache_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an jockey environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jockey_admin',`
+ gen_require(`
+ type jockey_t;
+ type jockey_cache_t;
+ type jockey_var_log_t;
+ ')
+
+ allow $1 jockey_t:process { ptrace signal_perms };
+ ps_process_pattern($1, jockey_t)
+
+ files_search_var($1)
+ admin_pattern($1, jockey_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, jockey_var_log_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/jockey.te b/jockey.te
index d59ec10..dec1b3b 100644
--- a/jockey.te
+++ b/jockey.te
@@ -44,16 +44,19 @@ dev_read_urand(jockey_t)
domain_use_interactive_fds(jockey_t)
-files_read_etc_files(jockey_t)
-files_read_usr_files(jockey_t)
-miscfiles_read_localization(jockey_t)
+auth_read_passwd(jockey_t)
optional_policy(`
dbus_system_domain(jockey_t, jockey_exec_t)
')
optional_policy(`
+ gnome_dontaudit_search_config(jockey_t)
+')
+
+optional_policy(`
modutils_domtrans_insmod(jockey_t)
modutils_read_module_config(jockey_t)
+ modutils_list_module_config(jockey_t)
')
diff --git a/journalctl.fc b/journalctl.fc
new file mode 100644
index 0000000..f270652
--- /dev/null
+++ b/journalctl.fc
@@ -0,0 +1 @@
+/usr/bin/journalctl -- gen_context(system_u:object_r:journalctl_exec_t,s0)
diff --git a/journalctl.if b/journalctl.if
new file mode 100644
index 0000000..9d32f23
--- /dev/null
+++ b/journalctl.if
@@ -0,0 +1,76 @@
+
+## policy for journalctl
+
+########################################
+##
+## Execute TEMPLATE in the journalctl domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`journalctl_domtrans',`
+ gen_require(`
+ type journalctl_t, journalctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, journalctl_exec_t, journalctl_t)
+')
+
+########################################
+##
+## Execute journalctl in the journalctl domain, and
+## allow the specified role the journalctl domain.
+##
+##
+##
+## Domain allowed to transition
+##
+##
+##
+##
+## The role to be allowed the journalctl domain.
+##
+##
+#
+interface(`journalctl_run',`
+ gen_require(`
+ type journalctl_t;
+ attribute_role journalctl_roles;
+ ')
+
+ journalctl_domtrans($1)
+ roleattribute $2 journalctl_roles;
+')
+
+########################################
+##
+## Role access for journalctl
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`journalctl_role',`
+ gen_require(`
+ type journalctl_t;
+ attribute_role journalctl_roles;
+ ')
+
+ roleattribute $1 journalctl_roles;
+
+ journalctl_domtrans($2)
+
+ ps_process_pattern($2, journalctl_t)
+ allow $2 journalctl_t:process { signull signal sigkill };
+')
diff --git a/journalctl.te b/journalctl.te
new file mode 100644
index 0000000..5de3229
--- /dev/null
+++ b/journalctl.te
@@ -0,0 +1,44 @@
+policy_module(journalctl, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role journalctl_roles;
+roleattribute system_r journalctl_roles;
+
+type journalctl_t;
+type journalctl_exec_t;
+application_domain(journalctl_t, journalctl_exec_t)
+
+role journalctl_roles types journalctl_t;
+
+########################################
+#
+# journalctl local policy
+#
+allow journalctl_t self:process { fork signal_perms };
+
+allow journalctl_t self:fifo_file manage_fifo_file_perms;
+allow journalctl_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(journalctl_t)
+
+corecmd_exec_bin(journalctl_t)
+
+domain_use_interactive_fds(journalctl_t)
+
+files_read_etc_files(journalctl_t)
+
+fs_getattr_all_fs(journalctl_t)
+
+userdom_list_user_home_dirs(journalctl_t)
+userdom_read_user_home_content_files(journalctl_t)
+userdom_use_inherited_user_ptys(journalctl_t)
+userdom_write_inherited_user_tmp_files(journalctl_t)
+userdom_rw_inherited_user_tmpfs_files(journalctl_t)
+userdom_rw_inherited_user_home_content_files(journalctl_t)
+
+miscfiles_read_localization(journalctl_t)
+logging_read_generic_logs(journalctl_t)
diff --git a/kde.fc b/kde.fc
new file mode 100644
index 0000000..25e4b68
--- /dev/null
+++ b/kde.fc
@@ -0,0 +1 @@
+#/usr/libexec/kde(3|4)/backlighthelper -- gen_context(system_u:object_r:kdebacklighthelper_exec_t,s0)
diff --git a/kde.if b/kde.if
new file mode 100644
index 0000000..cf65577
--- /dev/null
+++ b/kde.if
@@ -0,0 +1,22 @@
+## Policy for KDE components
+
+#######################################
+##
+## Send and receive messages from
+## firewallgui over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kde_dbus_chat_backlighthelper',`
+ gen_require(`
+ type kdebacklighthelper_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 kdebacklighthelper_t:dbus send_msg;
+ allow kdebacklighthelper_t $1:dbus send_msg;
+')
diff --git a/kde.te b/kde.te
new file mode 100644
index 0000000..dbe3f03
--- /dev/null
+++ b/kde.te
@@ -0,0 +1,41 @@
+policy_module(kde,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type kdebacklighthelper_t;
+type kdebacklighthelper_exec_t;
+init_daemon_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
+
+########################################
+#
+# backlighthelper local policy
+#
+
+allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(kdebacklighthelper_t)
+
+# r/w brightness values
+dev_rw_sysfs(kdebacklighthelper_t)
+
+files_read_etc_runtime_files(kdebacklighthelper_t)
+
+fs_getattr_all_fs(kdebacklighthelper_t)
+
+logging_send_syslog_msg(kdebacklighthelper_t)
+
+optional_policy(`
+ dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
+')
+
+optional_policy(`
+ consolekit_dbus_chat(kdebacklighthelper_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(kdebacklighthelper_t)
+')
+
diff --git a/kdump.fc b/kdump.fc
index a49ae4e..0c0e987 100644
--- a/kdump.fc
+++ b/kdump.fc
@@ -1,13 +1,16 @@
/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
+/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
-/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
-/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdump_unit_file_t,s0)
-/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
-/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
-/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
-/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0)
+
+/var/lock/kdump(/.*)? gen_context(system_u:object_r:kdump_lock_t,s0)
diff --git a/kdump.if b/kdump.if
index 3a00b3a..21efcc4 100644
--- a/kdump.if
+++ b/kdump.if
@@ -1,4 +1,4 @@
-## Kernel crash dumping mechanism.
+## Kernel crash dumping mechanism
######################################
##
@@ -19,6 +19,26 @@ interface(`kdump_domtrans',`
domtrans_pattern($1, kdump_exec_t, kdump_t)
')
+######################################
+##
+## Execute kdumpctl in the kdumpctl domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`kdumpctl_domtrans',`
+ gen_require(`
+ type kdumpctl_t, kdumpctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, kdumpctl_exec_t, kdumpctl_t)
+')
+
+
#######################################
##
## Execute kdump in the kdump domain.
@@ -37,9 +57,33 @@ interface(`kdump_initrc_domtrans',`
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
')
+########################################
+##
+## Execute kdump server in the kdump domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`kdump_systemctl',`
+ gen_require(`
+ type kdump_unit_file_t;
+ type kdump_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 kdump_unit_file_t:file read_file_perms;
+ allow $1 kdump_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, kdump_t)
+')
+
#####################################
##
-## Read kdump configuration files.
+## Read kdump configuration file.
##
##
##
@@ -56,10 +100,67 @@ interface(`kdump_read_config',`
allow $1 kdump_etc_t:file read_file_perms;
')
+#####################################
+##
+## Read kdump crash files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kdump_read_crash',`
+ gen_require(`
+ type kdump_crash_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, kdump_crash_t, kdump_crash_t)
+ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
+')
+
+#####################################
+##
+## Read kdump crash files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kdump_manage_crash',`
+ gen_require(`
+ type kdump_crash_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, kdump_crash_t, kdump_crash_t)
+ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
+')
+
+#####################################
+##
+## Dontaudit read kdump configuration file.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`kdump_dontaudit_read_config',`
+ gen_require(`
+ type kdump_etc_t;
+ ')
+
+ dontaudit $1 kdump_etc_t:file read_inherited_file_perms;
+')
+
####################################
##
-## Create, read, write, and delete
-## kdmup configuration files.
+## Manage kdump configuration file.
##
##
##
@@ -76,10 +177,69 @@ interface(`kdump_manage_config',`
allow $1 kdump_etc_t:file manage_file_perms;
')
+#####################################
+##
+## Read and write kdump lock files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kdump_rw_lock',`
+ gen_require(`
+ type kdump_lock_t;
+ ')
+
+ files_search_locks($1)
+ rw_files_pattern($1, kdump_lock_t, kdump_lock_t)
+')
+
+###################################
+##
+## Manage kdump /var/tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kdump_manage_kdumpctl_tmp_files',`
+ gen_require(`
+ type kdumpctl_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+ manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+ manage_fifo_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+ manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+')
+
+#######################################
+##
+## Transition content labels to kdump named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kdump_filetrans_named_content',`
+ gen_require(`
+ type kdump_lock_t;
+ ')
+
+ files_lock_filetrans($1, kdump_lock_t, file, "kdump")
+')
+
######################################
##
-## All of the rules required to
-## administrate an kdump environment.
+## All of the rules required to administrate
+## an kdump environment
##
##
##
@@ -88,19 +248,24 @@ interface(`kdump_manage_config',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the kdump domain.
##
##
##
#
interface(`kdump_admin',`
gen_require(`
- type kdump_t, kdump_etc_t, kdumpctl_tmp_t;
- type kdump_initrc_exec_t, kdumpctl_t;
+ type kdump_t, kdump_etc_t;
+ type kdump_initrc_exec_t;
+ type kdump_unit_file_t;
+ type kdump_crash_t;
')
- allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { kdump_t kdumpctl_t })
+ allow $1 kdump_t:process signal_perms;
+ ps_process_pattern($1, kdump_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kdump_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
domain_system_change_exemption($1)
@@ -110,6 +275,10 @@ interface(`kdump_admin',`
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
- files_search_tmp($1)
- admin_pattern($1, kdumpctl_tmp_t)
+ files_search_var($1)
+ admin_pattern($1, kdump_crash_t)
+
+ kdump_systemctl($1)
+ admin_pattern($1, kdump_unit_file_t)
+ allow $1 kdump_unit_file_t:service all_service_perms;
')
diff --git a/kdump.te b/kdump.te
index 715fc21..f6a381c 100644
--- a/kdump.te
+++ b/kdump.te
@@ -12,35 +12,55 @@ init_system_domain(kdump_t, kdump_exec_t)
type kdump_etc_t;
files_config_file(kdump_etc_t)
+type kdump_crash_t;
+files_type(kdump_crash_t)
+
type kdump_initrc_exec_t;
init_script_file(kdump_initrc_exec_t)
+type kdump_unit_file_t alias kdumpctl_unit_file_t;
+systemd_unit_file(kdump_unit_file_t)
+
+type kdump_lock_t;
+files_lock_file(kdump_lock_t)
+
type kdumpctl_t;
type kdumpctl_exec_t;
init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
-application_executable_file(kdumpctl_exec_t)
+init_initrc_domain(kdumpctl_t)
type kdumpctl_tmp_t;
files_tmp_file(kdumpctl_tmp_t)
#####################################
#
-# Local policy
+# kdump local policy
#
allow kdump_t self:capability { sys_boot dac_override };
+allow kdump_t self:capability2 compromise_kernel;
+
+manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
+manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
+manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
+files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash")
+
+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
-allow kdump_t kdump_etc_t:file read_file_perms;
+manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
+manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
+files_lock_filetrans(kdump_t, kdump_lock_t, { dir file })
-files_read_etc_files(kdump_t)
files_read_etc_runtime_files(kdump_t)
files_read_kernel_img(kdump_t)
+kernel_read_system_state(kdump_t)
kernel_read_core_if(kdump_t)
kernel_read_debugfs(kdump_t)
-kernel_read_system_state(kdump_t)
kernel_request_load_module(kdump_t)
+mls_file_read_all_levels(kdump_t)
+
dev_read_framebuffer(kdump_t)
dev_read_sysfs(kdump_t)
@@ -48,22 +68,32 @@ term_use_console(kdump_t)
#######################################
#
-# Ctl local policy
+# kdumpctl local policy
#
+#cjp:almost all rules are needed by dracut
+
+kdump_domtrans(kdumpctl_t)
+
allow kdumpctl_t self:capability { dac_override sys_chroot };
allow kdumpctl_t self:process setfscreate;
-allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
-allow kdumpctl_t self:unix_stream_socket { accept listen };
-allow kdumpctl_t kdump_etc_t:file read_file_perms;
+allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
+allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file })
+can_exec(kdumpctl_t, kdumpctl_tmp_t)
+
+manage_dirs_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
+manage_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
+manage_lnk_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
+files_var_filetrans(kdumpctl_t, kdump_crash_t, dir, "crash")
-domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t)
+read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t)
kernel_read_system_state(kdumpctl_t)
@@ -71,46 +101,56 @@ corecmd_exec_bin(kdumpctl_t)
corecmd_exec_shell(kdumpctl_t)
dev_read_sysfs(kdumpctl_t)
+# dracut
dev_manage_all_dev_nodes(kdumpctl_t)
domain_use_interactive_fds(kdumpctl_t)
files_create_kernel_img(kdumpctl_t)
-files_read_etc_files(kdumpctl_t)
files_read_etc_runtime_files(kdumpctl_t)
-files_read_usr_files(kdumpctl_t)
files_read_kernel_modules(kdumpctl_t)
files_getattr_all_dirs(kdumpctl_t)
+files_delete_kernel(kdumpctl_t)
fs_getattr_all_fs(kdumpctl_t)
fs_search_all(kdumpctl_t)
-init_domtrans_script(kdumpctl_t)
+application_executable_ioctl(kdumpctl_t)
+
+auth_read_passwd(kdumpctl_t)
+
init_exec(kdumpctl_t)
+systemd_exec_systemctl(kdumpctl_t)
+systemd_read_unit_files(kdumpctl_t)
libs_exec_ld_so(kdumpctl_t)
logging_send_syslog_msg(kdumpctl_t)
+# Need log file from /var/log/dracut.log
+logging_write_generic_logs(kdumpctl_t)
-miscfiles_read_localization(kdumpctl_t)
+optional_policy(`
+ gpg_exec(kdumpctl_t)
+')
optional_policy(`
- gpg_exec(kdumpctl_t)
+ lvm_read_config(kdumpctl_t)
')
optional_policy(`
- lvm_read_config(kdumpctl_t)
+ modutils_domtrans_insmod(kdumpctl_t)
+ modutils_list_module_config(kdumpctl_t)
+ modutils_read_module_config(kdumpctl_t)
')
optional_policy(`
- modutils_domtrans_insmod(kdumpctl_t)
- modutils_read_module_config(kdumpctl_t)
+ plymouthd_domtrans_plymouth(kdumpctl_t)
')
optional_policy(`
- plymouthd_domtrans_plymouth(kdumpctl_t)
+ ssh_exec(kdumpctl_t)
')
optional_policy(`
- ssh_exec(kdumpctl_t)
+ unconfined_domain(kdumpctl_t)
')
diff --git a/kdumpgui.if b/kdumpgui.if
index 182ab8b..8b1d9c2 100644
--- a/kdumpgui.if
+++ b/kdumpgui.if
@@ -1 +1,23 @@
-## System-config-kdump GUI.
+## system-config-kdump GUI
+
+########################################
+##
+## Send and receive messages from
+## kdumpgui over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kdumpgui_dbus_chat',`
+ gen_require(`
+ type kdumpgui_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 kdumpgui_t:dbus send_msg;
+ allow kdumpgui_t $1:dbus send_msg;
+')
+
diff --git a/kdumpgui.te b/kdumpgui.te
index 2990962..c153d15 100644
--- a/kdumpgui.te
+++ b/kdumpgui.te
@@ -5,79 +5,88 @@ policy_module(kdumpgui, 1.2.0)
# Declarations
#
+##
+##
+## Allow s-c-kdump to run bootloader in bootloader_t.
+##
+##
+gen_tunable(kdumpgui_run_bootloader, false)
+
type kdumpgui_t;
type kdumpgui_exec_t;
-init_system_domain(kdumpgui_t, kdumpgui_exec_t)
+init_daemon_domain(kdumpgui_t, kdumpgui_exec_t)
type kdumpgui_tmp_t;
files_tmp_file(kdumpgui_tmp_t)
######################################
#
-# Local policy
+# system-config-kdump local policy
#
allow kdumpgui_t self:capability { net_admin sys_admin sys_nice sys_rawio };
-allow kdumpgui_t self:process { setsched sigkill };
allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow kdumpgui_t self:process { setsched sigkill };
manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file })
-kernel_getattr_core_if(kdumpgui_t)
kernel_read_system_state(kdumpgui_t)
kernel_read_network_state(kdumpgui_t)
+kernel_getattr_core_if(kdumpgui_t)
corecmd_exec_bin(kdumpgui_t)
corecmd_exec_shell(kdumpgui_t)
-dev_getattr_all_blk_files(kdumpgui_t)
dev_dontaudit_getattr_all_chr_files(kdumpgui_t)
dev_read_sysfs(kdumpgui_t)
+dev_read_urand(kdumpgui_t)
+dev_getattr_all_blk_files(kdumpgui_t)
files_manage_boot_files(kdumpgui_t)
files_manage_boot_symlinks(kdumpgui_t)
+# Needed for running chkconfig
files_manage_etc_symlinks(kdumpgui_t)
+# for blkid.tab
files_manage_etc_runtime_files(kdumpgui_t)
files_etc_filetrans_etc_runtime(kdumpgui_t, file)
-files_read_usr_files(kdumpgui_t)
+fs_manage_dos_files(kdumpgui_t)
fs_getattr_all_fs(kdumpgui_t)
fs_list_hugetlbfs(kdumpgui_t)
-fs_read_dos_files(kdumpgui_t)
storage_raw_read_fixed_disk(kdumpgui_t)
storage_raw_write_fixed_disk(kdumpgui_t)
+storage_getattr_removable_dev(kdumpgui_t)
auth_use_nsswitch(kdumpgui_t)
+logging_send_syslog_msg(kdumpgui_t)
logging_list_logs(kdumpgui_t)
logging_read_generic_logs(kdumpgui_t)
-logging_send_syslog_msg(kdumpgui_t)
-
-miscfiles_read_localization(kdumpgui_t)
mount_exec(kdumpgui_t)
init_dontaudit_read_all_script_files(kdumpgui_t)
+init_access_check(kdumpgui_t)
-optional_policy(`
- bootloader_exec(kdumpgui_t)
- bootloader_rw_config(kdumpgui_t)
-')
+userdom_dontaudit_search_admin_dir(kdumpgui_t)
optional_policy(`
- consoletype_exec(kdumpgui_t)
+ tunable_policy(`kdumpgui_run_bootloader',`
+ bootloader_domtrans(kdumpgui_t)
+ #if s-c-kdump is involved
+ bootloader_manage_config(kdumpgui_t)
+ ',`
+ bootloader_exec(kdumpgui_t)
+ bootloader_manage_config(kdumpgui_t)
+ ')
')
optional_policy(`
dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
-
- optional_policy(`
- policykit_dbus_chat(kdumpgui_t)
- ')
')
optional_policy(`
@@ -87,4 +96,10 @@ optional_policy(`
optional_policy(`
kdump_manage_config(kdumpgui_t)
kdump_initrc_domtrans(kdumpgui_t)
+ kdump_systemctl(kdumpgui_t)
+ kdumpctl_domtrans(kdumpgui_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(kdumpgui_t)
')
diff --git a/kerberos.fc b/kerberos.fc
index 4fe75fd..8c702c9 100644
--- a/kerberos.fc
+++ b/kerberos.fc
@@ -1,52 +1,44 @@
-HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
-/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
-/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
-/etc/krb5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
+/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0)
-/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
-/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-/usr/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
-/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
-/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
-
-/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
-
-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-
-/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-
-/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-
-/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
-/var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
-/var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
-
-/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+
+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
+
+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+
+/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
index f6c00d8..c0946cf 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -1,27 +1,29 @@
-## MIT Kerberos admin and KDC.
+## MIT Kerberos admin and KDC
+##
+##
+## This policy supports:
+##
+##
+## Servers:
+##
+## - kadmind
+## - krb5kdc
+##
+##
+##
+## Clients:
+##
+## - kinit
+## - kdestroy
+## - klist
+## - ksu (incomplete)
+##
+##
+##
########################################
##
-## Role access for kerberos.
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-##
-## User domain for the role.
-##
-##
-#
-template(`kerberos_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-##
-## Execute kadmind in the caller domain.
+## Execute kadmind in the current domain
##
##
##
@@ -34,7 +36,6 @@ interface(`kerberos_exec_kadmind',`
type kadmind_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, kadmind_exec_t)
')
@@ -53,13 +54,12 @@ interface(`kerberos_domtrans_kpropd',`
type kpropd_t, kpropd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, kpropd_exec_t, kpropd_t)
')
########################################
##
-## Support kerberos services.
+## Use kerberos services
##
##
##
@@ -69,45 +69,44 @@ interface(`kerberos_domtrans_kpropd',`
#
interface(`kerberos_use',`
gen_require(`
- type krb5kdc_conf_t, krb5_host_rcache_t;
+ type krb5_conf_t, krb5kdc_conf_t;
+ type krb5_host_rcache_t;
')
- kerberos_read_config($1)
-
- dontaudit $1 krb5_conf_t:file write_file_perms;
+ files_search_etc($1)
+ read_files_pattern($1, krb5_conf_t, krb5_conf_t)
+ dontaudit $1 krb5_conf_t:file write;
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
+ #kerberos libraries are attempting to set the correct file context
dontaudit $1 self:process setfscreate;
-
selinux_dontaudit_validate_context($1)
- seutil_dontaudit_read_file_contexts($1)
+ seutil_read_file_contexts($1)
- tunable_policy(`allow_kerberos',`
+ tunable_policy(`kerberos_enabled',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
- corenet_all_recvfrom_unlabeled($1)
- corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_udp_sendrecv_generic_node($1)
-
- corenet_sendrecv_kerberos_client_packets($1)
- corenet_tcp_connect_kerberos_port($1)
corenet_tcp_sendrecv_kerberos_port($1)
corenet_udp_sendrecv_kerberos_port($1)
-
- corenet_sendrecv_ocsp_client_packets($1)
+ corenet_tcp_bind_generic_node($1)
+ corenet_udp_bind_generic_node($1)
+ corenet_tcp_connect_kerberos_port($1)
corenet_tcp_connect_ocsp_port($1)
- corenet_tcp_sendrecv_ocsp_port($1)
+ corenet_sendrecv_kerberos_client_packets($1)
+ corenet_sendrecv_ocsp_client_packets($1)
+ allow $1 krb5_host_rcache_t:dir search_dir_perms;
allow $1 krb5_host_rcache_t:file getattr_file_perms;
')
optional_policy(`
- tunable_policy(`allow_kerberos',`
+ tunable_policy(`kerberos_enabled',`
pcscd_stream_connect($1)
')
')
@@ -119,7 +118,7 @@ interface(`kerberos_use',`
########################################
##
-## Read kerberos configuration files.
+## Read the kerberos configuration file (/etc/krb5.conf).
##
##
##
@@ -135,15 +134,13 @@ interface(`kerberos_read_config',`
files_search_etc($1)
allow $1 krb5_conf_t:file read_file_perms;
-
- userdom_search_user_home_dirs($1)
allow $1 krb5_home_t:file read_file_perms;
')
########################################
##
-## Do not audit attempts to write
-## kerberos configuration files.
+## Do not audit attempts to write the kerberos
+## configuration file (/etc/krb5.conf).
##
##
##
@@ -156,13 +153,12 @@ interface(`kerberos_dontaudit_write_config',`
type krb5_conf_t;
')
- dontaudit $1 krb5_conf_t:file write_file_perms;
+ dontaudit $1 krb5_conf_t:file write;
')
########################################
##
-## Read and write kerberos
-## configuration files.
+## Read and write the kerberos configuration file (/etc/krb5.conf).
##
##
##
@@ -182,75 +178,7 @@ interface(`kerberos_rw_config',`
########################################
##
-## Create, read, write, and delete
-## kerberos home files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`kerberos_manage_krb5_home_files',`
- gen_require(`
- type krb5_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 krb5_home_t:file manage_file_perms;
-')
-
-########################################
-##
-## Relabel kerberos home files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`kerberos_relabel_krb5_home_files',`
- gen_require(`
- type krb5_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 krb5_home_t:file relabel_file_perms;
-')
-
-########################################
-##
-## Create objects in user home
-## directories with the krb5 home type.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
-#
-interface(`kerberos_home_filetrans_krb5_home',`
- gen_require(`
- type krb5_home_t;
- ')
-
- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
-')
-
-########################################
-##
-## Read kerberos key table files.
+## Read the kerberos key table.
##
##
##
@@ -270,7 +198,7 @@ interface(`kerberos_read_keytab',`
########################################
##
-## Read and write kerberos key table files.
+## Read/Write the kerberos key table.
##
##
##
@@ -289,40 +217,13 @@ interface(`kerberos_rw_keytab',`
########################################
##
-## Create, read, write, and delete
-## kerberos key table files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`kerberos_manage_keytab_files',`
- gen_require(`
- type krb5_keytab_t;
- ')
-
- files_search_etc($1)
- allow $1 krb5_keytab_t:file manage_file_perms;
-')
-
-########################################
-##
-## Create specified objects in generic
-## etc directories with the kerberos
-## keytab file type.
+## Create keytab file in /etc
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Class of the object being created.
-##
-##
##
##
## The name of the object being created.
@@ -334,13 +235,13 @@ interface(`kerberos_etc_filetrans_keytab',`
type krb5_keytab_t;
')
- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+ allow $1 krb5_keytab_t:file manage_file_perms;
+ files_etc_filetrans($1, krb5_keytab_t, file, $2)
')
########################################
##
-## Create a derived type for kerberos
-## keytab files.
+## Create a derived type for kerberos keytab
##
##
##
@@ -361,7 +262,7 @@ template(`kerberos_keytab_template',`
########################################
##
-## Read kerberos kdc configuration files.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
##
##
@@ -381,8 +282,7 @@ interface(`kerberos_read_kdc_config',`
########################################
##
-## Create, read, write, and delete
-## kerberos host rcache files.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
##
##
@@ -396,34 +296,99 @@ interface(`kerberos_manage_host_rcache',`
type krb5_host_rcache_t;
')
+ # creates files as system_u no matter what the selinux user
+ # cjp: should be in the below tunable but typeattribute
+ # does not work in conditionals
domain_obj_id_change_exemption($1)
- tunable_policy(`allow_kerberos',`
+ tunable_policy(`kerberos_enabled',`
allow $1 self:process setfscreate;
selinux_validate_context($1)
seutil_read_file_contexts($1)
+ files_rw_generic_tmp_dir($1)
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
files_search_tmp($1)
- allow $1 krb5_host_rcache_t:file manage_file_perms;
')
')
########################################
##
-## Create objects in generic temporary
-## directories with the kerberos host
-## rcache type.
+## All of the rules required to administrate
+## an kerberos environment
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
-##
+##
+##
+## The role to be allowed to manage the kerberos domain.
+##
+##
+##
+#
+interface(`kerberos_admin',`
+ gen_require(`
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
+ ')
+
+ allow $1 kadmind_t:process signal_perms;
+ ps_process_pattern($1, kadmind_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kadmind_t:process ptrace;
+ allow $1 krb5kdc_t:process ptrace;
+ allow $1 kpropd_t:process ptrace;
+ ')
+
+ allow $1 krb5kdc_t:process signal_perms;
+ ps_process_pattern($1, krb5kdc_t)
+
+ allow $1 kpropd_t:process signal_perms;
+ ps_process_pattern($1, kpropd_t)
+
+ init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 kerberos_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, kadmind_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, kadmind_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, kadmind_var_run_t)
+
+ admin_pattern($1, krb5_conf_t)
+
+ admin_pattern($1, krb5_host_rcache_t)
+
+ admin_pattern($1, krb5_keytab_t)
+
+ admin_pattern($1, krb5kdc_principal_t)
+
+ admin_pattern($1, krb5kdc_tmp_t)
+
+ admin_pattern($1, krb5kdc_var_run_t)
+')
+
+########################################
+##
+## Type transition files created in /tmp
+## to the krb5_host_rcache type.
+##
+##
##
-## Class of the object being created.
+## Domain allowed access.
##
##
##
@@ -437,12 +402,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
type krb5_host_rcache_t;
')
- files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3)
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
')
########################################
##
-## Connect to krb524 service.
+## read kerberos homedir content (.k5login)
##
##
##
@@ -450,82 +416,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
##
##
#
-interface(`kerberos_connect_524',`
- tunable_policy(`allow_kerberos',`
- allow $1 self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled($1)
- corenet_all_recvfrom_netlabel($1)
- corenet_udp_sendrecv_generic_if($1)
- corenet_udp_sendrecv_generic_node($1)
-
- corenet_sendrecv_kerberos_master_client_packets($1)
- corenet_udp_sendrecv_kerberos_master_port($1)
+interface(`kerberos_read_home_content',`
+ gen_require(`
+ type krb5_home_t;
')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, krb5_home_t, krb5_home_t)
')
########################################
##
-## All of the rules required to
-## administrate an kerberos environment.
+## create kerberos content in the in the /root directory
+## with an correct label.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`kerberos_filetrans_admin_home_content',`
+ gen_require(`
+ type krb5_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
+')
+
+########################################
+##
+## Transition to kerberos named content
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
-interface(`kerberos_admin',`
+interface(`kerberos_filetrans_home_content',`
gen_require(`
- type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
- type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
- type krb5kdc_var_run_t, krb5_host_rcache_t;
+ type krb5_home_t;
')
- allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
- ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd })
-
- init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kerberos_initrc_exec_t system_r;
- allow $2 system_r;
-
- logging_list_logs($1)
- admin_pattern($1, kadmind_log_t)
-
- files_list_tmp($1)
- admin_pattern($1, { kadmind_tmp_t krb5_host_rcache_t krb5kdc_tmp_t })
-
- kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
- kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
- kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
- kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
-
- files_list_pids($1)
- admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
+')
- files_list_etc($1)
- admin_pattern($1, krb5_conf_t)
+########################################
+##
+## Transition to kerberos named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kerberos_filetrans_named_content',`
+ gen_require(`
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t;
+ ')
files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
-
- admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t })
-
+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
-
- kerberos_etc_filetrans_keytab($1, file, "kadm5.keytab")
+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+ kerberos_etc_filetrans_keytab($1, "krb5.keytab")
+ kerberos_filetrans_admin_home_content($1)
+
+ kerberos_tmp_filetrans_host_rcache($1, "DNS_25")
+ kerberos_tmp_filetrans_host_rcache($1, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache($1, "imap_0")
+ kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
index 8833d59..2242f4d 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
#
##
-##
-## Determine whether kerberos is supported.
-##
+##
+## Allow confined applications to run with kerberos.
+##
##
-gen_tunable(allow_kerberos, false)
+gen_tunable(kerberos_enabled, false)
type kadmind_t;
type kadmind_exec_t;
@@ -35,23 +35,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
domain_obj_id_change_exemption(kpropd_t)
type krb5_conf_t;
-files_type(krb5_conf_t)
+files_config_file(krb5_conf_t)
type krb5_home_t;
userdom_user_home_content(krb5_home_t)
-type krb5_host_rcache_t;
+type krb5_host_rcache_t alias saslauthd_tmp_t;
files_tmp_file(krb5_host_rcache_t)
+# types for general configuration files in /etc
type krb5_keytab_t;
files_security_file(krb5_keytab_t)
+# types for KDC configs and principal file(s)
type krb5kdc_conf_t;
-files_type(krb5kdc_conf_t)
+files_config_file(krb5kdc_conf_t)
type krb5kdc_lock_t;
-files_type(krb5kdc_lock_t)
+files_lock_file(krb5kdc_lock_t)
+
+# types for KDC principal file(s)
type krb5kdc_principal_t;
files_type(krb5kdc_principal_t)
@@ -74,28 +78,31 @@ files_pid_file(krb5kdc_var_run_t)
# kadmind local policy
#
+# Use capabilities. Surplus capabilities may be allowed.
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
-dontaudit kadmind_t self:capability sys_tty_config;
allow kadmind_t self:capability2 block_suspend;
+dontaudit kadmind_t self:capability sys_tty_config;
allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
-allow kadmind_t self:tcp_socket { accept listen };
+allow kadmind_t self:unix_dgram_socket { connect create write };
+allow kadmind_t self:tcp_socket connected_stream_socket_perms;
allow kadmind_t self:udp_socket create_socket_perms;
-allow kadmind_t kadmind_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow kadmind_t kadmind_log_t:file manage_file_perms;
logging_log_filetrans(kadmind_t, kadmind_log_t, file)
allow kadmind_t krb5_conf_t:file read_file_perms;
-dontaudit kadmind_t krb5_conf_t:file write_file_perms;
+dontaudit kadmind_t krb5_conf_t:file write;
-read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
-dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
+manage_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
+can_exec(kadmind_t, kadmind_exec_t)
+
manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
@@ -103,13 +110,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
-can_exec(kadmind_t, kadmind_exec_t)
-
kernel_read_kernel_sysctls(kadmind_t)
+kernel_list_proc(kadmind_t)
kernel_read_network_state(kadmind_t)
+kernel_read_proc_symlinks(kadmind_t)
kernel_read_system_state(kadmind_t)
-corenet_all_recvfrom_unlabeled(kadmind_t)
+corecmd_exec_bin(kadmind_t)
+corecmd_exec_shell(kadmind_t)
+
corenet_all_recvfrom_netlabel(kadmind_t)
corenet_tcp_sendrecv_generic_if(kadmind_t)
corenet_udp_sendrecv_generic_if(kadmind_t)
@@ -119,31 +128,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
corenet_udp_sendrecv_all_ports(kadmind_t)
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
-
-corenet_sendrecv_all_server_packets(kadmind_t)
corenet_tcp_bind_kerberos_admin_port(kadmind_t)
+corenet_tcp_bind_kerberos_password_port(kadmind_t)
corenet_udp_bind_kerberos_admin_port(kadmind_t)
+corenet_udp_bind_kerberos_password_port(kadmind_t)
corenet_tcp_bind_reserved_port(kadmind_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
+corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
+corenet_sendrecv_kerberos_password_server_packets(kadmind_t)
+corenet_tcp_connect_kprop_port(kadmind_t)
dev_read_sysfs(kadmind_t)
+dev_read_rand(kadmind_t)
+dev_read_urand(kadmind_t)
fs_getattr_all_fs(kadmind_t)
fs_search_auto_mountpoints(kadmind_t)
+fs_rw_anon_inodefs_files(kadmind_t)
domain_use_interactive_fds(kadmind_t)
-files_read_etc_files(kadmind_t)
-files_read_usr_files(kadmind_t)
+files_read_usr_symlinks(kadmind_t)
files_read_var_files(kadmind_t)
selinux_validate_context(kadmind_t)
+auth_read_passwd(kadmind_t)
+
logging_send_syslog_msg(kadmind_t)
-miscfiles_read_localization(kadmind_t)
+miscfiles_read_generic_certs(kadmind_t)
+seutil_read_config(kadmind_t)
seutil_read_file_contexts(kadmind_t)
+sysnet_read_config(kadmind_t)
sysnet_use_ldap(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
@@ -154,6 +173,10 @@ optional_policy(`
')
optional_policy(`
+ dirsrv_stream_connect(kadmind_t)
+')
+
+optional_policy(`
nis_use_ypbind(kadmind_t)
')
@@ -174,24 +197,27 @@ optional_policy(`
# Krb5kdc local policy
#
+# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
-dontaudit krb5kdc_t self:capability sys_tty_config;
allow krb5kdc_t self:capability2 block_suspend;
+dontaudit krb5kdc_t self:capability sys_tty_config;
allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-allow krb5kdc_t self:tcp_socket { accept listen };
+allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
allow krb5kdc_t self:udp_socket create_socket_perms;
allow krb5kdc_t self:fifo_file rw_fifo_file_perms;
allow krb5kdc_t krb5_conf_t:file read_file_perms;
dontaudit krb5kdc_t krb5_conf_t:file write;
+can_exec(krb5kdc_t, krb5kdc_exec_t)
+
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
-dontaudit krb5kdc_t krb5kdc_conf_t:file write_file_perms;
+dontaudit krb5kdc_t krb5kdc_conf_t:file write;
allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
-allow krb5kdc_t krb5kdc_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
@@ -203,54 +229,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
-can_exec(krb5kdc_t, krb5kdc_exec_t)
-
kernel_read_system_state(krb5kdc_t)
kernel_read_kernel_sysctls(krb5kdc_t)
+kernel_list_proc(krb5kdc_t)
+kernel_read_proc_symlinks(krb5kdc_t)
kernel_read_network_state(krb5kdc_t)
kernel_search_network_sysctl(krb5kdc_t)
corecmd_exec_bin(krb5kdc_t)
-corenet_all_recvfrom_unlabeled(krb5kdc_t)
corenet_all_recvfrom_netlabel(krb5kdc_t)
corenet_tcp_sendrecv_generic_if(krb5kdc_t)
corenet_udp_sendrecv_generic_if(krb5kdc_t)
corenet_tcp_sendrecv_generic_node(krb5kdc_t)
corenet_udp_sendrecv_generic_node(krb5kdc_t)
+corenet_tcp_sendrecv_all_ports(krb5kdc_t)
+corenet_udp_sendrecv_all_ports(krb5kdc_t)
corenet_tcp_bind_generic_node(krb5kdc_t)
corenet_udp_bind_generic_node(krb5kdc_t)
-
-corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
corenet_tcp_bind_kerberos_port(krb5kdc_t)
corenet_udp_bind_kerberos_port(krb5kdc_t)
-corenet_tcp_sendrecv_kerberos_port(krb5kdc_t)
-corenet_udp_sendrecv_kerberos_port(krb5kdc_t)
-
-corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
corenet_tcp_connect_ocsp_port(krb5kdc_t)
-corenet_tcp_sendrecv_ocsp_port(krb5kdc_t)
+corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
+corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
dev_read_sysfs(krb5kdc_t)
+dev_read_urand(krb5kdc_t)
fs_getattr_all_fs(krb5kdc_t)
fs_search_auto_mountpoints(krb5kdc_t)
+fs_rw_anon_inodefs_files(krb5kdc_t)
domain_use_interactive_fds(krb5kdc_t)
-files_read_etc_files(krb5kdc_t)
files_read_usr_symlinks(krb5kdc_t)
files_read_var_files(krb5kdc_t)
selinux_validate_context(krb5kdc_t)
+auth_read_passwd(krb5kdc_t)
+
logging_send_syslog_msg(krb5kdc_t)
miscfiles_read_generic_certs(krb5kdc_t)
-miscfiles_read_localization(krb5kdc_t)
seutil_read_file_contexts(krb5kdc_t)
+sysnet_read_config(krb5kdc_t)
sysnet_use_ldap(krb5kdc_t)
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
@@ -261,11 +286,11 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(krb5kdc_t)
+ dirsrv_stream_connect(krb5kdc_t)
')
optional_policy(`
- sssd_read_public_files(krb5kdc_t)
+ nis_use_ypbind(krb5kdc_t)
')
optional_policy(`
@@ -273,6 +298,10 @@ optional_policy(`
')
optional_policy(`
+ sssd_read_public_files(krb5kdc_t)
+')
+
+optional_policy(`
udev_read_db(krb5kdc_t)
')
@@ -281,10 +310,12 @@ optional_policy(`
# kpropd local policy
#
+allow kpropd_t self:capability net_bind_service;
allow kpropd_t self:process setfscreate;
-allow kpropd_t self:fifo_file rw_fifo_file_perms;
-allow kpropd_t self:unix_stream_socket { accept listen };
-allow kpropd_t self:tcp_socket { accept listen };
+
+allow kpropd_t self:fifo_file rw_file_perms;
+allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
+allow kpropd_t self:tcp_socket create_stream_socket_perms;
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
@@ -303,26 +334,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
corecmd_exec_bin(kpropd_t)
-corenet_all_recvfrom_unlabeled(kpropd_t)
corenet_tcp_sendrecv_generic_if(kpropd_t)
corenet_tcp_sendrecv_generic_node(kpropd_t)
+corenet_tcp_sendrecv_all_ports(kpropd_t)
corenet_tcp_bind_generic_node(kpropd_t)
-
-corenet_sendrecv_kprop_server_packets(kpropd_t)
corenet_tcp_bind_kprop_port(kpropd_t)
-corenet_tcp_sendrecv_kprop_port(kpropd_t)
dev_read_urand(kpropd_t)
-files_read_etc_files(kpropd_t)
files_search_tmp(kpropd_t)
selinux_validate_context(kpropd_t)
logging_send_syslog_msg(kpropd_t)
-miscfiles_read_localization(kpropd_t)
-
seutil_read_file_contexts(kpropd_t)
sysnet_dns_name_resolve(kpropd_t)
diff --git a/kerneloops.if b/kerneloops.if
index 714448f..fa0c994 100644
--- a/kerneloops.if
+++ b/kerneloops.if
@@ -101,13 +101,16 @@ interface(`kerneloops_manage_tmp_files',`
#
interface(`kerneloops_admin',`
gen_require(`
- type kerneloops_t, kerneloops_initrc_exec_t;
- type kerneloops_tmp_t;
+ type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
')
- allow $1 kerneloops_t:process { ptrace signal_perms };
+ allow $1 kerneloops_t:process signal_perms;
ps_process_pattern($1, kerneloops_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kerneloops_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 kerneloops_initrc_exec_t system_r;
diff --git a/kerneloops.te b/kerneloops.te
index bcdb295..f6e3736 100644
--- a/kerneloops.te
+++ b/kerneloops.te
@@ -31,7 +31,6 @@ kernel_read_ring_buffer(kerneloops_t)
domain_use_interactive_fds(kerneloops_t)
-corenet_all_recvfrom_unlabeled(kerneloops_t)
corenet_all_recvfrom_netlabel(kerneloops_t)
corenet_tcp_sendrecv_generic_if(kerneloops_t)
corenet_tcp_sendrecv_generic_node(kerneloops_t)
@@ -45,8 +44,6 @@ auth_use_nsswitch(kerneloops_t)
logging_send_syslog_msg(kerneloops_t)
logging_read_generic_logs(kerneloops_t)
-miscfiles_read_localization(kerneloops_t)
-
optional_policy(`
dbus_system_domain(kerneloops_t, kerneloops_exec_t)
')
diff --git a/keyboardd.if b/keyboardd.if
index 8982b91..6134ef2 100644
--- a/keyboardd.if
+++ b/keyboardd.if
@@ -1,19 +1,39 @@
-## Xorg.conf keyboard layout callout.
-######################################
+## policy for system-setup-keyboard daemon
+
+########################################
##
-## Read keyboardd unnamed pipes.
+## Execute a domain transition to run keyboard setup daemon.
##
##
-##
+##
## Domain allowed access.
-##
+##
##
#
-interface(`keyboardd_read_pipes',`
+interface(`keyboardd_domtrans',`
gen_require(`
- type keyboardd_t;
+ type keyboardd_t, keyboardd_exec_t;
+ ')
+
+ domtrans_pattern($1, keyboardd_exec_t, keyboardd_t)
+')
+
+######################################
+##
+## Allow attempts to read to
+## keyboardd unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`keyboardd_read_pipes',`
+ gen_require(`
+ type keyboardd_t;
')
- allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
+ allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
')
diff --git a/keyboardd.te b/keyboardd.te
index 628b78b..fe65617 100644
--- a/keyboardd.te
+++ b/keyboardd.te
@@ -19,6 +19,3 @@ allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
files_manage_etc_runtime_files(keyboardd_t)
files_etc_filetrans_etc_runtime(keyboardd_t, file)
-files_read_etc_files(keyboardd_t)
-
-miscfiles_read_localization(keyboardd_t)
diff --git a/keystone.fc b/keystone.fc
index b273d80..186cd86 100644
--- a/keystone.fc
+++ b/keystone.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/openstack-keystone.* -- gen_context(system_u:object_r:keystone_unit_file_t,s0)
+
/etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0)
/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
diff --git a/keystone.if b/keystone.if
index e88fb16..f20248c 100644
--- a/keystone.if
+++ b/keystone.if
@@ -1,42 +1,218 @@
-## Python implementation of the OpenStack identity service API.
+
+## policy for keystone
########################################
##
-## All of the rules required to
-## administrate an keystone environment.
+## Transition to keystone.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`keystone_domtrans',`
+ gen_require(`
+ type keystone_t, keystone_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, keystone_exec_t, keystone_t)
+')
+########################################
+##
+## Read keystone's log files.
##
##
##
## Domain allowed access.
##
##
-##
+##
+#
+interface(`keystone_read_log',`
+ gen_require(`
+ type keystone_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, keystone_log_t, keystone_log_t)
+')
+
+########################################
+##
+## Append to keystone log files.
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
+##
+##
+#
+interface(`keystone_append_log',`
+ gen_require(`
+ type keystone_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, keystone_log_t, keystone_log_t)
+')
+
+########################################
+##
+## Manage keystone log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`keystone_manage_log',`
+ gen_require(`
+ type keystone_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, keystone_log_t, keystone_log_t)
+ manage_files_pattern($1, keystone_log_t, keystone_log_t)
+ manage_lnk_files_pattern($1, keystone_log_t, keystone_log_t)
+')
+
+########################################
+##
+## Search keystone lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`keystone_search_lib',`
+ gen_require(`
+ type keystone_var_lib_t;
+ ')
+
+ allow $1 keystone_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read keystone lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`keystone_read_lib_files',`
+ gen_require(`
+ type keystone_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
+')
+
+########################################
+##
+## Manage keystone lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`keystone_manage_lib_files',`
+ gen_require(`
+ type keystone_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
+')
+
+########################################
+##
+## Manage keystone lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`keystone_manage_lib_dirs',`
+ gen_require(`
+ type keystone_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
+')
+
+########################################
+##
+## Execute keystone server in the keystone domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`keystone_systemctl',`
+ gen_require(`
+ type keystone_t;
+ type keystone_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 keystone_unit_file_t:file read_file_perms;
+ allow $1 keystone_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, keystone_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an keystone environment
+##
+##
+##
+## Domain allowed access.
##
##
-##
#
interface(`keystone_admin',`
gen_require(`
- type keystone_t, keystone_initrc_exec_t, keystone_log_t;
- type keystone_var_lib_t, keystone_tmp_t;
+ type keystone_t;
+ type keystone_log_t;
+ type keystone_var_lib_t;
+ type keystone_unit_file_t;
')
allow $1 keystone_t:process { ptrace signal_perms };
ps_process_pattern($1, keystone_t)
- init_labeled_script_domtrans($1, keystone_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 keystone_initrc_exec_t system_r;
- allow $2 system_r;
-
logging_search_logs($1)
admin_pattern($1, keystone_log_t)
files_search_var_lib($1)
admin_pattern($1, keystone_var_lib_t)
- files_search_tmp($1)
- admin_pattern($1, keystone_tmp_t)
+ keystone_systemctl($1)
+ admin_pattern($1, keystone_unit_file_t)
+ allow $1 keystone_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/keystone.te b/keystone.te
index 9929647..b7873e1 100644
--- a/keystone.te
+++ b/keystone.te
@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t)
type keystone_tmp_t;
files_tmp_file(keystone_tmp_t)
+type keystone_unit_file_t;
+systemd_unit_file(keystone_unit_file_t)
+
########################################
#
# Local policy
#
+allow keystone_t self:process { getsched setsched };
allow keystone_t self:fifo_file rw_fifo_file_perms;
allow keystone_t self:unix_stream_socket { accept listen };
@@ -57,20 +61,29 @@ corenet_all_recvfrom_netlabel(keystone_t)
corenet_tcp_sendrecv_generic_if(keystone_t)
corenet_tcp_sendrecv_generic_node(keystone_t)
corenet_tcp_bind_generic_node(keystone_t)
+corenet_tcp_connect_mysqld_port(keystone_t)
+
+corenet_tcp_connect_mysqld_port(keystone_t)
corenet_sendrecv_commplex_main_server_packets(keystone_t)
corenet_tcp_bind_commplex_main_port(keystone_t)
corenet_tcp_sendrecv_commplex_main_port(keystone_t)
-files_read_usr_files(keystone_t)
+corenet_tcp_bind_keystone_port(keystone_t)
auth_use_pam(keystone_t)
libs_exec_ldconfig(keystone_t)
-miscfiles_read_localization(keystone_t)
-
optional_policy(`
mysql_stream_connect(keystone_t)
mysql_tcp_connect(keystone_t)
')
+
+optional_policy(`
+ postgresql_stream_connect(keystone_t)
+')
+
+optional_policy(`
+ rpm_exec(keystone_t)
+')
diff --git a/kismet.if b/kismet.if
index aa2a337..7ff229f 100644
--- a/kismet.if
+++ b/kismet.if
@@ -283,7 +283,7 @@ interface(`kismet_manage_log',`
interface(`kismet_admin',`
gen_require(`
type kismet_t, kismet_var_lib_t, kismet_var_run_t;
- type kismet_log_t, kismet_tmp_t;
+ type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
')
init_labeled_script_domtrans($1, kismet_initrc_exec_t)
@@ -292,7 +292,11 @@ interface(`kismet_admin',`
allow $2 system_r;
ps_process_pattern($1, kismet_t)
- allow $1 kismet_t:process { ptrace signal_perms };
+ allow $1 kismet_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kismet_t:process ptrace;
+ ')
files_search_var_lib($1)
admin_pattern($1, kismet_var_lib_t)
diff --git a/kismet.te b/kismet.te
index 8ad0d4d..c070420 100644
--- a/kismet.te
+++ b/kismet.te
@@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t)
corecmd_exec_bin(kismet_t)
-corenet_all_recvfrom_unlabeled(kismet_t)
corenet_all_recvfrom_netlabel(kismet_t)
corenet_tcp_sendrecv_generic_if(kismet_t)
corenet_tcp_sendrecv_generic_node(kismet_t)
corenet_tcp_bind_generic_node(kismet_t)
-corenet_sendrecv_kismet_server_packets(kismet_t)
-corenet_tcp_bind_kismet_port(kismet_t)
-corenet_sendrecv_kismet_client_packets(kismet_t)
-corenet_tcp_connect_kismet_port(kismet_t)
-corenet_tcp_sendrecv_kismet_port(kismet_t)
+corenet_tcp_connect_pulseaudio_port(kismet_t)
-auth_use_nsswitch(kismet_t)
-
-files_read_usr_files(kismet_t)
+corenet_sendrecv_rtsclient_server_packets(kismet_t)
+corenet_tcp_bind_rtsclient_port(kismet_t)
+corenet_sendrecv_rtsclient_client_packets(kismet_t)
+corenet_tcp_connect_rtsclient_port(kismet_t)
-miscfiles_read_localization(kismet_t)
+auth_use_nsswitch(kismet_t)
-userdom_use_user_terminals(kismet_t)
+userdom_use_inherited_user_terminals(kismet_t)
+userdom_read_user_tmpfs_files(kismet_t)
optional_policy(`
dbus_system_bus_client(kismet_t)
diff --git a/ksmtuned.fc b/ksmtuned.fc
index e736c45..4b1e1e4 100644
--- a/ksmtuned.fc
+++ b/ksmtuned.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+/usr/lib/systemd/system/ksmtuned.* -- gen_context(system_u:object_r:ksmtuned_unit_file_t,s0)
+
/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
diff --git a/ksmtuned.if b/ksmtuned.if
index 93a64bc..3ac0b8b 100644
--- a/ksmtuned.if
+++ b/ksmtuned.if
@@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',`
init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t)
')
+#######################################
+##
+## Execute ksmtuned server in the ksmtunedd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ksmtuned_systemctl',`
+ gen_require(`
+ type ksmtuned_unit_file_t;
+ type ksmtuned_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 ksmtuned_unit_file_t:file read_file_perms;
+ allow $1 ksmtuned_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ksmtuned_t)
+')
+
########################################
##
## All of the rules required to
@@ -48,30 +71,28 @@ interface(`ksmtuned_initrc_domtrans',`
## Domain allowed access.
##
##
-##
-##
-## Role allowed access.
-##
-##
##
#
interface(`ksmtuned_admin',`
gen_require(`
- type ksmtuned_t, ksmtuned_var_run_t;
- type ksmtuned_initrc_exec_t, ksmtuned_log_t;
+ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t, ksmtuned_unit_file_t;
+ type ksmtuned_log_t;
')
- ksmtuned_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 ksmtuned_initrc_exec_t system_r;
- allow $2 system_r;
-
- allow $1 ksmtuned_t:process { ptrace signal_perms };
+ allow $1 ksmtuned_t:process signal_perms;
ps_process_pattern($1, ksmtuned_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ksmtuned_t:process ptrace;
+ ')
+
files_list_pids($1)
admin_pattern($1, ksmtuned_var_run_t)
logging_search_logs($1)
admin_pattern($1, ksmtuned_log_t)
+
+ ksmtuned_systemctl($1)
+ admin_pattern($1, ksmtuned_unit_file_t)
+ allow $1 ksmtuned_unit_file_t:service all_service_perms;
')
diff --git a/ksmtuned.te b/ksmtuned.te
index 8eef134..a2ca1a0 100644
--- a/ksmtuned.te
+++ b/ksmtuned.te
@@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.1.1)
# Declarations
#
+##
+##
+## Allow ksmtuned to use nfs file systems
+##
+##
+gen_tunable(ksmtuned_use_nfs, false)
+
+##
+##
+## Allow ksmtuned to use cifs/Samba file systems
+##
+##
+gen_tunable(ksmtuned_use_cifs, false)
+
type ksmtuned_t;
type ksmtuned_exec_t;
init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
+type ksmtuned_unit_file_t;
+systemd_unit_file(ksmtuned_unit_file_t)
+
type ksmtuned_initrc_exec_t;
init_script_file(ksmtuned_initrc_exec_t)
@@ -43,6 +60,7 @@ corecmd_exec_shell(ksmtuned_t)
dev_rw_sysfs(ksmtuned_t)
domain_read_all_domains_state(ksmtuned_t)
+domain_dontaudit_read_all_domains_state(ksmtuned_t)
mls_file_read_to_clearance(ksmtuned_t)
@@ -52,4 +70,11 @@ auth_use_nsswitch(ksmtuned_t)
logging_send_syslog_msg(ksmtuned_t)
-miscfiles_read_localization(ksmtuned_t)
+tunable_policy(`ksmtuned_use_nfs',`
+ fs_read_nfs_files(ksmtuned_t)
+')
+
+tunable_policy(`ksmtuned_use_cifs',`
+ fs_read_cifs_files(ksmtuned_t)
+ samba_read_share_files(ksmtuned_t)
+')
diff --git a/ktalk.fc b/ktalk.fc
index 38ecb07..451067e 100644
--- a/ktalk.fc
+++ b/ktalk.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/ntalk.* -- gen_context(system_u:object_r:ktalkd_unit_file_t,s0)
+
/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
diff --git a/ktalk.if b/ktalk.if
index 19777b8..55d1556 100644
--- a/ktalk.if
+++ b/ktalk.if
@@ -1 +1,76 @@
-## KDE Talk daemon.
+
+## talk-server - daemon programs for the Internet talk
+
+########################################
+##
+## Execute TEMPLATE in the ktalkd domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ktalk_domtrans',`
+ gen_require(`
+ type ktalkd_t, ktalkd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ktalkd_exec_t, ktalkd_t)
+')
+########################################
+##
+## Execute ktalkd server in the ktalkd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ktalk_systemctl',`
+ gen_require(`
+ type ktalkd_t;
+ type ktalkd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 ktalkd_unit_file_t:file read_file_perms;
+ allow $1 ktalkd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ktalkd_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an ktalkd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`ktalk_admin',`
+ gen_require(`
+ type ktalkd_t;
+ type ktalkd_unit_file_t;
+ ')
+
+ allow $1 ktalkd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ktalkd_t)
+
+ ktalk_systemctl($1)
+ admin_pattern($1, ktalkd_unit_file_t)
+ allow $1 ktalkd_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/ktalk.te b/ktalk.te
index c5548c5..bb979b1 100644
--- a/ktalk.te
+++ b/ktalk.te
@@ -13,6 +13,9 @@ inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
type ktalkd_log_t;
logging_log_file(ktalkd_log_t)
+type ktalkd_unit_file_t;
+systemd_unit_file(ktalkd_unit_file_t)
+
type ktalkd_tmp_t;
files_tmp_file(ktalkd_tmp_t)
@@ -50,12 +53,11 @@ dev_read_urand(ktalkd_t)
fs_getattr_xattr_fs(ktalkd_t)
-term_use_all_terms(ktalkd_t)
+term_search_ptys(ktalkd_t)
+term_use_all_inherited_terms(ktalkd_t)
auth_use_nsswitch(ktalkd_t)
init_read_utmp(ktalkd_t)
logging_send_syslog_msg(ktalkd_t)
-
-miscfiles_read_localization(ktalkd_t)
diff --git a/kudzu.if b/kudzu.if
index 5297064..6ba8108 100644
--- a/kudzu.if
+++ b/kudzu.if
@@ -86,9 +86,13 @@ interface(`kudzu_admin',`
type kudzu_tmp_t;
')
- allow $1 kudzu_t:process { ptrace signal_perms };
+ allow $1 kudzu_t:process { signal_perms };
ps_process_pattern($1, kudzu_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kudzu_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, kudzu_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 kudzu_initrc_exec_t system_r;
diff --git a/kudzu.te b/kudzu.te
index 1664036..214a4fb 100644
--- a/kudzu.te
+++ b/kudzu.te
@@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t)
domain_use_interactive_fds(kudzu_t)
files_read_kernel_modules(kudzu_t)
-files_read_usr_files(kudzu_t)
files_search_locks(kudzu_t)
files_manage_etc_files(kudzu_t)
files_manage_etc_runtime_files(kudzu_t)
@@ -101,11 +100,10 @@ libs_read_lib_files(kudzu_t)
logging_send_syslog_msg(kudzu_t)
miscfiles_read_hwdata(kudzu_t)
-miscfiles_read_localization(kudzu_t)
sysnet_read_config(kudzu_t)
-userdom_use_user_terminals(kudzu_t)
+userdom_use_inherited_user_terminals(kudzu_t)
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
userdom_search_user_home_dirs(kudzu_t)
@@ -122,10 +120,6 @@ optional_policy(`
')
optional_policy(`
- nscd_use(kudzu_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(kudzu_t)
')
diff --git a/l2tp.fc b/l2tp.fc
index d5d1572..82267a7 100644
--- a/l2tp.fc
+++ b/l2tp.fc
@@ -5,6 +5,7 @@
/etc/sysconfig/.*l2tpd -- gen_context(system_u:object_r:l2tp_conf_t,s0)
/usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
+/usr/libexec/nm-l2tp-service -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
/var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
/var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0)
diff --git a/l2tp.if b/l2tp.if
index 73e2803..2fc7570 100644
--- a/l2tp.if
+++ b/l2tp.if
@@ -1,9 +1,45 @@
-## Layer 2 Tunneling Protocol.
+## Layer 2 Tunneling Protocol daemons.
########################################
##
-## Send to l2tpd with a unix
-## domain dgram socket.
+## Transition to l2tpd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`l2tpd_domtrans',`
+ gen_require(`
+ type l2tpd_t, l2tpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, l2tpd_exec_t, l2tpd_t)
+')
+
+########################################
+##
+## Execute l2tpd server in the l2tpd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`l2tpd_initrc_domtrans',`
+ gen_require(`
+ type l2tpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
+')
+
+########################################
+##
+## Send to l2tpd via a unix dgram socket.
##
##
##
@@ -16,7 +52,6 @@ interface(`l2tpd_dgram_send',`
type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
')
- files_search_pids($1)
files_search_tmp($1)
dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
')
@@ -39,10 +74,29 @@ interface(`l2tpd_rw_socket',`
allow $1 l2tpd_t:socket rw_socket_perms;
')
+########################################
+##
+## Read l2tpd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`l2tpd_read_pid_files',`
+ gen_require(`
+ type l2tpd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 l2tpd_var_run_t:file read_file_perms;
+')
+
#####################################
##
-## Connect to l2tpd with a unix
-## domain stream socket.
+## Connect to l2tpd over a unix domain
+## stream socket.
##
##
##
@@ -56,14 +110,107 @@ interface(`l2tpd_stream_connect',`
')
files_search_pids($1)
- files_search_tmp($1)
- stream_connect_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
+ stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t)
+ stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t)
')
########################################
##
-## All of the rules required to
-## administrate an l2tp environment.
+## Read and write l2tpd unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`l2tpd_rw_pipes',`
+ gen_require(`
+ type l2tpd_t;
+ ')
+
+ allow $1 l2tpd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Allow send a signal to l2tpd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`l2tpd_signal',`
+ gen_require(`
+ type l2tpd_t;
+ ')
+
+ allow $1 l2tpd_t:process signal;
+')
+
+########################################
+##
+## Allow send signull to l2tpd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`l2tpd_signull',`
+ gen_require(`
+ type l2tpd_t;
+ ')
+
+ allow $1 l2tpd_t:process signull;
+')
+
+########################################
+##
+## Allow send sigkill to l2tpd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`l2tpd_sigkill',`
+ gen_require(`
+ type l2tpd_t;
+ ')
+
+ allow $1 l2tpd_t:process sigkill;
+')
+
+########################################
+##
+## Send and receive messages from
+## l2tpd over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`l2tpd_dbus_chat',`
+ gen_require(`
+ type l2tpd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 l2tpd_t:dbus send_msg;
+ allow l2tpd_t $1:dbus send_msg;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an l2tpd environment
##
##
##
@@ -77,22 +224,26 @@ interface(`l2tpd_stream_connect',`
##
##
#
-interface(`l2tp_admin',`
+interface(`l2tpd_admin',`
gen_require(`
type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
- type l2tp_conf_t, l2tpd_tmp_t;
+ type l2tp_etc_t, l2tpd_tmp_t;
')
- allow $1 l2tpd_t:process { ptrace signal_perms };
+ allow $1 l2tpd_t:process signal_perms;
ps_process_pattern($1, l2tpd_t)
- init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 l2tpd_t:process ptrace;
+ ')
+
+ l2tpd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 l2tpd_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
- admin_pattern($1, l2tp_conf_t)
+ admin_pattern($1, l2tp_etc_t)
files_search_pids($1)
admin_pattern($1, l2tpd_var_run_t)
diff --git a/l2tp.te b/l2tp.te
index bb06a7f..5546de2 100644
--- a/l2tp.te
+++ b/l2tp.te
@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
#
allow l2tpd_t self:capability net_admin;
-allow l2tpd_t self:process signal;
+allow l2tpd_t self:process signal_perms;
allow l2tpd_t self:fifo_file rw_fifo_file_perms;
allow l2tpd_t self:netlink_socket create_socket_perms;
allow l2tpd_t self:rawip_socket create_socket_perms;
@@ -42,11 +42,13 @@ manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file })
+files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file })
manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
+can_exec(l2tpd_t, l2tpd_exec_t)
+
corenet_all_recvfrom_unlabeled(l2tpd_t)
corenet_all_recvfrom_netlabel(l2tpd_t)
corenet_raw_sendrecv_generic_if(l2tpd_t)
@@ -75,19 +77,37 @@ corecmd_exec_bin(l2tpd_t)
dev_read_urand(l2tpd_t)
-files_read_etc_files(l2tpd_t)
-
term_setattr_generic_ptys(l2tpd_t)
term_use_generic_ptys(l2tpd_t)
term_use_ptmx(l2tpd_t)
-logging_send_syslog_msg(l2tpd_t)
+auth_read_passwd(l2tpd_t)
-miscfiles_read_localization(l2tpd_t)
+logging_send_syslog_msg(l2tpd_t)
sysnet_dns_name_resolve(l2tpd_t)
optional_policy(`
+ dbus_system_bus_client(l2tpd_t)
+ dbus_connect_system_bus(l2tpd_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(l2tpd_t)
+ ')
+')
+
+optional_policy(`
+ ipsec_domtrans_mgmt(l2tpd_t)
+ ipsec_mgmt_read_pid(l2tpd_t)
+ ipsec_filetrans_key_file(l2tpd_t)
+ ipsec_manage_key_file(l2tpd_t)
+')
+
+optional_policy(`
+ networkmanager_read_pid_files(l2tpd_t)
+')
+
+optional_policy(`
ppp_domtrans(l2tpd_t)
ppp_signal(l2tpd_t)
ppp_kill(l2tpd_t)
diff --git a/ldap.fc b/ldap.fc
index b7e5679..c93db33 100644
--- a/ldap.fc
+++ b/ldap.fc
@@ -1,8 +1,11 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
-/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
+
+/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
-/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:slapd_unit_file_t,s0)
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
@@ -22,8 +25,7 @@
/var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0)
/var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0)
-/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/ldap.if b/ldap.if
index 3602712..fc7b071 100644
--- a/ldap.if
+++ b/ldap.if
@@ -1,8 +1,68 @@
-## OpenLDAP directory server.
+## OpenLDAP directory server
+
+#######################################
+##
+## Execute OpenLDAP in the ldap domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ldap_domtrans',`
+ gen_require(`
+ type slapd_t, slapd_exec_t;
+ ')
+
+ domtrans_pattern($1, slapd_exec_t, slapd_t)
+')
+
+#######################################
+##
+## Execute OpenLDAP server in the ldap domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ldap_initrc_domtrans',`
+ gen_require(`
+ type slapd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+')
+
+########################################
+##
+## Execute slapd server in the slapd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ldap_systemctl',`
+ gen_require(`
+ type slapd_unit_file_t;
+ type slapd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 slapd_unit_file_t:file read_file_perms;
+ allow $1 slapd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, slapd_t)
+')
########################################
##
-## List ldap database directories.
+## Read the contents of the OpenLDAP
+## database directories.
##
##
##
@@ -15,13 +75,31 @@ interface(`ldap_list_db',`
type slapd_db_t;
')
- files_search_etc($1)
allow $1 slapd_db_t:dir list_dir_perms;
')
########################################
##
-## Read ldap configuration files.
+## Read the contents of the OpenLDAP
+## database files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ldap_read_db_files',`
+ gen_require(`
+ type slapd_db_t;
+ ')
+
+ read_files_pattern($1, slapd_db_t, slapd_db_t)
+')
+
+########################################
+##
+## Read the OpenLDAP configuration files.
##
##
##
@@ -41,22 +119,29 @@ interface(`ldap_read_config',`
########################################
##
-## Use LDAP over TCP connection. (Deprecated)
+## Read the OpenLDAP cert files.
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`ldap_use',`
- refpolicywarn(`$0($*) has been deprecated.')
+interface(`ldap_read_certs',`
+ gen_require(`
+ type slapd_cert_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 slapd_cert_t:dir list_dir_perms;
+ read_files_pattern($1, slapd_cert_t, slapd_cert_t)
+ read_lnk_files_pattern($1, slapd_cert_t, slapd_cert_t)
')
########################################
##
-## Connect to slapd over an unix
-## stream socket.
+## Use LDAP over TCP connection. (Deprecated)
##
##
##
@@ -64,18 +149,13 @@ interface(`ldap_use',`
##
##
#
-interface(`ldap_stream_connect',`
- gen_require(`
- type slapd_t, slapd_var_run_t;
- ')
-
- files_search_pids($1)
- stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
+interface(`ldap_use',`
+ refpolicywarn(`$0($*) has been deprecated.')
')
########################################
##
-## Connect to ldap over the network.
+## Connect to slapd over an unix stream socket.
##
##
##
@@ -83,21 +163,19 @@ interface(`ldap_stream_connect',`
##
##
#
-interface(`ldap_tcp_connect',`
+interface(`ldap_stream_connect',`
gen_require(`
- type slapd_t;
+ type slapd_t, slapd_var_run_t;
')
- corenet_sendrecv_ldap_client_packets($1)
- corenet_tcp_connect_ldap_port($1)
- corenet_tcp_recvfrom_labeled($1, slapd_t)
- corenet_tcp_sendrecv_ldap_port($1)
+ files_search_pids($1)
+ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
')
########################################
##
-## All of the rules required to
-## administrate an ldap environment.
+## All of the rules required to administrate
+## an ldap environment
##
##
##
@@ -106,7 +184,7 @@ interface(`ldap_tcp_connect',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the ldap domain.
##
##
##
@@ -117,11 +195,16 @@ interface(`ldap_admin',`
type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
type slapd_db_t, slapd_keytab_t;
+ type slapd_unit_file_t;
')
- allow $1 slapd_t:process { ptrace signal_perms };
+ allow $1 slapd_t:process signal_perms;
ps_process_pattern($1, slapd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 slapd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, slapd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 slapd_initrc_exec_t system_r;
@@ -130,13 +213,9 @@ interface(`ldap_admin',`
files_list_etc($1)
admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
- files_list_locks($1)
admin_pattern($1, slapd_lock_t)
- logging_list_logs($1)
- admin_pattern($1, slapd_log_t)
-
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, slapd_replog_t)
files_list_tmp($1)
@@ -144,4 +223,8 @@ interface(`ldap_admin',`
files_list_pids($1)
admin_pattern($1, slapd_var_run_t)
+
+ ldap_systemctl($1)
+ admin_pattern($1, slapd_unit_file_t)
+ allow $1 slapd_unit_file_t:service all_service_perms;
')
diff --git a/ldap.te b/ldap.te
index 4c2b111..8915138 100644
--- a/ldap.te
+++ b/ldap.te
@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
type slapd_initrc_exec_t;
init_script_file(slapd_initrc_exec_t)
+type slapd_unit_file_t;
+systemd_unit_file(slapd_unit_file_t)
+
type slapd_keytab_t;
files_type(slapd_keytab_t)
@@ -93,7 +96,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
-corenet_all_recvfrom_unlabeled(slapd_t)
corenet_all_recvfrom_netlabel(slapd_t)
corenet_tcp_sendrecv_generic_if(slapd_t)
corenet_tcp_sendrecv_generic_node(slapd_t)
@@ -115,15 +117,14 @@ fs_getattr_all_fs(slapd_t)
fs_search_auto_mountpoints(slapd_t)
files_read_etc_runtime_files(slapd_t)
-files_read_usr_files(slapd_t)
files_list_var_lib(slapd_t)
auth_use_nsswitch(slapd_t)
+auth_rw_cache(slapd_t)
logging_send_syslog_msg(slapd_t)
miscfiles_read_generic_certs(slapd_t)
-miscfiles_read_localization(slapd_t)
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
userdom_dontaudit_search_user_home_dirs(slapd_t)
@@ -131,9 +132,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t)
optional_policy(`
kerberos_manage_host_rcache(slapd_t)
kerberos_read_keytab(slapd_t)
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0")
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487")
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55")
kerberos_use(slapd_t)
')
diff --git a/lightsquid.if b/lightsquid.if
index 33a28b9..33ffe24 100644
--- a/lightsquid.if
+++ b/lightsquid.if
@@ -76,5 +76,7 @@ interface(`lightsquid_admin',`
files_search_var_lib($1)
admin_pattern($1, lightsquid_rw_content_t)
- apache_list_sys_content($1)
+ optional_policy(`
+ apache_list_sys_content($1)
+ ')
')
diff --git a/lightsquid.te b/lightsquid.te
index 09c4f27..75854ed 100644
--- a/lightsquid.te
+++ b/lightsquid.te
@@ -31,11 +31,6 @@ corecmd_exec_shell(lightsquid_t)
dev_read_urand(lightsquid_t)
-files_read_etc_files(lightsquid_t)
-files_read_usr_files(lightsquid_t)
-
-miscfiles_read_localization(lightsquid_t)
-
squid_read_config(lightsquid_t)
squid_read_log(lightsquid_t)
diff --git a/likewise.if b/likewise.if
index bd20e8c..3393a01 100644
--- a/likewise.if
+++ b/likewise.if
@@ -1,9 +1,22 @@
## Likewise Active Directory support for UNIX.
+##
+##
+## Likewise Open is a free, open source application that joins Linux, Unix,
+## and Mac machines to Microsoft Active Directory to securely authenticate
+## users with their domain credentials.
+##
+##
#######################################
##
## The template to define a likewise domain.
##
+##
+##
+## This template creates a domain to be used for
+## a new likewise daemon.
+##
+##
##
##
## The type of daemon to be used.
@@ -11,6 +24,7 @@
##
#
template(`likewise_domain_template',`
+
gen_require(`
attribute likewise_domains;
type likewise_var_lib_t;
@@ -24,6 +38,7 @@ template(`likewise_domain_template',`
type $1_t;
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
+ domain_use_interactive_fds($1_t)
typeattribute $1_t likewise_domains;
@@ -38,15 +53,18 @@ template(`likewise_domain_template',`
####################################
#
- # Policy
+ # Local Policy
#
allow $1_t self:process { signal_perms getsched setsched };
allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:unix_stream_socket { accept listen };
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
+ allow $1_t likewise_var_lib_t:dir setattr_dir_perms;
+
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t, $1_var_run_t, file)
@@ -55,12 +73,15 @@ template(`likewise_domain_template',`
manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
+
+ kernel_read_system_state($1_t)
+
+ logging_send_syslog_msg($1_t)
')
########################################
##
-## Connect to lsassd with a unix domain
-## stream socket.
+## Connect to lsassd.
##
##
##
@@ -76,59 +97,3 @@ interface(`likewise_stream_connect_lsassd',`
files_search_pids($1)
stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
')
-
-########################################
-##
-## All of the rules required to
-## administrate an likewise environment.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-#
-interface(`likewise_admin',`
- gen_require(`
- attribute likewise_domains;
- type likewise_initrc_exec_t, likewise_etc_t, likewise_pstore_lock_t;
- type likewise_krb5_ad_t, likewise_var_lib_t, eventlogd_var_socket_t;
- type lsassd_var_socket_t, lwiod_var_socket_t, lwregd_var_socket_t;
- type lwsmd_var_socket_t, lwsmd_var_lib_t, netlogond_var_socket_t;
- type netlogond_var_lib_t, lsassd_var_lib_t, lwregd_var_lib_t;
- type eventlogd_var_lib_t, dcerpcd_var_lib_t, lsassd_tmp_t;
- type eventlogd_var_run_t, lsassd_var_run_t, lwiod_var_run_t;
- type lwregd_var_run_t, netlogond_var_run_t, srvsvcd_var_run_t;
- ')
-
- allow $1 likewise_domains:process { ptrace signal_perms };
- ps_process_pattern($1, likewise_domains)
-
- init_labeled_script_domtrans($1, likewise_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 likewise_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_list_etc($1)
- admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t })
-
- files_search_var_lib($1)
- admin_pattern($1, { likewise_var_lib_t eventlogd_var_socket_t lsassd_var_socket_t })
- admin_pattern($1, { lwiod_var_socket_t lwregd_var_socket_t lwsmd_var_socket_t })
- admin_pattern($1, { lwsmd_var_lib_t netlogond_var_socket_t netlogond_var_lib_t })
- admin_pattern($1, { lsassd_var_lib_t lwregd_var_lib_t eventlogd_var_lib_t })
- admin_pattern($1, dcerpcd_var_lib_t)
-
- files_list_tmp($1)
- admin_pattern($1, lsassd_tmp_t)
-
- files_list_pids($1)
- admin_pattern($1, { eventlogd_var_run_t lsassd_var_run_t lwiod_var_run_t })
- admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t })
-')
diff --git a/likewise.te b/likewise.te
index d8c2442..ef30d42 100644
--- a/likewise.te
+++ b/likewise.te
@@ -26,7 +26,7 @@ type likewise_var_lib_t;
files_type(likewise_var_lib_t)
type likewise_pstore_lock_t;
-files_type(likewise_pstore_lock_t)
+files_lock_file(likewise_pstore_lock_t)
type likewise_krb5_ad_t;
files_type(likewise_krb5_ad_t)
@@ -41,20 +41,13 @@ files_tmp_file(lsassd_tmp_t)
allow likewise_domains likewise_var_lib_t:dir setattr_dir_perms;
-kernel_read_system_state(likewise_domains)
-
dev_read_rand(likewise_domains)
dev_read_urand(likewise_domains)
domain_use_interactive_fds(likewise_domains)
-files_read_etc_files(likewise_domains)
files_search_var_lib(likewise_domains)
-logging_send_syslog_msg(likewise_domains)
-
-miscfiles_read_localization(likewise_domains)
-
#################################
#
# dcerpcd local policy
@@ -126,7 +119,6 @@ corecmd_exec_bin(lsassd_t)
corecmd_exec_shell(lsassd_t)
corenet_all_recvfrom_netlabel(lsassd_t)
-corenet_all_recvfrom_unlabeled(lsassd_t)
corenet_tcp_sendrecv_generic_if(lsassd_t)
corenet_tcp_sendrecv_generic_node(lsassd_t)
@@ -242,7 +234,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_
stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
corenet_all_recvfrom_netlabel(srvsvcd_t)
-corenet_all_recvfrom_unlabeled(srvsvcd_t)
corenet_sendrecv_generic_server_packets(srvsvcd_t)
corenet_tcp_sendrecv_generic_if(srvsvcd_t)
corenet_tcp_sendrecv_generic_node(srvsvcd_t)
diff --git a/lircd.if b/lircd.if
index dff21a7..b6981c8 100644
--- a/lircd.if
+++ b/lircd.if
@@ -81,8 +81,11 @@ interface(`lircd_admin',`
type lircd_initrc_exec_t, lircd_etc_t;
')
- allow $1 lircd_t:process { ptrace signal_perms };
+ allow $1 lircd_t:process signal_perms;
ps_process_pattern($1, lircd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 lircd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/lircd.te b/lircd.te
index 483c87b..af0698b 100644
--- a/lircd.te
+++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
init_script_file(lircd_initrc_exec_t)
type lircd_etc_t;
-files_type(lircd_etc_t)
+files_config_file(lircd_etc_t)
type lircd_var_run_t alias lircd_sock_t;
files_pid_file(lircd_var_run_t)
@@ -27,6 +27,7 @@ allow lircd_t self:capability { chown kill sys_admin };
allow lircd_t self:process signal;
allow lircd_t self:fifo_file rw_fifo_file_perms;
allow lircd_t self:tcp_socket { accept listen };
+allow lircd_t self:netlink_kobject_uevent_socket create_socket_perms;
read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
@@ -64,9 +65,8 @@ files_manage_generic_locks(lircd_t)
files_read_all_locks(lircd_t)
term_use_ptmx(lircd_t)
+term_use_usb_ttys(lircd_t)
logging_send_syslog_msg(lircd_t)
-miscfiles_read_localization(lircd_t)
-
sysnet_dns_name_resolve(lircd_t)
diff --git a/livecd.if b/livecd.if
index e354181..c6b2383 100644
--- a/livecd.if
+++ b/livecd.if
@@ -38,11 +38,32 @@ interface(`livecd_domtrans',`
#
interface(`livecd_run',`
gen_require(`
+ type livecd_t;
+ type livecd_exec_t;
attribute_role livecd_roles;
')
livecd_domtrans($1)
roleattribute $2 livecd_roles;
+ role_transition $2 livecd_exec_t system_r;
+')
+
+########################################
+##
+## Dontaudit read/write to a livecd leaks
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`livecd_dontaudit_leaks',`
+ gen_require(`
+ type livecd_t;
+ ')
+
+ dontaudit $1 livecd_t:unix_dgram_socket { read write };
')
########################################
diff --git a/livecd.te b/livecd.te
index 2f974bf..54f10e4 100644
--- a/livecd.te
+++ b/livecd.te
@@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t)
# Local policy
#
-dontaudit livecd_t self:capability2 mac_admin;
+allow livecd_t self:capability2 mac_admin;
-domain_ptrace_all_domains(livecd_t)
+tunable_policy(`deny_ptrace',`',`
+ domain_ptrace_all_domains(livecd_t)
+')
manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
@@ -35,12 +37,17 @@ sysnet_etc_filetrans_config(livecd_t)
optional_policy(`
hal_dbus_chat(livecd_t)
')
+
+optional_policy(`
+ mount_run(livecd_t, livecd_roles)
+')
+
optional_policy(`
- mount_run(livecd_t, livecd_roles)
+ rpm_transition_script(livecd_t)
')
optional_policy(`
- rpm_domtrans(livecd_t)
+ seutil_run_setfiles_mac(livecd_t, livecd_roles)
')
optional_policy(`
diff --git a/lldpad.if b/lldpad.if
index d18c960..fb5b674 100644
--- a/lldpad.if
+++ b/lldpad.if
@@ -2,6 +2,25 @@
#######################################
##
+## Transition to lldpad.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`lldpad_domtrans',`
+ gen_require(`
+ type lldpad_t, lldpad_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lldpad_exec_t, lldpad_t)
+')
+
+#######################################
+##
## Send to lldpad with a unix dgram socket.
##
##
@@ -42,9 +61,13 @@ interface(`lldpad_admin',`
type lldpad_var_run_t;
')
- allow $1 lldpad_t:process { ptrace signal_perms };
+ allow $1 lldpad_t:process { signal_perms };
ps_process_pattern($1, lldpad_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 lldpad_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 lldpad_initrc_exec_t system_r;
diff --git a/lldpad.te b/lldpad.te
index 2a491d9..db979c3 100644
--- a/lldpad.te
+++ b/lldpad.te
@@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t)
# Local policy
#
-allow lldpad_t self:capability { net_admin net_raw };
+allow lldpad_t self:capability { net_admin net_raw sys_resource };
allow lldpad_t self:shm create_shm_perms;
allow lldpad_t self:fifo_file rw_fifo_file_perms;
allow lldpad_t self:unix_stream_socket { accept listen };
@@ -51,11 +51,9 @@ kernel_request_load_module(lldpad_t)
dev_read_sysfs(lldpad_t)
-files_read_etc_files(lldpad_t)
-
logging_send_syslog_msg(lldpad_t)
-miscfiles_read_localization(lldpad_t)
+userdom_dgram_send(lldpad_t)
optional_policy(`
fcoe_dgram_send_fcoemon(lldpad_t)
diff --git a/loadkeys.te b/loadkeys.te
index d2f4643..c8e6b37 100644
--- a/loadkeys.te
+++ b/loadkeys.te
@@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t)
corecmd_exec_bin(loadkeys_t)
corecmd_exec_shell(loadkeys_t)
-files_read_etc_files(loadkeys_t)
files_read_etc_runtime_files(loadkeys_t)
term_dontaudit_use_console(loadkeys_t)
term_use_unallocated_ttys(loadkeys_t)
+auth_read_passwd(loadkeys_t)
+
init_dontaudit_use_fds(loadkeys_t)
init_dontaudit_use_script_ptys(loadkeys_t)
locallogin_use_fds(loadkeys_t)
-miscfiles_read_localization(loadkeys_t)
-
-userdom_use_user_ttys(loadkeys_t)
+userdom_use_inherited_user_ttys(loadkeys_t)
userdom_list_user_home_content(loadkeys_t)
ifdef(`hide_broken_symptoms',`
diff --git a/lockdev.if b/lockdev.if
index 4313b8b..cd1435c 100644
--- a/lockdev.if
+++ b/lockdev.if
@@ -1,5 +1,25 @@
## Library for locking devices.
+#######################################
+##
+## Create, read, write, and delete
+## lockdev lock files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lockdev_manage_files',`
+ gen_require(`
+ type lockdev_lock_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, lockdev_lock_t, lockdev_lock_t)
+')
+
########################################
##
## Role access for lockdev.
diff --git a/lockdev.te b/lockdev.te
index 61db5a0..9d5d255 100644
--- a/lockdev.te
+++ b/lockdev.te
@@ -36,4 +36,5 @@ fs_getattr_xattr_fs(lockdev_t)
logging_send_syslog_msg(lockdev_t)
-userdom_use_user_terminals(lockdev_t)
+userdom_use_inherited_user_terminals(lockdev_t)
+
diff --git a/logrotate.fc b/logrotate.fc
index a11d5be..36c8de7 100644
--- a/logrotate.fc
+++ b/logrotate.fc
@@ -1,6 +1,9 @@
-/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+ifdef(`distro_debian', `
/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
-/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+', `
+/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+')
diff --git a/logrotate.if b/logrotate.if
index dd8e01a..9cd6b0b 100644
--- a/logrotate.if
+++ b/logrotate.if
@@ -1,4 +1,4 @@
-## Rotates, compresses, removes and mails system log files.
+## Rotate and archive system logs
########################################
##
@@ -21,9 +21,8 @@ interface(`logrotate_domtrans',`
########################################
##
-## Execute logrotate in the logrotate
-## domain, and allow the specified
-## role the logrotate domain.
+## Execute logrotate in the logrotate domain, and
+## allow the specified role the logrotate domain.
##
##
##
@@ -39,11 +38,11 @@ interface(`logrotate_domtrans',`
#
interface(`logrotate_run',`
gen_require(`
- attribute_role logrotate_roles;
+ type logrotate_t;
')
logrotate_domtrans($1)
- roleattribute $2 logrotate_roles;
+ role $2 types logrotate_t;
')
########################################
@@ -85,8 +84,7 @@ interface(`logrotate_use_fds',`
########################################
##
-## Do not audit attempts to inherit
-## logrotate file descriptors.
+## Do not audit attempts to inherit logrotate file descriptors.
##
##
##
@@ -104,7 +102,7 @@ interface(`logrotate_dontaudit_use_fds',`
########################################
##
-## Read logrotate temporary files.
+## Read a logrotate temporary files.
##
##
##
diff --git a/logrotate.te b/logrotate.te
index be0ab84..8c532a6 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,14 @@ policy_module(logrotate, 1.15.0)
# Declarations
#
-attribute_role logrotate_roles;
-roleattribute system_r logrotate_roles;
-
type logrotate_t;
-type logrotate_exec_t;
domain_type(logrotate_t)
domain_obj_id_change_exemption(logrotate_t)
domain_system_change_exemption(logrotate_t)
+role system_r types logrotate_t;
+
+type logrotate_exec_t;
domain_entry_file(logrotate_t, logrotate_exec_t)
-role logrotate_roles types logrotate_t;
type logrotate_lock_t;
files_lock_file(logrotate_lock_t)
@@ -25,21 +23,27 @@ files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t;
files_type(logrotate_var_lib_t)
-mta_base_mail_template(logrotate)
-role system_r types logrotate_mail_t;
-
########################################
#
# Local policy
#
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+# Change ownership on log files.
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
+dontaudit logrotate_t self:capability sys_resource;
+
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
+# Set a context other than the default one for newly created files.
+allow logrotate_t self:process setfscreate;
+
allow logrotate_t self:fd use;
allow logrotate_t self:key manage_key_perms;
allow logrotate_t self:fifo_file rw_fifo_file_perms;
+allow logrotate_t self:unix_dgram_socket create_socket_perms;
+allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
allow logrotate_t self:unix_dgram_socket sendto;
-allow logrotate_t self:unix_stream_socket { accept connectto listen };
+allow logrotate_t self:unix_stream_socket connectto;
allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
@@ -48,36 +52,52 @@ allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
+can_exec(logrotate_t, logrotate_tmp_t)
+
manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
+# for /var/lib/logrotate.status and /var/lib/logcheck
create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
-can_exec(logrotate_t, logrotate_tmp_t)
-
kernel_read_system_state(logrotate_t)
kernel_read_kernel_sysctls(logrotate_t)
+dev_read_urand(logrotate_t)
+dev_read_sysfs(logrotate_t)
+
+fs_search_auto_mountpoints(logrotate_t)
+fs_getattr_all_fs(logrotate_t)
+fs_list_inotifyfs(logrotate_t)
+
+mls_file_read_all_levels(logrotate_t)
+mls_file_write_all_levels(logrotate_t)
+mls_file_upgrade(logrotate_t)
+mls_process_write_to_clearance(logrotate_t)
+
+selinux_get_fs_mount(logrotate_t)
+selinux_get_enforce_mode(logrotate_t)
+
+# Run helper programs.
corecmd_exec_bin(logrotate_t)
corecmd_exec_shell(logrotate_t)
corecmd_getattr_all_executables(logrotate_t)
-dev_read_urand(logrotate_t)
-
domain_signal_all_domains(logrotate_t)
domain_use_interactive_fds(logrotate_t)
domain_getattr_all_entry_files(logrotate_t)
+# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logrotate_t)
-files_read_usr_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t)
files_read_all_pids(logrotate_t)
files_search_all(logrotate_t)
files_read_var_lib_files(logrotate_t)
+# Write to /var/spool/slrnpull - should be moved into its own type.
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
@@ -103,24 +123,34 @@ init_all_labeled_script_domtrans(logrotate_t)
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
logging_send_audit_msgs(logrotate_t)
+# cjp: why is this needed?
logging_exec_all_logs(logrotate_t)
-miscfiles_read_localization(logrotate_t)
+systemd_exec_systemctl(logrotate_t)
+systemd_getattr_unit_files(logrotate_t)
+systemd_start_all_unit_files(logrotate_t)
+systemd_reload_all_services(logrotate_t)
+systemd_status_all_unit_files(logrotate_t)
+init_stream_connect(logrotate_t)
-seutil_dontaudit_read_config(logrotate_t)
+miscfiles_read_hwdata(logrotate_t)
-userdom_use_user_terminals(logrotate_t)
+userdom_use_inherited_user_terminals(logrotate_t)
userdom_list_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
+userdom_list_admin_dir(logrotate_t)
+userdom_dontaudit_getattr_user_home_content(logrotate_t)
-mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
-
-ifdef(`distro_debian',`
+ifdef(`distro_debian', `
allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
+ # for savelog
can_exec(logrotate_t, logrotate_exec_t)
- logging_check_exec_syslog(logrotate_t)
+ # for syslogd-listfiles
logging_read_syslog_config(logrotate_t)
+
+ # for "test -x /sbin/syslogd"
+ logging_check_exec_syslog(logrotate_t)
')
optional_policy(`
@@ -135,16 +165,17 @@ optional_policy(`
optional_policy(`
apache_read_config(logrotate_t)
+ apache_read_sys_content_rw_dirs(logrotate_t)
apache_domtrans(logrotate_t)
apache_signull(logrotate_t)
')
optional_policy(`
- asterisk_domtrans(logrotate_t)
+ awstats_domtrans(logrotate_t)
')
optional_policy(`
- awstats_domtrans(logrotate_t)
+ asterisk_domtrans(logrotate_t)
')
optional_policy(`
@@ -170,6 +201,10 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_bus_client(logrotate_t)
+')
+
+optional_policy(`
fail2ban_stream_connect(logrotate_t)
')
@@ -178,7 +213,7 @@ optional_policy(`
')
optional_policy(`
- chronyd_read_key_files(logrotate_t)
+ chronyd_read_keys(logrotate_t)
')
optional_policy(`
@@ -198,21 +233,26 @@ optional_policy(`
')
optional_policy(`
+ mysql_read_home_content(logrotate_t)
mysql_read_config(logrotate_t)
+ mysql_search_db(logrotate_t)
mysql_stream_connect(logrotate_t)
')
optional_policy(`
- openvswitch_read_pid_files(logrotate_t)
- openvswitch_domtrans(logrotate_t)
+ polipo_named_filetrans_log_files(logrotate_t)
+')
+
+optional_policy(`
+ psad_domtrans(logrotate_t)
')
optional_policy(`
- polipo_log_filetrans_log(logrotate_t, file, "polipo")
+ rabbitmq_domtrans_beam(logrotate_t)
')
optional_policy(`
- psad_domtrans(logrotate_t)
+ raid_domtrans_mdadm(logrotate_t)
')
optional_policy(`
@@ -228,10 +268,20 @@ optional_policy(`
')
optional_policy(`
+ openshift_manage_lib_files(logrotate_t)
+')
+
+optional_policy(`
+ openvswitch_read_pid_files(logrotate_t)
+ openvswitch_domtrans(logrotate_t)
+')
+
+optional_policy(`
squid_domtrans(logrotate_t)
')
optional_policy(`
+ #Red Hat bug 564565
su_exec(logrotate_t)
')
@@ -241,13 +291,11 @@ optional_policy(`
#######################################
#
-# Mail local policy
+# logrotate_mail local policy
#
-allow logrotate_mail_t logrotate_t:fd use;
-allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms;
-allow logrotate_mail_t logrotate_t:process sigchld;
-
-manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
-
+mta_base_mail_template(logrotate)
+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+role system_r types logrotate_mail_t;
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.te b/logwatch.te
index ab65034..52cbb90 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -6,6 +6,13 @@ policy_module(logwatch, 1.12.2)
#
##
+##
+## Allow epylog to send mail
+##
+##
+gen_tunable(logwatch_can_sendmail, false)
+
+##
##
## Determine whether logwatch can connect
## to mail over the network.
@@ -15,7 +22,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
type logwatch_t;
type logwatch_exec_t;
-init_system_domain(logwatch_t, logwatch_exec_t)
+init_daemon_domain(logwatch_t, logwatch_exec_t)
+application_domain(logwatch_t, logwatch_exec_t)
type logwatch_cache_t;
files_type(logwatch_cache_t)
@@ -45,7 +53,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
-allow logwatch_t logwatch_lock_t:file manage_file_perms;
+manage_files_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)
+manage_dirs_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)
files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
@@ -61,6 +70,11 @@ kernel_read_system_state(logwatch_t)
kernel_read_net_sysctls(logwatch_t)
kernel_read_network_state(logwatch_t)
+corenet_all_recvfrom_unlabeled(logwatch_t)
+corenet_all_recvfrom_netlabel(logwatch_t)
+corenet_tcp_sendrecv_generic_if(logwatch_t)
+corenet_tcp_sendrecv_generic_node(logwatch_t)
+
corecmd_exec_bin(logwatch_t)
corecmd_exec_shell(logwatch_t)
@@ -75,10 +89,11 @@ files_list_var(logwatch_t)
files_search_all(logwatch_t)
files_read_var_symlinks(logwatch_t)
files_read_etc_runtime_files(logwatch_t)
-files_read_usr_files(logwatch_t)
+files_read_system_conf_files(logwatch_t)
fs_getattr_all_dirs(logwatch_t)
fs_getattr_all_fs(logwatch_t)
+fs_getattr_all_dirs(logwatch_t)
fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t)
@@ -100,23 +115,17 @@ libs_read_lib_files(logwatch_t)
logging_read_all_logs(logwatch_t)
logging_send_syslog_msg(logwatch_t)
-miscfiles_read_localization(logwatch_t)
-
selinux_dontaudit_getattr_dir(logwatch_t)
sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t)
+userdom_dontaudit_list_admin_dir(logwatch_t)
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
mta_getattr_spool(logwatch_t)
tunable_policy(`logwatch_can_network_connect_mail',`
- corenet_all_recvfrom_unlabeled(logwatch_t)
- corenet_all_recvfrom_netlabel(logwatch_t)
- corenet_tcp_sendrecv_generic_if(logwatch_t)
- corenet_tcp_sendrecv_generic_node(logwatch_t)
-
corenet_sendrecv_smtp_client_packets(logwatch_t)
corenet_tcp_connect_smtp_port(logwatch_t)
corenet_tcp_sendrecv_smtp_port(logwatch_t)
@@ -160,6 +169,12 @@ optional_policy(`
')
optional_policy(`
+ raid_domtrans_mdadm(logwatch_t)
+ raid_access_check_mdadm(logwatch_t)
+ raid_read_conf_files(logwatch_t)
+')
+
+optional_policy(`
rpc_search_nfs_state_data(logwatch_t)
')
@@ -187,6 +202,12 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
+mta_read_home(logwatch_mail_t)
+
optional_policy(`
cron_use_system_job_fds(logwatch_mail_t)
')
+
+optional_policy(`
+ courier_stream_connect_authdaemon(logwatch_mail_t)
+')
diff --git a/lpd.fc b/lpd.fc
index 2fb9b2e..08974e3 100644
--- a/lpd.fc
+++ b/lpd.fc
@@ -19,6 +19,7 @@
/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
diff --git a/lpd.if b/lpd.if
index 6256371..7826e38 100644
--- a/lpd.if
+++ b/lpd.if
@@ -1,44 +1,49 @@
-## Line printer daemon.
+## Line printer daemon
########################################
##
-## Role access for lpd.
+## Role access for lpd
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
+##
#
interface(`lpd_role',`
gen_require(`
attribute_role lpr_roles;
- type lpr_t, lpr_exec_t;
+ type lpr_t, lpr_exec_t, print_spool_t;
')
- ########################################
- #
- # Declarations
- #
+ ########################################
+ #
+ # Declarations
+ #
roleattribute $1 lpr_roles;
- ########################################
- #
- # Policy
- #
+ ########################################
+ #
+ # Policy
+ #
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, lpr_exec_t, lpr_t)
+ dontaudit lpr_t $2:unix_stream_socket { read write };
- allow $2 lpr_t:process { ptrace signal_perms };
ps_process_pattern($2, lpr_t)
+ allow $2 lpr_t:process signal_perms;
- dontaudit lpr_t $2:unix_stream_socket { read write };
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 lpr_t:process ptrace;
+ ')
optional_policy(`
cups_read_config($2)
@@ -60,15 +65,13 @@ interface(`lpd_domtrans_checkpc',`
type checkpc_t, checkpc_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, checkpc_exec_t, checkpc_t)
')
########################################
##
-## Execute amrecover in the lpd
-## domain, and allow the specified
-## role the lpd domain.
+## Execute amrecover in the lpd domain, and
+## allow the specified role the lpd domain.
##
##
##
@@ -84,16 +87,16 @@ interface(`lpd_domtrans_checkpc',`
#
interface(`lpd_run_checkpc',`
gen_require(`
- attribute_role checkpc_roles;
+ type checkpc_t;
')
lpd_domtrans_checkpc($1)
- roleattribute $2 checkpc_roles;
+ role $2 types checkpc_t;
')
########################################
##
-## List printer spool directories.
+## List the contents of the printer spool directories.
##
##
##
@@ -112,7 +115,7 @@ interface(`lpd_list_spool',`
########################################
##
-## Read printer spool files.
+## Read the printer spool files.
##
##
##
@@ -131,8 +134,7 @@ interface(`lpd_read_spool',`
########################################
##
-## Create, read, write, and delete
-## printer spool content.
+## Create, read, write, and delete printer spool files.
##
##
##
@@ -153,7 +155,7 @@ interface(`lpd_manage_spool',`
########################################
##
-## Relabel spool files.
+## Relabel from and to the spool files.
##
##
##
@@ -172,7 +174,7 @@ interface(`lpd_relabel_spool',`
########################################
##
-## Read printer configuration files.
+## List the contents of the printer spool directories.
##
##
##
@@ -200,12 +202,11 @@ interface(`lpd_read_config',`
##
##
#
-template(`lpd_domtrans_lpr',`
+interface(`lpd_domtrans_lpr',`
gen_require(`
type lpr_t, lpr_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, lpr_exec_t, lpr_t)
')
@@ -237,7 +238,8 @@ interface(`lpd_run_lpr',`
########################################
##
-## Execute lpr in the caller domain.
+## Allow the specified domain to execute lpr
+## in the caller domain.
##
##
##
@@ -250,6 +252,5 @@ interface(`lpd_exec_lpr',`
type lpr_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, lpr_exec_t)
')
diff --git a/lpd.te b/lpd.te
index 39d3164..4b1b70c 100644
--- a/lpd.te
+++ b/lpd.te
@@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t)
type print_spool_t;
typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
-files_type(print_spool_t)
+files_spool_file(print_spool_t)
ubac_constrained(print_spool_t)
type printer_t;
@@ -81,7 +81,6 @@ allow checkpc_t printconf_t:dir list_dir_perms;
kernel_read_system_state(checkpc_t)
-corenet_all_recvfrom_unlabeled(checkpc_t)
corenet_all_recvfrom_netlabel(checkpc_t)
corenet_tcp_sendrecv_generic_if(checkpc_t)
corenet_tcp_sendrecv_generic_node(checkpc_t)
@@ -97,7 +96,6 @@ dev_append_printer(checkpc_t)
domain_use_interactive_fds(checkpc_t)
-files_read_etc_files(checkpc_t)
files_read_etc_runtime_files(checkpc_t)
files_search_pids(checkpc_t)
files_search_spool(checkpc_t)
@@ -107,7 +105,7 @@ init_use_fds(checkpc_t)
sysnet_read_config(checkpc_t)
-userdom_use_user_terminals(checkpc_t)
+userdom_use_inherited_user_terminals(checkpc_t)
optional_policy(`
cron_system_entry(checkpc_t, checkpc_exec_t)
@@ -155,7 +153,6 @@ can_exec(lpd_t, printconf_t)
kernel_read_kernel_sysctls(lpd_t)
kernel_read_system_state(lpd_t)
-corenet_all_recvfrom_unlabeled(lpd_t)
corenet_all_recvfrom_netlabel(lpd_t)
corenet_tcp_sendrecv_generic_if(lpd_t)
corenet_tcp_sendrecv_generic_node(lpd_t)
@@ -174,14 +171,12 @@ dev_rw_printer(lpd_t)
domain_use_interactive_fds(lpd_t)
files_read_etc_runtime_files(lpd_t)
-files_read_usr_files(lpd_t)
files_list_world_readable(lpd_t)
files_read_world_readable_files(lpd_t)
files_read_world_readable_symlinks(lpd_t)
files_list_var_lib(lpd_t)
files_read_var_lib_files(lpd_t)
files_read_var_lib_symlinks(lpd_t)
-files_read_etc_files(lpd_t)
files_search_spool(lpd_t)
fs_getattr_all_fs(lpd_t)
@@ -190,7 +185,6 @@ fs_search_auto_mountpoints(lpd_t)
logging_send_syslog_msg(lpd_t)
miscfiles_read_fonts(lpd_t)
-miscfiles_read_localization(lpd_t)
sysnet_read_config(lpd_t)
@@ -224,7 +218,6 @@ can_exec(lpr_t, lpr_exec_t)
kernel_read_crypto_sysctls(lpr_t)
kernel_read_kernel_sysctls(lpr_t)
-corenet_all_recvfrom_unlabeled(lpr_t)
corenet_all_recvfrom_netlabel(lpr_t)
corenet_tcp_sendrecv_generic_if(lpr_t)
corenet_tcp_sendrecv_generic_node(lpr_t)
@@ -239,7 +232,6 @@ dev_read_urand(lpr_t)
domain_use_interactive_fds(lpr_t)
files_search_spool(lpr_t)
-files_read_usr_files(lpr_t)
files_list_home(lpr_t)
fs_getattr_all_fs(lpr_t)
@@ -249,23 +241,27 @@ term_use_generic_ptys(lpr_t)
auth_use_nsswitch(lpr_t)
-logging_send_syslog_msg(lpr_t)
-
miscfiles_read_fonts(lpr_t)
-miscfiles_read_localization(lpr_t)
userdom_read_user_tmp_symlinks(lpr_t)
-userdom_use_user_terminals(lpr_t)
+# Write to the user domain tty.
+userdom_use_inherited_user_terminals(lpr_t)
userdom_read_user_home_content_files(lpr_t)
userdom_read_user_tmp_files(lpr_t)
+userdom_write_user_tmp_sockets(lpr_t)
+userdom_stream_connect(lpr_t)
tunable_policy(`use_lpd_server',`
- allow lpr_t lpd_t:process signal;
-
- write_sock_files_pattern(lpr_t, lpd_var_run_t, lpd_var_run_t)
+ # lpr can run in lightweight mode, without a local print spooler.
+ allow lpr_t lpd_var_run_t:dir search_dir_perms;
+ allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
files_read_var_files(lpr_t)
+ # Connect to lpd via a Unix domain socket.
+ allow lpr_t printer_t:sock_file read_sock_file_perms;
stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)
+ # Send SIGHUP to lpd.
+ allow lpr_t lpd_t:process signal;
manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
@@ -279,17 +275,7 @@ tunable_policy(`use_lpd_server',`
allow lpr_t printconf_t:lnk_file read_lnk_file_perms;
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_auto_mountpoints(lpr_t)
- fs_read_nfs_files(lpr_t)
- fs_read_nfs_symlinks(lpr_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_list_auto_mountpoints(lpr_t)
- fs_read_cifs_files(lpr_t)
- fs_read_cifs_symlinks(lpr_t)
-')
+userdom_home_reader(lpr_t)
optional_policy(`
cups_read_config(lpr_t)
@@ -298,5 +284,13 @@ optional_policy(`
')
optional_policy(`
- gnome_stream_connect_all_gkeyringd(lpr_t)
+ gnome_stream_connect_gkeyringd(lpr_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(lpr_t)
+')
+
+optional_policy(`
+ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
')
diff --git a/lsm.fc b/lsm.fc
index c455730..6e14667 100644
--- a/lsm.fc
+++ b/lsm.fc
@@ -1,3 +1,7 @@
/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
+/usr/bin/.*_lsmplugin -- gen_context(system_u:object_r:lsmd_plugin_exec_t,s0)
+
+/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+
/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
diff --git a/lsm.if b/lsm.if
index d314333..da30c5d 100644
--- a/lsm.if
+++ b/lsm.if
@@ -1,25 +1,85 @@
-## Storage array management library.
+
+## libStorageMgmt plug-in daemon
########################################
##
-## All of the rules required to administrate
-## an lsmd environment.
+## Execute TEMPLATE in the lsmd domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`lsmd_domtrans',`
+ gen_require(`
+ type lsmd_t, lsmd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lsmd_exec_t, lsmd_t)
+')
+########################################
+##
+## Read lsmd PID files.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`lsmd_read_pid_files',`
+ gen_require(`
+ type lsmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
+')
+
+########################################
+##
+## Execute lsmd server in the lsmd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`lsmd_systemctl',`
+ gen_require(`
+ type lsmd_t;
+ type lsmd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 lsmd_unit_file_t:file read_file_perms;
+ allow $1 lsmd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, lsmd_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an lsmd environment
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
##
#
interface(`lsmd_admin',`
gen_require(`
- type lsmd_t, type lsmd_var_run_t;
+ type lsmd_t;
+ type lsmd_var_run_t;
+ type lsmd_unit_file_t;
')
allow $1 lsmd_t:process { ptrace signal_perms };
@@ -27,4 +87,13 @@ interface(`lsmd_admin',`
files_search_pids($1)
admin_pattern($1, lsmd_var_run_t)
+
+ lsmd_systemctl($1)
+ admin_pattern($1, lsmd_unit_file_t)
+ allow $1 lsmd_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/lsm.te b/lsm.te
index 4ec0eea..7f3d3fe 100644
--- a/lsm.te
+++ b/lsm.te
@@ -12,6 +12,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
type lsmd_var_run_t;
files_pid_file(lsmd_var_run_t)
+type lsmd_unit_file_t;
+systemd_unit_file(lsmd_unit_file_t)
+
+type lsmd_plugin_t;
+type lsmd_plugin_exec_t;
+application_domain(lsmd_plugin_t, lsmd_plugin_exec_t)
+role system_r types lsmd_plugin_t;
+
+type lsmd_plugin_tmp_t;
+files_tmp_file(lsmd_plugin_tmp_t)
+
########################################
#
# Local policy
@@ -26,4 +37,29 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
+corecmd_exec_bin(lsmd_t)
+
logging_send_syslog_msg(lsmd_t)
+
+########################################
+#
+# Local lsmd plugin policy
+#
+
+domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
+
+allow lsmd_t lsmd_plugin_exec_t:file read_file_perms;
+
+manage_files_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
+manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
+files_tmp_filetrans(lsmd_plugin_t, lsmd_plugin_tmp_t, { file dir })
+
+kernel_read_system_state(lsmd_plugin_t)
+
+dev_read_urand(lsmd_plugin_t)
+
+corecmd_exec_bin(lsmd_plugin_t)
+
+logging_send_syslog_msg(lsmd_plugin_t)
+
+sysnet_read_config(lsmd_plugin_t)
diff --git a/mailman.fc b/mailman.fc
index 995d0a5..3d40d59 100644
--- a/mailman.fc
+++ b/mailman.fc
@@ -2,10 +2,12 @@
/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
+/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
/var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0)
diff --git a/mailman.if b/mailman.if
index 108c0f1..a248501 100644
--- a/mailman.if
+++ b/mailman.if
@@ -1,44 +1,70 @@
-## Manage electronic mail discussion and e-newsletter lists.
+## Mailman is for managing electronic mail discussion and e-newsletter lists
#######################################
##
-## The template to define a mailman domain.
+## The template to define a mailmain domain.
##
-##
+##
+##
+## This template creates a domain to be used for
+## a new mailman daemon.
+##
+##
+##
##
-## Domain prefix to be used.
+## The type of daemon to be used eg, cgi would give mailman_cgi_
##
##
#
-template(`mailman_domain_template',`
- gen_require(`
- attribute mailman_domain;
- ')
+template(`mailman_domain_template', `
- ########################################
- #
- # Declarations
- #
+ ########################################
+ #
+ # Declarations
+ #
- type mailman_$1_t;
- type mailman_$1_exec_t;
+ gen_require(`
+ attribute mailman_domain;
+ ')
+
+ type mailman_$1_t, mailman_domain;
domain_type(mailman_$1_t)
+ type mailman_$1_exec_t;
domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
role system_r types mailman_$1_t;
type mailman_$1_tmp_t;
files_tmp_file(mailman_$1_tmp_t)
- ####################################
- #
- # Policy
- #
+ ####################################
+ #
+ # Policy
+ #
manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
+ kernel_read_system_state(mailman_$1_t)
+
+ corenet_all_recvfrom_unlabeled(mailman_$1_t)
+ corenet_all_recvfrom_netlabel(mailman_$1_t)
+ corenet_tcp_sendrecv_generic_if(mailman_$1_t)
+ corenet_udp_sendrecv_generic_if(mailman_$1_t)
+ corenet_raw_sendrecv_generic_if(mailman_$1_t)
+ corenet_tcp_sendrecv_generic_node(mailman_$1_t)
+ corenet_udp_sendrecv_generic_node(mailman_$1_t)
+ corenet_raw_sendrecv_generic_node(mailman_$1_t)
+ corenet_tcp_sendrecv_all_ports(mailman_$1_t)
+ corenet_udp_sendrecv_all_ports(mailman_$1_t)
+ corenet_tcp_bind_generic_node(mailman_$1_t)
+ corenet_udp_bind_generic_node(mailman_$1_t)
+ corenet_tcp_connect_smtp_port(mailman_$1_t)
+ corenet_sendrecv_smtp_client_packets(mailman_$1_t)
+
auth_use_nsswitch(mailman_$1_t)
+
+ logging_send_syslog_msg(mailman_$1_t)
')
#######################################
@@ -56,15 +82,12 @@ interface(`mailman_domtrans',`
type mailman_mail_exec_t, mailman_mail_t;
')
- libs_search_lib($1)
domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
')
########################################
##
-## Execute the mailman program in the
-## mailman domain and allow the
-## specified role the mailman domain.
+## Execute the mailman program in the mailman domain.
##
##
##
@@ -73,18 +96,18 @@ interface(`mailman_domtrans',`
##
##
##
-## Role allowed access.
+## The role to allow the mailman domain.
##
##
##
#
interface(`mailman_run',`
gen_require(`
- attribute_role mailman_roles;
+ type mailman_mail_t;
')
mailman_domtrans($1)
- roleattribute $2 mailman_roles;
+ role $2 types mailman_mail_t;
')
#######################################
@@ -103,7 +126,6 @@ interface(`mailman_domtrans_cgi',`
type mailman_cgi_exec_t, mailman_cgi_t;
')
- libs_search_lib($1)
domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
')
@@ -122,13 +144,12 @@ interface(`mailman_exec',`
type mailman_mail_exec_t;
')
- libs_search_lib($1)
can_exec($1, mailman_mail_exec_t)
')
#######################################
##
-## Send generic signals to mailman cgi.
+## Send generic signals to the mailman cgi domain.
##
##
##
@@ -146,7 +167,7 @@ interface(`mailman_signal_cgi',`
#######################################
##
-## Search mailman data directories.
+## Allow domain to search data directories.
##
##
##
@@ -159,13 +180,12 @@ interface(`mailman_search_data',`
type mailman_data_t;
')
- files_search_spool($1)
allow $1 mailman_data_t:dir search_dir_perms;
')
#######################################
##
-## Read mailman data content.
+## Allow domain to to read mailman data files.
##
##
##
@@ -178,7 +198,6 @@ interface(`mailman_read_data_files',`
type mailman_data_t;
')
- files_search_spool($1)
list_dirs_pattern($1, mailman_data_t, mailman_data_t)
read_files_pattern($1, mailman_data_t, mailman_data_t)
read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
@@ -186,8 +205,8 @@ interface(`mailman_read_data_files',`
#######################################
##
-## Create, read, write, and delete
-## mailman data files.
+## Allow domain to to create mailman data files
+## and write the directory.
##
##
##
@@ -200,14 +219,13 @@ interface(`mailman_manage_data_files',`
type mailman_data_t;
')
- files_search_spool($1)
manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
manage_files_pattern($1, mailman_data_t, mailman_data_t)
')
#######################################
##
-## List mailman data directories.
+## List the contents of mailman data directories.
##
##
##
@@ -220,13 +238,12 @@ interface(`mailman_list_data',`
type mailman_data_t;
')
- files_search_spool($1)
allow $1 mailman_data_t:dir list_dir_perms;
')
#######################################
##
-## Read mailman data symbolic links.
+## Allow read acces to mailman data symbolic links.
##
##
##
@@ -244,7 +261,7 @@ interface(`mailman_read_data_symlinks',`
#######################################
##
-## Read mailman log files.
+## Read mailman logs.
##
##
##
@@ -257,13 +274,12 @@ interface(`mailman_read_log',`
type mailman_log_t;
')
- logging_search_logs($1)
read_files_pattern($1, mailman_log_t, mailman_log_t)
')
#######################################
##
-## Append mailman log files.
+## Append to mailman logs.
##
##
##
@@ -276,14 +292,13 @@ interface(`mailman_append_log',`
type mailman_log_t;
')
- logging_search_logs($1)
append_files_pattern($1, mailman_log_t, mailman_log_t)
')
#######################################
##
## Create, read, write, and delete
-## mailman log content.
+## mailman logs.
##
##
##
@@ -296,14 +311,13 @@ interface(`mailman_manage_log',`
type mailman_log_t;
')
- logging_search_logs($1)
manage_files_pattern($1, mailman_log_t, mailman_log_t)
manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t)
')
#######################################
##
-## Read mailman archive content.
+## Allow domain to read mailman archive files.
##
##
##
@@ -316,7 +330,6 @@ interface(`mailman_read_archive',`
type mailman_archive_t;
')
- files_search_var_lib($1)
allow $1 mailman_archive_t:dir list_dir_perms;
read_files_pattern($1, mailman_archive_t, mailman_archive_t)
read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
@@ -324,8 +337,7 @@ interface(`mailman_read_archive',`
#######################################
##
-## Execute mailman_queue in the
-## mailman_queue domain.
+## Execute mailman_queue in the mailman_queue domain.
##
##
##
@@ -338,6 +350,5 @@ interface(`mailman_domtrans_queue',`
type mailman_queue_exec_t, mailman_queue_t;
')
- libs_search_lib($1)
domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
')
diff --git a/mailman.te b/mailman.te
index ac81c7f..7041046 100644
--- a/mailman.te
+++ b/mailman.te
@@ -4,6 +4,12 @@ policy_module(mailman, 1.10.0)
#
# Declarations
#
+##
+##
+## Allow mailman to access FUSE file systems
+##
+##
+gen_tunable(mailman_use_fusefs, false)
attribute mailman_domain;
@@ -50,16 +56,11 @@ manage_lnk_files_pattern(mailman_domain, mailman_data_t, mailman_data_t)
manage_files_pattern(mailman_domain, mailman_lock_t, mailman_lock_t)
files_lock_filetrans(mailman_domain, mailman_lock_t, file)
-append_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
-create_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
-setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
+manage_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
logging_log_filetrans(mailman_domain, mailman_log_t, file)
kernel_read_kernel_sysctls(mailman_domain)
-kernel_read_system_state(mailman_domain)
-corenet_all_recvfrom_unlabeled(mailman_domain)
-corenet_all_recvfrom_netlabel(mailman_domain)
corenet_tcp_sendrecv_generic_if(mailman_domain)
corenet_tcp_sendrecv_generic_node(mailman_domain)
@@ -82,10 +83,6 @@ fs_getattr_all_fs(mailman_domain)
libs_exec_ld_so(mailman_domain)
libs_exec_lib_files(mailman_domain)
-logging_send_syslog_msg(mailman_domain)
-
-miscfiles_read_localization(mailman_domain)
-
########################################
#
# CGI local policy
@@ -115,20 +112,23 @@ optional_policy(`
# Mail local policy
#
-allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
-allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_nice sys_tty_config };
+allow mailman_mail_t self:process { setsched signal signull };
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
+can_exec(mailman_mail_t, mailman_mail_exec_t)
+
corenet_sendrecv_innd_client_packets(mailman_mail_t)
corenet_tcp_connect_innd_port(mailman_mail_t)
corenet_tcp_sendrecv_innd_port(mailman_mail_t)
corenet_sendrecv_spamd_client_packets(mailman_mail_t)
-corenet_tcp_connect_spamd_port(mailman_mail_t)
corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
+corenet_tcp_connect_spamd_port(mailman_mail_t)
dev_read_urand(mailman_mail_t)
@@ -142,6 +142,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(mailman_mail_t)
+')
+
+optional_policy(`
cron_read_pipes(mailman_mail_t)
')
@@ -182,3 +186,9 @@ optional_policy(`
optional_policy(`
su_exec(mailman_queue_t)
')
+
+tunable_policy(`mailman_use_fusefs',`
+ fs_manage_fusefs_dirs(mailman_domain)
+ fs_manage_fusefs_files(mailman_domain)
+ fs_manage_fusefs_symlinks(mailman_domain)
+')
diff --git a/mailscanner.if b/mailscanner.if
index 214cb44..bd1d48e 100644
--- a/mailscanner.if
+++ b/mailscanner.if
@@ -2,29 +2,27 @@
########################################
##
-## Create, read, write, and delete
-## mscan spool content.
+## Execute a domain transition to run
+## MailScanner.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
-interface(`mscan_manage_spool_content',`
+interface(`mailscanner_initrc_domtrans',`
gen_require(`
- type mscan_spool_t;
+ type mscan_initrc_exec_t;
')
- files_search_spool($1)
- manage_dirs_pattern($1, mscan_spool_t, mscan_spool_t)
- manage_files_pattern($1, mscan_spool_t, mscan_spool_t)
+ init_labeled_script_domtrans($1, mscan_initrc_exec_t)
')
########################################
##
-## All of the rules required to
-## administrate an mscan environment
+## All of the rules required to administrate
+## an mailscanner environment.
##
##
##
@@ -38,26 +36,26 @@ interface(`mscan_manage_spool_content',`
##
##
#
-interface(`mscan_admin',`
+interface(`mailscanner_admin',`
gen_require(`
- type mscan_t, mscan_etc_t, mscan_initrc_exec_t;
- type mscan_var_run_t, mscan_spool_t;
+ type mscan_t, mscan_var_run_t, mscan_etc_t;
+ type mscan_initrc_exec_t;
')
- allow $1 mscan_t:process { ptrace signal_perms };
- ps_process_pattern($1, mscan_t)
-
- init_labeled_script_domtrans($1, mscan_initrc_exec_t)
+ mailscanner_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 mscan_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ allow $1 mscan_t:process signal_perms;
+ ps_process_pattern($1, mscan_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mscan_t:process ptrace;
+ ')
+
admin_pattern($1, mscan_etc_t)
+ files_list_etc($1)
- files_search_pids($1)
admin_pattern($1, mscan_var_run_t)
-
- files_search_spool($1)
- admin_pattern($1, mscan_spool_t)
+ files_list_pids($1)
')
diff --git a/mailscanner.te b/mailscanner.te
index 6b6e2e1..9889cef 100644
--- a/mailscanner.te
+++ b/mailscanner.te
@@ -34,6 +34,7 @@ allow mscan_t self:process signal;
allow mscan_t self:fifo_file rw_fifo_file_perms;
read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
+list_dirs_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t)
files_pid_filetrans(mscan_t, mscan_var_run_t, file)
@@ -72,7 +73,6 @@ corenet_udp_sendrecv_all_ports(mscan_t)
dev_read_urand(mscan_t)
-files_read_usr_files(mscan_t)
fs_getattr_xattr_fs(mscan_t)
@@ -81,10 +81,9 @@ auth_use_nsswitch(mscan_t)
logging_send_syslog_msg(mscan_t)
-miscfiles_read_localization(mscan_t)
-
optional_policy(`
- clamav_domtrans_clamscan(mscan_t)
+ antivirus_domtrans(mscan_t)
+ antivirus_manage_pid(mscan_t)
')
optional_policy(`
@@ -97,5 +96,6 @@ optional_policy(`
')
optional_policy(`
+ spamassassin_read_home_client(mscan_t)
spamassassin_read_lib_files(mscan_t)
')
diff --git a/man2html.if b/man2html.if
index 54ec04d..fe43dea 100644
--- a/man2html.if
+++ b/man2html.if
@@ -1 +1,127 @@
## A Unix manpage-to-HTML converter.
+
+########################################
+##
+## Transition to httpd_man2html_script.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`httpd_man2html_script_domtrans',`
+ gen_require(`
+ type httpd_man2html_script_t, httpd_man2html_script_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, httpd_man2html_script_exec_t, httpd_man2html_script_t)
+')
+
+########################################
+##
+## Search httpd_man2html_script cache directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`httpd_man2html_script_search_cache',`
+ gen_require(`
+ type httpd_man2html_script_cache_t;
+ ')
+
+ allow $1 httpd_man2html_script_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+##
+## Read httpd_man2html_script cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`httpd_man2html_script_read_cache_files',`
+ gen_require(`
+ type httpd_man2html_script_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## httpd_man2html_script cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`httpd_man2html_script_manage_cache_files',`
+ gen_require(`
+ type httpd_man2html_script_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+')
+
+########################################
+##
+## Manage httpd_man2html_script cache dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`httpd_man2html_script_manage_cache_dirs',`
+ gen_require(`
+ type httpd_man2html_script_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an httpd_man2html_script environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`httpd_man2html_script_admin',`
+ gen_require(`
+ type httpd_man2html_script_t;
+ type httpd_man2html_script_cache_t;
+ ')
+
+ allow $1 httpd_man2html_script_t:process { ptrace signal_perms };
+ ps_process_pattern($1, httpd_man2html_script_t)
+
+ files_search_var($1)
+ admin_pattern($1, httpd_man2html_script_cache_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/man2html.te b/man2html.te
index e08c55d..9e634bd 100644
--- a/man2html.te
+++ b/man2html.te
@@ -5,22 +5,24 @@ policy_module(man2html, 1.0.0)
# Declarations
#
-apache_content_template(man2html)
type httpd_man2html_script_cache_t;
files_type(httpd_man2html_script_cache_t)
########################################
#
-# Local policy
+# httpd_man2html_script local policy
#
-manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir)
+optional_policy(`
-files_read_etc_files(httpd_man2html_script_t)
+ apache_content_template(man2html)
-miscfiles_read_localization(httpd_man2html_script_t)
-miscfiles_read_man_pages(httpd_man2html_script_t)
+ allow httpd_man2html_script_t self:process { fork };
+
+ manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+ manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+ manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+ files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file })
+
+')
diff --git a/mandb.fc b/mandb.fc
index 8ae78b5..16e55cd 100644
--- a/mandb.fc
+++ b/mandb.fc
@@ -1 +1,11 @@
+HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)
+
/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
+/opt/local/share/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
+
+/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0)
+
diff --git a/mandb.if b/mandb.if
index 327f3f7..4f61561 100644
--- a/mandb.if
+++ b/mandb.if
@@ -1,14 +1,14 @@
-## On-line manual database.
+
+## policy for mandb
########################################
##
-## Execute the mandb program in
-## the mandb domain.
+## Transition to mandb.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`mandb_domtrans',`
@@ -22,33 +22,45 @@ interface(`mandb_domtrans',`
########################################
##
-## Execute mandb in the mandb
-## domain, and allow the specified
-## role the mandb domain.
+## Search mandb cache directories.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
-##
+#
+interface(`mandb_search_cache',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ allow $1 mandb_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+##
+## Read mandb cache files.
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
#
-interface(`mandb_run',`
+interface(`mandb_read_cache_files',`
gen_require(`
- attribute_role mandb_roles;
+ type mandb_cache_t;
')
- lightsquid_domtrans($1)
- roleattribute $2 mandb_roles;
+ files_search_var($1)
+ read_files_pattern($1, mandb_cache_t, mandb_cache_t)
')
########################################
##
-## Search mandb cache directories.
+## Relabel mandb cache files/directories
##
##
##
@@ -56,13 +68,18 @@ interface(`mandb_run',`
##
##
#
-interface(`mandb_search_cache',`
- refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_relabel_cache',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ allow $1 mandb_cache_t:dir relabel_dir_perms;
+ allow $1 mandb_cache_t:file relabel_file_perms;
')
########################################
##
-## Delete mandb cache content.
+## Set attributes on mandb cache files.
##
##
##
@@ -70,13 +87,18 @@ interface(`mandb_search_cache',`
##
##
#
-interface(`mandb_delete_cache_content',`
- refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_setattr_cache_dirs',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 mandb_cache_t:dir setattr;
')
########################################
##
-## Read mandb cache content.
+## Delete mandb cache files.
##
##
##
@@ -84,8 +106,16 @@ interface(`mandb_delete_cache_content',`
##
##
#
-interface(`mandb_read_cache_content',`
- refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_delete_cache',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 mandb_cache_t:dir list_dir_perms;
+ delete_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
+ delete_files_pattern($1, mandb_cache_t, mandb_cache_t)
+ delete_lnk_files_pattern($1, mandb_cache_t, mandb_cache_t)
')
########################################
@@ -99,37 +129,82 @@ interface(`mandb_read_cache_content',`
##
##
#
-interface(`mandb_manage_cache_content',`
- refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_manage_cache_files',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, mandb_cache_t, mandb_cache_t)
+')
+
+########################################
+##
+## Manage mandb cache dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mandb_manage_cache_dirs',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
')
########################################
##
-## All of the rules required to
-## administrate an mandb environment.
+## Create configuration files in user
+## home directories with a named file
+## type transition.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`mandb_filetrans_named_home_content',`
+ gen_require(`
+ type mandb_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mandb_home_t, file, ".manpath")
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an mandb environment
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
interface(`mandb_admin',`
gen_require(`
- type mandb_t, mandb_cache_t;
+ type mandb_t;
+ type mandb_cache_t, mandb_lock_t;
')
allow $1 mandb_t:process { ptrace signal_perms };
ps_process_pattern($1, mandb_t)
- mandb_run($1, $2)
+ files_search_var($1)
+ admin_pattern($1, mandb_cache_t)
+
+ files_search_locks($1)
+ admin_pattern($1, mandb_lock_t)
- # pending
- # miscfiles_manage_man_cache_content(mandb_t)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/mandb.te b/mandb.te
index e6136fd..14e2c47 100644
--- a/mandb.te
+++ b/mandb.te
@@ -10,9 +10,18 @@ roleattribute system_r mandb_roles;
type mandb_t;
type mandb_exec_t;
-application_domain(mandb_t, mandb_exec_t)
+init_daemon_domain(mandb_t, mandb_exec_t)
role mandb_roles types mandb_t;
+type mandb_cache_t;
+files_type(mandb_cache_t)
+
+type mandb_home_t;
+userdom_user_home_content(mandb_home_t)
+
+type mandb_lock_t;
+files_lock_file(mandb_lock_t)
+
########################################
#
# Local policy
@@ -23,6 +32,18 @@ allow mandb_t self:process { setsched signal };
allow mandb_t self:fifo_file rw_fifo_file_perms;
allow mandb_t self:unix_stream_socket create_stream_socket_perms;
+manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })
+can_exec(mandb_t, mandb_exec_t)
+
+userdom_search_user_home_dirs(mandb_t)
+allow mandb_t mandb_home_t:file read_file_perms;
+
+allow mandb_t mandb_lock_t:file manage_file_perms;
+files_lock_filetrans(mandb_t, mandb_lock_t, file)
+
kernel_read_kernel_sysctls(mandb_t)
kernel_read_system_state(mandb_t)
@@ -33,11 +54,12 @@ dev_search_sysfs(mandb_t)
domain_use_interactive_fds(mandb_t)
-files_read_etc_files(mandb_t)
+files_search_locks(mandb_t)
+files_dontaudit_search_all_mountpoints(mandb_t)
miscfiles_manage_man_cache(mandb_t)
+miscfiles_setattr_man_pages(mandb_t)
miscfiles_read_man_pages(mandb_t)
-miscfiles_read_localization(mandb_t)
ifdef(`distro_debian',`
optional_policy(`
diff --git a/mcelog.if b/mcelog.if
index f89651e..ea89ab1 100644
--- a/mcelog.if
+++ b/mcelog.if
@@ -19,6 +19,25 @@ interface(`mcelog_domtrans',`
domtrans_pattern($1, mcelog_exec_t, mcelog_t)
')
+######################################
+##
+## Read mcelog logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcelog_read_log',`
+ gen_require(`
+ type mcelog_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, mcelog_var_log_t, mcelog_var_log_t)
+')
+
########################################
##
## All of the rules required to
diff --git a/mcelog.te b/mcelog.te
index 59b3b3d..494c4f3 100644
--- a/mcelog.te
+++ b/mcelog.te
@@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false)
##
gen_tunable(mcelog_server, false)
-##
-##
-## Determine whether mcelog can use syslog.
-##
-##
-gen_tunable(mcelog_syslog, false)
-
type mcelog_t;
type mcelog_exec_t;
init_daemon_domain(mcelog_t, mcelog_exec_t)
@@ -84,17 +77,21 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })
kernel_read_system_state(mcelog_t)
+corecmd_exec_shell(mcelog_t)
+corecmd_exec_bin(mcelog_t)
+
dev_read_raw_memory(mcelog_t)
dev_read_kmsg(mcelog_t)
dev_rw_sysfs(mcelog_t)
-
-files_read_etc_files(mcelog_t)
+dev_rw_cpu_microcode(mcelog_t)
mls_file_read_all_levels(mcelog_t)
+auth_use_nsswitch(mcelog_t)
+
locallogin_use_fds(mcelog_t)
-miscfiles_read_localization(mcelog_t)
+logging_send_syslog_msg(mcelog_t)
tunable_policy(`mcelog_client',`
allow mcelog_t self:unix_stream_socket connectto;
@@ -114,9 +111,6 @@ tunable_policy(`mcelog_server',`
allow mcelog_t self:unix_stream_socket { listen accept };
')
-tunable_policy(`mcelog_syslog',`
- logging_send_syslog_msg(mcelog_t)
-')
optional_policy(`
cron_system_entry(mcelog_t, mcelog_exec_t)
diff --git a/mcollective.fc b/mcollective.fc
new file mode 100644
index 0000000..821bf88
--- /dev/null
+++ b/mcollective.fc
@@ -0,0 +1,3 @@
+/etc/mcollective/facts\.yaml -- gen_context(system_u:object_r:mcollective_etc_rw_t,s0)
+
+/usr/libexec/mcollective/update_yaml\.rb -- gen_context(system_u:object_r:mcollective_exec_t,s0)
diff --git a/mcollective.if b/mcollective.if
new file mode 100644
index 0000000..3f433f1
--- /dev/null
+++ b/mcollective.if
@@ -0,0 +1,109 @@
+
+## policy for mcollective
+
+########################################
+##
+## Execute TEMPLATE in the mcollective domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mcollective_domtrans',`
+ gen_require(`
+ type mcollective_t, mcollective_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mcollective_exec_t, mcollective_t)
+')
+
+########################################
+##
+## Search mcollective conf directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcollective_search_conf',`
+ gen_require(`
+ type mcollective_etc_rw_t;
+ ')
+
+ allow $1 mcollective_etc_rw_t:dir search_dir_perms;
+ files_search_etc($1)
+')
+
+########################################
+##
+## Read mcollective conf files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcollective_read_conf_files',`
+ gen_require(`
+ type mcollective_etc_rw_t;
+ ')
+
+ allow $1 mcollective_etc_rw_t:dir list_dir_perms;
+ read_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
+ files_search_etc($1)
+')
+
+########################################
+##
+## Manage mcollective conf files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcollective_manage_conf_files',`
+ gen_require(`
+ type mcollective_etc_rw_t;
+ ')
+
+ manage_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
+ files_search_etc($1)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an mcollective environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcollective_admin',`
+ gen_require(`
+ type mcollective_t;
+ type mcollective_etc_rw_t;
+ ')
+
+ allow $1 mcollective_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mcollective_t)
+
+ files_search_etc($1)
+ admin_pattern($1, mcollective_etc_rw_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/mcollective.te b/mcollective.te
new file mode 100644
index 0000000..a04dd6b
--- /dev/null
+++ b/mcollective.te
@@ -0,0 +1,29 @@
+policy_module(mcollective, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mcollective_t;
+type mcollective_exec_t;
+init_daemon_domain(mcollective_t, mcollective_exec_t)
+cron_system_entry(mcollective_t, mcollective_exec_t)
+
+permissive mcollective_t;
+
+type mcollective_etc_rw_t;
+files_type(mcollective_etc_rw_t)
+
+########################################
+#
+# mcollective local policy
+#
+allow mcollective_t self:fifo_file rw_fifo_file_perms;
+allow mcollective_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(mcollective_t, mcollective_etc_rw_t, mcollective_etc_rw_t)
+files_etc_filetrans(mcollective_t, mcollective_etc_rw_t, file, "facts.yaml")
+
+domain_use_interactive_fds(mcollective_t)
+
diff --git a/mediawiki.if b/mediawiki.if
index 9771b4b..1c1d012 100644
--- a/mediawiki.if
+++ b/mediawiki.if
@@ -1 +1,40 @@
-## Open source wiki package written in PHP.
+## Mediawiki policy
+
+#######################################
+##
+## Allow the specified domain to read
+## mediawiki tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mediawiki_read_tmp_files',`
+ gen_require(`
+ type httpd_mediawiki_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+ read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+')
+
+#######################################
+##
+## Delete mediawiki tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mediawiki_delete_tmp_files',`
+ gen_require(`
+ type httpd_mediawiki_tmp_t;
+ ')
+
+ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+')
diff --git a/mediawiki.te b/mediawiki.te
index c528b9f..212712c 100644
--- a/mediawiki.te
+++ b/mediawiki.te
@@ -5,13 +5,16 @@ policy_module(mediawiki, 1.0.0)
# Declarations
#
-apache_content_template(mediawiki)
+optional_policy(`
+
+ apache_content_template(mediawiki)
########################################
#
# Local policy
#
-files_search_var_lib(httpd_mediawiki_script_t)
+ files_search_var_lib(httpd_mediawiki_script_t)
-miscfiles_read_tetex_data(httpd_mediawiki_script_t)
+ miscfiles_read_tetex_data(httpd_mediawiki_script_t)
+')
diff --git a/memcached.if b/memcached.if
index 1d4eb19..650014e 100644
--- a/memcached.if
+++ b/memcached.if
@@ -1,4 +1,4 @@
-## High-performance memory object caching system.
+## high-performance memory object caching system
########################################
##
@@ -12,17 +12,16 @@
#
interface(`memcached_domtrans',`
gen_require(`
- type memcached_t,memcached_exec_t;
+ type memcached_t;
+ type memcached_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, memcached_exec_t, memcached_t)
')
########################################
##
-## Create, read, write, and delete
-## memcached pid files.
+## Read memcached PID files.
##
##
##
@@ -30,18 +29,18 @@ interface(`memcached_domtrans',`
##
##
#
-interface(`memcached_manage_pid_files',`
+interface(`memcached_read_pid_files',`
gen_require(`
type memcached_var_run_t;
')
files_search_pids($1)
- manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
+ allow $1 memcached_var_run_t:file read_file_perms;
')
########################################
##
-## Read memcached pid files.
+## Manage memcached PID files
##
##
##
@@ -49,19 +48,18 @@ interface(`memcached_manage_pid_files',`
##
##
#
-interface(`memcached_read_pid_files',`
+interface(`memcached_manage_pid_files',`
gen_require(`
type memcached_var_run_t;
')
files_search_pids($1)
- allow $1 memcached_var_run_t:file read_file_perms;
+ manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
')
########################################
##
-## Connect to memcached using a unix
-## domain stream socket.
+## Connect to memcached over a unix stream socket.
##
##
##
@@ -80,29 +78,8 @@ interface(`memcached_stream_connect',`
########################################
##
-## Connect to memcache over the network.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`memcached_tcp_connect',`
- gen_require(`
- type memcached_t;
- ')
-
- corenet_sendrecv_memcache_client_packets($1)
- corenet_tcp_connect_memcache_port($1)
- corenet_tcp_recvfrom_labeled($1, memcached_t)
- corenet_tcp_sendrecv_memcache_port($1)
-')
-
-########################################
-##
-## All of the rules required to
-## administrate an memcached environment.
+## All of the rules required to administrate
+## an memcached environment
##
##
##
@@ -111,7 +88,7 @@ interface(`memcached_tcp_connect',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the memcached domain.
##
##
##
@@ -121,14 +98,17 @@ interface(`memcached_admin',`
type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
')
- allow $1 memcached_t:process { ptrace signal_perms };
+ allow $1 memcached_t:process signal_perms;
ps_process_pattern($1, memcached_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 memcached_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, memcached_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 memcached_initrc_exec_t system_r;
allow $2 system_r;
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, memcached_var_run_t)
')
diff --git a/memcached.te b/memcached.te
index 29b7521..68ec663 100644
--- a/memcached.te
+++ b/memcached.te
@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
# Local policy
#
-allow memcached_t self:capability { setuid setgid };
+allow memcached_t self:capability { setuid setgid sys_resource };
dontaudit memcached_t self:capability sys_tty_config;
allow memcached_t self:process { setrlimit signal_perms };
allow memcached_t self:tcp_socket { accept listen };
@@ -59,4 +59,3 @@ term_dontaudit_use_console(memcached_t)
auth_use_nsswitch(memcached_t)
-miscfiles_read_localization(memcached_t)
diff --git a/milter.fc b/milter.fc
index 89409eb..67e42f6 100644
--- a/milter.fc
+++ b/milter.fc
@@ -1,18 +1,29 @@
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendmarc -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
-/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
-/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
-/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
/var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/spool/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/milter.if b/milter.if
index cba62db..562833a 100644
--- a/milter.if
+++ b/milter.if
@@ -1,47 +1,43 @@
-## Milter mail filters.
+## Milter mail filters
-#######################################
+########################################
##
-## The template to define a milter domain.
+## Create a set of derived types for various
+## mail filter applications using the milter interface.
##
-##
+##
##
-## Domain prefix to be used.
+## The name to be used for deriving type names.
##
##
#
template(`milter_template',`
+ # attributes common to all milters
gen_require(`
attribute milter_data_type, milter_domains;
')
- ########################################
- #
- # Declarations
- #
-
type $1_milter_t, milter_domains;
type $1_milter_exec_t;
init_daemon_domain($1_milter_t, $1_milter_exec_t)
+ role system_r types $1_milter_t;
+ # Type for the milter data (e.g. the socket used to communicate with the MTA)
type $1_milter_data_t, milter_data_type;
files_pid_file($1_milter_data_t)
- ########################################
- #
- # Policy
- #
+ # Allow communication with MTA over a unix-domain socket
+ manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+ # Create other data files and directories in the data directory
manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
- manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
- auth_use_nsswitch($1_milter_t)
+ logging_send_syslog_msg($1_milter_t)
')
########################################
##
-## connect to all milter domains using
-## a unix domain stream socket.
+## MTA communication with milter sockets
##
##
##
@@ -55,12 +51,13 @@ interface(`milter_stream_connect_all',`
')
files_search_pids($1)
+ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
')
########################################
##
-## Get attributes of all milter sock files.
+## Allow getattr of milter sockets
##
##
##
@@ -73,13 +70,31 @@ interface(`milter_getattr_all_sockets',`
attribute milter_data_type;
')
+ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
')
########################################
##
-## Create, read, write, and delete
-## spamassissin milter data content.
+## Allow setattr of milter dirs
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_setattr_all_dirs',`
+ gen_require(`
+ attribute milter_data_type;
+ ')
+
+ setattr_dirs_pattern($1, milter_data_type, milter_data_type)
+')
+
+########################################
+##
+## Manage spamassassin milter state
##
##
##
@@ -97,3 +112,22 @@ interface(`milter_manage_spamass_state',`
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
')
+
+#######################################
+##
+## Delete dkim-milter PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_delete_dkim_pid_files',`
+ gen_require(`
+ type dkim_milter_data_t;
+ ')
+
+ files_search_pids($1)
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/milter.te b/milter.te
index 4dc99f4..22dbcb9 100644
--- a/milter.te
+++ b/milter.te
@@ -5,73 +5,113 @@ policy_module(milter, 1.5.0)
# Declarations
#
+# attributes common to all milters
attribute milter_domains;
attribute milter_data_type;
+# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter
+milter_template(dkim)
+
+# type for the private key of dkim-milter
+type dkim_milter_private_key_t;
+files_type(dkim_milter_private_key_t)
+
+type dkim_milter_tmp_t;
+files_tmp_file(dkim_milter_tmp_t)
+
+# currently-supported milters are milter-greylist, milter-regex and spamass-milter
milter_template(greylist)
milter_template(regex)
milter_template(spamass)
+# Type for the spamass-milter home directory, under which spamassassin will
+# store system-wide preferences, bayes databases etc. if not configured to
+# use per-user configuration
type spamass_milter_state_t;
files_type(spamass_milter_state_t)
+
#######################################
#
-# Common local policy
+# milter domains local policy
#
+# Allow communication with MTA over a unix-domain socket
+# Note: usage with TCP sockets requires additional policy
+
allow milter_domains self:fifo_file rw_fifo_file_perms;
-allow milter_domains self:tcp_socket { accept listen };
+
+# Allow communication with MTA over a TCP socket
+allow milter_domains self:tcp_socket create_stream_socket_perms;
kernel_dontaudit_read_system_state(milter_domains)
-corenet_all_recvfrom_unlabeled(milter_domains)
-corenet_all_recvfrom_netlabel(milter_domains)
-corenet_tcp_sendrecv_generic_if(milter_domains)
-corenet_tcp_sendrecv_generic_node(milter_domains)
corenet_tcp_bind_generic_node(milter_domains)
-
corenet_tcp_bind_milter_port(milter_domains)
-corenet_tcp_sendrecv_all_ports(milter_domains)
-miscfiles_read_localization(milter_domains)
+dev_read_rand(milter_domains)
+dev_read_urand(milter_domains)
+
+mta_read_config(milter_domains)
+
+sysnet_read_config(greylist_milter_t)
+
+#######################################
+#
+# dkim-milter local policy
+#
+
+allow dkim_milter_t self:capability { kill setgid setuid };
+allow dkim_milter_t self:process signal;
+allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
-logging_send_syslog_msg(milter_domains)
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+
+manage_files_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
+manage_dirs_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
+files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, { dir file })
+
+kernel_read_kernel_sysctls(dkim_milter_t)
+
+auth_use_nsswitch(dkim_milter_t)
+
+sysnet_dns_name_resolve(dkim_milter_t)
########################################
#
-# greylist local policy
+# milter-greylist local policy
+# ensure smtp clients retry mail like real MTAs and not spamware
+# http://hcpnet.free.fr/milter-greylist/
#
+# It removes any existing socket (not owned by root) whilst running as root,
+# fixes permissions, renices itself and then calls setgid() and setuid() to
+# drop privileges
allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
allow greylist_milter_t self:process { setsched getsched };
+allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
+
+# It creates a pid file /var/run/milter-greylist.pid
files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
kernel_read_kernel_sysctls(greylist_milter_t)
-corenet_sendrecv_movaz_ssc_server_packets(greylist_milter_t)
-corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
-corenet_sendrecv_movaz_ssc_client_packets(greylist_milter_t)
-corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
-corenet_tcp_sendrecv_movaz_ssc_port(greylist_milter_t)
-
-corenet_sendrecv_kismet_server_packets(greylist_milter_t)
-corenet_tcp_bind_kismet_port(greylist_milter_t)
-corenet_tcp_sendrecv_kismet_port(greylist_milter_t)
-
corecmd_exec_bin(greylist_milter_t)
corecmd_exec_shell(greylist_milter_t)
-dev_read_rand(greylist_milter_t)
-dev_read_urand(greylist_milter_t)
+corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
+corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
+corenet_tcp_bind_rtsclient_port(greylist_milter_t)
-files_read_usr_files(greylist_milter_t)
+# perl getgroups() reads a bunch of files in /etc
+# Allow the milter to read a GeoIP database in /usr/share
+# The milter runs from /var/lib/milter-greylist and maintains files there
files_search_var_lib(greylist_milter_t)
-mta_read_config(greylist_milter_t)
-
-miscfiles_read_localization(greylist_milter_t)
+# Look up username for dropping privs
+auth_use_nsswitch(greylist_milter_t)
optional_policy(`
mysql_stream_connect(greylist_milter_t)
@@ -79,30 +119,45 @@ optional_policy(`
########################################
#
-# regex local policy
+# milter-regex local policy
+# filter emails using regular expressions
+# http://www.benzedrine.cx/milter-regex.html
#
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
allow regex_milter_t self:capability { setuid setgid dac_override };
+# The milter's socket directory lives under /var/spool
files_search_spool(regex_milter_t)
-mta_read_config(regex_milter_t)
+# Look up username for dropping privs
+auth_use_nsswitch(regex_milter_t)
########################################
#
-# spamass local policy
+# spamass-milter local policy
+# pipe emails through SpamAssassin
+# http://savannah.nongnu.org/projects/spamass-milt/
#
+# The milter runs from /var/lib/spamass-milter
allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+files_search_var_lib(spamass_milter_t)
kernel_read_system_state(spamass_milter_t)
+# When used with -b or -B options, the milter invokes sendmail to send mail
+# to a spamtrap address, using popen()
corecmd_exec_shell(spamass_milter_t)
+corecmd_read_bin_symlinks(spamass_milter_t)
+corecmd_search_bin(spamass_milter_t)
-files_search_var_lib(spamass_milter_t)
+auth_use_nsswitch(spamass_milter_t)
mta_send_mail(spamass_milter_t)
+# The main job of the milter is to pipe spam through spamc and act on the result
optional_policy(`
spamassassin_domtrans_client(spamass_milter_t)
')
diff --git a/minissdpd.if b/minissdpd.if
index b330161..5450937 100644
--- a/minissdpd.if
+++ b/minissdpd.if
@@ -39,10 +39,10 @@ interface(`minissdpd_read_config',`
interface(`minissdpd_admin',`
gen_require(`
type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t;
- type minissdpd_var_run_t
+ type minissdpd_var_run_t;
')
- allow $1 minissdpd_t:process { ptrace signal_perms };
+ allow $1 minissdpd_t:process { signal_perms };
ps_process_pattern($1, minissdpd_t)
init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
diff --git a/mip6d.fc b/mip6d.fc
new file mode 100644
index 0000000..767bbad
--- /dev/null
+++ b/mip6d.fc
@@ -0,0 +1,3 @@
+/usr/lib/systemd/system/mip6d.* -- gen_context(system_u:object_r:mip6d_unit_file_t,s0)
+
+/usr/sbin/mip6d -- gen_context(system_u:object_r:mip6d_exec_t,s0)
diff --git a/mip6d.if b/mip6d.if
new file mode 100644
index 0000000..9e2bf1b
--- /dev/null
+++ b/mip6d.if
@@ -0,0 +1,80 @@
+
+## Mobile IPv6 and NEMO Basic Support implementation
+
+########################################
+##
+## Execute TEMPLATE in the mip6d domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mip6d_domtrans',`
+ gen_require(`
+ type mip6d_t, mip6d_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mip6d_exec_t, mip6d_t)
+')
+########################################
+##
+## Execute mip6d server in the mip6d domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mip6d_systemctl',`
+ gen_require(`
+ type mip6d_t;
+ type mip6d_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 mip6d_unit_file_t:file read_file_perms;
+ allow $1 mip6d_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, mip6d_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an mip6d environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`mip6d_admin',`
+ gen_require(`
+ type mip6d_t;
+ type mip6d_unit_file_t;
+ ')
+
+ allow $1 mip6d_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mip6d_t)
+
+ mip6d_systemctl($1)
+ admin_pattern($1, mip6d_unit_file_t)
+ allow $1 mip6d_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/mip6d.te b/mip6d.te
new file mode 100644
index 0000000..1d34063
--- /dev/null
+++ b/mip6d.te
@@ -0,0 +1,33 @@
+policy_module(mip6d, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mip6d_t;
+type mip6d_exec_t;
+init_daemon_domain(mip6d_t, mip6d_exec_t)
+
+type mip6d_unit_file_t;
+systemd_unit_file(mip6d_unit_file_t)
+
+########################################
+#
+# mip6d local policy
+#
+allow mip6d_t self:capability { net_admin net_raw };
+allow mip6d_t self:process { fork signal };
+allow mip6d_t self:netlink_route_socket create_netlink_socket_perms;
+allow mip6d_t self:netlink_xfrm_socket create_netlink_socket_perms;
+allow mip6d_t self:rawip_socket create_socket_perms;
+allow mip6d_t self:udp_socket create_socket_perms;
+allow mip6d_t self:fifo_file rw_fifo_file_perms;
+allow mip6d_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_rw_net_sysctls(mip6d_t)
+kernel_read_network_state(mip6d_t)
+kernel_request_load_module(mip6d_t)
+
+logging_send_syslog_msg(mip6d_t)
+
diff --git a/mock.fc b/mock.fc
new file mode 100644
index 0000000..8d0e473
--- /dev/null
+++ b/mock.fc
@@ -0,0 +1,5 @@
+
+/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
+
+/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
diff --git a/mock.if b/mock.if
new file mode 100644
index 0000000..6568bfe
--- /dev/null
+++ b/mock.if
@@ -0,0 +1,310 @@
+## policy for mock
+
+########################################
+##
+## Execute a domain transition to run mock.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mock_domtrans',`
+ gen_require(`
+ type mock_t, mock_exec_t;
+ ')
+
+ domtrans_pattern($1, mock_exec_t, mock_t)
+')
+
+########################################
+##
+## Search mock lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_search_lib',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ allow $1 mock_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read mock lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_read_lib_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+##
+## Getattr on mock lib file,dir,sock_file ...
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_getattr_lib',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ allow $1 mock_var_lib_t:dir_file_class_set getattr;
+')
+
+########################################
+##
+## Create, read, write, and delete
+## mock lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_manage_lib_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+##
+## Manage mock lib dirs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_manage_lib_dirs',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+#########################################
+##
+## Manage mock lib symlinks.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_manage_lib_symlinks',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+##
+## Manage mock lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_manage_lib_chr_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+##
+## Manage mock lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_dontaudit_write_lib_chr_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ dontaudit $1 mock_var_lib_t:chr_file write;
+')
+
+#######################################
+##
+## Dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`mock_dontaudit_leaks',`
+ gen_require(`
+ type mock_tmp_t;
+ ')
+
+ dontaudit $1 mock_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
+## Execute mock in the mock domain, and
+## allow the specified role the mock domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the mock domain.
+##
+##
+##
+#
+interface(`mock_run',`
+ gen_require(`
+ type mock_t;
+ type mock_build_t;
+ ')
+
+ mock_domtrans($1)
+ role $2 types mock_t;
+ role $2 types mock_build_t;
+
+ mount_run(mock_t, $2)
+')
+
+########################################
+##
+## Role access for mock
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+##
+#
+interface(`mock_role',`
+ gen_require(`
+ type mock_t;
+ ')
+
+ role $1 types mock_t;
+
+ mock_run($2, $1)
+
+ ps_process_pattern($2, mock_t)
+ allow $2 mock_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 mock_t:process ptrace;
+ ')
+
+ optional_policy(`
+ mock_read_lib_files($2)
+ ')
+')
+
+#######################################
+##
+## Send a generic signal to mock.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_signal',`
+ gen_require(`
+ type mock_t;
+ ')
+
+ allow $1 mock_t:process signal;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an mock environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mock_admin',`
+ gen_require(`
+ type mock_t, mock_var_lib_t;
+ type mock_build_t, mock_etc_t, mock_tmp_t;
+ ')
+
+ allow $1 mock_t:process signal_perms;
+ ps_process_pattern($1, mock_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mock_t:process ptrace;
+ allow $1 mock_build_t:process ptrace;
+ ')
+
+ allow $1 mock_build_t:process signal_perms;
+ ps_process_pattern($1, mock_build_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, mock_var_lib_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, mock_tmp_t)
+
+ files_search_etc($1)
+ admin_pattern($1, mock_etc_t)
+')
diff --git a/mock.te b/mock.te
new file mode 100644
index 0000000..7245033
--- /dev/null
+++ b/mock.te
@@ -0,0 +1,273 @@
+policy_module(mock,1.0.0)
+
+##
+##
+## Allow mock to read files in home directories.
+##
+##
+gen_tunable(mock_enable_homedirs, false)
+
+########################################
+#
+# Declarations
+#
+
+type mock_t;
+type mock_exec_t;
+application_domain(mock_t, mock_exec_t)
+domain_role_change_exemption(mock_t)
+domain_system_change_exemption(mock_t)
+role system_r types mock_t;
+
+type mock_build_t;
+type mock_build_exec_t;
+application_domain(mock_build_t, mock_build_exec_t)
+role system_r types mock_build_t;
+
+type mock_cache_t;
+files_type(mock_cache_t)
+
+type mock_tmp_t;
+files_tmp_file(mock_tmp_t)
+
+type mock_var_lib_t;
+files_type(mock_var_lib_t)
+
+type mock_var_run_t;
+files_pid_file(mock_var_run_t)
+
+type mock_etc_t;
+files_config_file(mock_etc_t)
+
+########################################
+#
+# mock local policy
+#
+
+allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
+allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
+# Needed because mock can run java and mono withing build environment
+allow mock_t self:process { execmem execstack };
+dontaudit mock_t self:process { siginh noatsecure rlimitinh };
+allow mock_t self:fifo_file manage_fifo_file_perms;
+allow mock_t self:unix_stream_socket create_stream_socket_perms;
+allow mock_t self:unix_dgram_socket create_socket_perms;
+
+allow mock_t mock_build_t:process { siginh noatsecure rlimitinh };
+
+manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t)
+files_var_filetrans(mock_t, mock_cache_t, { dir file } )
+
+read_files_pattern(mock_t, mock_etc_t, mock_etc_t)
+read_lnk_files_pattern(mock_t, mock_etc_t, mock_etc_t)
+
+manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+manage_lnk_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file })
+allow mock_t mock_var_lib_t:dir mounton;
+allow mock_t mock_var_lib_t:dir relabel_dir_perms;
+allow mock_t mock_var_lib_t:file relabel_file_perms;
+
+manage_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
+manage_dirs_pattern(mock_t, mock_var_run_t, mock_var_run_t)
+manage_sock_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
+manage_lnk_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
+files_pid_filetrans(mock_t, mock_var_run_t, { file dir sock_file })
+
+kernel_read_irq_sysctls(mock_t)
+kernel_read_system_state(mock_t)
+kernel_read_network_state(mock_t)
+kernel_read_kernel_sysctls(mock_t)
+kernel_request_load_module(mock_t)
+kernel_dontaudit_setattr_proc_dirs(mock_t)
+kernel_read_fs_sysctls(mock_t)
+# we run mount in mock_t
+kernel_mount_proc(mock_t)
+kernel_unmount_proc(mock_t)
+
+fs_mount_tmpfs(mock_t)
+fs_unmount_tmpfs(mock_t)
+fs_unmount_xattr_fs(mock_t)
+
+corecmd_exec_bin(mock_t)
+corecmd_exec_shell(mock_t)
+corecmd_dontaudit_exec_all_executables(mock_t)
+
+corenet_tcp_connect_git_port(mock_t)
+corenet_tcp_connect_http_port(mock_t)
+corenet_tcp_connect_ftp_port(mock_t)
+corenet_tcp_connect_all_ephemeral_ports(mock_t)
+
+dev_read_urand(mock_t)
+dev_rw_sysfs(mock_t)
+dev_setattr_sysfs_dirs(mock_t)
+dev_mount_sysfs_fs(mock_t)
+dev_unmount_sysfs_fs(mock_t)
+
+domain_read_all_domains_state(mock_t)
+domain_use_interactive_fds(mock_t)
+
+files_read_etc_runtime_files(mock_t)
+files_dontaudit_list_boot(mock_t)
+files_list_isid_type_dirs(mock_t)
+
+fs_getattr_all_fs(mock_t)
+fs_manage_cgroup_dirs(mock_t)
+fs_search_all(mock_t)
+fs_setattr_tmpfs_dirs(mock_t)
+
+selinux_get_enforce_mode(mock_t)
+
+term_search_ptys(mock_t)
+term_mount_pty_fs(mock_t)
+term_unmount_pty_fs(mock_t)
+
+auth_use_nsswitch(mock_t)
+
+init_exec(mock_t)
+init_dontaudit_stream_connect(mock_t)
+
+libs_exec_ldconfig(mock_t)
+
+logging_send_audit_msgs(mock_t)
+logging_send_syslog_msg(mock_t)
+
+userdom_use_user_ptys(mock_t)
+
+files_search_home(mock_t)
+
+tunable_policy(`mock_enable_homedirs',`
+ userdom_manage_user_home_content_dirs(mock_t)
+ userdom_manage_user_home_content_files(mock_t)
+')
+
+tunable_policy(`mock_enable_homedirs && use_nfs_home_dirs',`
+ rpc_search_nfs_state_data(mock_t)
+ fs_list_auto_mountpoints(mock_t)
+ fs_manage_nfs_files(mock_t)
+')
+
+tunable_policy(`mock_enable_homedirs && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mock_t)
+ fs_read_cifs_files(mock_t)
+ fs_manage_cifs_files(mock_t)
+')
+
+optional_policy(`
+ abrt_read_spool_retrace(mock_t)
+ abrt_read_cache_retrace(mock_t)
+ abrt_stream_connect(mock_t)
+')
+
+optional_policy(`
+ apache_read_sys_content_rw_files(mock_t)
+')
+
+optional_policy(`
+ rpm_exec(mock_t)
+ rpm_manage_cache(mock_t)
+ rpm_manage_db(mock_t)
+ rpm_manage_tmp_files(mock_t)
+ rpm_read_log(mock_t)
+')
+
+optional_policy(`
+ mount_exec(mock_t)
+ mount_rw_pid_files(mock_t)
+')
+
+
+########################################
+#
+# mock_build local policy
+#
+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
+dontaudit mock_build_t self:capability audit_write;
+allow mock_build_t self:process { fork setsched setpgid signal_perms };
+allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+# Needed because mock can run java and mono withing build environment
+allow mock_build_t self:process { execmem execstack };
+dontaudit mock_build_t self:process { siginh noatsecure rlimitinh };
+allow mock_build_t self:fifo_file manage_fifo_file_perms;
+allow mock_build_t self:unix_stream_socket create_stream_socket_perms;
+allow mock_build_t self:unix_dgram_socket create_socket_perms;
+allow mock_build_t self:dir list_dir_perms;
+allow mock_build_t self:dir read_file_perms;
+
+ps_process_pattern(mock_t, mock_build_t)
+allow mock_t mock_build_t:process signal_perms;
+domtrans_pattern(mock_t, mock_build_exec_t, mock_build_t)
+domtrans_pattern(mock_t, mock_tmp_t, mock_build_t)
+domain_entry_file(mock_build_t, mock_tmp_t)
+domtrans_pattern(mock_t, mock_var_lib_t, mock_build_t)
+domain_entry_file(mock_build_t, mock_var_lib_t)
+
+manage_dirs_pattern(mock_build_t, mock_cache_t, mock_cache_t)
+manage_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
+manage_lnk_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
+files_var_filetrans(mock_build_t, mock_cache_t, { dir file } )
+
+manage_dirs_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
+manage_files_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
+files_tmp_filetrans(mock_build_t, mock_tmp_t, { dir file })
+can_exec(mock_build_t, mock_tmp_t)
+
+manage_dirs_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_lnk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_blk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_chr_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+files_var_lib_filetrans(mock_build_t, mock_var_lib_t, { dir file })
+can_exec(mock_build_t, mock_var_lib_t)
+allow mock_build_t mock_var_lib_t:dir mounton;
+allow mock_build_t mock_var_lib_t:dir relabel_dir_perms;
+allow mock_build_t mock_var_lib_t:file relabel_file_perms;
+
+kernel_list_proc(mock_build_t)
+kernel_read_irq_sysctls(mock_build_t)
+kernel_read_system_state(mock_build_t)
+kernel_read_network_state(mock_build_t)
+kernel_read_kernel_sysctls(mock_build_t)
+kernel_request_load_module(mock_build_t)
+kernel_dontaudit_setattr_proc_dirs(mock_build_t)
+
+corecmd_exec_bin(mock_build_t)
+corecmd_exec_shell(mock_build_t)
+corecmd_dontaudit_exec_all_executables(mock_build_t)
+
+dev_getattr_all_chr_files(mock_build_t)
+dev_dontaudit_list_all_dev_nodes(mock_build_t)
+dev_dontaudit_getattr_all(mock_build_t)
+fs_getattr_all_dirs(mock_build_t)
+dev_read_sysfs(mock_build_t)
+
+domain_dontaudit_read_all_domains_state(mock_build_t)
+domain_use_interactive_fds(mock_build_t)
+
+files_dontaudit_list_boot(mock_build_t)
+
+fs_getattr_all_fs(mock_build_t)
+fs_manage_cgroup_dirs(mock_build_t)
+
+selinux_get_enforce_mode(mock_build_t)
+
+auth_use_nsswitch(mock_build_t)
+
+init_exec(mock_build_t)
+init_dontaudit_stream_connect(mock_build_t)
+
+libs_exec_ldconfig(mock_build_t)
+
+tunable_policy(`mock_enable_homedirs',`
+ userdom_read_user_home_content_files(mock_build_t)
+')
diff --git a/modemmanager.fc b/modemmanager.fc
index a83894c..481dca3 100644
--- a/modemmanager.fc
+++ b/modemmanager.fc
@@ -1 +1,4 @@
/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+/usr/sbin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+
+/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0)
diff --git a/modemmanager.if b/modemmanager.if
index b1ac8b5..9b22bea 100644
--- a/modemmanager.if
+++ b/modemmanager.if
@@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',`
########################################
##
+## Execute modemmanager server in the modemmanager domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`modemmanager_systemctl',`
+ gen_require(`
+ type modemmanager_t;
+ type modemmanager_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 modemmanager_unit_file_t:file read_file_perms;
+ allow $1 modemmanager_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, modemmanager_t)
+')
+
+########################################
+##
## Send and receive messages from
## modemmanager over dbus.
##
@@ -39,3 +63,33 @@ interface(`modemmanager_dbus_chat',`
allow $1 modemmanager_t:dbus send_msg;
allow modemmanager_t $1:dbus send_msg;
')
+
+########################################
+##
+## All of the rules required to administrate
+## an modemmanager environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`modemmanager_admin',`
+ gen_require(`
+ type modemmanager_t;
+ type modemmanager_unit_file_t;
+ ')
+
+ allow $1 modemmanager_t:process { ptrace signal_perms };
+ ps_process_pattern($1, modemmanager_t)
+
+ modemmanager_systemctl($1)
+ admin_pattern($1, modemmanager_unit_file_t)
+ allow $1 modemmanager_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
index d15eb5b..a0dae5e 100644
--- a/modemmanager.te
+++ b/modemmanager.te
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
typealias modemmanager_t alias ModemManager_t;
typealias modemmanager_exec_t alias ModemManager_exec_t;
+type modemmanager_unit_file_t;
+systemd_unit_file(modemmanager_unit_file_t)
+
########################################
#
# Local policy
@@ -27,12 +30,12 @@ kernel_read_system_state(modemmanager_t)
dev_read_sysfs(modemmanager_t)
dev_rw_modem(modemmanager_t)
-files_read_etc_files(modemmanager_t)
term_use_generic_ptys(modemmanager_t)
term_use_unallocated_ttys(modemmanager_t)
+term_use_usb_ttys(modemmanager_t)
-miscfiles_read_localization(modemmanager_t)
+xserver_read_state_xdm(modemmanager_t)
logging_send_syslog_msg(modemmanager_t)
diff --git a/mojomojo.if b/mojomojo.if
index 73952f4..b19a6ee 100644
--- a/mojomojo.if
+++ b/mojomojo.if
@@ -15,7 +15,6 @@
## Role allowed access.
##
##
-##
#
interface(`mojomojo_admin',`
refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.')
diff --git a/mojomojo.te b/mojomojo.te
index b94102e..9556487 100644
--- a/mojomojo.te
+++ b/mojomojo.te
@@ -5,21 +5,41 @@ policy_module(mojomojo, 1.1.0)
# Declarations
#
-apache_content_template(mojomojo)
+type httpd_mojomojo_tmp_t;
+files_tmp_file(httpd_mojomojo_tmp_t)
########################################
#
# Local policy
#
-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+optional_policy(`
+ apache_content_template(mojomojo)
-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
-corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
+ allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
-files_search_var_lib(httpd_mojomojo_script_t)
+ manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
+ manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
+ files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
-sysnet_dns_name_resolve(httpd_mojomojo_script_t)
+ corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
+ corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
+ corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
+ corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
+ corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
-mta_send_mail(httpd_mojomojo_script_t)
+ files_search_var_lib(httpd_mojomojo_script_t)
+
+ sysnet_dns_name_resolve(httpd_mojomojo_script_t)
+
+ mta_send_mail(httpd_mojomojo_script_t)
+
+ optional_policy(`
+ mysql_stream_connect(httpd_mojomojo_script_t)
+ ')
+
+ optional_policy(`
+ postgresql_stream_connect(httpd_mojomojo_script_t)
+ ')
+')
diff --git a/mongodb.te b/mongodb.te
index 169f236..9faddc2 100644
--- a/mongodb.te
+++ b/mongodb.te
@@ -49,13 +49,11 @@ corenet_all_recvfrom_unlabeled(mongod_t)
corenet_all_recvfrom_netlabel(mongod_t)
corenet_tcp_sendrecv_generic_if(mongod_t)
corenet_tcp_sendrecv_generic_node(mongod_t)
+corenet_tcp_connect_mongod_port(mongod_t)
corenet_tcp_bind_generic_node(mongod_t)
dev_read_sysfs(mongod_t)
dev_read_urand(mongod_t)
-files_read_etc_files(mongod_t)
-
fs_getattr_all_fs(mongod_t)
-miscfiles_read_localization(mongod_t)
diff --git a/mono.te b/mono.te
index a6a8643..c0f6cf5 100644
--- a/mono.te
+++ b/mono.te
@@ -28,7 +28,7 @@ allow mono_domain self:process { signal getsched execheap execmem execstack };
# local policy
#
-userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(mono_t)
init_dbus_chat_script(mono_t)
diff --git a/monop.if b/monop.if
index 8fdaece..5440757 100644
--- a/monop.if
+++ b/monop.if
@@ -31,7 +31,7 @@ interface(`monop_admin',`
role_transition $2 monopd_initrc_exec_t system_r;
allow $2 system_r;
- logging_search_etc($1)
+ logging_search_logs($1)
admin_pattern($1, monopd_etc_t)
files_search_pids($1)
diff --git a/monop.te b/monop.te
index 5f93763..8596763 100644
--- a/monop.te
+++ b/monop.te
@@ -43,7 +43,6 @@ kernel_read_kernel_sysctls(monopd_t)
kernel_list_proc(monopd_t)
kernel_read_proc_symlinks(monopd_t)
-corenet_all_recvfrom_unlabeled(monopd_t)
corenet_all_recvfrom_netlabel(monopd_t)
corenet_tcp_sendrecv_generic_if(monopd_t)
corenet_tcp_sendrecv_generic_node(monopd_t)
@@ -57,15 +56,11 @@ dev_read_sysfs(monopd_t)
domain_use_interactive_fds(monopd_t)
-files_read_etc_files(monopd_t)
-
fs_getattr_all_fs(monopd_t)
fs_search_auto_mountpoints(monopd_t)
logging_send_syslog_msg(monopd_t)
-miscfiles_read_localization(monopd_t)
-
sysnet_dns_name_resolve(monopd_t)
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/motion.fc b/motion.fc
new file mode 100644
index 0000000..7415106
--- /dev/null
+++ b/motion.fc
@@ -0,0 +1,9 @@
+/usr/bin/motion -- gen_context(system_u:object_r:motion_exec_t,s0)
+
+/usr/lib/systemd/system/motion.* -- gen_context(system_u:object_r:motion_unit_file_t,s0)
+
+/var/log/motion\.log.* -- gen_context(system_u:object_r:motion_log_t,s0)
+
+/var/run/motion\.pid -- gen_context(system_u:object_r:motion_var_run_t,s0)
+
+/var/motion(/.*)? gen_context(system_u:object_r:motion_data_t,s0)
diff --git a/motion.if b/motion.if
new file mode 100644
index 0000000..1b1b04c
--- /dev/null
+++ b/motion.if
@@ -0,0 +1,193 @@
+
+## Detect motion using a video4linux device
+
+########################################
+##
+## Execute TEMPLATE in the motion domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`motion_domtrans',`
+ gen_require(`
+ type motion_t, motion_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, motion_exec_t, motion_t)
+')
+########################################
+##
+## Read motion's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`motion_read_log',`
+ gen_require(`
+ type motion_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, motion_log_t, motion_log_t)
+')
+
+########################################
+##
+## Append to motion log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`motion_append_log',`
+ gen_require(`
+ type motion_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, motion_log_t, motion_log_t)
+')
+
+########################################
+##
+## Manage motion log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`motion_manage_log',`
+ gen_require(`
+ type motion_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, motion_log_t, motion_log_t)
+ manage_files_pattern($1, motion_log_t, motion_log_t)
+ manage_lnk_files_pattern($1, motion_log_t, motion_log_t)
+')
+
+########################################
+##
+## Manage motion pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`motion_manage_pid',`
+ gen_require(`
+ type motion_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, motion_var_run_t, motion_var_run_t)
+ manage_files_pattern($1, motion_var_run_t, motion_var_run_t)
+')
+
+########################################
+##
+## Manage motion data files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`motion_manage_data',`
+ gen_require(`
+ type motion_data_t;
+ ')
+
+ manage_dirs_pattern($1, motion_data_t, motion_data_t)
+ manage_files_pattern($1, motion_data_t, motion_data_t)
+')
+
+########################################
+##
+## Execute motion server in the motion domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`motion_systemctl',`
+ gen_require(`
+ type motion_t;
+ type motion_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 motion_unit_file_t:file read_file_perms;
+ allow $1 motion_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, motion_t)
+')
+
+########################################
+##
+## Manage all motion files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`motion_manage_all_files',`
+
+ motion_manage_log($1)
+ motion_manage_pid($1)
+ motion_manage_data($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an motion environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`motion_admin',`
+ gen_require(`
+ type motion_t;
+ type motion_log_t;
+ type motion_unit_file_t;
+ ')
+
+ allow $1 motion_t:process { ptrace signal_perms };
+ ps_process_pattern($1, motion_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, motion_log_t)
+
+ motion_systemctl($1)
+ admin_pattern($1, motion_unit_file_t)
+ allow $1 motion_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/motion.te b/motion.te
new file mode 100644
index 0000000..b694afc
--- /dev/null
+++ b/motion.te
@@ -0,0 +1,64 @@
+policy_module(motion, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type motion_t;
+type motion_exec_t;
+init_daemon_domain(motion_t, motion_exec_t)
+
+type motion_log_t;
+logging_log_file(motion_log_t)
+
+type motion_unit_file_t;
+systemd_unit_file(motion_unit_file_t)
+
+type motion_var_run_t;
+files_pid_file(motion_var_run_t)
+
+type motion_data_t;
+files_type(motion_data_t)
+
+########################################
+#
+# motion local policy
+#
+allow motion_t self:udp_socket { create connect getattr };
+allow motion_t self:tcp_socket { bind create setopt listen };
+allow motion_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(motion_t, motion_log_t, motion_log_t)
+manage_files_pattern(motion_t, motion_log_t, motion_log_t)
+logging_log_filetrans(motion_t, motion_log_t, { dir file })
+
+manage_dirs_pattern(motion_t, motion_var_run_t, motion_var_run_t)
+manage_files_pattern(motion_t, motion_var_run_t, motion_var_run_t)
+files_pid_filetrans(motion_t, motion_var_run_t, { dir file })
+
+manage_dirs_pattern(motion_t, motion_data_t, motion_data_t)
+manage_files_pattern(motion_t, motion_data_t, motion_data_t)
+files_var_filetrans(motion_t, motion_data_t, { dir file })
+
+corenet_tcp_bind_http_cache_port(motion_t)
+corenet_tcp_bind_transproxy_port(motion_t)
+corenet_tcp_connect_http_port(motion_t)
+corenet_tcp_bind_generic_node(motion_t)
+
+dev_read_video_dev(motion_t)
+dev_write_video_dev(motion_t)
+
+domain_use_interactive_fds(motion_t)
+
+logging_send_syslog_msg(motion_t)
+
+sysnet_read_config(motion_t)
+
+userdom_home_manager(motion_t)
+
+optional_policy(`
+ zoneminder_domtrans(motion_t)
+ zoneminder_manage_lib_files(motion_t)
+')
+
diff --git a/mozilla.fc b/mozilla.fc
index 6ffaba2..cb1e8b0 100644
--- a/mozilla.fc
+++ b/mozilla.fc
@@ -1,38 +1,67 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-
-HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-
-/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/POkemon.*(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.webex(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gnashpluginrc gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedtea(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.juniper_networks(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.IBMERS(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+#
+# /bin
+#
+/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
-/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ifdef(`distro_redhat',`
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
-/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+')
+
+ifdef(`distro_debian',`
+/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+')
+
+#
+# /lib
+#
+
+/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
index 6194b80..7fbb9e7 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
-## Policy for Mozilla and related web browsers.
+## Policy for Mozilla and related web browsers
########################################
##
-## Role access for mozilla.
+## Role access for mozilla
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
#
interface(`mozilla_role',`
gen_require(`
type mozilla_t, mozilla_exec_t, mozilla_home_t;
- type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t;
- type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t;
attribute_role mozilla_roles;
')
- ########################################
- #
- # Declarations
- #
-
roleattribute $1 mozilla_roles;
- ########################################
- #
- # Policy
- #
-
- domtrans_pattern($2, mozilla_exec_t, mozilla_t)
+ domain_auto_trans($2, mozilla_exec_t, mozilla_t)
+ # Unrestricted inheritance from the caller.
+ allow $2 mozilla_t:process { noatsecure siginh rlimitinh };
+ allow mozilla_t $2:fd use;
+ allow mozilla_t $2:process { sigchld signull };
+ allow mozilla_t $2:unix_stream_socket connectto;
- allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
+ # Allow the user domain to signal/ps.
ps_process_pattern($2, mozilla_t)
-
- allow mozilla_t $2:process signull;
- allow mozilla_t $2:unix_stream_socket connectto;
+ allow $2 mozilla_t:process signal_perms;
allow $2 mozilla_t:fd use;
- allow $2 mozilla_t:shm rw_shm_perms;
-
- stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
+ allow $2 mozilla_t:shm { associate getattr };
+ allow $2 mozilla_t:shm { unix_read unix_write };
+ allow $2 mozilla_t:unix_stream_socket connectto;
- allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
+ # X access, Home files
+ manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
- filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+ #should be remove then with adding of roleattribute
+ mozilla_run_plugin(mozilla_t, $1)
+ mozilla_dbus_chat($2)
- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-
- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms };
- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_manage_tmp_role($1, mozilla_t)
optional_policy(`
- mozilla_dbus_chat($2)
+ nsplugin_role($1, mozilla_t)
')
-')
-########################################
-##
-## Role access for mozilla plugin.
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-##
-## User domain for the role.
-##
-##
-#
-interface(`mozilla_role_plugin',`
- gen_require(`
- type mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_plugin_rw_t;
- type mozilla_home_t;
+ optional_policy(`
+ pulseaudio_role($1, mozilla_t)
+ pulseaudio_filetrans_admin_home_content(mozilla_t)
+ pulseaudio_filetrans_home_content(mozilla_t)
')
- mozilla_run_plugin($2, $1)
- mozilla_run_plugin_config($2, $1)
-
- allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms };
- ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t })
-
- allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms;
- allow $2 mozilla_plugin_t:fd use;
-
- stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
-
- allow mozilla_plugin_t $2:process signull;
- allow mozilla_plugin_t $2:unix_stream_socket { connectto rw_socket_perms };
- allow mozilla_plugin_t $2:unix_dgram_socket { sendto rw_socket_perms };
- allow mozilla_plugin_t $2:shm { rw_shm_perms destroy };
- allow mozilla_plugin_t $2:sem create_sem_perms;
-
- allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
+ mozilla_filetrans_home_content($2)
- allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-
- allow $2 mozilla_plugin_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
- allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-
- allow $2 mozilla_plugin_rw_t:dir list_dir_perms;
- allow $2 mozilla_plugin_rw_t:file read_file_perms;
- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
-
- can_exec($2, mozilla_plugin_rw_t)
-
- optional_policy(`
- mozilla_dbus_chat_plugin($2)
- ')
')
########################################
##
-## Read mozilla home directory content.
+## Read mozilla home directory content
##
##
##
@@ -153,15 +82,15 @@ interface(`mozilla_read_user_home_files',`
type mozilla_home_t;
')
- userdom_search_user_home_dirs($1)
allow $1 mozilla_home_t:dir list_dir_perms;
allow $1 mozilla_home_t:file read_file_perms;
allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## Write mozilla home directory files.
+## Write mozilla home directory content
##
##
##
@@ -174,14 +103,13 @@ interface(`mozilla_write_user_home_files',`
type mozilla_home_t;
')
- userdom_search_user_home_dirs($1)
write_files_pattern($1, mozilla_home_t, mozilla_home_t)
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## Do not audit attempts to read and
-## write mozilla home directory files.
+## Dontaudit attempts to read/write mozilla home directory content
##
##
##
@@ -194,14 +122,12 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
type mozilla_home_t;
')
- dontaudit $1 mozilla_home_t:file rw_file_perms;
+ dontaudit $1 mozilla_home_t:file rw_inherited_file_perms;
')
########################################
##
-## Do not audit attempt to Create,
-## read, write, and delete mozilla
-## home directory content.
+## Dontaudit attempts to write mozilla home directory content
##
##
##
@@ -216,12 +142,11 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
dontaudit $1 mozilla_home_t:dir manage_dir_perms;
dontaudit $1 mozilla_home_t:file manage_file_perms;
- dontaudit $1 mozilla_home_t:lnk_file manage_lnk_file_perms;
')
########################################
##
-## Execute mozilla home directory files. (Deprecated)
+## Execute mozilla home directory content.
##
##
##
@@ -230,33 +155,16 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
##
#
interface(`mozilla_exec_user_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use mozilla_exec_user_plugin_home_files() instead.')
- mozilla_exec_user_plugin_home_files($1)
-')
-
-########################################
-##
-## Execute mozilla plugin home directory files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`mozilla_exec_user_plugin_home_files',`
gen_require(`
- type mozilla_home_t, mozilla_plugin_home_t;
+ type mozilla_home_t;
')
- userdom_search_user_home_dirs($1)
- exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+ can_exec($1, mozilla_home_t)
')
########################################
##
-## Mozilla home directory file
-## text relocation. (Deprecated)
+## Execmod mozilla home directory content.
##
##
##
@@ -265,140 +173,153 @@ interface(`mozilla_exec_user_plugin_home_files',`
##
#
interface(`mozilla_execmod_user_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use mozilla_execmod_user_plugin_home_files() instead.')
- mozilla_execmod_user_plugin_home_files($1)
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ allow $1 mozilla_home_t:file execmod;
')
########################################
##
-## Mozilla plugin home directory file
-## text relocation.
+## Run mozilla in the mozilla domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
-interface(`mozilla_execmod_user_plugin_home_files',`
+interface(`mozilla_domtrans',`
gen_require(`
- type mozilla_plugin_home_t;
+ type mozilla_t, mozilla_exec_t;
')
- allow $1 mozilla_plugin_home_t:file execmod;
+ domtrans_pattern($1, mozilla_exec_t, mozilla_t)
')
########################################
##
-## Run mozilla in the mozilla domain.
+## Execute a mozilla_exec_t in the specified domain.
##
##
##
## Domain allowed to transition.
##
##
+##
+##
+## The type of the new process.
+##
+##
#
-interface(`mozilla_domtrans',`
+interface(`mozilla_domtrans_spec',`
gen_require(`
- type mozilla_t, mozilla_exec_t;
+ type mozilla_exec_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, mozilla_exec_t, mozilla_t)
+ domain_entry_file($2, mozilla_exec_t)
+ domtrans_pattern($1, mozilla_exec_t, $2)
')
########################################
##
-## Execute a domain transition to
-## run mozilla plugin.
+## Execute a domain transition to run mozilla_plugin.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
interface(`mozilla_domtrans_plugin',`
gen_require(`
type mozilla_plugin_t, mozilla_plugin_exec_t;
+ type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
+ type mozilla_plugin_rw_t;
+ class dbus send_msg;
')
- corecmd_search_bin($1)
domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+ domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
+ allow mozilla_plugin_t $1:process signull;
+ dontaudit mozilla_plugin_config_t $1:file read_inherited_file_perms;
+ dontaudit mozilla_plugin_t $1:process signal;
+ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
+ allow $1 mozilla_plugin_t:fd use;
+
+ allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
+ allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms };
+ allow mozilla_plugin_t $1:shm { rw_shm_perms destroy };
+ allow mozilla_plugin_t $1:sem create_sem_perms;
+
+ ps_process_pattern($1, mozilla_plugin_t)
+ allow $1 mozilla_plugin_t:process signal_perms;
+
+ list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ can_exec($1, mozilla_plugin_rw_t)
+
+ allow $1 mozilla_plugin_t:dbus send_msg;
+ allow mozilla_plugin_t $1:dbus send_msg;
+
+ allow mozilla_plugin_t $1:process signull;
')
########################################
##
-## Execute mozilla plugin in the
-## mozilla plugin domain, and allow
-## the specified role the mozilla
-## plugin domain.
+## Execute mozilla_plugin in the mozilla_plugin domain, and
+## allow the specified role the mozilla_plugin domain.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access
##
##
##
##
-## Role allowed access.
+## The role to be allowed the mozilla_plugin domain.
##
##
#
interface(`mozilla_run_plugin',`
gen_require(`
- attribute_role mozilla_plugin_roles;
+ type mozilla_plugin_t;
+ attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
')
mozilla_domtrans_plugin($1)
roleattribute $2 mozilla_plugin_roles;
-')
+ roleattribute $2 mozilla_plugin_config_roles;
-########################################
-##
-## Execute a domain transition to
-## run mozilla plugin config.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`mozilla_domtrans_plugin_config',`
- gen_require(`
- type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mozilla_plugin_t:process ptrace;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
+ optional_policy(`
+ lpd_run_lpr(mozilla_plugin_t, $2)
+ ')
')
-########################################
+#######################################
##
-## Execute mozilla plugin config in
-## the mozilla plugin config domain,
-## and allow the specified role the
-## mozilla plugin config domain.
+## Execute qemu unconfined programs in the role.
##
-##
-##
-## Domain allowed to transition.
-##
-##
##
-##
-## Role allowed access.
-##
+##
+## The role to allow the mozilla_plugin domain.
+##
##
+##
#
-interface(`mozilla_run_plugin_config',`
- gen_require(`
- attribute_role mozilla_plugin_config_roles;
- ')
+interface(`mozilla_role_plugin',`
+ gen_require(`
+ attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
+ ')
- mozilla_domtrans_plugin_config($1)
- roleattribute $2 mozilla_plugin_config_roles;
+ roleattribute $1 mozilla_plugin_roles;
+ roleattribute $1 mozilla_plugin_config_roles;
')
########################################
@@ -424,8 +345,7 @@ interface(`mozilla_dbus_chat',`
########################################
##
-## Send and receive messages from
-## mozilla plugin over dbus.
+## read/write mozilla per user tcp_socket
##
##
##
@@ -433,76 +353,126 @@ interface(`mozilla_dbus_chat',`
##
##
#
-interface(`mozilla_dbus_chat_plugin',`
+interface(`mozilla_rw_tcp_sockets',`
gen_require(`
- type mozilla_plugin_t;
- class dbus send_msg;
+ type mozilla_t;
')
- allow $1 mozilla_plugin_t:dbus send_msg;
- allow mozilla_plugin_t $1:dbus send_msg;
+ allow $1 mozilla_t:tcp_socket rw_socket_perms;
')
-########################################
+#######################################
##
-## Read and write mozilla TCP sockets.
+## Read mozilla_plugin tmpfs files
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access
+##
##
#
-interface(`mozilla_rw_tcp_sockets',`
- gen_require(`
- type mozilla_t;
- ')
+interface(`mozilla_plugin_read_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
- allow $1 mozilla_t:tcp_socket rw_socket_perms;
+ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+')
+
+#######################################
+##
+## Read/Write mozilla_plugin tmpfs files
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`mozilla_plugin_rw_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ rw_files_pattern($1, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
')
########################################
##
-## Create, read, write, and delete
-## mozilla plugin rw files.
+## Delete mozilla_plugin tmpfs files
##
##
##
-## Domain allowed access.
+## Domain allowed access
##
##
#
-interface(`mozilla_manage_plugin_rw_files',`
+interface(`mozilla_plugin_delete_tmpfs_files',`
gen_require(`
- type mozilla_plugin_rw_t;
+ type mozilla_plugin_tmpfs_t;
')
- libs_search_lib($1)
- manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
+')
+
+#######################################
+##
+## Dontaudit generict ipc read/write to a mozilla_plugin
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`mozilla_plugin_dontaudit_rw_sem',`
+ gen_require(`
+ type mozilla_plugin_t;
+ ')
+
+ allow $1 mozilla_plugin_t:sem { unix_read unix_write };
')
########################################
##
-## Read mozilla_plugin tmpfs files.
+## Dontaudit read/write to a mozilla_plugin leaks
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`mozilla_plugin_read_tmpfs_files',`
+interface(`mozilla_plugin_dontaudit_leaks',`
gen_require(`
- type mozilla_plugin_tmpfs_t;
+ type mozilla_plugin_t;
')
- fs_search_tmpfs($1)
- allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
+')
+
+#######################################
+##
+## Dontaudit read/write to a mozilla_plugin tmp files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`mozilla_plugin_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type mozilla_plugin_tmp_t;
+ ')
+
+ dontaudit $1 mozilla_plugin_tmp_t:file { read write };
')
########################################
##
-## Delete mozilla_plugin tmpfs files.
+## Create, read, write, and delete
+## mozilla_plugin rw files.
##
##
##
@@ -510,19 +480,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
##
##
#
-interface(`mozilla_plugin_delete_tmpfs_files',`
+interface(`mozilla_plugin_manage_rw_files',`
gen_require(`
- type mozilla_plugin_tmpfs_t;
+ type mozilla_plugin_rw_t;
')
- fs_search_tmpfs($1)
- allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
+ allow $1 mozilla_plugin_rw_t:file manage_file_perms;
+ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
')
########################################
##
-## Create, read, write, and delete
-## generic mozilla plugin home content.
+## read mozilla_plugin rw files.
##
##
##
@@ -530,45 +499,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
##
##
#
-interface(`mozilla_manage_generic_plugin_home_content',`
+interface(`mozilla_plugin_read_rw_files',`
gen_require(`
- type mozilla_plugin_home_t;
+ type mozilla_plugin_rw_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 mozilla_plugin_home_t:dir manage_dir_perms;
- allow $1 mozilla_plugin_home_t:file manage_file_perms;
- allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms;
- allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms;
- allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms;
+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
')
########################################
##
-## Create objects in user home
-## directories with the generic mozilla
-## plugin home type.
+## Create mozilla content in the user home directory
+## with an correct label.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
#
-interface(`mozilla_home_filetrans_plugin_home',`
+interface(`mozilla_filetrans_home_content',`
+
gen_require(`
- type mozilla_plugin_home_t;
+ type mozilla_home_t;
')
- userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3)
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".thunderbird")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".netscape")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".phoenix")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")
+ optional_policy(`
+ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
+ ')
')
+
diff --git a/mozilla.te b/mozilla.te
index 11ac8e4..5c6fae9 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
#
##
-##
-## Determine whether mozilla can
-## make its stack executable.
-##
+##
+## Allow mozilla plugin domain to connect to the network using TCP.
+##
##
-gen_tunable(mozilla_execstack, false)
+gen_tunable(mozilla_plugin_can_network_connect, false)
+
+##
+##
+## Allow mozilla plugin to support spice protocols.
+##
+##
+gen_tunable(mozilla_plugin_use_spice, false)
+
+##
+##
+## Allow mozilla plugin to support GPS.
+##
+##
+gen_tunable(mozilla_plugin_use_gps, false)
+
+##
+##
+## Allow confined web browsers to read home directory content
+##
+##
+gen_tunable(mozilla_read_content, false)
attribute_role mozilla_roles;
attribute_role mozilla_plugin_roles;
attribute_role mozilla_plugin_config_roles;
+roleattribute system_r mozilla_roles;
+roleattribute system_r mozilla_plugin_roles;
+roleattribute system_r mozilla_plugin_config_roles;
+
type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
@@ -24,6 +48,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
role mozilla_roles types mozilla_t;
+type mozilla_conf_t;
+files_config_file(mozilla_conf_t)
+
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
@@ -31,28 +58,24 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
-userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
role mozilla_plugin_roles types mozilla_plugin_t;
-type mozilla_plugin_home_t;
-userdom_user_home_content(mozilla_plugin_home_t)
-
type mozilla_plugin_tmp_t;
+userdom_user_tmp_content(mozilla_plugin_tmp_t)
userdom_user_tmp_file(mozilla_plugin_tmp_t)
type mozilla_plugin_tmpfs_t;
+userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)
userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
-optional_policy(`
- pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t)
-')
-
type mozilla_plugin_rw_t;
files_type(mozilla_plugin_rw_t)
type mozilla_plugin_config_t;
type mozilla_plugin_config_exec_t;
-userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
+application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
+role mozilla_roles types mozilla_plugin_config_t;
role mozilla_plugin_config_roles types mozilla_plugin_config_t;
type mozilla_tmp_t;
@@ -63,10 +86,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
userdom_user_tmpfs_file(mozilla_tmpfs_t)
-optional_policy(`
- pulseaudio_tmpfs_content(mozilla_tmpfs_t)
-')
-
########################################
#
# Local policy
@@ -75,27 +94,30 @@ optional_policy(`
allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
-allow mozilla_t self:shm create_shm_perms;
+allow mozilla_t self:shm { unix_read unix_write read write destroy create };
allow mozilla_t self:sem create_sem_perms;
allow mozilla_t self:socket create_socket_perms;
-allow mozilla_t self:unix_stream_socket { accept listen };
+allow mozilla_t self:unix_stream_socket { listen accept };
+# Browse the web, connect to printer
+allow mozilla_t self:tcp_socket create_socket_perms;
+allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;
-allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms;
-allow mozilla_t mozilla_plugin_t:fd use;
+# for bash - old mozilla binary
+can_exec(mozilla_t, mozilla_exec_t)
-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms;
-allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix")
+# X access, Home files
+manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+userdom_search_user_home_dirs(mozilla_t)
-filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+# Mozpluggerrc
+allow mozilla_t mozilla_conf_t:file read_file_perms;
manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
-files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
+# mozilla will manage user_tmp_t, so it will transition to it.
+#files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
@@ -103,76 +125,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
-allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
-
-stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
-
-can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
-
kernel_read_kernel_sysctls(mozilla_t)
kernel_read_network_state(mozilla_t)
+# Access /proc, sysctl
kernel_read_system_state(mozilla_t)
kernel_read_net_sysctls(mozilla_t)
+# Look for plugins
corecmd_list_bin(mozilla_t)
+# for bash - old mozilla binary
corecmd_exec_shell(mozilla_t)
corecmd_exec_bin(mozilla_t)
-corenet_all_recvfrom_unlabeled(mozilla_t)
+# Browse the web, connect to printer
corenet_all_recvfrom_netlabel(mozilla_t)
corenet_tcp_sendrecv_generic_if(mozilla_t)
+corenet_raw_sendrecv_generic_if(mozilla_t)
corenet_tcp_sendrecv_generic_node(mozilla_t)
-
-corenet_sendrecv_http_client_packets(mozilla_t)
-corenet_tcp_connect_http_port(mozilla_t)
+corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
-
-corenet_sendrecv_http_cache_client_packets(mozilla_t)
-corenet_tcp_connect_http_cache_port(mozilla_t)
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
-
-corenet_sendrecv_squid_client_packets(mozilla_t)
-corenet_tcp_connect_squid_port(mozilla_t)
corenet_tcp_sendrecv_squid_port(mozilla_t)
-
-corenet_sendrecv_ftp_client_packets(mozilla_t)
-corenet_tcp_connect_ftp_port(mozilla_t)
corenet_tcp_sendrecv_ftp_port(mozilla_t)
-
-corenet_sendrecv_ipp_client_packets(mozilla_t)
-corenet_tcp_connect_ipp_port(mozilla_t)
+corenet_tcp_connect_all_ephemeral_ports(mozilla_t)
corenet_tcp_sendrecv_ipp_port(mozilla_t)
-
-corenet_sendrecv_soundd_client_packets(mozilla_t)
+corenet_tcp_connect_http_port(mozilla_t)
+corenet_tcp_connect_http_cache_port(mozilla_t)
+corenet_tcp_connect_squid_port(mozilla_t)
+corenet_tcp_connect_ftp_port(mozilla_t)
+corenet_tcp_connect_ipp_port(mozilla_t)
+corenet_tcp_connect_generic_port(mozilla_t)
corenet_tcp_connect_soundd_port(mozilla_t)
-corenet_tcp_sendrecv_soundd_port(mozilla_t)
-
-corenet_sendrecv_speech_client_packets(mozilla_t)
+corenet_sendrecv_http_client_packets(mozilla_t)
+corenet_sendrecv_http_cache_client_packets(mozilla_t)
+corenet_sendrecv_squid_client_packets(mozilla_t)
+corenet_sendrecv_ftp_client_packets(mozilla_t)
+corenet_sendrecv_ipp_client_packets(mozilla_t)
+corenet_sendrecv_generic_client_packets(mozilla_t)
+# Should not need other ports
+corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
+corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
corenet_tcp_connect_speech_port(mozilla_t)
-corenet_tcp_sendrecv_speech_port(mozilla_t)
-dev_getattr_sysfs_dirs(mozilla_t)
-dev_read_sound(mozilla_t)
-dev_read_rand(mozilla_t)
dev_read_urand(mozilla_t)
-dev_rw_dri(mozilla_t)
+dev_read_rand(mozilla_t)
dev_write_sound(mozilla_t)
+dev_read_sound(mozilla_t)
+dev_dontaudit_rw_dri(mozilla_t)
+dev_getattr_sysfs_dirs(mozilla_t)
domain_dontaudit_read_all_domains_state(mozilla_t)
files_read_etc_runtime_files(mozilla_t)
-files_read_usr_files(mozilla_t)
-files_read_var_files(mozilla_t)
+# /var/lib
files_read_var_lib_files(mozilla_t)
+# interacting with gstreamer
+files_read_var_files(mozilla_t)
files_read_var_symlinks(mozilla_t)
files_dontaudit_getattr_boot_dirs(mozilla_t)
-fs_getattr_all_fs(mozilla_t)
+fs_dontaudit_getattr_all_fs(mozilla_t)
fs_search_auto_mountpoints(mozilla_t)
fs_list_inotifyfs(mozilla_t)
-fs_rw_tmpfs_files(mozilla_t)
+fs_rw_inherited_tmpfs_files(mozilla_t)
term_dontaudit_getattr_pty_dirs(mozilla_t)
@@ -181,56 +196,73 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
-miscfiles_read_localization(mozilla_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
-userdom_use_user_ptys(mozilla_t)
-
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
+userdom_use_inherited_user_ptys(mozilla_t)
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
-
-userdom_write_user_tmp_sockets(mozilla_t)
-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
-mozilla_run_plugin_config(mozilla_t, mozilla_roles)
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
-ifndef(`enable_mls',`
- fs_list_dos(mozilla_t)
- fs_read_dos_files(mozilla_t)
-
- fs_search_removable(mozilla_t)
- fs_read_removable_files(mozilla_t)
- fs_read_removable_symlinks(mozilla_t)
-
- fs_read_iso9660_files(mozilla_t)
+tunable_policy(`selinuxuser_execstack',`
+ allow mozilla_t self:process execstack;
')
-tunable_policy(`allow_execmem',`
+tunable_policy(`deny_execmem',`',`
allow mozilla_t self:process execmem;
')
-tunable_policy(`mozilla_execstack',`
- allow mozilla_t self:process { execmem execstack };
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_t)
- fs_manage_nfs_files(mozilla_t)
- fs_manage_nfs_symlinks(mozilla_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_t)
- fs_manage_cifs_files(mozilla_t)
- fs_manage_cifs_symlinks(mozilla_t)
+userdom_home_manager(mozilla_t)
+
+# Uploads, local html
+tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(mozilla_t)
+ files_list_home(mozilla_t)
+ fs_read_nfs_files(mozilla_t)
+ fs_read_nfs_symlinks(mozilla_t)
+
+',`
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_auto_mountpoints(mozilla_t)
+ fs_dontaudit_read_nfs_files(mozilla_t)
+ fs_dontaudit_list_nfs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mozilla_t)
+ files_list_home(mozilla_t)
+ fs_read_cifs_files(mozilla_t)
+ fs_read_cifs_symlinks(mozilla_t)
+',`
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_auto_mountpoints(mozilla_t)
+ fs_dontaudit_read_cifs_files(mozilla_t)
+ fs_dontaudit_list_cifs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content',`
+ userdom_list_user_tmp(mozilla_t)
+ userdom_read_user_tmp_files(mozilla_t)
+ userdom_read_user_tmp_symlinks(mozilla_t)
+ userdom_read_user_home_content_files(mozilla_t)
+ userdom_read_user_home_content_symlinks(mozilla_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(mozilla_t)
+ fs_read_removable_files(mozilla_t)
+ fs_read_removable_symlinks(mozilla_t)
+ ')
+',`
+ files_dontaudit_list_tmp(mozilla_t)
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_removable(mozilla_t)
+ fs_dontaudit_read_removable_files(mozilla_t)
+ userdom_dontaudit_list_user_tmp(mozilla_t)
+ userdom_dontaudit_read_user_tmp_files(mozilla_t)
+ userdom_dontaudit_list_user_home_dirs(mozilla_t)
+ userdom_dontaudit_read_user_home_content_files(mozilla_t)
')
optional_policy(`
@@ -244,19 +276,12 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(mozilla_t)
+ cups_dbus_chat(mozilla_t)
')
optional_policy(`
- dbus_all_session_bus_client(mozilla_t)
dbus_system_bus_client(mozilla_t)
-
- optional_policy(`
- cups_dbus_chat(mozilla_t)
- ')
-
- optional_policy(`
- mozilla_dbus_chat_plugin(mozilla_t)
- ')
+ dbus_session_bus_client(mozilla_t)
optional_policy(`
networkmanager_dbus_chat(mozilla_t)
@@ -265,33 +290,32 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
- gnome_manage_generic_gconf_home_content(mozilla_t)
- gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconf")
- gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconfd")
- gnome_manage_generic_home_content(mozilla_t)
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome")
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2")
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+ gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
')
optional_policy(`
- java_exec(mozilla_t)
- java_manage_generic_home_content(mozilla_t)
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
+ java_domtrans(mozilla_t)
')
optional_policy(`
- lpd_run_lpr(mozilla_t, mozilla_roles)
+ lpd_domtrans_lpr(mozilla_t)
')
optional_policy(`
- mplayer_exec(mozilla_t)
- mplayer_manage_generic_home_content(mozilla_t)
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
+ mplayer_domtrans(mozilla_t)
+ mplayer_read_user_home_files(mozilla_t)
')
optional_policy(`
- pulseaudio_run(mozilla_t, mozilla_roles)
+ nscd_socket_use(mozilla_t)
+')
+
+optional_policy(`
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
+ pulseaudio_manage_home_files(mozilla_t)
')
optional_policy(`
@@ -300,259 +324,241 @@ optional_policy(`
########################################
#
-# Plugin local policy
+# mozilla_plugin local policy
#
-dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config };
-allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit };
-allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config };
+dontaudit mozilla_plugin_t self:capability2 block_suspend;
+
+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mozilla_plugin_t self:netlink_socket create_socket_perms;
+allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
+allow mozilla_plugin_t self:udp_socket create_socket_perms;
allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+
allow mozilla_plugin_t self:sem create_sem_perms;
allow mozilla_plugin_t self:shm create_shm_perms;
-allow mozilla_plugin_t self:tcp_socket { accept listen };
-allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen };
-
-allow mozilla_plugin_t mozilla_t:unix_stream_socket rw_socket_perms;
-allow mozilla_plugin_t mozilla_t:unix_dgram_socket rw_socket_perms;
-allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy };
-allow mozilla_plugin_t mozilla_t:sem create_sem_perms;
-
-manage_dirs_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".phoenix")
-
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".adobe")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".macromedia")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gnash")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".spicec")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".ICAClient")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
-
-filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+allow mozilla_plugin_t self:msgq create_msgq_perms;
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+allow mozilla_plugin_t self:unix_dgram_socket sendto;
+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+can_exec(mozilla_plugin_t, mozilla_home_t)
+manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
-files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
-userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+userdom_manage_home_texlive(mozilla_plugin_t)
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
-
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
kernel_read_all_sysctls(mozilla_plugin_t)
kernel_read_system_state(mozilla_plugin_t)
kernel_read_network_state(mozilla_plugin_t)
kernel_request_load_module(mozilla_plugin_t)
kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
+files_dontaudit_read_root_files(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
+corecmd_dontaudit_access_all_executables(mozilla_plugin_t)
+corecmd_getattr_all_executables(mozilla_plugin_t)
-corenet_all_recvfrom_netlabel(mozilla_plugin_t)
-corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
-corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
-corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
-
-corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
+corenet_tcp_connect_aol_port(mozilla_plugin_t)
corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t)
-
-corenet_sendrecv_ftp_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_commplex_link_port(mozilla_plugin_t)
+corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
+corenet_tcp_connect_flash_port(mozilla_plugin_t)
corenet_tcp_connect_ftp_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t)
-
-corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t)
corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t)
-
-corenet_sendrecv_http_client_packets(mozilla_plugin_t)
-corenet_tcp_connect_http_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_http_port(mozilla_plugin_t)
-
-corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_generic_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t)
-
-corenet_sendrecv_ipp_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t)
-
-corenet_sendrecv_ircd_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)
corenet_tcp_connect_ircd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t)
-
-corenet_sendrecv_jabber_client_client_packets(mozilla_plugin_t)
corenet_tcp_connect_jabber_client_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t)
-
-corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_jboss_management_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t)
-
-corenet_sendrecv_monopd_client_packets(mozilla_plugin_t)
corenet_tcp_connect_monopd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t)
-
-corenet_sendrecv_soundd_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_msnp_port(mozilla_plugin_t)
+corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t)
+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
+corenet_tcp_connect_rtsp_port(mozilla_plugin_t)
corenet_tcp_connect_soundd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t)
-
-corenet_sendrecv_speech_client_packets(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_speech_port(mozilla_plugin_t)
-
-corenet_sendrecv_squid_client_packets(mozilla_plugin_t)
corenet_tcp_connect_squid_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_squid_port(mozilla_plugin_t)
-
-corenet_sendrecv_vnc_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_tor_port(mozilla_plugin_t)
+corenet_tcp_connect_transproxy_port(mozilla_plugin_t)
corenet_tcp_connect_vnc_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t)
+corenet_tcp_connect_whois_port(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_udp_bind_generic_node(mozilla_plugin_t)
+corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t)
+corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t)
-dev_read_generic_usb_dev(mozilla_plugin_t)
+dev_dontaudit_append_rand(mozilla_plugin_t)
dev_read_rand(mozilla_plugin_t)
-dev_read_realtime_clock(mozilla_plugin_t)
-dev_read_sound(mozilla_plugin_t)
-dev_read_sysfs(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
+dev_read_generic_usb_dev(mozilla_plugin_t)
dev_read_video_dev(mozilla_plugin_t)
-dev_write_sound(mozilla_plugin_t)
dev_write_video_dev(mozilla_plugin_t)
-dev_rw_dri(mozilla_plugin_t)
+dev_read_realtime_clock(mozilla_plugin_t)
+dev_read_sysfs(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)
+# for nvidia driver
dev_rw_xserver_misc(mozilla_plugin_t)
+dev_rwx_zero(mozilla_plugin_t)
+dev_dontaudit_read_mtrr(mozilla_plugin_t)
+xserver_dri_domain(mozilla_plugin_t)
-dev_dontaudit_getattr_generic_files(mozilla_plugin_t)
-dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t)
-dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
-dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
+dev_dontaudit_getattr_all(mozilla_plugin_t)
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-files_exec_usr_files(mozilla_plugin_t)
-files_list_mnt(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
-files_read_usr_files(mozilla_plugin_t)
+files_list_mnt(mozilla_plugin_t)
+files_exec_usr_files(mozilla_plugin_t)
+fs_rw_inherited_tmpfs_files(mozilla_plugin_t)
+files_dontaudit_all_access_check(mozilla_plugin_t)
fs_getattr_all_fs(mozilla_plugin_t)
-# fs_read_hugetlbfs_files(mozilla_plugin_t)
-fs_search_auto_mountpoints(mozilla_plugin_t)
-
-term_getattr_all_ttys(mozilla_plugin_t)
-term_getattr_all_ptys(mozilla_plugin_t)
+fs_list_dos(mozilla_plugin_t)
+fs_read_noxattr_fs_files(mozilla_plugin_t)
+fs_read_hugetlbfs_files(mozilla_plugin_t)
+fs_exec_hugetlbfs_files(mozilla_plugin_t)
application_exec(mozilla_plugin_t)
+application_dontaudit_signull(mozilla_plugin_t)
auth_use_nsswitch(mozilla_plugin_t)
+init_dontaudit_getattr_initctl(mozilla_plugin_t)
+init_read_all_script_files(mozilla_plugin_t)
+
libs_exec_ld_so(mozilla_plugin_t)
libs_exec_lib_files(mozilla_plugin_t)
+libs_legacy_use_shared_libs(mozilla_plugin_t)
logging_send_syslog_msg(mozilla_plugin_t)
-miscfiles_read_localization(mozilla_plugin_t)
miscfiles_read_fonts(mozilla_plugin_t)
miscfiles_read_generic_certs(mozilla_plugin_t)
+miscfiles_dontaudit_write_generic_cert_files(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
-userdom_manage_user_tmp_dirs(mozilla_plugin_t)
-userdom_manage_user_tmp_files(mozilla_plugin_t)
+systemd_read_logind_sessions_files(mozilla_plugin_t)
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
-
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
+term_getattr_ptmx(mozilla_plugin_t)
+term_dontaudit_use_ptmx(mozilla_plugin_t)
+userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)
+userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+userdom_delete_user_tmpfs_files(mozilla_plugin_t)
userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+userdom_manage_user_tmp_sockets(mozilla_plugin_t)
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+userdom_rw_inherited_user_tmp_files(mozilla_plugin_t)
+userdom_delete_user_tmp_files(mozilla_plugin_t)
+userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t)
+userdom_manage_home_certs(mozilla_plugin_t)
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
+userdom_stream_connect(mozilla_plugin_t)
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
-ifndef(`enable_mls',`
- fs_list_dos(mozilla_plugin_t)
- fs_read_dos_files(mozilla_plugin_t)
+userdom_read_user_home_content_files(mozilla_plugin_t)
+userdom_read_user_home_content_symlinks(mozilla_plugin_t)
+userdom_read_home_certs(mozilla_plugin_t)
+userdom_read_home_audio_files(mozilla_plugin_t)
+userdom_exec_user_tmp_files(mozilla_plugin_t)
- fs_search_removable(mozilla_plugin_t)
- fs_read_removable_files(mozilla_plugin_t)
- fs_read_removable_symlinks(mozilla_plugin_t)
+userdom_home_manager(mozilla_plugin_t)
- fs_read_iso9660_files(mozilla_plugin_t)
+tunable_policy(`mozilla_plugin_can_network_connect',`
+ corenet_tcp_connect_all_ports(mozilla_plugin_t)
')
-tunable_policy(`allow_execmem',`
- allow mozilla_plugin_t self:process execmem;
-')
-
-tunable_policy(`mozilla_execstack',`
- allow mozilla_plugin_t self:process { execmem execstack };
+optional_policy(`
+ alsa_read_rw_config(mozilla_plugin_t)
+ alsa_read_home_files(mozilla_plugin_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_t)
- fs_manage_nfs_files(mozilla_plugin_t)
- fs_manage_nfs_symlinks(mozilla_plugin_t)
+optional_policy(`
+ apache_list_modules(mozilla_plugin_t)
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_plugin_t)
- fs_manage_cifs_files(mozilla_plugin_t)
- fs_manage_cifs_symlinks(mozilla_plugin_t)
+optional_policy(`
+ bumblebee_stream_connect(mozilla_plugin_t)
')
optional_policy(`
- alsa_read_rw_config(mozilla_plugin_t)
- alsa_read_home_files(mozilla_plugin_t)
+ cups_stream_connect(mozilla_plugin_t)
')
optional_policy(`
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t)
+ dbus_system_bus_client(mozilla_plugin_t)
+ dbus_session_bus_client(mozilla_plugin_t)
+ dbus_connect_session_bus(mozilla_plugin_t)
+ dbus_read_lib_files(mozilla_plugin_t)
')
optional_policy(`
- dbus_all_session_bus_client(mozilla_plugin_t)
- dbus_connect_all_session_bus(mozilla_plugin_t)
- dbus_system_bus_client(mozilla_plugin_t)
+ gnome_manage_config(mozilla_plugin_t)
+ gnome_read_usr_config(mozilla_plugin_t)
+ gnome_filetrans_home_content(mozilla_plugin_t)
+ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
')
optional_policy(`
- gnome_manage_generic_home_content(mozilla_plugin_t)
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
+ gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
')
optional_policy(`
java_exec(mozilla_plugin_t)
- java_manage_generic_home_content(mozilla_plugin_t)
- java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java")
')
optional_policy(`
- lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles)
+ mplayer_exec(mozilla_plugin_t)
+ mplayer_manage_generic_home_content(mozilla_plugin_t)
+ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
')
optional_policy(`
- mplayer_exec(mozilla_plugin_t)
- mplayer_manage_generic_home_content(mozilla_plugin_t)
- mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
+ pulseaudio_exec(mozilla_plugin_t)
+ pulseaudio_stream_connect(mozilla_plugin_t)
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
+ pulseaudio_manage_home_dirs(mozilla_plugin_t)
+ pulseaudio_manage_home_files(mozilla_plugin_t)
+ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
')
optional_policy(`
@@ -560,7 +566,7 @@ optional_policy(`
')
optional_policy(`
- pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
+ rtkit_scheduled(mozilla_plugin_t)
')
optional_policy(`
@@ -568,108 +574,130 @@ optional_policy(`
')
optional_policy(`
- xserver_read_user_xauth(mozilla_plugin_t)
+ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
xserver_read_xdm_pid(mozilla_plugin_t)
xserver_stream_connect(mozilla_plugin_t)
xserver_use_user_fonts(mozilla_plugin_t)
- xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
+ xserver_read_user_iceauth(mozilla_plugin_t)
+ xserver_read_user_xauth(mozilla_plugin_t)
+ xserver_append_xdm_home_files(mozilla_plugin_t)
+ xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
+ xserver_dontaudit_xdm_rw_stream_sockets(mozilla_plugin_t)
+ xserver_filetrans_fonts_cache_home_content(mozilla_plugin_t)
')
########################################
#
-# Plugin config local policy
+# mozilla_plugin_config local policy
#
allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
-allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
-allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
-allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+dev_read_sysfs(mozilla_plugin_config_t)
+dev_read_urand(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+fs_search_auto_mountpoints(mozilla_plugin_config_t)
+fs_list_inotifyfs(mozilla_plugin_config_t)
-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
-
-kernel_read_system_state(mozilla_plugin_config_t)
-kernel_request_load_module(mozilla_plugin_config_t)
+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+mozilla_filetrans_home_content(mozilla_plugin_t)
+
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file })
+mozilla_filetrans_home_content(mozilla_plugin_config_t)
+dontaudit mozilla_plugin_t mozilla_plugin_tmp_t:file relabelfrom;
corecmd_exec_bin(mozilla_plugin_config_t)
corecmd_exec_shell(mozilla_plugin_config_t)
-dev_read_urand(mozilla_plugin_config_t)
-dev_rw_dri(mozilla_plugin_config_t)
-dev_search_sysfs(mozilla_plugin_config_t)
-dev_dontaudit_read_rand(mozilla_plugin_config_t)
+kernel_read_system_state(mozilla_plugin_config_t)
+kernel_request_load_module(mozilla_plugin_config_t)
domain_use_interactive_fds(mozilla_plugin_config_t)
-files_list_tmp(mozilla_plugin_config_t)
-files_read_usr_files(mozilla_plugin_config_t)
files_dontaudit_search_home(mozilla_plugin_config_t)
+files_list_tmp(mozilla_plugin_config_t)
fs_getattr_all_fs(mozilla_plugin_config_t)
-fs_search_auto_mountpoints(mozilla_plugin_config_t)
-fs_list_inotifyfs(mozilla_plugin_config_t)
+
+term_dontaudit_use_ptmx(mozilla_plugin_config_t)
auth_use_nsswitch(mozilla_plugin_config_t)
-miscfiles_read_localization(mozilla_plugin_config_t)
miscfiles_read_fonts(mozilla_plugin_config_t)
+userdom_search_user_home_content(mozilla_plugin_config_t)
userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
userdom_read_user_home_content_files(mozilla_plugin_config_t)
+userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)
+userdom_use_inherited_user_ptys(mozilla_plugin_config_t)
+userdom_dontaudit_use_user_terminals(mozilla_plugin_config_t)
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_config_t)
+userdom_dontaudit_write_all_user_home_content_files(mozilla_plugin_config_t)
+userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t)
-userdom_use_user_ptys(mozilla_plugin_config_t)
+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
-mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_read_ecryptfs_files(mozilla_plugin_config_t)
+')
-tunable_policy(`allow_execmem',`
- allow mozilla_plugin_config_t self:process execmem;
+optional_policy(`
+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
')
-tunable_policy(`mozilla_execstack',`
- allow mozilla_plugin_config_t self:process { execmem execstack };
+optional_policy(`
+ xserver_use_user_fonts(mozilla_plugin_config_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_config_t)
- fs_manage_nfs_files(mozilla_plugin_config_t)
- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+ifdef(`distro_redhat',`
+ typealias mozilla_plugin_t alias nsplugin_t;
+ typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
+ typealias mozilla_plugin_rw_t alias nsplugin_rw_t;
+ typealias mozilla_plugin_tmp_t alias nsplugin_tmp_t;
+ typealias mozilla_home_t alias nsplugin_home_t;
+ typealias mozilla_plugin_config_t alias nsplugin_config_t;
+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_plugin_config_t)
- fs_manage_cifs_files(mozilla_plugin_config_t)
- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+#tunable_policy(`mozilla_plugin_enable_homedirs',`
+# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
+#', `
+
+ #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, file)
+ #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, dir)
+#')
+
+tunable_policy(`selinuxuser_execmod',`
+ userdom_execmod_user_home_files(mozilla_plugin_t)
')
-optional_policy(`
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_spice',`
+ dev_rw_generic_usb_dev(mozilla_plugin_t)
+ corenet_tcp_bind_vnc_port(mozilla_plugin_t)
')
-optional_policy(`
- xserver_use_user_fonts(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_gps',`
+ fs_manage_dos_dirs(mozilla_plugin_t)
+ fs_manage_dos_files(mozilla_plugin_t)
')
diff --git a/mpd.fc b/mpd.fc
index 313ce52..ae93e07 100644
--- a/mpd.fc
+++ b/mpd.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.mpd(/.*)? gen_context(system_u:object_r:mpd_home_t,s0)
+
/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0)
/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0)
@@ -9,3 +11,5 @@
/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0)
+
+/var/run/mpd(/.*)? gen_context(system_u:object_r:mpd_var_run_t,s0)
diff --git a/mpd.if b/mpd.if
index 5fa77c7..2e01c7d 100644
--- a/mpd.if
+++ b/mpd.if
@@ -322,6 +322,25 @@ interface(`mpd_manage_lib_dirs',`
########################################
##
+## Connect to mpd over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mpd_stream_connect',`
+ gen_require(`
+ type mpd_t, mpd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, mpd_var_run_t, mpd_var_run_t, mpd_t)
+')
+
+########################################
+##
## All of the rules required to
## administrate an mpd environment.
##
@@ -344,9 +363,13 @@ interface(`mpd_admin',`
type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t;
')
- allow $1 mpd_t:process { ptrace signal_perms };
+ allow $1 mpd_t:process signal_perms;
ps_process_pattern($1, mpd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mpd_t:process ptrace;
+ ')
+
mpd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 mpd_initrc_exec_t system_r;
diff --git a/mpd.te b/mpd.te
index fe72523..92632e8 100644
--- a/mpd.te
+++ b/mpd.te
@@ -62,6 +62,12 @@ files_type(mpd_var_lib_t)
type mpd_user_data_t;
userdom_user_home_content(mpd_user_data_t) # customizable
+type mpd_home_t;
+userdom_user_home_content(mpd_home_t)
+
+type mpd_var_run_t;
+files_pid_file(mpd_var_run_t)
+
########################################
#
# Local policy
@@ -74,6 +80,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen };
allow mpd_t self:unix_dgram_socket sendto;
allow mpd_t self:tcp_socket { accept listen };
allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow mpd_t mpd_data_t:dir manage_dir_perms;
allow mpd_t mpd_data_t:file manage_file_perms;
@@ -104,13 +111,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir)
+manage_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+manage_dirs_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+manage_sock_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+manage_lnk_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+files_pid_filetrans(mpd_t, mpd_var_run_t, { file dir sock_file })
+
+manage_files_pattern(mpd_t, mpd_home_t, mpd_home_t)
+manage_dirs_pattern(mpd_t, mpd_home_t, mpd_home_t)
+manage_lnk_files_pattern(mpd_t, mpd_home_t, mpd_home_t)
+
kernel_getattr_proc(mpd_t)
kernel_read_system_state(mpd_t)
kernel_read_kernel_sysctls(mpd_t)
corecmd_exec_bin(mpd_t)
-corenet_all_recvfrom_unlabeled(mpd_t)
corenet_all_recvfrom_netlabel(mpd_t)
corenet_tcp_sendrecv_generic_if(mpd_t)
corenet_tcp_sendrecv_generic_node(mpd_t)
@@ -139,9 +155,9 @@ dev_read_sound(mpd_t)
dev_write_sound(mpd_t)
dev_read_sysfs(mpd_t)
-files_read_usr_files(mpd_t)
fs_getattr_all_fs(mpd_t)
+fs_getattr_all_dirs(mpd_t)
fs_list_inotifyfs(mpd_t)
fs_rw_anon_inodefs_files(mpd_t)
fs_search_auto_mountpoints(mpd_t)
@@ -150,15 +166,26 @@ auth_use_nsswitch(mpd_t)
logging_send_syslog_msg(mpd_t)
-miscfiles_read_localization(mpd_t)
+userdom_home_reader(mpd_t)
tunable_policy(`mpd_enable_homedirs',`
- userdom_search_user_home_dirs(mpd_t)
+ userdom_stream_connect(mpd_t)
+ userdom_read_home_audio_files(mpd_t)
+ userdom_list_user_tmp(mpd_t)
+ userdom_read_user_tmpfs_files(mpd_t)
+ userdom_dontaudit_setattr_user_tmp(mpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`mpd_enable_homedirs',`
+ pulseaudio_read_home_files(mpd_t)
+ ')
')
tunable_policy(`mpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(mpd_t)
fs_read_nfs_symlinks(mpd_t)
+
')
tunable_policy(`mpd_enable_homedirs && use_samba_home_dirs',`
@@ -191,7 +218,7 @@ optional_policy(`
')
optional_policy(`
- pulseaudio_domtrans(mpd_t)
+ pulseaudio_exec(mpd_t)
')
optional_policy(`
@@ -199,6 +226,16 @@ optional_policy(`
')
optional_policy(`
+ #needed by pulseaudio
+ systemd_read_logind_sessions_files(mpd_t)
+ systemd_login_read_pid_files(mpd_t)
+')
+
+optional_policy(`
+ rtkit_daemon_dontaudit_dbus_chat(mpd_t)
+')
+
+optional_policy(`
udev_read_db(mpd_t)
')
diff --git a/mplayer.if b/mplayer.if
index 861d5e9..1c3d5a5 100644
--- a/mplayer.if
+++ b/mplayer.if
@@ -161,3 +161,23 @@ interface(`mplayer_home_filetrans_mplayer_home',`
userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3)
')
+
+########################################
+##
+## Create specified objects in user home
+## directories with the generic mplayer
+## home type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mplayer_filetrans_home_content',`
+ gen_require(`
+ type mplayer_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer")
+')
diff --git a/mplayer.te b/mplayer.te
index 0f03cd9..e3ed393 100644
--- a/mplayer.te
+++ b/mplayer.te
@@ -11,7 +11,7 @@ policy_module(mplayer, 2.5.0)
## its stack executable.
##
##
-gen_tunable(allow_mplayer_execstack, false)
+gen_tunable(mplayer_execstack, false)
attribute_role mencoder_roles;
attribute_role mplayer_roles;
@@ -67,7 +67,6 @@ kernel_read_kernel_sysctls(mencoder_t)
dev_rwx_zero(mencoder_t)
dev_read_video_dev(mencoder_t)
-files_read_usr_files(mencoder_t)
fs_search_auto_mountpoints(mencoder_t)
@@ -82,7 +81,7 @@ userdom_manage_user_tmp_files(mencoder_t)
userdom_manage_user_home_content_dirs(mencoder_t)
userdom_manage_user_home_content_files(mencoder_t)
-userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file })
+userdom_filetrans_home_content(mencoder_t)
ifndef(`enable_mls',`
fs_list_dos(mencoder_t)
@@ -95,15 +94,15 @@ ifndef(`enable_mls',`
fs_read_iso9660_files(mencoder_t)
')
-tunable_policy(`allow_execmem',`
- allow mencoder_t self:process execmem;
+tunable_policy(`deny_execmem',`',`
+ allow mencoder_t self:process execmem;
')
-tunable_policy(`allow_execmod',`
+tunable_policy(`selinuxuser_execmod',`
dev_execmod_zero(mencoder_t)
')
-tunable_policy(`allow_mplayer_execstack',`
+tunable_policy(`mplayer_execstack',`
allow mencoder_t self:process { execmem execstack };
')
@@ -183,7 +182,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t)
files_read_non_security_files(mplayer_t)
files_list_home(mplayer_t)
files_read_etc_runtime_files(mplayer_t)
-files_read_usr_files(mplayer_t)
fs_getattr_all_fs(mplayer_t)
fs_search_auto_mountpoints(mplayer_t)
@@ -204,7 +202,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
userdom_manage_user_home_content_dirs(mplayer_t)
userdom_manage_user_home_content_files(mplayer_t)
-userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
+userdom_filetrans_home_content(mplayer_t)
userdom_write_user_tmp_sockets(mplayer_t)
@@ -221,15 +219,15 @@ ifndef(`enable_mls',`
fs_read_iso9660_files(mplayer_t)
')
-tunable_policy(`allow_execmem',`
- allow mplayer_t self:process execmem;
+tunable_policy(`deny_execmem',`',`
+ allow mplayer_t self:process execmem;
')
-tunable_policy(`allow_execmod',`
+tunable_policy(`selinuxuser_execmod',`
dev_execmod_zero(mplayer_t)
')
-tunable_policy(`allow_mplayer_execstack',`
+tunable_policy(`mplayer_execstack',`
allow mplayer_t self:process { execmem execstack };
')
@@ -245,7 +243,7 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_symlinks(mplayer_t)
')
-tunable_policy(`allow_mplayer_execstack',`
+tunable_policy(`mplayer_execstack',`
allow mplayer_t mplayer_tmpfs_t:file execute;
')
diff --git a/mrtg.te b/mrtg.te
index 65a246a..fa86320 100644
--- a/mrtg.te
+++ b/mrtg.te
@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t)
corecmd_exec_bin(mrtg_t)
corecmd_exec_shell(mrtg_t)
-corenet_all_recvfrom_unlabeled(mrtg_t)
corenet_all_recvfrom_netlabel(mrtg_t)
corenet_tcp_sendrecv_generic_if(mrtg_t)
corenet_tcp_sendrecv_generic_node(mrtg_t)
@@ -82,7 +81,6 @@ domain_dontaudit_search_all_domains_state(mrtg_t)
files_getattr_tmp_dirs(mrtg_t)
files_read_etc_runtime_files(mrtg_t)
-files_read_usr_files(mrtg_t)
files_search_var(mrtg_t)
files_search_locks(mrtg_t)
files_search_var_lib(mrtg_t)
@@ -105,13 +103,12 @@ libs_read_lib_files(mrtg_t)
logging_send_syslog_msg(mrtg_t)
-miscfiles_read_localization(mrtg_t)
-
selinux_dontaudit_getattr_dir(mrtg_t)
-userdom_use_user_terminals(mrtg_t)
+userdom_use_inherited_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+userdom_dontaudit_list_admin_dir(mrtg_t)
netutils_domtrans_ping(mrtg_t)
diff --git a/mta.fc b/mta.fc
index f42896c..cb2791a 100644
--- a/mta.fc
+++ b/mta.fc
@@ -2,33 +2,43 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
-HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
-/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
+/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
/etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
-/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
-
-/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/etc/mail/.*\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+ifdef(`distro_redhat',`
+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+')
+
+/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
index ed81cac..e3840c1 100644
--- a/mta.if
+++ b/mta.if
@@ -1,4 +1,4 @@
-## Common e-mail transfer agent policy.
+## Policy common to all email tranfer agents.
########################################
##
@@ -18,23 +18,37 @@ interface(`mta_stub',`
#######################################
##
-## The template to define a mail domain.
+## Basic mail transfer agent domain template.
##
+##
+##
+## This template creates a derived domain which is
+## a email transfer agent, which sends mail on
+## behalf of the user.
+##
+##
+## This is the basic types and rules, common
+## to the system agent and user agents.
+##
+##
##
##
-## Domain prefix to be used.
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
##
##
+##
#
template(`mta_base_mail_template',`
+
gen_require(`
attribute user_mail_domain;
type sendmail_exec_t;
')
- ########################################
+ ##############################
#
- # Declarations
+ # $1_mail_t declarations
#
type $1_mail_t, user_mail_domain;
@@ -43,17 +57,18 @@ template(`mta_base_mail_template',`
type $1_mail_tmp_t;
files_tmp_file($1_mail_tmp_t)
- ########################################
- #
- # Declarations
- #
-
manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
+ kernel_read_system_state($1_mail_t)
+
+ corenet_all_recvfrom_netlabel($1_mail_t)
+
auth_use_nsswitch($1_mail_t)
+ logging_send_syslog_msg($1_mail_t)
+
optional_policy(`
postfix_domtrans_user_mail_handler($1_mail_t)
')
@@ -61,61 +76,41 @@ template(`mta_base_mail_template',`
########################################
##
-## Role access for mta.
+## Role access for mta
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
#
interface(`mta_role',`
gen_require(`
attribute mta_user_agent;
- attribute_role user_mail_roles;
- type user_mail_t, sendmail_exec_t, mail_home_t;
- type user_mail_tmp_t, mail_home_rw_t;
+ type user_mail_t, sendmail_exec_t;
')
- roleattribute $1 user_mail_roles;
-
- # this is something i need to fix
- # i dont know if and why it is needed
- # will role attribute work?
- role $1 types mta_user_agent;
+ role $1 types { user_mail_t mta_user_agent };
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, sendmail_exec_t, user_mail_t)
allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
- allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms };
- ps_process_pattern($2, { user_mail_t mta_user_agent })
-
- allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue")
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward")
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc")
- userdom_user_home_dir_filetrans($2, mail_home_t, file, "dead.letter")
-
- allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
- allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
-
- allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms };
+ allow mta_user_agent $2:fd use;
+ allow mta_user_agent $2:process sigchld;
+ allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms;
optional_policy(`
exim_run($2, $1)
')
optional_policy(`
- mailman_run($2, $1)
+ mailman_run(mta_user_agent, $1)
')
')
@@ -163,125 +158,23 @@ interface(`mta_agent_executable',`
application_executable_file($1)
')
-#######################################
-##
-## Read mta mail home files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`mta_read_mail_home_files',`
- gen_require(`
- type mail_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 mail_home_t:file read_file_perms;
-')
-
-#######################################
-##
-## Create, read, write, and delete
-## mta mail home files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`mta_manage_mail_home_files',`
- gen_require(`
- type mail_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 mail_home_t:file manage_file_perms;
-')
-
-########################################
-##
-## Create specified objects in user home
-## directories with the generic mail
-## home type.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
-#
-interface(`mta_home_filetrans_mail_home',`
- gen_require(`
- type mail_home_t;
- ')
-
- userdom_user_home_dir_filetrans($1, mail_home_t, $2, $3)
-')
-
-#######################################
-##
-## Create, read, write, and delete
-## mta mail home rw content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`mta_manage_mail_home_rw_content',`
- gen_require(`
- type mail_home_rw_t;
- ')
-
- userdom_search_user_home_dirs($1)
- manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
- manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
- manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
-')
-
-########################################
+######################################
##
-## Create specified objects in user home
-## directories with the generic mail
-## home rw type.
+## Dontaudit read and write an leaked file descriptors
##
##
##
-## Domain allowed access.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
+## Domain to not audit.
##
##
#
-interface(`mta_home_filetrans_mail_home_rw',`
+interface(`mta_dontaudit_leaks_system_mail',`
gen_require(`
- type mail_home_rw_t;
+ type system_mail_t;
')
- userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3)
+ dontaudit $1 system_mail_t:fifo_file write;
+ dontaudit $1 system_mail_t:tcp_socket { read write };
')
########################################
@@ -334,7 +227,6 @@ interface(`mta_sendmail_mailserver',`
')
init_system_domain($1, sendmail_exec_t)
-
typeattribute $1 mailserver_domain;
')
@@ -374,6 +266,15 @@ interface(`mta_mailserver_delivery',`
')
typeattribute $1 mailserver_delivery;
+
+ userdom_home_manager($1)
+
+ optional_policy(`
+ mta_rw_delivery_tcp_sockets($1)
+ ')
+
+ userdom_filetrans_home_content($1)
+
')
#######################################
@@ -394,6 +295,12 @@ interface(`mta_mailserver_user_agent',`
')
typeattribute $1 mta_user_agent;
+
+ optional_policy(`
+ # apache should set close-on-exec
+ apache_dontaudit_rw_stream_sockets($1)
+ apache_dontaudit_rw_sys_script_stream_sockets($1)
+ ')
')
########################################
@@ -408,14 +315,19 @@ interface(`mta_mailserver_user_agent',`
#
interface(`mta_send_mail',`
gen_require(`
+ attribute mta_user_agent;
type system_mail_t;
attribute mta_exec_type;
')
- corecmd_search_bin($1)
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+ corecmd_read_bin_symlinks($1)
domtrans_pattern($1, mta_exec_type, system_mail_t)
- allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+ allow mta_user_agent $1:fd use;
+ allow mta_user_agent $1:process sigchld;
+ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
')
########################################
@@ -445,18 +357,24 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
- type sendmail_exec_t;
+ attribute mta_exec_type;
+ attribute mta_user_agent;
')
- corecmd_search_bin($1)
- domain_auto_trans($1, sendmail_exec_t, $2)
+ files_search_usr($1)
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+ corecmd_read_bin_symlinks($1)
- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
+ allow $2 mta_exec_type:file entrypoint;
+ domtrans_pattern($1, mta_exec_type, $2)
+ allow mta_user_agent $1:fd use;
+ allow mta_user_agent $1:process sigchld;
+ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
')
########################################
##
-## Send signals to system mail.
+## Send system mail client a signal
##
##
##
@@ -464,7 +382,6 @@ interface(`mta_sendmail_domtrans',`
##
##
#
-#
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
@@ -475,7 +392,43 @@ interface(`mta_signal_system_mail',`
########################################
##
-## Send kill signals to system mail.
+## Send all user mail client a signal
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_signal_user_agent',`
+ gen_require(`
+ attribute mta_user_agent;
+ ')
+
+ allow $1 mta_user_agent:process signal;
+')
+
+########################################
+##
+## Send all user mail client a kill signal
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_kill_user_agent',`
+ gen_require(`
+ attribute mta_user_agent;
+ ')
+
+ allow $1 mta_user_agent:process sigkill;
+')
+
+########################################
+##
+## Send system mail client a kill signal
##
##
##
@@ -506,13 +459,32 @@ interface(`mta_sendmail_exec',`
type sendmail_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, sendmail_exec_t)
')
########################################
##
-## Read mail server configuration content.
+## Check whether sendmail executable
+## files are executable.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_sendmail_access_check',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 sendmail_exec_t:file { getattr_file_perms execute };
+')
+
+########################################
+##
+## Read mail server configuration.
##
##
##
@@ -528,13 +500,13 @@ interface(`mta_read_config',`
files_search_etc($1)
allow $1 etc_mail_t:dir list_dir_perms;
- allow $1 etc_mail_t:file read_file_perms;
- allow $1 etc_mail_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, etc_mail_t, etc_mail_t)
+ read_lnk_files_pattern($1, etc_mail_t, etc_mail_t)
')
########################################
##
-## Write mail server configuration files.
+## write mail server configuration.
##
##
##
@@ -548,33 +520,31 @@ interface(`mta_write_config',`
type etc_mail_t;
')
- files_search_etc($1)
write_files_pattern($1, etc_mail_t, etc_mail_t)
')
########################################
##
-## Read mail address alias files.
+## Manage mail server configuration.
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`mta_read_aliases',`
+interface(`mta_manage_config',`
gen_require(`
- type etc_aliases_t;
+ type etc_mail_t;
')
- files_search_etc($1)
- allow $1 etc_aliases_t:file read_file_perms;
+ manage_files_pattern($1, etc_mail_t, etc_mail_t)
')
########################################
##
-## Create, read, write, and delete
-## mail address alias content.
+## Read mail address aliases.
##
##
##
@@ -582,84 +552,66 @@ interface(`mta_read_aliases',`
##
##
#
-interface(`mta_manage_aliases',`
+interface(`mta_read_aliases',`
gen_require(`
type etc_aliases_t;
')
files_search_etc($1)
- manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
- manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ allow $1 etc_aliases_t:file read_file_perms;
+ allow $1 etc_aliases_t:lnk_file read_lnk_file_perms;
')
########################################
##
-## Create specified object in generic
-## etc directories with the mail address
-## alias type.
+## Create, read, write, and delete mail address aliases.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## The object class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
#
-interface(`mta_etc_filetrans_aliases',`
+interface(`mta_manage_aliases',`
gen_require(`
type etc_aliases_t;
')
- files_etc_filetrans($1, etc_aliases_t, $2, $3)
+ files_search_etc($1)
+ manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ mta_etc_filetrans_aliases($1, "aliases")
+ mta_etc_filetrans_aliases($1, "aliases.db")
+ mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
')
########################################
##
-## Create specified objects in specified
-## directories with a type transition to
-## the mail address alias type.
+## Type transition files created in /etc
+## to the mail address aliases type.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Directory to transition on.
-##
-##
-##
-##
-## The object class of the object being created.
-##
-##
##
##
## The name of the object being created.
##
##
#
-interface(`mta_spec_filetrans_aliases',`
+interface(`mta_etc_filetrans_aliases',`
gen_require(`
type etc_aliases_t;
')
- filetrans_pattern($1, $2, etc_aliases_t, $3, $4)
+ files_etc_filetrans($1, etc_aliases_t, file, $2)
')
########################################
##
-## Read and write mail alias files.
+## Read and write mail aliases.
##
##
##
@@ -674,14 +626,13 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
- allow $1 etc_aliases_t:file rw_file_perms;
+ allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms };
')
#######################################
##
-## Do not audit attempts to read
-## and write TCP sockets of mail
-## delivery domains.
+## Do not audit attempts to read and write TCP
+## sockets of mail delivery domains.
##
##
##
@@ -697,6 +648,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
dontaudit $1 mailserver_delivery:tcp_socket { read write };
')
+######################################
+##
+## Allow attempts to read and write TCP
+## sockets of mail delivery domains.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`mta_rw_delivery_tcp_sockets',`
+ gen_require(`
+ attribute mailserver_delivery;
+ ')
+
+ allow $1 mailserver_delivery:tcp_socket { read write };
+')
+
#######################################
##
## Connect to all mail servers over TCP. (Deprecated)
@@ -713,8 +683,8 @@ interface(`mta_tcp_connect_all_mailservers',`
#######################################
##
-## Do not audit attempts to read
-## mail spool symlinks.
+## Do not audit attempts to read a symlink
+## in the mail spool.
##
##
##
@@ -732,7 +702,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
########################################
##
-## Get attributes of mail spool content.
+## Get the attributes of mail spool files.
##
##
##
@@ -753,8 +723,8 @@ interface(`mta_getattr_spool',`
########################################
##
-## Do not audit attempts to get
-## attributes of mail spool files.
+## Do not audit attempts to get the attributes
+## of mail spool files.
##
##
##
@@ -775,9 +745,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
#######################################
##
-## Create specified objects in the
-## mail spool directory with a
-## private type.
+## Create private objects in the
+## mail spool directory.
##
##
##
@@ -811,7 +780,7 @@ interface(`mta_spool_filetrans',`
#######################################
##
-## Read mail spool files.
+## Read the mail spool.
##
##
##
@@ -819,10 +788,10 @@ interface(`mta_spool_filetrans',`
##
##
#
-interface(`mta_read_spool_files',`
- gen_require(`
- type mail_spool_t;
- ')
+interface(`mta_read_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
files_search_spool($1)
read_files_pattern($1, mail_spool_t, mail_spool_t)
@@ -830,7 +799,7 @@ interface(`mta_read_spool_files',`
########################################
##
-## Read and write mail spool files.
+## Read and write the mail spool.
##
##
##
@@ -845,13 +814,14 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
- allow $1 mail_spool_t:file rw_file_perms;
- allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+ allow $1 mail_spool_t:file setattr_file_perms;
+ manage_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
#######################################
##
-## Create, read, and write mail spool files.
+## Create, read, and write the mail spool.
##
##
##
@@ -866,13 +836,14 @@ interface(`mta_append_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
- manage_files_pattern($1, mail_spool_t, mail_spool_t)
- allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+ create_files_pattern($1, mail_spool_t, mail_spool_t)
+ write_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
#######################################
##
-## Delete mail spool files.
+## Delete from the mail spool.
##
##
##
@@ -891,8 +862,7 @@ interface(`mta_delete_spool',`
########################################
##
-## Create, read, write, and delete
-## mail spool content.
+## Create, read, write, and delete mail spool files.
##
##
##
@@ -911,45 +881,9 @@ interface(`mta_manage_spool',`
manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-#######################################
-##
-## Create specified objects in the
-## mail queue spool directory with a
-## private type.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## The type of the object to be created.
-##
-##
-##
-##
-## The object class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
-#
-interface(`mta_queue_filetrans',`
- gen_require(`
- type mqueue_spool_t;
- ')
-
- files_search_spool($1)
- filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
-')
-
########################################
##
-## Search mail queue directories.
+## Search mail queue dirs.
##
##
##
@@ -968,7 +902,7 @@ interface(`mta_search_queue',`
#######################################
##
-## List mail queue directories.
+## List the mail queue.
##
##
##
@@ -981,13 +915,13 @@ interface(`mta_list_queue',`
type mqueue_spool_t;
')
- files_search_spool($1)
allow $1 mqueue_spool_t:dir list_dir_perms;
+ files_search_spool($1)
')
#######################################
##
-## Read mail queue files.
+## Read the mail queue.
##
##
##
@@ -1000,14 +934,14 @@ interface(`mta_read_queue',`
type mqueue_spool_t;
')
- files_search_spool($1)
read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+ files_search_spool($1)
')
#######################################
##
## Do not audit attempts to read and
-## write mail queue content.
+## write the mail queue.
##
##
##
@@ -1027,7 +961,7 @@ interface(`mta_dontaudit_rw_queue',`
########################################
##
## Create, read, write, and delete
-## mail queue content.
+## mail queue files.
##
##
##
@@ -1047,6 +981,41 @@ interface(`mta_manage_queue',`
#######################################
##
+## Create private objects in the
+## mqueue spool directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created.
+##
+##
+##
+##
+## The object class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`mta_spool_filetrans_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
+')
+
+#######################################
+##
## Read sendmail binary.
##
##
@@ -1055,6 +1024,7 @@ interface(`mta_manage_queue',`
##
##
#
+# cjp: added for postfix
interface(`mta_read_sendmail_bin',`
gen_require(`
type sendmail_exec_t;
@@ -1065,8 +1035,8 @@ interface(`mta_read_sendmail_bin',`
#######################################
##
-## Read and write unix domain stream
-## sockets of all base mail domains.
+## Read and write unix domain stream sockets
+## of user mail domains.
##
##
##
@@ -1081,3 +1051,175 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
+
+########################################
+##
+## Type transition files created in calling dir
+## to the mail address aliases type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Directory to transition on.
+##
+##
+#
+interface(`mta_filetrans_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ filetrans_pattern($1, $2, etc_aliases_t, file)
+')
+
+######################################
+##
+## ALlow domain to read mail content in the homedir
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_read_home',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, mail_home_t, mail_home_t)
+
+ ifdef(`distro_redhat',`
+ userdom_search_admin_dir($1)
+ ')
+')
+
+####################################
+##
+## ALlow domain to read mail content in the homedir
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_read_home_rw',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+
+ ifdef(`distro_redhat',`
+ userdom_search_admin_dir($1)
+ ')
+')
+
+####################################
+##
+## Allow domain to manage mail content in the homedir
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_manage_home_rw',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ userdom_search_admin_dir($1)
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+
+ ifdef(`distro_redhat',`
+ userdom_search_admin_dir($1)
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ ')
+')
+
+########################################
+##
+## create mail content in the in the /root directory
+## with an correct label.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_filetrans_admin_home_content',`
+ gen_require(`
+ type mail_home_t;
+ type mail_home_rw_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+')
+
+########################################
+##
+## Transition to mta named home content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_filetrans_home_content',`
+ gen_require(`
+ type mail_home_t;
+ type mail_home_rw_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+')
+
+########################################
+##
+## Transition to mta named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_filetrans_named_content',`
+ gen_require(`
+ type etc_aliases_t;
+ type etc_mail_t;
+ ')
+
+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
+ mta_etc_filetrans_aliases($1, "aliases")
+ mta_etc_filetrans_aliases($1, "aliases.db")
+ mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
+ mta_filetrans_home_content($1)
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
index ff1d68c..4bf6d3b 100644
--- a/mta.te
+++ b/mta.te
@@ -14,8 +14,6 @@ attribute mailserver_sender;
attribute user_mail_domain;
-attribute_role user_mail_roles;
-
type etc_aliases_t;
files_type(etc_aliases_t)
@@ -30,9 +28,11 @@ userdom_user_home_content(mail_home_rw_t)
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
+files_spool_file(mqueue_spool_t)
type mail_spool_t;
files_mountpoint(mail_spool_t)
+files_spool_file(mail_spool_t)
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
@@ -43,11 +43,9 @@ role system_r types system_mail_t;
mta_base_mail_template(user)
typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
-userdom_user_application_type(user_mail_t)
-role user_mail_roles types user_mail_t;
-
typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
+userdom_user_application_type(user_mail_t)
userdom_user_tmp_file(user_mail_tmp_t)
########################################
@@ -79,12 +77,10 @@ allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
kernel_read_crypto_sysctls(user_mail_domain)
-kernel_read_system_state(user_mail_domain)
kernel_read_kernel_sysctls(user_mail_domain)
kernel_read_network_state(user_mail_domain)
kernel_request_load_module(user_mail_domain)
-corenet_all_recvfrom_netlabel(user_mail_domain)
corenet_tcp_sendrecv_generic_if(user_mail_domain)
corenet_tcp_sendrecv_generic_node(user_mail_domain)
@@ -107,10 +103,6 @@ fs_getattr_all_fs(user_mail_domain)
init_dontaudit_rw_utmp(user_mail_domain)
-logging_send_syslog_msg(user_mail_domain)
-
-miscfiles_read_localization(user_mail_domain)
-
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(user_mail_domain)
fs_manage_cifs_files(user_mail_domain)
@@ -124,6 +116,11 @@ tunable_policy(`use_nfs_home_dirs',`
')
optional_policy(`
+ antivirus_stream_connect(user_mail_domain)
+ antivirus_stream_connect(mta_user_agent)
+')
+
+optional_policy(`
courier_manage_spool_dirs(user_mail_domain)
courier_manage_spool_files(user_mail_domain)
courier_rw_spool_pipes(user_mail_domain)
@@ -150,6 +147,11 @@ optional_policy(`
')
optional_policy(`
+ openshift_rw_inherited_content(mta_user_agent)
+ openshift_dontaudit_rw_inherited_fifo_files(mta_user_agent)
+')
+
+optional_policy(`
procmail_exec(user_mail_domain)
')
@@ -171,52 +173,69 @@ optional_policy(`
# System local policy
#
+# newalias required this, not sure if it is needed in 'if' file
allow system_mail_t self:capability { dac_override fowner };
-
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
-
-read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
+dontaudit system_mail_t self:capability net_admin;
allow system_mail_t mail_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, "dead.letter")
-allow system_mail_t user_mail_domain:dir list_dir_perms;
-allow system_mail_t user_mail_domain:file read_file_perms;
-allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms;
+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
corecmd_exec_shell(system_mail_t)
-dev_read_rand(system_mail_t)
dev_read_sysfs(system_mail_t)
+dev_read_rand(system_mail_t)
+dev_read_urand(system_mail_t)
-fs_rw_anon_inodefs_files(system_mail_t)
-selinux_getattr_fs(system_mail_t)
+fs_rw_anon_inodefs_files(system_mail_t)
term_dontaudit_use_unallocated_ttys(system_mail_t)
init_use_script_ptys(system_mail_t)
+init_dontaudit_rw_stream_socket(system_mail_t)
+
+userdom_use_inherited_user_terminals(system_mail_t)
+userdom_dontaudit_list_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
-userdom_use_user_terminals(system_mail_t)
+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
+manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
+
+allow system_mail_t mail_home_t:file manage_file_perms;
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
+
+
+logging_append_all_logs(system_mail_t)
+
+logging_send_syslog_msg(system_mail_t)
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
+
+ # apache should set close-on-exec
apache_dontaudit_append_log(system_mail_t)
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+ apache_dontaudit_rw_tmp_files(system_mail_t)
+
+ apache_dontaudit_rw_fifo_file(user_mail_domain)
+ apache_dontaudit_rw_fifo_file(mta_user_agent)
+ # apache should set close-on-exec
+ apache_dontaudit_rw_stream_sockets(mta_user_agent)
+ apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent)
+ apache_append_log(mta_user_agent)
')
optional_policy(`
arpwatch_manage_tmp_files(system_mail_t)
- ifdef(`hide_broken_symptoms',`
- arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
- ')
+ ifdef(`hide_broken_symptoms', `
+ arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
+ ')
+
')
optional_policy(`
@@ -225,17 +244,21 @@ optional_policy(`
')
optional_policy(`
- clamav_stream_connect(system_mail_t)
- clamav_append_log(system_mail_t)
+ courier_stream_connect_authdaemon(system_mail_t)
')
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
+ cron_rw_inherited_spool_files(system_mail_t)
+ cron_rw_inherited_user_spool_files(system_mail_t)
')
optional_policy(`
+ courier_manage_spool_dirs(system_mail_t)
+ courier_manage_spool_files(system_mail_t)
+ courier_rw_spool_pipes(system_mail_t)
courier_stream_connect_authdaemon(system_mail_t)
')
@@ -246,6 +269,7 @@ optional_policy(`
optional_policy(`
fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
fail2ban_append_log(system_mail_t)
+ fail2ban_dontaudit_leaks(system_mail_t)
fail2ban_rw_inherited_tmp_files(system_mail_t)
')
@@ -258,10 +282,15 @@ optional_policy(`
')
optional_policy(`
+ # newaliases runs as system_mail_t when the sendmail initscript does a restart
milter_getattr_all_sockets(system_mail_t)
')
optional_policy(`
+ munin_dontaudit_leaks(system_mail_t)
+')
+
+optional_policy(`
nagios_read_tmp_files(system_mail_t)
')
@@ -272,6 +301,15 @@ optional_policy(`
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
+
+ domain_use_interactive_fds(system_mail_t)
+')
+
+optional_policy(`
+ qmail_domtrans_inject(system_mail_t)
+ qmail_manage_spool_dirs(system_mail_t)
+ qmail_manage_spool_files(system_mail_t)
+ qmail_rw_spool_pipes(system_mail_t)
')
optional_policy(`
@@ -287,42 +325,36 @@ optional_policy(`
')
optional_policy(`
- spamassassin_stream_connect_spamd(system_mail_t)
+ spamd_stream_connect(system_mail_t)
')
optional_policy(`
smartmon_read_tmp_files(system_mail_t)
')
-########################################
-#
-# MTA user agent local policy
-#
-
-userdom_use_user_terminals(mta_user_agent)
-
-optional_policy(`
- apache_append_log(mta_user_agent)
-')
+# should break this up among sections:
optional_policy(`
+ # why is mail delivered to a directory of type arpwatch_data_t?
+ arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
- ifdef(`hide_broken_symptoms',`
- arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
- ')
-
optional_policy(`
cron_read_system_job_tmp_files(mta_user_agent)
')
')
+ifdef(`hide_broken_symptoms',`
+ domain_dontaudit_leaks(user_mail_domain)
+ domain_dontaudit_leaks(mta_user_agent)
+')
+
########################################
#
# Mailserver delivery local policy
#
-allow mailserver_delivery self:fifo_file rw_fifo_file_perms;
+allow mailserver_delivery self:fifo_file rw_inherited_fifo_file_perms;
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -331,40 +363,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+userdom_search_admin_dir(mailserver_delivery)
+read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
+
manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-manage_files_pattern(mailserver_delivery, { mail_home_t mail_home_rw_t }, { mail_home_t mail_home_rw_t })
+manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, "dead.letter")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, "Maildir")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, ".maildir")
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mailserver_delivery)
- fs_manage_cifs_files(mailserver_delivery)
- fs_read_cifs_symlinks(mailserver_delivery)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mailserver_delivery)
- fs_manage_nfs_files(mailserver_delivery)
- fs_read_nfs_symlinks(mailserver_delivery)
-')
-
optional_policy(`
- arpwatch_search_data(mailserver_delivery)
+ dovecot_manage_spool(mailserver_delivery)
+ dovecot_domtrans_deliver(mailserver_delivery)
')
optional_policy(`
- dovecot_manage_spool(mailserver_delivery)
- dovecot_domtrans_deliver(mailserver_delivery)
+ logwatch_search_cache_dir(mailserver_delivery)
')
optional_policy(`
+ # so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib(mailserver_delivery)
mailman_domtrans(mailserver_delivery)
@@ -372,6 +390,13 @@ optional_policy(`
')
optional_policy(`
+ mailman_manage_data_files(mailserver_domain)
+ mailman_domtrans(mailserver_domain)
+ mailman_append_log(mailserver_domain)
+ mailman_read_log(mailserver_domain)
+')
+
+optional_policy(`
postfix_rw_inherited_master_pipes(mailserver_delivery)
')
@@ -381,24 +406,49 @@ optional_policy(`
########################################
#
-# User local policy
+# User send mail local policy
#
-manage_files_pattern(user_mail_t, mail_home_t, mail_home_t)
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, "dead.letter")
+domain_use_interactive_fds(user_mail_t)
+
+userdom_use_inherited_user_terminals(user_mail_t)
+# Write to the user domain tty. cjp: why?
+userdom_use_inherited_user_terminals(mta_user_agent)
+# Create dead.letter in user home directories.
+userdom_manage_user_home_content_files(user_mail_t)
+userdom_filetrans_home_content(user_mail_t)
+# for reading .forward - maybe we need a new type for it?
+# also for delivering mail to maildir
+userdom_manage_user_home_content_dirs(mailserver_delivery)
+userdom_manage_user_home_content_files(mailserver_delivery)
+userdom_manage_user_home_content_symlinks(mailserver_delivery)
+userdom_manage_user_home_content_pipes(mailserver_delivery)
+userdom_manage_user_home_content_sockets(mailserver_delivery)
+allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;
+
+# Read user temporary files.
+userdom_read_user_tmp_files(user_mail_t)
+userdom_dontaudit_append_user_tmp_files(user_mail_t)
+# cjp: this should probably be read all user tmp
+# files in an appropriate place for mta_user_agent
+userdom_read_user_tmp_files(mta_user_agent)
dev_read_sysfs(user_mail_t)
-userdom_use_user_terminals(user_mail_t)
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(user_mail_t)
+ fs_manage_cifs_symlinks(user_mail_t)
+')
optional_policy(`
allow user_mail_t self:capability dac_override;
+ # Read user temporary files.
+ # postfix seems to need write access if the file handle is opened read/write
userdom_rw_user_tmp_files(user_mail_t)
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
+
+
diff --git a/munin.fc b/munin.fc
index eb4b72a..4968324 100644
--- a/munin.fc
+++ b/munin.fc
@@ -1,77 +1,79 @@
-/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
-
+/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0)
-/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
-
-/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
-
+/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+# label all plugins as unconfined_munin_plugin_exec_t
/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+# disk plugins
+/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+# mail plugins
+/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+# services plugins
+/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+# selinux plugins
/usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0)
+# system plugins
/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0)
-
-/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
-
-/var/run/munin.* gen_context(system_u:object_r:munin_var_run_t,s0)
-
-/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
+/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+/var/www/cgi-bin/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
diff --git a/munin.if b/munin.if
index b744fe3..4c1b6a8 100644
--- a/munin.if
+++ b/munin.if
@@ -1,12 +1,13 @@
-## Munin network-wide load graphing.
+## Munin network-wide load graphing (formerly LRRD)
-#######################################
+########################################
##
-## The template to define a munin plugin domain.
+## Create a set of derived types for various
+## munin plugins,
##
-##
+##
##
-## Domain prefix to be used.
+## The name to be used for deriving type names.
##
##
#
@@ -14,12 +15,8 @@ template(`munin_plugin_template',`
gen_require(`
attribute munin_plugin_domain, munin_plugin_tmp_content;
type munin_t;
- ')
- ########################################
- #
- # Declarations
- #
+ ')
type $1_munin_plugin_t, munin_plugin_domain;
type $1_munin_plugin_exec_t;
@@ -33,15 +30,22 @@ template(`munin_plugin_template',`
files_tmp_file($1_munin_plugin_tmp_t)
########################################
- #
- # Policy
- #
+ #
+ # Policy
+ #
+ # automatic transition rules from munin domain
+ # to specific munin plugin domain
domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
+
+ kernel_read_system_state($1_munin_plugin_t)
+
+ corenet_all_recvfrom_unlabeled($1_munin_plugin_t)
+ corenet_all_recvfrom_netlabel($1_munin_plugin_t)
')
########################################
@@ -66,7 +70,7 @@ interface(`munin_stream_connect',`
#######################################
##
-## Read munin configuration content.
+## Read munin configuration files.
##
##
##
@@ -80,15 +84,53 @@ interface(`munin_read_config',`
type munin_etc_t;
')
- files_search_etc($1)
allow $1 munin_etc_t:dir list_dir_perms;
allow $1 munin_etc_t:file read_file_perms;
allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
+ files_search_etc($1)
')
#######################################
##
-## Append munin log files.
+## Read munin library files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`munin_read_var_lib_files',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
+
+')
+
+######################################
+##
+## dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`munin_dontaudit_leaks',`
+ gen_require(`
+ type munin_t;
+ ')
+
+ dontaudit $1 munin_t:tcp_socket { read write };
+')
+
+#######################################
+##
+## Append to the munin log.
##
##
##
@@ -147,8 +189,8 @@ interface(`munin_dontaudit_search_lib',`
########################################
##
-## All of the rules required to
-## administrate an munin environment.
+## All of the rules required to administrate
+## an munin environment
##
##
##
@@ -157,7 +199,7 @@ interface(`munin_dontaudit_search_lib',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the munin domain.
##
##
##
@@ -170,8 +212,12 @@ interface(`munin_admin',`
type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
')
- allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { munin_plugin_domain munin_t })
+ allow $1 munin_t:process signal_perms;
+ ps_process_pattern($1, munin_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 munin_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
index b708708..cead88c 100644
--- a/munin.te
+++ b/munin.te
@@ -44,12 +44,15 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
munin_plugin_template(system)
munin_plugin_template(unconfined)
+type httpd_munin_script_tmp_t;
+files_tmp_file(httpd_munin_script_tmp_t)
+
################################
#
# Common munin plugin local policy
#
-allow munin_plugin_domain self:process signal;
+allow munin_plugin_domain self:process signal_perms;
allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
@@ -62,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
-kernel_read_system_state(munin_plugin_domain)
-
-corenet_all_recvfrom_unlabeled(munin_plugin_domain)
-corenet_all_recvfrom_netlabel(munin_plugin_domain)
corenet_tcp_sendrecv_generic_if(munin_plugin_domain)
corenet_tcp_sendrecv_generic_node(munin_plugin_domain)
corecmd_exec_bin(munin_plugin_domain)
corecmd_exec_shell(munin_plugin_domain)
-files_read_etc_files(munin_plugin_domain)
-files_read_usr_files(munin_plugin_domain)
files_search_var_lib(munin_plugin_domain)
fs_getattr_all_fs(munin_plugin_domain)
-miscfiles_read_localization(munin_plugin_domain)
+auth_read_passwd(munin_plugin_domain)
optional_policy(`
nscd_use(munin_plugin_domain)
@@ -118,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
-read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
+rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
@@ -134,7 +131,6 @@ kernel_read_all_sysctls(munin_t)
corecmd_exec_bin(munin_t)
corecmd_exec_shell(munin_t)
-corenet_all_recvfrom_unlabeled(munin_t)
corenet_all_recvfrom_netlabel(munin_t)
corenet_tcp_sendrecv_generic_if(munin_t)
corenet_tcp_sendrecv_generic_node(munin_t)
@@ -157,7 +153,6 @@ domain_use_interactive_fds(munin_t)
domain_read_all_domains_state(munin_t)
files_read_etc_runtime_files(munin_t)
-files_read_usr_files(munin_t)
files_list_spool(munin_t)
fs_getattr_all_fs(munin_t)
@@ -169,7 +164,6 @@ logging_send_syslog_msg(munin_t)
logging_read_all_logs(munin_t)
miscfiles_read_fonts(munin_t)
-miscfiles_read_localization(munin_t)
miscfiles_setattr_fonts_cache_dirs(munin_t)
sysnet_exec_ifconfig(munin_t)
@@ -177,13 +171,6 @@ sysnet_exec_ifconfig(munin_t)
userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_user_home_dirs(munin_t)
-optional_policy(`
- apache_content_template(munin)
-
- manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
- manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
- apache_search_sys_content(munin_t)
-')
optional_policy(`
cron_system_entry(munin_t, munin_exec_t)
@@ -217,7 +204,6 @@ optional_policy(`
optional_policy(`
postfix_list_spool(munin_t)
- postfix_getattr_all_spool_files(munin_t)
')
optional_policy(`
@@ -246,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+kernel_read_fs_sysctls(disk_munin_plugin_t)
+
corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t)
-dev_getattr_all_blk_files(disk_munin_plugin_t)
+files_read_etc_runtime_files(disk_munin_plugin_t)
+
dev_getattr_lvm_control(disk_munin_plugin_t)
dev_read_sysfs(disk_munin_plugin_t)
dev_read_urand(disk_munin_plugin_t)
-
-files_read_etc_runtime_files(disk_munin_plugin_t)
+dev_read_all_blk_files(disk_munin_plugin_t)
fs_getattr_all_fs(disk_munin_plugin_t)
fs_getattr_all_dirs(disk_munin_plugin_t)
-storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
+storage_raw_read_fixed_disk(disk_munin_plugin_t)
sysnet_read_config(disk_munin_plugin_t)
@@ -272,6 +260,10 @@ optional_policy(`
fstools_exec(disk_munin_plugin_t)
')
+optional_policy(`
+ rpc_search_nfs_state_data(disk_munin_plugin_t)
+')
+
####################################
#
# Mail local policy
@@ -279,27 +271,36 @@ optional_policy(`
allow mail_munin_plugin_t self:capability dac_override;
+allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+
rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
dev_read_urand(mail_munin_plugin_t)
logging_read_generic_logs(mail_munin_plugin_t)
+sysnet_read_config(mail_munin_plugin_t)
+
+optional_policy(`
+ exim_read_log(mail_munin_plugin_t)
+')
+
optional_policy(`
- mta_list_queue(mail_munin_plugin_t)
mta_read_config(mail_munin_plugin_t)
- mta_read_queue(mail_munin_plugin_t)
mta_send_mail(mail_munin_plugin_t)
+ mta_list_queue(mail_munin_plugin_t)
+ mta_read_queue(mail_munin_plugin_t)
')
optional_policy(`
- nscd_use(mail_munin_plugin_t)
+ nscd_socket_use(mail_munin_plugin_t)
')
optional_policy(`
- postfix_getattr_all_spool_files(mail_munin_plugin_t)
postfix_read_config(mail_munin_plugin_t)
postfix_list_spool(mail_munin_plugin_t)
+ postfix_getattr_spool_files(mail_munin_plugin_t)
')
optional_policy(`
@@ -339,7 +340,7 @@ dev_read_rand(services_munin_plugin_t)
sysnet_read_config(services_munin_plugin_t)
optional_policy(`
- bind_read_config(munin_services_plugin_t)
+ bind_read_config(services_munin_plugin_t)
')
optional_policy(`
@@ -361,7 +362,11 @@ optional_policy(`
')
optional_policy(`
- nscd_use(services_munin_plugin_t)
+ nscd_socket_use(services_munin_plugin_t)
+')
+
+optional_policy(`
+ ntp_exec(services_munin_plugin_t)
')
optional_policy(`
@@ -393,6 +398,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
kernel_read_network_state(system_munin_plugin_t)
kernel_read_all_sysctls(system_munin_plugin_t)
+kernel_read_fs_sysctls(system_munin_plugin_t)
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
@@ -421,3 +427,31 @@ optional_policy(`
optional_policy(`
unconfined_domain(unconfined_munin_plugin_t)
')
+
+
+#######################################
+#
+# Munin CGI script local policy
+#
+
+apache_content_template(munin)
+
+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+
+manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t)
+manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t)
+
+read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
+read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
+
+read_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
+append_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
+
+files_search_var_lib(httpd_munin_script_t)
+
+auth_read_passwd(httpd_munin_script_t)
+
+optional_policy(`
+ apache_search_sys_content(munin_t)
+')
diff --git a/mysql.fc b/mysql.fc
index 06f8666..4a315d5 100644
--- a/mysql.fc
+++ b/mysql.fc
@@ -1,12 +1,25 @@
-HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
-
-/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
-/etc/my\.cnf\.d(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
-/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
-
-/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
-
+# mysql database server
+
+#
+# /HOME
+#
+HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
+/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
+
+/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
+/usr/lib/systemd/system/mariadb.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
+
+#
+# /etc
+#
+/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
+
+#
+# /usr
+#
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
@@ -14,14 +27,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
-/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
-/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
-/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
+#
+# /var
+#
+/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
-/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
-/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
+/var/run/mariadb(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
diff --git a/mysql.if b/mysql.if
index 687af38..404ed6d 100644
--- a/mysql.if
+++ b/mysql.if
@@ -1,23 +1,4 @@
-## Open source database.
-
-########################################
-##
-## Role access for mysql.
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-##
-## User domain for the role.
-##
-##
-#
-interface(`mysql_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
+## Policy for MySQL
######################################
##
@@ -34,38 +15,30 @@ interface(`mysql_domtrans',`
type mysqld_t, mysqld_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, mysqld_exec_t, mysqld_t)
')
-########################################
+######################################
##
-## Execute mysqld in the mysqld domain, and
-## allow the specified role the mysqld domain.
+## Execute MySQL in the caller domain.
##
##
##
-## Domain allowed to transition.
-##
-##
-##
-##
-## Role allowed access.
+## Domain allowed access.
##
##
#
-interface(`mysql_run_mysqld',`
+interface(`mysql_exec',`
gen_require(`
- attribute_role mysqld_roles;
+ type mysqld_exec_t;
')
- mysql_domtrans($1)
- roleattribute $2 mysqld_roles;
+ can_exec($1, mysqld_exec_t)
')
########################################
##
-## Send generic signals to mysqld.
+## Send a generic signal to MySQL.
##
##
##
@@ -81,9 +54,27 @@ interface(`mysql_signal',`
allow $1 mysqld_t:process signal;
')
+#######################################
+##
+## Send a null signal to mysql.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_signull',`
+ gen_require(`
+ type mysqld_t;
+ ')
+
+ allow $1 mysqld_t:process signull;
+')
+
########################################
##
-## Connect to mysqld with a tcp socket.
+## Allow the specified domain to connect to postgresql with a tcp socket.
##
##
##
@@ -104,8 +95,7 @@ interface(`mysql_tcp_connect',`
########################################
##
-## Connect to mysqld with a unix
-# domain stream socket.
+## Connect to MySQL using a unix domain stream socket.
##
##
##
@@ -120,12 +110,13 @@ interface(`mysql_stream_connect',`
')
files_search_pids($1)
- stream_connect_pattern($1, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
+ stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
+ stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
')
########################################
##
-## Read mysqld configuration content.
+## Read MySQL configuration files.
##
##
##
@@ -139,7 +130,6 @@ interface(`mysql_read_config',`
type mysqld_etc_t;
')
- files_search_etc($1)
allow $1 mysqld_etc_t:dir list_dir_perms;
allow $1 mysqld_etc_t:file read_file_perms;
allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
@@ -147,7 +137,8 @@ interface(`mysql_read_config',`
########################################
##
-## Search mysqld db directories.
+## Search the directories that contain MySQL
+## database storage.
##
##
##
@@ -155,6 +146,8 @@ interface(`mysql_read_config',`
##
##
#
+# cjp: "_dir" in the name is added to clarify that this
+# is not searching the database itself.
interface(`mysql_search_db',`
gen_require(`
type mysqld_db_t;
@@ -166,7 +159,27 @@ interface(`mysql_search_db',`
########################################
##
-## Read and write mysqld database directories.
+## List the directories that contain MySQL
+## database storage.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_list_db',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Read and write to the MySQL database directory.
##
##
##
@@ -185,8 +198,7 @@ interface(`mysql_rw_db_dirs',`
########################################
##
-## Create, read, write, and delete
-## mysqld database directories.
+## Create, read, write, and delete MySQL database directories.
##
##
##
@@ -205,7 +217,7 @@ interface(`mysql_manage_db_dirs',`
#######################################
##
-## Append mysqld database files.
+## Append to the MySQL database directory.
##
##
##
@@ -224,7 +236,7 @@ interface(`mysql_append_db_files',`
#######################################
##
-## Read and write mysqld database files.
+## Read and write to the MySQL database directory.
##
##
##
@@ -243,8 +255,7 @@ interface(`mysql_rw_db_files',`
#######################################
##
-## Create, read, write, and delete
-## mysqld database files.
+## Create, read, write, and delete MySQL database files.
##
##
##
@@ -263,7 +274,7 @@ interface(`mysql_manage_db_files',`
########################################
##
-## Read and write mysqld database sockets.
+## Read and write to the MySQL database
## named socket.
##
##
@@ -273,13 +284,18 @@ interface(`mysql_manage_db_files',`
##
#
interface(`mysql_rw_db_sockets',`
- refpolicywarn(`$0($*) has been deprecated.')
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir search_dir_perms;
+ allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## mysqld home files.
+## Write to the MySQL log.
##
##
##
@@ -287,86 +303,92 @@ interface(`mysql_rw_db_sockets',`
##
##
#
-interface(`mysql_manage_mysqld_home_files',`
+interface(`mysql_write_log',`
gen_require(`
- type mysqld_home_t;
+ type mysqld_log_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 mysqld_home_t:file manage_file_perms;
+ logging_search_logs($1)
+ allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
')
-########################################
+######################################
##
-## Relabel mysqld home files.
+## Execute MySQL safe script in the mysql safe domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
-interface(`mysql_relabel_mysqld_home_files',`
+interface(`mysql_domtrans_mysql_safe',`
gen_require(`
- type mysqld_home_t;
+ type mysqld_safe_t, mysqld_safe_exec_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 mysqld_home_t:file relabel_file_perms;
+ domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
')
-########################################
+######################################
##
-## Create objects in user home
-## directories with the mysqld home type.
+## Execute MySQL_safe in the caller domain.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Class of the object being created.
-##
-##
-##
+#
+interface(`mysql_safe_exec',`
+ gen_require(`
+ type mysqld_safe_exec_t;
+ ')
+
+ can_exec($1, mysqld_safe_exec_t)
+')
+
+#####################################
+##
+## Read MySQL PID files.
+##
+##
##
-## The name of the object being created.
+## Domain allowed access.
##
##
#
-interface(`mysql_home_filetrans_mysqld_home',`
+interface(`mysql_read_pid_files',`
gen_require(`
- type mysqld_home_t;
+ type mysqld_var_run_t;
')
- userdom_user_home_dir_filetrans($1, mysqld_home_t, $2, $3)
+ mysql_search_pid_files($1)
+ read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
')
-########################################
+#####################################
##
-## Write mysqld log files.
+## Search MySQL PID files.
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`mysql_write_log',`
+interface(`mysql_search_pid_files',`
gen_require(`
- type mysqld_log_t;
+ type mysqld_var_run_t;
')
- logging_search_logs($1)
- allow $1 mysqld_log_t:file write_file_perms;
+ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
')
-######################################
+########################################
##
-## Execute mysqld safe in the
-## mysqld safe domain.
+## Execute mysqld server in the mysqld domain.
##
##
##
@@ -374,18 +396,22 @@ interface(`mysql_write_log',`
##
##
#
-interface(`mysql_domtrans_mysql_safe',`
+interface(`mysql_systemctl',`
gen_require(`
- type mysqld_safe_t, mysqld_safe_exec_t;
+ type mysqld_unit_file_t;
+ type mysqld_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
+ systemd_exec_systemctl($1)
+ allow $1 mysqld_unit_file_t:file read_file_perms;
+ allow $1 mysqld_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, mysqld_t)
')
-#####################################
+########################################
##
-## Read mysqld pid files.
+## read mysqld homedir content (.k5login)
##
##
##
@@ -393,39 +419,37 @@ interface(`mysql_domtrans_mysql_safe',`
##
##
#
-interface(`mysql_read_pid_files',`
+interface(`mysql_read_home_content',`
gen_require(`
- type mysqld_var_run_t;
+ type mysqld_home_t;
')
- files_search_pids($1)
- read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, mysqld_home_t, mysqld_home_t)
')
-#####################################
+########################################
##
-## Search mysqld pid files.
+## Transition to mysqld named content
##
##
##
-## Domain allowed access.
+## Domain allowed access.
##
##
-##
#
-interface(`mysql_search_pid_files',`
+interface(`mysql_filetrans_named_content',`
gen_require(`
- type mysqld_var_run_t;
+ type mysqld_home_t;
')
- files_search_pids($1)
- search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+ userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
+ userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
')
########################################
##
-## All of the rules required to
-## administrate an mysqld environment.
+## All of the rules required to administrate an mysql environment
##
##
##
@@ -434,41 +458,52 @@ interface(`mysql_search_pid_files',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the mysql domain.
##
##
##
#
interface(`mysql_admin',`
gen_require(`
- type mysqld_t, mysqld_var_run_t, mysqld_etc_t;
+ type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t;
type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
- type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t;
- type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t;
+ type mysqld_etc_t;
+ type mysqld_home_t;
+ type mysqld_unit_file_t;
')
- allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t })
+ allow $1 mysqld_t:process signal_perms;
+ ps_process_pattern($1, mysqld_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mysqld_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t })
+ init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
domain_system_change_exemption($1)
- role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
+ role_transition $2 mysqld_initrc_exec_t system_r;
allow $2 system_r;
- files_search_pids($1)
- admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
+ files_list_pids($1)
+ admin_pattern($1, mysqld_var_run_t)
- files_search_var_lib($1)
admin_pattern($1, mysqld_db_t)
- files_search_etc($1)
- admin_pattern($1, { mysqld_etc_t mysqld_home_t })
+ files_list_etc($1)
+ admin_pattern($1, mysqld_etc_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, mysqld_log_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, mysqld_tmp_t)
- mysql_run_mysqld($1, $2)
+ userdom_search_user_home_dirs($1)
+ files_list_root($1)
+ admin_pattern($1, mysqld_home_t)
+
+ mysql_systemctl($1)
+ admin_pattern($1, mysqld_unit_file_t)
+ allow $1 mysqld_unit_file_t:service all_service_perms;
+
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
index 7584bbe..2d683f1 100644
--- a/mysql.te
+++ b/mysql.te
@@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
#
##
-##
-## Determine whether mysqld can
-## connect to all TCP ports.
-##
+##
+## Allow mysqld to connect to all ports
+##
##
gen_tunable(mysql_connect_any, false)
-attribute_role mysqld_roles;
-
type mysqld_t;
type mysqld_exec_t;
init_daemon_domain(mysqld_t, mysqld_exec_t)
-application_domain(mysqld_t, mysqld_exec_t)
-role mysqld_roles types mysqld_t;
type mysqld_safe_t;
type mysqld_safe_exec_t;
@@ -27,7 +22,6 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
type mysqld_var_run_t;
files_pid_file(mysqld_var_run_t)
-init_daemon_run_dir(mysqld_var_run_t, "mysqld")
type mysqld_db_t;
files_type(mysqld_db_t)
@@ -38,6 +32,9 @@ files_config_file(mysqld_etc_t)
type mysqld_home_t;
userdom_user_home_content(mysqld_home_t)
+type mysqld_unit_file_t;
+systemd_unit_file(mysqld_unit_file_t)
+
type mysqld_initrc_exec_t;
init_script_file(mysqld_initrc_exec_t)
@@ -62,24 +59,24 @@ files_pid_file(mysqlmanagerd_var_run_t)
# Local policy
#
-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
+allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service };
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file rw_fifo_file_perms;
allow mysqld_t self:shm create_shm_perms;
-allow mysqld_t self:unix_stream_socket { accept listen };
-allow mysqld_t self:tcp_socket { accept listen };
+allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
+allow mysqld_t self:tcp_socket create_stream_socket_perms;
+allow mysqld_t self:udp_socket create_socket_perms;
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
-filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
-
-allow mysqld_t mysqld_etc_t:dir list_dir_perms;
-allow mysqld_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
+allow mysqld_t mysqld_etc_t:file read_file_perms;
allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+allow mysqld_t mysqld_etc_t:dir list_dir_perms;
manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
@@ -95,50 +92,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
-kernel_read_kernel_sysctls(mysqld_t)
+userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+
kernel_read_network_state(mysqld_t)
kernel_read_system_state(mysqld_t)
+kernel_read_kernel_sysctls(mysqld_t)
+
+corecmd_exec_bin(mysqld_t)
+corecmd_exec_shell(mysqld_t)
-corenet_all_recvfrom_unlabeled(mysqld_t)
corenet_all_recvfrom_netlabel(mysqld_t)
corenet_tcp_sendrecv_generic_if(mysqld_t)
+corenet_udp_sendrecv_generic_if(mysqld_t)
corenet_tcp_sendrecv_generic_node(mysqld_t)
+corenet_udp_sendrecv_generic_node(mysqld_t)
+corenet_tcp_sendrecv_all_ports(mysqld_t)
+corenet_udp_sendrecv_all_ports(mysqld_t)
corenet_tcp_bind_generic_node(mysqld_t)
-
-corenet_sendrecv_mysqld_server_packets(mysqld_t)
corenet_tcp_bind_mysqld_port(mysqld_t)
-corenet_sendrecv_mysqld_client_packets(mysqld_t)
corenet_tcp_connect_mysqld_port(mysqld_t)
-corenet_tcp_sendrecv_mysqld_port(mysqld_t)
-
-corecmd_exec_bin(mysqld_t)
-corecmd_exec_shell(mysqld_t)
+corenet_sendrecv_mysqld_client_packets(mysqld_t)
+corenet_sendrecv_mysqld_server_packets(mysqld_t)
dev_read_sysfs(mysqld_t)
dev_read_urand(mysqld_t)
-domain_use_interactive_fds(mysqld_t)
-
fs_getattr_all_fs(mysqld_t)
fs_search_auto_mountpoints(mysqld_t)
fs_rw_hugetlbfs_files(mysqld_t)
+domain_use_interactive_fds(mysqld_t)
+
+files_getattr_var_lib_dirs(mysqld_t)
files_read_etc_runtime_files(mysqld_t)
-files_read_usr_files(mysqld_t)
+files_search_var_lib(mysqld_t)
auth_use_nsswitch(mysqld_t)
logging_send_syslog_msg(mysqld_t)
-miscfiles_read_localization(mysqld_t)
+sysnet_read_config(mysqld_t)
-userdom_search_user_home_dirs(mysqld_t)
-userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+ifdef(`distro_redhat',`
+ filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
+')
tunable_policy(`mysql_connect_any',`
- corenet_sendrecv_all_client_packets(mysqld_t)
corenet_tcp_connect_all_ports(mysqld_t)
- corenet_tcp_sendrecv_all_ports(mysqld_t)
+ corenet_sendrecv_all_client_packets(mysqld_t)
')
optional_policy(`
@@ -146,6 +147,10 @@ optional_policy(`
')
optional_policy(`
+ openshift_search_lib(mysqld_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(mysqld_t)
')
@@ -155,21 +160,17 @@ optional_policy(`
#######################################
#
-# Safe local policy
+# Local mysqld_safe policy
#
-allow mysqld_safe_t self:capability { chown dac_override fowner kill };
+allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource };
allow mysqld_safe_t self:process { setsched getsched setrlimit };
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
-allow mysqld_safe_t mysqld_t:process signull;
-
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-allow mysqld_safe_t mysqld_etc_t:dir list_dir_perms;
-allow mysqld_safe_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
-allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
@@ -177,9 +178,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
-delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t)
-
-domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
@@ -187,21 +186,28 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
corecmd_exec_shell(mysqld_safe_t)
+dev_read_urand(mysqld_safe_t)
dev_list_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t)
-files_read_etc_files(mysqld_safe_t)
-files_read_usr_files(mysqld_safe_t)
-files_search_pids(mysqld_safe_t)
-files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+files_dontaudit_access_check_root(mysqld_safe_t)
files_dontaudit_search_all_mountpoints(mysqld_safe_t)
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+files_dontaudit_write_root_dirs(mysqld_safe_t)
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
logging_send_syslog_msg(mysqld_safe_t)
-miscfiles_read_localization(mysqld_safe_t)
+auth_read_passwd(mysqld_safe_t)
+
+domain_dontaudit_signull_all_domains(mysqld_safe_t)
-userdom_search_user_home_dirs(mysqld_safe_t)
+mysql_manage_db_files(mysqld_safe_t)
+mysql_read_config(mysqld_safe_t)
+mysql_search_pid_files(mysqld_safe_t)
+mysql_signull(mysqld_safe_t)
+mysql_write_log(mysqld_safe_t)
optional_policy(`
hostname_exec(mysqld_safe_t)
@@ -209,7 +215,7 @@ optional_policy(`
########################################
#
-# Manager local policy
+# MySQL Manager Policy
#
allow mysqlmanagerd_t self:capability { dac_override kill };
@@ -218,11 +224,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
-allow mysqlmanagerd_t mysqld_t:process signal;
-
-allow mysqlmanagerd_t mysqld_etc_t:dir list_dir_perms;
-allow mysqlmanagerd_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
-allow mysqlmanagerd_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+mysql_read_config(initrc_t)
+mysql_read_config(mysqlmanagerd_t)
+mysql_read_pid_files(mysqlmanagerd_t)
+mysql_search_db(mysqlmanagerd_t)
+mysql_signal(mysqlmanagerd_t)
+mysql_stream_connect(mysqlmanagerd_t)
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
@@ -230,31 +237,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
-stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
-
kernel_read_system_state(mysqlmanagerd_t)
corecmd_exec_shell(mysqlmanagerd_t)
-corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
+corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)
corenet_tcp_bind_generic_node(mysqlmanagerd_t)
-
-corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
-corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
-corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
dev_read_urand(mysqlmanagerd_t)
-files_read_etc_files(mysqlmanagerd_t)
-files_read_usr_files(mysqlmanagerd_t)
-files_search_pids(mysqlmanagerd_t)
-files_search_var_lib(mysqlmanagerd_t)
-
-miscfiles_read_localization(mysqlmanagerd_t)
-
-userdom_search_user_home_dirs(mysqlmanagerd_t)
+userdom_getattr_user_home_dirs(mysqlmanagerd_t)
diff --git a/mythtv.fc b/mythtv.fc
new file mode 100644
index 0000000..3a1c423
--- /dev/null
+++ b/mythtv.fc
@@ -0,0 +1,9 @@
+/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
+
+/var/lib/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_lib_t,s0)
+
+/var/log/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_log_t,s0)
+
+/usr/share/mythtv(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
diff --git a/mythtv.if b/mythtv.if
new file mode 100644
index 0000000..171f666
--- /dev/null
+++ b/mythtv.if
@@ -0,0 +1,152 @@
+
+## policy for httpd_mythtv_script
+
+########################################
+##
+## Execute TEMPLATE in the httpd_mythtv_script domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`httpd_mythtv_script_domtrans',`
+ gen_require(`
+ type httpd_mythtv_script_t, httpd_mythtv_script_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, httpd_mythtv_script_exec_t, httpd_mythtv_script_t)
+')
+
+#######################################
+##
+## read mythtv libs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mythtv_read_lib',`
+ gen_require(`
+ type mythtv_var_lib_t;
+ ')
+
+ read_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+ files_list_var_lib($1)
+')
+
+#######################################
+##
+## Create, read, write, and delete
+## mythtv lib content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mythtv_manage_lib',`
+ gen_require(`
+ type mythtv_var_lib_t;
+ ')
+
+ manage_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+ manage_lnk_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+ files_list_var_lib($1)
+')
+
+#######################################
+##
+## read mythtv logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mythtv_read_log',`
+ gen_require(`
+ type mythtv_var_log_t;
+ ')
+
+ read_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+##
+## Append mythtv log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mythtv_append_log',`
+ gen_require(`
+ type mythtv_var_log_t;
+ ')
+
+ append_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+##
+## Create, read, write, and delete
+## mythtv log content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mythtv_manage_log',`
+ gen_require(`
+ type mythtv_var_log_t;
+ ')
+
+ manage_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+ manage_lnk_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+##
+## All of the rules required to
+## administrate an mythtv environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mythtv_admin',`
+ gen_require(`
+ type httpd_mythtv_script_t, mythtv_var_lib_t;
+ type mythtv_var_log_t;
+ ')
+
+ allow $1 httpd_mythtv_script_t:process signal_perms;
+ ps_process_pattern($1, httpd_mythtv_script_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 httpd_mythtv_script_t:process ptrace;
+ ')
+
+ logging_list_logs($1)
+ admin_pattern($1, mythtv_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, mythtv_var_lib_t)
+')
diff --git a/mythtv.te b/mythtv.te
new file mode 100644
index 0000000..90129ac
--- /dev/null
+++ b/mythtv.te
@@ -0,0 +1,41 @@
+policy_module(mythtv, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(mythtv)
+
+type mythtv_var_lib_t;
+files_type(mythtv_var_lib_t)
+
+type mythtv_var_log_t;
+logging_log_file(mythtv_var_log_t)
+
+########################################
+#
+# httpd_mythtv_script local policy
+#
+
+manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+files_var_lib_filetrans(httpd_mythtv_script_t, mythtv_var_lib_t, { dir file })
+
+manage_files_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
+manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
+logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file )
+
+domain_use_interactive_fds(httpd_mythtv_script_t)
+
+files_read_etc_files(httpd_mythtv_script_t)
+
+fs_read_nfs_files(httpd_mythtv_script_t)
+
+miscfiles_read_localization(httpd_mythtv_script_t)
+
+optional_policy(`
+ mysql_read_config(httpd_mythtv_script_t)
+ mysql_stream_connect(httpd_mythtv_script_t)
+ mysql_tcp_connect(httpd_mythtv_script_t)
+')
diff --git a/nagios.fc b/nagios.fc
index d78dfc3..a00cc2d 100644
--- a/nagios.fc
+++ b/nagios.fc
@@ -1,88 +1,97 @@
-/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
-/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
-/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
-/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+ifdef(`distro_debian',`
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+')
+/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+# admin plugins
/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+# check disk plugins
+/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
+# mail plugins
+/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
+
+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
+# system plugins
/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+# services plugins
/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-
-/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
+# openshift plugins
+/usr/lib64/nagios/plugins/check_node_accept_status -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
+/usr/lib64/nagios/plugins/check_number_openshift_apps -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
-/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+# label all nagios plugin as unconfined by default
+/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
-/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0)
-/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0)
-
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+# eventhandlers
+/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
diff --git a/nagios.if b/nagios.if
index 0641e97..d7d9a79 100644
--- a/nagios.if
+++ b/nagios.if
@@ -1,12 +1,13 @@
-## Network monitoring server.
+## Net Saint / NAGIOS - network monitoring server
-#######################################
+########################################
##
-## The template to define a nagios plugin domain.
+## Create a set of derived types for various
+## nagios plugins,
##
-##
+##
##
-## Domain prefix to be used.
+## The name to be used for deriving type names.
##
##
#
@@ -16,38 +17,31 @@ template(`nagios_plugin_template',`
type nagios_t, nrpe_t;
')
- ########################################
- #
- # Declarations
- #
-
type nagios_$1_plugin_t, nagios_plugin_domain;
type nagios_$1_plugin_exec_t;
application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
role system_r types nagios_$1_plugin_t;
- ########################################
- #
- # Policy
- #
-
domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
allow nagios_t nagios_$1_plugin_exec_t:file ioctl;
+ # needed by command.cfg
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+
+ kernel_read_system_state(nagios_$1_plugin_t)
+
')
########################################
##
-## Do not audit attempts to read or
-## write nagios unnamed pipes.
+## Do not audit attempts to read or write nagios
+## unnamed pipes.
##
##
##
## Domain to not audit.
##
##
-##
#
interface(`nagios_dontaudit_rw_pipes',`
gen_require(`
@@ -59,7 +53,8 @@ interface(`nagios_dontaudit_rw_pipes',`
########################################
##
-## Read nagios configuration content.
+## Allow the specified domain to read
+## nagios configuration files.
##
##
##
@@ -73,15 +68,14 @@ interface(`nagios_read_config',`
type nagios_etc_t;
')
- files_search_etc($1)
allow $1 nagios_etc_t:dir list_dir_perms;
allow $1 nagios_etc_t:file read_file_perms;
- allow $1 nagios_etc_t:lnk_file read_lnk_file_perms;
+ files_search_etc($1)
')
######################################
##
-## Read nagios log files.
+## Read nagios logs.
##
##
##
@@ -100,8 +94,7 @@ interface(`nagios_read_log',`
########################################
##
-## Do not audit attempts to read or
-## write nagios log files.
+## Do not audit attempts to read or write nagios logs.
##
##
##
@@ -132,13 +125,14 @@ interface(`nagios_search_spool',`
type nagios_spool_t;
')
- files_search_spool($1)
allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1)
')
########################################
##
-## Read nagios temporary files.
+## Allow the specified domain to read
+## nagios temporary files.
##
##
##
@@ -151,13 +145,34 @@ interface(`nagios_read_tmp_files',`
type nagios_tmp_t;
')
- files_search_tmp($1)
allow $1 nagios_tmp_t:file read_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+##
+## Allow the specified domain to read
+## nagios temporary files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nagios_rw_inerited_tmp_files',`
+ gen_require(`
+ type nagios_tmp_t;
+ ')
+
+ allow $1 nagios_tmp_t:file rw_inherited_file_perms;
+ files_search_tmp($1)
')
########################################
##
-## Execute nrpe with a domain transition.
+## Execute the nagios NRPE with
+## a domain transition.
##
##
##
@@ -170,14 +185,13 @@ interface(`nagios_domtrans_nrpe',`
type nrpe_t, nrpe_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, nrpe_exec_t, nrpe_t)
')
########################################
##
-## All of the rules required to
-## administrate an nagios environment.
+## All of the rules required to administrate
+## an nagios environment
##
##
##
@@ -186,44 +200,43 @@ interface(`nagios_domtrans_nrpe',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the nagios domain.
##
##
##
#
interface(`nagios_admin',`
gen_require(`
- attribute nagios_plugin_domain;
type nagios_t, nrpe_t, nagios_initrc_exec_t;
- type nagios_tmp_t, nagios_log_t, nagios_var_lib_t;
- type nagios_etc_t, nrpe_etc_t, nrpe_var_run_t;
- type nagios_spool_t, nagios_var_run_t, nagios_system_plugin_tmp_t;
- type nagios_eventhandler_plugin_tmp_t;
+ type nagios_tmp_t, nagios_log_t, nagios_var_run_t;
+ type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
')
- allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms };
- ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain })
+ allow $1 nagios_t:process signal_perms;
+ ps_process_pattern($1, nagios_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 nagios_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, nagios_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 nagios_initrc_exec_t system_r;
allow $2 system_r;
- files_search_tmp($1)
- admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t })
+ files_list_tmp($1)
+ admin_pattern($1, nagios_tmp_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, nagios_log_t)
- files_search_etc($1)
- admin_pattern($1, { nrpe_etc_t nagios_etc_t })
+ files_list_etc($1)
+ admin_pattern($1, nagios_etc_t)
- files_search_spool($1)
+ files_list_spool($1)
admin_pattern($1, nagios_spool_t)
- files_search_pids($1)
- admin_pattern($1, { nrpe_var_run_t nagios_var_run_t })
+ files_list_pids($1)
+ admin_pattern($1, nagios_var_run_t)
- files_search_var_lib($1)
- admin_pattern($1, nagios_var_lib_t)
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
index 7b3e682..f565a0e 100644
--- a/nagios.te
+++ b/nagios.te
@@ -27,7 +27,7 @@ type nagios_var_run_t;
files_pid_file(nagios_var_run_t)
type nagios_spool_t;
-files_type(nagios_spool_t)
+files_spool_file(nagios_spool_t)
type nagios_var_lib_t;
files_type(nagios_var_lib_t)
@@ -39,6 +39,7 @@ nagios_plugin_template(services)
nagios_plugin_template(system)
nagios_plugin_template(unconfined)
nagios_plugin_template(eventhandler)
+nagios_plugin_template(openshift)
type nagios_eventhandler_plugin_tmp_t;
files_tmp_file(nagios_eventhandler_plugin_tmp_t)
@@ -46,6 +47,9 @@ files_tmp_file(nagios_eventhandler_plugin_tmp_t)
type nagios_system_plugin_tmp_t;
files_tmp_file(nagios_system_plugin_tmp_t)
+type nagios_openshift_plugin_tmp_t;
+files_tmp_file(nagios_openshift_plugin_tmp_t)
+
type nrpe_t;
type nrpe_exec_t;
init_daemon_domain(nrpe_t, nrpe_exec_t)
@@ -63,19 +67,21 @@ files_pid_file(nrpe_var_run_t)
allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms;
+allow nrpe_t nagios_plugin_domain:process { signal sigkill };
+
+allow nagios_t nagios_plugin_domain:process signal_perms;
+allow nagios_plugin_domain nagios_t:process signal_perms;
+
+# cjp: leaked file descriptor
dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write };
dontaudit nagios_plugin_domain nagios_log_t:file { read write };
-kernel_read_system_state(nagios_plugin_domain)
-
dev_read_urand(nagios_plugin_domain)
dev_read_rand(nagios_plugin_domain)
+dev_read_sysfs(nagios_plugin_domain)
-files_read_usr_files(nagios_plugin_domain)
-
-miscfiles_read_localization(nagios_plugin_domain)
-
-userdom_use_user_terminals(nagios_plugin_domain)
+userdom_use_inherited_user_ptys(nagios_plugin_domain)
+userdom_use_inherited_user_ttys(nagios_plugin_domain)
########################################
#
@@ -96,11 +102,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms;
allow nagios_t nagios_etc_t:file read_file_perms;
allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms;
-allow nagios_t nagios_log_t:dir setattr_dir_perms;
-append_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
-create_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
-setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
-logging_log_filetrans(nagios_t, nagios_log_t, file)
+#allow nagios_t nagios_log_t:dir setattr_dir_perms;
+#append_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+#create_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+#setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+manage_dirs_pattern(nagios_t, nagios_log_t, nagios_log_t)
+logging_log_filetrans(nagios_t, nagios_log_t, { dir file })
manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
@@ -110,7 +118,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
-files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
+manage_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file})
manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
@@ -123,7 +132,6 @@ kernel_read_software_raid_state(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
-corenet_all_recvfrom_unlabeled(nagios_t)
corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_generic_node(nagios_t)
@@ -143,7 +151,6 @@ domain_read_all_domains_state(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
-files_read_usr_files(nagios_t)
files_search_spool(nagios_t)
fs_getattr_all_fs(nagios_t)
@@ -153,8 +160,6 @@ auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t)
-miscfiles_read_localization(nagios_t)
-
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
@@ -178,6 +183,7 @@ optional_policy(`
#
# CGI local policy
#
+
optional_policy(`
apache_content_template(nagios)
typealias httpd_nagios_script_t alias nagios_cgi_t;
@@ -229,9 +235,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
+kernel_read_system_state(nrpe_t)
kernel_read_kernel_sysctls(nrpe_t)
kernel_read_software_raid_state(nrpe_t)
-kernel_read_system_state(nrpe_t)
corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)
@@ -252,8 +258,8 @@ dev_read_urand(nrpe_t)
domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)
+files_list_var(nrpe_t)
files_read_etc_runtime_files(nrpe_t)
-files_read_usr_files(nrpe_t)
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
@@ -262,8 +268,6 @@ auth_use_nsswitch(nrpe_t)
logging_send_syslog_msg(nrpe_t)
-miscfiles_read_localization(nrpe_t)
-
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
optional_policy(`
@@ -310,15 +314,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
-allow nagios_mail_plugin_t self:tcp_socket { accept listen };
+allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
+allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
kernel_read_kernel_sysctls(nagios_mail_plugin_t)
corecmd_read_bin_files(nagios_mail_plugin_t)
corecmd_read_bin_symlinks(nagios_mail_plugin_t)
-files_read_etc_files(nagios_mail_plugin_t)
-
logging_send_syslog_msg(nagios_mail_plugin_t)
sysnet_dns_name_resolve(nagios_mail_plugin_t)
@@ -345,6 +349,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
+corecmd_exec_bin(nagios_checkdisk_plugin_t)
+
+files_getattr_all_dirs(nagios_checkdisk_plugin_t)
files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
@@ -357,9 +364,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
# Services local policy
#
-allow nagios_services_plugin_t self:capability net_raw;
+allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill };
-allow nagios_services_plugin_t self:tcp_socket { accept listen };
+allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
+allow nagios_services_plugin_t self:udp_socket create_socket_perms;
+allow nagios_services_plugin_t self:rawip_socket create_socket_perms;
corecmd_exec_bin(nagios_services_plugin_t)
@@ -391,6 +400,11 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(nagios_services_plugin_t)
+ mysql_read_config(nagios_services_plugin_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(nagios_services_plugin_t)
')
optional_policy(`
@@ -411,6 +425,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
+kernel_read_system_state(nagios_system_plugin_t)
kernel_read_kernel_sysctls(nagios_system_plugin_t)
corecmd_exec_bin(nagios_system_plugin_t)
@@ -420,10 +435,10 @@ dev_read_sysfs(nagios_system_plugin_t)
domain_read_all_domains_state(nagios_system_plugin_t)
-files_read_etc_files(nagios_system_plugin_t)
-
fs_getattr_all_fs(nagios_system_plugin_t)
+auth_read_passwd(nagios_system_plugin_t)
+
optional_policy(`
init_read_utmp(nagios_system_plugin_t)
')
@@ -442,11 +457,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
init_domtrans_script(nagios_eventhandler_plugin_t)
+systemd_exec_systemctl(nagios_eventhandler_plugin_t)
+
+allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms;
+
+optional_policy(`
+ unconfined_domain(nagios_eventhandler_plugin_t)
+')
+
########################################
#
-# Unconfined plugin policy
+# nagios openshift plugin policy
+#
+
+allow nagios_openshift_plugin_t self:capability sys_ptrace;
+
+manage_dirs_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t)
+manage_files_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t)
+files_tmp_filetrans(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, { file dir })
+
+corecmd_exec_bin(nagios_openshift_plugin_t)
+corecmd_exec_shell(nagios_openshift_plugin_t)
+
+domain_read_all_domains_state(nagios_openshift_plugin_t)
+
+fs_getattr_all_fs(nagios_openshift_plugin_t)
+
+optional_policy(`
+ apache_read_config(nagios_openshift_plugin_t)
+')
+
+######################################
+#
+# nagios plugin domain policy
#
optional_policy(`
unconfined_domain(nagios_unconfined_plugin_t)
')
+
+
+
diff --git a/namespace.fc b/namespace.fc
new file mode 100644
index 0000000..ce51c8d
--- /dev/null
+++ b/namespace.fc
@@ -0,0 +1,3 @@
+
+/etc/security/namespace.init -- gen_context(system_u:object_r:namespace_init_exec_t,s0)
+
diff --git a/namespace.if b/namespace.if
new file mode 100644
index 0000000..8d7c751
--- /dev/null
+++ b/namespace.if
@@ -0,0 +1,48 @@
+
+## policy for namespace
+
+########################################
+##
+## Execute a domain transition to run namespace_init.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`namespace_init_domtrans',`
+ gen_require(`
+ type namespace_init_t, namespace_init_exec_t;
+ ')
+
+ domtrans_pattern($1, namespace_init_exec_t, namespace_init_t)
+')
+
+
+########################################
+##
+## Execute namespace_init in the namespace_init domain, and
+## allow the specified role the namespace_init domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the namespace_init domain.
+##
+##
+#
+interface(`namespace_init_run',`
+ gen_require(`
+ type namespace_init_t;
+ ')
+
+ namespace_init_domtrans($1)
+ role $2 types namespace_init_t;
+
+ seutil_run_setfiles(namespace_init_t, $2)
+')
diff --git a/namespace.te b/namespace.te
new file mode 100644
index 0000000..c674894
--- /dev/null
+++ b/namespace.te
@@ -0,0 +1,39 @@
+policy_module(namespace,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type namespace_init_t;
+type namespace_init_exec_t;
+init_system_domain(namespace_init_t, namespace_init_exec_t)
+role system_r types namespace_init_t;
+
+########################################
+#
+# namespace_init local policy
+#
+
+allow namespace_init_t self:capability dac_override;
+
+allow namespace_init_t self:fifo_file manage_fifo_file_perms;
+allow namespace_init_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(namespace_init_t)
+
+corecmd_exec_shell(namespace_init_t)
+
+domain_use_interactive_fds(namespace_init_t)
+domain_obj_id_change_exemption(namespace_init_t)
+
+files_polyinstantiate_all(namespace_init_t)
+
+auth_use_nsswitch(namespace_init_t)
+
+term_use_console(namespace_init_t)
+
+userdom_manage_user_home_content(namespace_init_t)
+userdom_relabelto_user_home_dirs(namespace_init_t)
+userdom_relabelto_user_home_files(namespace_init_t)
+userdom_filetrans_home_content(namespace_init_t)
diff --git a/ncftool.if b/ncftool.if
index db9578f..4309e3d 100644
--- a/ncftool.if
+++ b/ncftool.if
@@ -38,9 +38,11 @@ interface(`ncftool_domtrans',`
#
interface(`ncftool_run',`
gen_require(`
+ type ncftool_t;
attribute_role ncftool_roles;
')
ncftool_domtrans($1)
roleattribute $2 ncftool_roles;
')
+
diff --git a/ncftool.te b/ncftool.te
index 71f30ba..d20f048 100644
--- a/ncftool.te
+++ b/ncftool.te
@@ -22,6 +22,7 @@ role ncftool_roles types ncftool_t;
allow ncftool_t self:capability net_admin;
allow ncftool_t self:process signal;
+
allow ncftool_t self:fifo_file manage_fifo_file_perms;
allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
@@ -41,11 +42,11 @@ domain_read_all_domains_state(ncftool_t)
dev_read_sysfs(ncftool_t)
-files_read_etc_files(ncftool_t)
+files_manage_system_conf_files(ncftool_t)
+files_relabelto_system_conf_files(ncftool_t)
files_read_etc_runtime_files(ncftool_t)
-files_read_usr_files(ncftool_t)
-miscfiles_read_localization(ncftool_t)
+term_use_all_inherited_terms(ncftool_t)
sysnet_delete_dhcpc_pid(ncftool_t)
sysnet_run_dhcpc(ncftool_t, ncftool_roles)
@@ -53,6 +54,8 @@ sysnet_run_ifconfig(ncftool_t, ncftool_roles)
sysnet_etc_filetrans_config(ncftool_t)
sysnet_manage_config(ncftool_t)
sysnet_read_dhcpc_state(ncftool_t)
+sysnet_relabelfrom_net_conf(ncftool_t)
+sysnet_relabelto_net_conf(ncftool_t)
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
@@ -73,11 +76,14 @@ optional_policy(`
optional_policy(`
iptables_initrc_domtrans(ncftool_t)
+ iptables_systemctl(ncftool_t)
')
optional_policy(`
+ modutils_list_module_config(ncftool_t)
modutils_read_module_config(ncftool_t)
modutils_run_insmod(ncftool_t, ncftool_roles)
+
')
optional_policy(`
diff --git a/nessus.te b/nessus.te
index fe1068b..98166ee 100644
--- a/nessus.te
+++ b/nessus.te
@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(nessusd_t)
corecmd_exec_bin(nessusd_t)
-corenet_all_recvfrom_unlabeled(nessusd_t)
corenet_all_recvfrom_netlabel(nessusd_t)
corenet_tcp_sendrecv_generic_if(nessusd_t)
corenet_udp_sendrecv_generic_if(nessusd_t)
@@ -82,7 +81,6 @@ dev_read_urand(nessusd_t)
domain_use_interactive_fds(nessusd_t)
files_list_var_lib(nessusd_t)
-files_read_etc_files(nessusd_t)
files_read_etc_runtime_files(nessusd_t)
fs_getattr_all_fs(nessusd_t)
@@ -90,8 +88,6 @@ fs_search_auto_mountpoints(nessusd_t)
logging_send_syslog_msg(nessusd_t)
-miscfiles_read_localization(nessusd_t)
-
sysnet_read_config(nessusd_t)
userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
diff --git a/networkmanager.fc b/networkmanager.fc
index 94b9734..bb9c83e 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
@@ -1,44 +1,46 @@
-/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/etc/dhcp/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-/etc/wicd/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/lib/systemd/system/NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
-/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/teamd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
-/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/teamd(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wicd\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
index 86dc29d..5b73942 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
########################################
##
-## Read and write networkmanager udp sockets.
+## Read and write NetworkManager UDP sockets.
##
##
##
@@ -10,6 +10,7 @@
##
##
#
+# cjp: added for named.
interface(`networkmanager_rw_udp_sockets',`
gen_require(`
type NetworkManager_t;
@@ -20,7 +21,7 @@ interface(`networkmanager_rw_udp_sockets',`
########################################
##
-## Read and write networkmanager packet sockets.
+## Read and write NetworkManager packet sockets.
##
##
##
@@ -28,6 +29,7 @@ interface(`networkmanager_rw_udp_sockets',`
##
##
#
+# cjp: added for named.
interface(`networkmanager_rw_packet_sockets',`
gen_require(`
type NetworkManager_t;
@@ -38,12 +40,12 @@ interface(`networkmanager_rw_packet_sockets',`
#######################################
##
-## Relabel networkmanager tun socket.
+## Allow caller to relabel tun_socket
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`networkmanager_attach_tun_iface',`
@@ -57,7 +59,7 @@ interface(`networkmanager_attach_tun_iface',`
########################################
##
-## Read and write networkmanager netlink
+## Read and write NetworkManager netlink
## routing sockets.
##
##
@@ -66,6 +68,7 @@ interface(`networkmanager_attach_tun_iface',`
##
##
#
+# cjp: added for named.
interface(`networkmanager_rw_routing_sockets',`
gen_require(`
type NetworkManager_t;
@@ -76,7 +79,7 @@ interface(`networkmanager_rw_routing_sockets',`
########################################
##
-## Execute networkmanager with a domain transition.
+## Execute NetworkManager with a domain transition.
##
##
##
@@ -95,8 +98,7 @@ interface(`networkmanager_domtrans',`
########################################
##
-## Execute networkmanager scripts with
-## an automatic domain transition to initrc.
+## Execute NetworkManager scripts with an automatic domain transition to NetworkManagerrc.
##
##
##
@@ -104,18 +106,59 @@ interface(`networkmanager_domtrans',`
##
##
#
+interface(`networkmanager_NetworkManagerrc_domtrans',`
+ gen_require(`
+ type NetworkManager_NetworkManagerrc_exec_t;
+ ')
+
+ NetworkManager_labeled_script_domtrans($1, NetworkManager_NetworkManagerrc_exec_t)
+')
+
+#######################################
+##
+## Execute NetworkManager scripts with an automatic domain transition to initrc.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
interface(`networkmanager_initrc_domtrans',`
+ gen_require(`
+ type NetworkManager_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+')
+
+########################################
+##
+## Execute NetworkManager server in the NetworkManager domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`networkmanager_systemctl',`
gen_require(`
- type NetworkManager_initrc_exec_t;
+ type NetworkManager_unit_file_t;
+ type NetworkManager_t;
')
- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+ systemd_exec_systemctl($1)
+ allow $1 NetworkManager_unit_file_t:file read_file_perms;
+ allow $1 NetworkManager_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, NetworkManager_t)
')
########################################
##
## Send and receive messages from
-## networkmanager over dbus.
+## NetworkManager over dbus.
##
##
##
@@ -155,7 +198,29 @@ interface(`networkmanager_read_state',`
########################################
##
-## Send generic signals to networkmanager.
+## Do not audit attempts to send and
+## receive messages from NetworkManager
+## over dbus.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`networkmanager_dontaudit_dbus_chat',`
+ gen_require(`
+ type NetworkManager_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 NetworkManager_t:dbus send_msg;
+ dontaudit NetworkManager_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Send a generic signal to NetworkManager
##
##
##
@@ -211,9 +276,28 @@ interface(`networkmanager_read_lib_files',`
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
')
+#######################################
+##
+## Read NetworkManager conf files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_read_conf',`
+ gen_require(`
+ type NetworkManager_etc_t;
+ ')
+
+ allow $1 NetworkManager_etc_t:dir list_dir_perms;
+ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
+')
+
########################################
##
-## Append networkmanager log files.
+## Read NetworkManager PID files.
##
##
##
@@ -221,19 +305,18 @@ interface(`networkmanager_read_lib_files',`
##
##
#
-interface(`networkmanager_append_log_files',`
+interface(`networkmanager_read_pid_files',`
gen_require(`
- type NetworkManager_log_t;
+ type NetworkManager_var_run_t;
')
- logging_search_logs($1)
- allow $1 NetworkManager_log_t:dir list_dir_perms;
- append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+ files_search_pids($1)
+ read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
')
########################################
##
-## Read networkmanager pid files.
+## Read NetworkManager PID files.
##
##
##
@@ -241,13 +324,13 @@ interface(`networkmanager_append_log_files',`
##
##
#
-interface(`networkmanager_read_pid_files',`
+interface(`networkmanager_manage_pid_files',`
gen_require(`
type NetworkManager_var_run_t;
')
files_search_pids($1)
- allow $1 NetworkManager_var_run_t:file read_file_perms;
+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
')
####################################
@@ -272,12 +355,12 @@ interface(`networkmanager_stream_connect',`
########################################
##
-## All of the rules required to
-## administrate an networkmanager environment.
+## Execute NetworkManager in the NetworkManager domain, and
+## allow the specified role the NetworkManager domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
##
@@ -287,33 +370,113 @@ interface(`networkmanager_stream_connect',`
##
##
#
-interface(`networkmanager_admin',`
+interface(`networkmanager_run',`
gen_require(`
- type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t;
- type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t;
- type NetworkManager_var_lib_t, NetworkManager_var_run_t, wpa_cli_t;
+ type NetworkManager_t, NetworkManager_exec_t;
')
- allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
-
- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 NetworkManager_initrc_exec_t system_r;
- allow $2 system_r;
+ networkmanager_domtrans($1)
+ role $2 types NetworkManager_t;
+')
- logging_search_etc($1)
- admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
+########################################
+##
+## Allow the specified domain to append
+## to Network Manager log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_append_log',`
+ gen_require(`
+ type NetworkManager_log_t;
+ ')
logging_search_logs($1)
- admin_pattern($1, NetworkManager_log_t)
+ allow $1 NetworkManager_log_t:dir list_dir_perms;
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+')
- files_search_var_lib($1)
- admin_pattern($1, NetworkManager_var_lib_t)
+#######################################
+##
+## Allow the specified domain to manage
+## to Network Manager lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_manage_lib',`
+ gen_require(`
+ type NetworkManager_var_lib_t;
+ ')
- files_search_pids($1)
- admin_pattern($1, NetworkManager_var_run_t)
+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+')
+
+#######################################
+##
+## Read the process state (/proc/pid) of NetworkManager.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`NetworkManager_read_state',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:dir search_dir_perms;
+ allow $1 NetworkManager_t:file read_file_perms;
+ allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+##
+## Transition to networkmanager named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_filetrans_named_content',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ type NetworkManager_var_lib_t;
+ ')
- files_search_tmp($1)
- admin_pattern($1, NetworkManager_tmp_t)
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth0.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth1.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth2.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth3.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth4.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth5.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth6.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth7.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth8.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em0.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em1.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em2.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em3.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em4.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em5.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf")
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
index 55f2009..076a73e 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
type NetworkManager_exec_t;
init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
+type NetworkManager_initrc_exec_t;
+init_script_file(NetworkManager_initrc_exec_t)
+
+type NetworkManager_unit_file_t;
+systemd_unit_file(NetworkManager_unit_file_t)
+
type NetworkManager_etc_t;
files_config_file(NetworkManager_etc_t)
type NetworkManager_etc_rw_t;
files_config_file(NetworkManager_etc_rw_t)
-type NetworkManager_initrc_exec_t;
-init_script_file(NetworkManager_initrc_exec_t)
-
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
@@ -39,25 +42,50 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# Local policy
#
-allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
-dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace };
-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
+# networkmanager will ptrace itself if gdb is installed
+# and it receives a unexpected signal (rh bug #204161)
+allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+dontaudit NetworkManager_t self:capability sys_tty_config;
+
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit NetworkManager_t self:capability sys_module;
+')
+
+allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
+
+tunable_policy(`deny_ptrace',`',`
+ allow NetworkManager_t self:capability sys_ptrace;
+ allow NetworkManager_t self:process ptrace;
+')
+
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
-allow NetworkManager_t self:unix_dgram_socket sendto;
-allow NetworkManager_t self:unix_stream_socket { accept listen };
+allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+allow NetworkManager_t self:unix_stream_socket{ create_stream_socket_perms connectto };
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
+allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms;
allow NetworkManager_t self:netlink_socket create_socket_perms;
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow NetworkManager_t self:tcp_socket { accept listen };
+allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:rawip_socket create_socket_perms;
allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
-allow NetworkManager_t NetworkManager_etc_t:dir list_dir_perms;
-allow NetworkManager_t NetworkManager_etc_t:file read_file_perms;
-allow NetworkManager_t NetworkManager_etc_t:lnk_file read_lnk_file_perms;
+can_exec(NetworkManager_t, NetworkManager_exec_t)
+#wicd
+can_exec(NetworkManager_t, wpa_cli_exec_t)
+
+list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
@@ -68,6 +96,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
+can_exec(NetworkManager_t, NetworkManager_tmp_t)
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
@@ -81,17 +110,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
-can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
-
-kernel_read_crypto_sysctls(NetworkManager_t)
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
kernel_request_load_module(NetworkManager_t)
kernel_read_debugfs(NetworkManager_t)
kernel_rw_net_sysctls(NetworkManager_t)
+kernel_setsched(NetworkManager_t)
-corenet_all_recvfrom_unlabeled(NetworkManager_t)
corenet_all_recvfrom_netlabel(NetworkManager_t)
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
corenet_udp_sendrecv_generic_if(NetworkManager_t)
@@ -102,22 +128,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_bind_generic_node(NetworkManager_t)
-
-corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
corenet_udp_bind_isakmp_port(NetworkManager_t)
-
-corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
corenet_udp_bind_dhcpc_port(NetworkManager_t)
-
-corenet_sendrecv_all_client_packets(NetworkManager_t)
corenet_tcp_connect_all_ports(NetworkManager_t)
-
+corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
+corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
+corenet_sendrecv_all_client_packets(NetworkManager_t)
corenet_rw_tun_tap_dev(NetworkManager_t)
corenet_getattr_ppp_dev(NetworkManager_t)
-corecmd_exec_shell(NetworkManager_t)
-corecmd_exec_bin(NetworkManager_t)
-
dev_rw_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
@@ -125,13 +144,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
dev_rw_wireless(NetworkManager_t)
-domain_use_interactive_fds(NetworkManager_t)
-domain_read_all_domains_state(NetworkManager_t)
-
-files_read_etc_runtime_files(NetworkManager_t)
-files_read_usr_files(NetworkManager_t)
-files_read_usr_src_files(NetworkManager_t)
-
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
@@ -140,6 +152,17 @@ mls_file_read_all_levels(NetworkManager_t)
selinux_dontaudit_search_fs(NetworkManager_t)
+corecmd_exec_shell(NetworkManager_t)
+corecmd_exec_bin(NetworkManager_t)
+
+domain_use_interactive_fds(NetworkManager_t)
+domain_read_all_domains_state(NetworkManager_t)
+
+files_read_etc_runtime_files(NetworkManager_t)
+files_read_system_conf_files(NetworkManager_t)
+files_read_usr_src_files(NetworkManager_t)
+files_read_isid_type_files(NetworkManager_t)
+
storage_getattr_fixed_disk_dev(NetworkManager_t)
init_read_utmp(NetworkManager_t)
@@ -148,10 +171,11 @@ init_domtrans_script(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
+libs_exec_ldconfig(NetworkManager_t)
+
logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_generic_certs(NetworkManager_t)
-miscfiles_read_localization(NetworkManager_t)
seutil_read_config(NetworkManager_t)
@@ -166,21 +190,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
+# in /etc created by NetworkManager will be labelled net_conf_t.
sysnet_manage_config(NetworkManager_t)
sysnet_etc_filetrans_config(NetworkManager_t)
-# certificates in user home directories (cert_home_t in ~/\.pki)
-userdom_read_user_home_content_files(NetworkManager_t)
-
-userdom_write_user_tmp_sockets(NetworkManager_t)
+userdom_stream_connect(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
+# Read gnome-keyring
+userdom_read_home_certs(NetworkManager_t)
+userdom_read_user_home_content_files(NetworkManager_t)
+userdom_dgram_send(NetworkManager_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(NetworkManager_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(NetworkManager_t)
+')
optional_policy(`
avahi_domtrans(NetworkManager_t)
avahi_kill(NetworkManager_t)
avahi_signal(NetworkManager_t)
avahi_signull(NetworkManager_t)
+ avahi_dbus_chat(NetworkManager_t)
')
optional_policy(`
@@ -196,10 +231,6 @@ optional_policy(`
')
optional_policy(`
- consolekit_read_pid_files(NetworkManager_t)
-')
-
-optional_policy(`
consoletype_exec(NetworkManager_t)
')
@@ -210,16 +241,11 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
- optional_policy(`
- avahi_dbus_chat(NetworkManager_t)
- ')
+ init_dbus_chat(NetworkManager_t)
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
- ')
-
- optional_policy(`
- policykit_dbus_chat(NetworkManager_t)
+ consolekit_read_pid_files(NetworkManager_t)
')
')
@@ -231,18 +257,19 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
+ dnsmasq_systemctl(NetworkManager_t)
')
optional_policy(`
- gnome_stream_connect_all_gkeyringd(NetworkManager_t)
+ hal_write_log(NetworkManager_t)
')
optional_policy(`
- hal_write_log(NetworkManager_t)
+ howl_signal(NetworkManager_t)
')
optional_policy(`
- howl_signal(NetworkManager_t)
+ gnome_dontaudit_search_config(NetworkManager_t)
')
optional_policy(`
@@ -250,6 +277,10 @@ optional_policy(`
ipsec_kill_mgmt(NetworkManager_t)
ipsec_signal_mgmt(NetworkManager_t)
ipsec_signull_mgmt(NetworkManager_t)
+ ipsec_domtrans(NetworkManager_t)
+ ipsec_kill(NetworkManager_t)
+ ipsec_signal(NetworkManager_t)
+ ipsec_signull(NetworkManager_t)
')
optional_policy(`
@@ -257,11 +288,10 @@ optional_policy(`
')
optional_policy(`
- libs_exec_ldconfig(NetworkManager_t)
-')
-
-optional_policy(`
- modutils_domtrans_insmod(NetworkManager_t)
+ l2tpd_domtrans(NetworkManager_t)
+ l2tpd_sigkill(NetworkManager_t)
+ l2tpd_signal(NetworkManager_t)
+ l2tpd_signull(NetworkManager_t)
')
optional_policy(`
@@ -274,10 +304,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
+ nscd_systemctl(NetworkManager_t)
')
optional_policy(`
+ # Dispatcher starting and stoping ntp
ntp_initrc_domtrans(NetworkManager_t)
+ ntp_systemctl(NetworkManager_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(NetworkManager_t)
')
optional_policy(`
@@ -289,6 +326,7 @@ optional_policy(`
')
optional_policy(`
+ policykit_dbus_chat(NetworkManager_t)
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
@@ -296,7 +334,7 @@ optional_policy(`
')
optional_policy(`
- polipo_initrc_domtrans(NetworkManager_t)
+ polipo_systemctl(NetworkManager_t)
')
optional_policy(`
@@ -307,6 +345,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
+ ppp_systemctl(NetworkManager_t)
')
optional_policy(`
@@ -320,14 +359,20 @@ optional_policy(`
')
optional_policy(`
- udev_exec(NetworkManager_t)
- udev_read_db(NetworkManager_t)
- udev_read_pid_files(NetworkManager_t)
+ systemd_write_inhibit_pipes(NetworkManager_t)
+ systemd_read_logind_sessions_files(NetworkManager_t)
+ systemd_dbus_chat_logind(NetworkManager_t)
+ systemd_hostnamed_read_config(NetworkManager_t)
+')
+
+optional_policy(`
+ ssh_exec(NetworkManager_t)
')
optional_policy(`
- # unconfined_dgram_send(NetworkManager_t)
- unconfined_stream_connect(NetworkManager_t)
+ udev_exec(NetworkManager_t)
+ udev_read_db(NetworkManager_t)
+ udev_read_pid_files(NetworkManager_t)
')
optional_policy(`
@@ -357,6 +402,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
-miscfiles_read_localization(wpa_cli_t)
-
term_dontaudit_use_console(wpa_cli_t)
diff --git a/ninfod.fc b/ninfod.fc
new file mode 100644
index 0000000..cc31b9f
--- /dev/null
+++ b/ninfod.fc
@@ -0,0 +1,6 @@
+/usr/lib/systemd/system/ninfod.* -- gen_context(system_u:object_r:ninfod_unit_file_t,s0)
+
+/usr/sbin/ninfod -- gen_context(system_u:object_r:ninfod_exec_t,s0)
+
+/var/run/ninfod.* -- gen_context(system_u:object_r:ninfod_run_t,s0)
+
diff --git a/ninfod.if b/ninfod.if
new file mode 100644
index 0000000..a7f57d9
--- /dev/null
+++ b/ninfod.if
@@ -0,0 +1,79 @@
+
+## Respond to IPv6 Node Information Queries
+
+########################################
+##
+## Execute ninfod in the ninfod domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ninfod_domtrans',`
+ gen_require(`
+ type ninfod_t, ninfod_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ninfod_exec_t, ninfod_t)
+')
+########################################
+##
+## Execute ninfod server in the ninfod domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ninfod_systemctl',`
+ gen_require(`
+ type ninfod_t;
+ type ninfod_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 ninfod_unit_file_t:file read_file_perms;
+ allow $1 ninfod_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ninfod_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an ninfod environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`ninfod_admin',`
+ gen_require(`
+ type ninfod_t;
+ type ninfod_unit_file_t;
+ ')
+
+ allow $1 ninfod_t:process { signal_perms };
+ ps_process_pattern($1, ninfod_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ninfod_t:process ptrace;
+ ')
+
+ ninfod_systemctl($1)
+ admin_pattern($1, ninfod_unit_file_t)
+ allow $1 ninfod_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/ninfod.te b/ninfod.te
new file mode 100644
index 0000000..d75c408
--- /dev/null
+++ b/ninfod.te
@@ -0,0 +1,35 @@
+policy_module(ninfod, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ninfod_t;
+type ninfod_exec_t;
+init_daemon_domain(ninfod_t, ninfod_exec_t)
+
+type ninfod_run_t;
+files_pid_file(ninfod_run_t)
+
+type ninfod_unit_file_t;
+systemd_unit_file(ninfod_unit_file_t)
+
+########################################
+#
+# ninfod local policy
+#
+allow ninfod_t self:capability { net_raw setuid };
+allow ninfod_t self:process setcap;
+allow ninfod_t self:fifo_file rw_fifo_file_perms;
+allow ninfod_t self:rawip_socket { create setopt };
+allow ninfod_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(ninfod_t, ninfod_run_t, ninfod_run_t)
+files_pid_filetrans(ninfod_t,ninfod_run_t, { file })
+
+auth_use_nsswitch(ninfod_t)
+
+logging_send_syslog_msg(ninfod_t)
+
+sysnet_dns_name_resolve(ninfod_t)
diff --git a/nis.fc b/nis.fc
index 8aa1bfa..cd0e015 100644
--- a/nis.fc
+++ b/nis.fc
@@ -2,21 +2,26 @@
/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
-
/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
-/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
+/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
-/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/sbin/rpc\.yppasswdd\.env -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
-/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
+/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+
+/usr/lib/systemd/system/ypbind.* -- gen_context(system_u:object_r:ypbind_unit_file_t,s0)
+/usr/lib/systemd/system/ypserv.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
diff --git a/nis.if b/nis.if
index 46e55c3..6e4e061 100644
--- a/nis.if
+++ b/nis.if
@@ -1,4 +1,4 @@
-## Policy for NIS (YP) servers and clients.
+## Policy for NIS (YP) servers and clients
########################################
##
@@ -27,18 +27,15 @@ interface(`nis_use_ypbind_uncond',`
gen_require(`
type var_yp_t;
')
-
- allow $1 self:capability net_bind_service;
+ dontaudit $1 self:capability net_bind_service;
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
allow $1 var_yp_t:dir list_dir_perms;
- allow $1 var_yp_t:file read_file_perms;
allow $1 var_yp_t:lnk_file read_lnk_file_perms;
+ allow $1 var_yp_t:file read_file_perms;
- corenet_all_recvfrom_unlabeled($1)
- corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
@@ -49,14 +46,11 @@ interface(`nis_use_ypbind_uncond',`
corenet_udp_bind_generic_node($1)
corenet_tcp_bind_generic_port($1)
corenet_udp_bind_generic_port($1)
- corenet_dontaudit_tcp_bind_all_reserved_ports($1)
- corenet_dontaudit_udp_bind_all_reserved_ports($1)
corenet_dontaudit_tcp_bind_all_ports($1)
corenet_dontaudit_udp_bind_all_ports($1)
corenet_tcp_connect_portmap_port($1)
- corenet_tcp_connect_reserved_port($1)
+ corenet_tcp_connect_all_reserved_ports($1)
corenet_tcp_connect_generic_port($1)
- corenet_dontaudit_tcp_connect_all_ports($1)
corenet_sendrecv_portmap_client_packets($1)
corenet_sendrecv_generic_client_packets($1)
corenet_sendrecv_generic_server_packets($1)
@@ -88,14 +82,14 @@ interface(`nis_use_ypbind_uncond',`
##
#
interface(`nis_use_ypbind',`
- tunable_policy(`allow_ypbind',`
+ tunable_policy(`nis_enabled',`
nis_use_ypbind_uncond($1)
')
')
########################################
##
-## Use nis to authenticate passwords.
+## Use the nis to authenticate passwords
##
##
##
@@ -105,7 +99,7 @@ interface(`nis_use_ypbind',`
##
#
interface(`nis_authenticate',`
- tunable_policy(`allow_ypbind',`
+ tunable_policy(`nis_enabled',`
nis_use_ypbind_uncond($1)
corenet_tcp_bind_all_rpc_ports($1)
corenet_udp_bind_all_rpc_ports($1)
@@ -133,20 +127,19 @@ interface(`nis_domtrans_ypbind',`
#######################################
##
-## Execute ypbind in the caller domain.
+## Execute ypbind in the caller domain.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed to transition.
+##
##
#
interface(`nis_exec_ypbind',`
- gen_require(`
- type ypbind_exec_t;
- ')
+ gen_require(`
+ type ypbind_t, ypbind_exec_t;
+ ')
- corecmd_search_bin($1)
can_exec($1, ypbind_exec_t)
')
@@ -169,11 +162,11 @@ interface(`nis_exec_ypbind',`
#
interface(`nis_run_ypbind',`
gen_require(`
- attribute_role ypbind_roles;
+ type ypbind_t;
')
nis_domtrans_ypbind($1)
- roleattribute $2 ypbind_roles;
+ role $2 types ypbind_t;
')
########################################
@@ -196,7 +189,7 @@ interface(`nis_signal_ypbind',`
########################################
##
-## List nis data directories.
+## List the contents of the NIS data directory.
##
##
##
@@ -272,10 +265,11 @@ interface(`nis_read_ypbind_pid',`
#
interface(`nis_delete_ypbind_pid',`
gen_require(`
- type ypbind_var_run_t;
+ type ypbind_t;
')
- allow $1 ypbind_var_run_t:file delete_file_perms;
+ # TODO: add delete pid from dir call to files
+ allow $1 ypbind_t:file unlink;
')
########################################
@@ -355,8 +349,57 @@ interface(`nis_initrc_domtrans_ypbind',`
########################################
##
-## All of the rules required to
-## administrate an nis environment.
+## Execute ypbind server in the ypbind domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nis_systemctl_ypbind',`
+ gen_require(`
+ type ypbind_unit_file_t;
+ type ypbind_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 ypbind_unit_file_t:file read_file_perms;
+ allow $1 ypbind_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ypbind_t)
+')
+
+########################################
+##
+## Execute ypbind server in the ypbind domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nis_systemctl',`
+ gen_require(`
+ type nis_unit_file_t, ypbind_unit_file_t;
+ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 nis_unit_file_t:file read_file_perms;
+ allow $1 nis_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ypbind_t)
+ ps_process_pattern($1, yppasswdd_t)
+ ps_process_pattern($1, ypserv_t)
+ ps_process_pattern($1, ypxfr_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an nis environment
##
##
##
@@ -372,32 +415,56 @@ interface(`nis_initrc_domtrans_ypbind',`
#
interface(`nis_admin',`
gen_require(`
- type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
- type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
+ type ypbind_t, yppasswdd_t, ypserv_t;
+ type ypserv_conf_t;
type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
- type ypbind_initrc_exec_t, nis_initrc_exec_t, var_yp_t;
+ type ypserv_tmp_t;
+ type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
+ type nis_unit_file_t;
+ type ypbind_unit_file_t;
+ ')
+
+ allow $1 ypbind_t:process signal_perms;
+ ps_process_pattern($1, ypbind_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ypbind_t:process ptrace;
+ allow $1 yppasswdd_t:process ptrace;
+ allow $1 ypserv_t:process ptrace;
+ allow $1 ypxfr_t:process ptrace;
')
- allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t })
+ allow $1 yppasswdd_t:process signal_perms;
+ ps_process_pattern($1, yppasswdd_t)
+
+ allow $1 ypserv_t:process signal_perms;
+ ps_process_pattern($1, ypserv_t)
+
+ allow $1 ypxfr_t:process signal_perms;
+ ps_process_pattern($1, ypxfr_t)
nis_initrc_domtrans($1)
nis_initrc_domtrans_ypbind($1)
domain_system_change_exemption($1)
- role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
+ role_transition $2 nis_initrc_exec_t system_r;
+ role_transition $2 ypbind_initrc_exec_t system_r;
allow $2 system_r;
- files_list_tmp($1)
- admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t })
-
files_list_pids($1)
- admin_pattern($1, { ypserv_var_run_t ypbind_var_run_t yppasswdd_var_run_t })
+ admin_pattern($1, ypbind_var_run_t)
+ nis_systemctl_ypbind($1)
+ admin_pattern($1, ypbind_unit_file_t)
+ allow $1 ypbind_unit_file_t:service all_service_perms;
+
+ admin_pattern($1, yppasswdd_var_run_t)
files_list_etc($1)
admin_pattern($1, ypserv_conf_t)
- files_search_var($1)
- admin_pattern($1, var_yp_t)
+ admin_pattern($1, ypserv_var_run_t)
+
+ admin_pattern($1, ypserv_tmp_t)
- nis_run_ypbind($1, $2)
+ nis_systemctl($1)
+ admin_pattern($1, nis_unit_file_t)
+ allow $1 nis_unit_file_t:service all_service_perms;
')
diff --git a/nis.te b/nis.te
index 3a6b035..1a181ad 100644
--- a/nis.te
+++ b/nis.te
@@ -5,8 +5,6 @@ policy_module(nis, 1.12.0)
# Declarations
#
-attribute_role ypbind_roles;
-
type nis_initrc_exec_t;
init_script_file(nis_initrc_exec_t)
@@ -16,16 +14,18 @@ files_type(var_yp_t)
type ypbind_t;
type ypbind_exec_t;
init_daemon_domain(ypbind_t, ypbind_exec_t)
-role ypbind_roles types ypbind_t;
type ypbind_initrc_exec_t;
init_script_file(ypbind_initrc_exec_t)
+type ypbind_var_run_t;
+files_pid_file(ypbind_var_run_t)
+
type ypbind_tmp_t;
files_tmp_file(ypbind_tmp_t)
-type ypbind_var_run_t;
-files_pid_file(ypbind_var_run_t)
+type ypbind_unit_file_t;
+systemd_unit_file(ypbind_unit_file_t)
type yppasswdd_t;
type yppasswdd_exec_t;
@@ -40,7 +40,7 @@ type ypserv_exec_t;
init_daemon_domain(ypserv_t, ypserv_exec_t)
type ypserv_conf_t;
-files_type(ypserv_conf_t)
+files_config_file(ypserv_conf_t)
type ypserv_tmp_t;
files_tmp_file(ypserv_tmp_t)
@@ -55,6 +55,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t)
type ypxfr_var_run_t;
files_pid_file(ypxfr_var_run_t)
+type nis_unit_file_t;
+systemd_unit_file(nis_unit_file_t)
+
########################################
#
# ypbind local policy
@@ -62,6 +65,7 @@ files_pid_file(ypxfr_var_run_t)
dontaudit ypbind_t self:capability { net_admin sys_tty_config };
allow ypbind_t self:fifo_file rw_fifo_file_perms;
allow ypbind_t self:process signal_perms;
+allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
allow ypbind_t self:tcp_socket create_stream_socket_perms;
allow ypbind_t self:udp_socket create_socket_perms;
@@ -78,7 +82,6 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
kernel_read_system_state(ypbind_t)
kernel_read_kernel_sysctls(ypbind_t)
-corenet_all_recvfrom_unlabeled(ypbind_t)
corenet_all_recvfrom_netlabel(ypbind_t)
corenet_tcp_sendrecv_generic_if(ypbind_t)
corenet_udp_sendrecv_generic_if(ypbind_t)
@@ -88,7 +91,6 @@ corenet_tcp_sendrecv_all_ports(ypbind_t)
corenet_udp_sendrecv_all_ports(ypbind_t)
corenet_tcp_bind_generic_node(ypbind_t)
corenet_udp_bind_generic_node(ypbind_t)
-
corenet_tcp_bind_generic_port(ypbind_t)
corenet_udp_bind_generic_port(ypbind_t)
corenet_tcp_bind_reserved_port(ypbind_t)
@@ -96,11 +98,10 @@ corenet_udp_bind_reserved_port(ypbind_t)
corenet_tcp_bind_all_rpc_ports(ypbind_t)
corenet_udp_bind_all_rpc_ports(ypbind_t)
corenet_tcp_connect_all_ports(ypbind_t)
-corenet_sendrecv_all_client_packets(ypbind_t)
-corenet_sendrecv_generic_server_packets(ypbind_t)
-
corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
+corenet_sendrecv_all_client_packets(ypbind_t)
+corenet_sendrecv_generic_server_packets(ypbind_t)
dev_read_sysfs(ypbind_t)
@@ -109,12 +110,11 @@ fs_search_auto_mountpoints(ypbind_t)
domain_use_interactive_fds(ypbind_t)
-files_read_etc_files(ypbind_t)
files_list_var(ypbind_t)
-logging_send_syslog_msg(ypbind_t)
+init_search_pid_dirs(ypbind_t)
-miscfiles_read_localization(ypbind_t)
+logging_send_syslog_msg(ypbind_t)
sysnet_read_config(ypbind_t)
@@ -124,7 +124,6 @@ userdom_dontaudit_search_user_home_dirs(ypbind_t)
optional_policy(`
dbus_system_bus_client(ypbind_t)
dbus_connect_system_bus(ypbind_t)
-
init_dbus_chat_script(ypbind_t)
optional_policy(`
@@ -149,7 +148,8 @@ allow yppasswdd_t self:capability dac_override;
dontaudit yppasswdd_t self:capability sys_tty_config;
allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
allow yppasswdd_t self:process { getsched setfscreate signal_perms };
-allow yppasswdd_t self:unix_stream_socket { accept listen };
+allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
+allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
allow yppasswdd_t self:udp_socket create_socket_perms;
@@ -160,14 +160,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
-can_exec(yppasswdd_t, yppasswdd_exec_t)
+can_exec(yppasswdd_t,yppasswdd_exec_t)
kernel_list_proc(yppasswdd_t)
kernel_read_proc_symlinks(yppasswdd_t)
kernel_getattr_proc_files(yppasswdd_t)
kernel_read_kernel_sysctls(yppasswdd_t)
-corenet_all_recvfrom_unlabeled(yppasswdd_t)
corenet_all_recvfrom_netlabel(yppasswdd_t)
corenet_tcp_sendrecv_generic_if(yppasswdd_t)
corenet_udp_sendrecv_generic_if(yppasswdd_t)
@@ -177,23 +176,13 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t)
corenet_udp_sendrecv_all_ports(yppasswdd_t)
corenet_tcp_bind_generic_node(yppasswdd_t)
corenet_udp_bind_generic_node(yppasswdd_t)
-
corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
corenet_udp_bind_all_rpc_ports(yppasswdd_t)
-corenet_sendrecv_generic_server_packets(yppasswdd_t)
-
corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
+corenet_sendrecv_generic_server_packets(yppasswdd_t)
-corecmd_exec_bin(yppasswdd_t)
-corecmd_exec_shell(yppasswdd_t)
-
-domain_use_interactive_fds(yppasswdd_t)
-
-files_read_etc_files(yppasswdd_t)
-files_read_etc_runtime_files(yppasswdd_t)
-files_relabel_etc_files(yppasswdd_t)
-
+dev_read_urand(yppasswdd_t)
dev_read_sysfs(yppasswdd_t)
fs_getattr_all_fs(yppasswdd_t)
@@ -203,11 +192,19 @@ selinux_get_fs_mount(yppasswdd_t)
auth_manage_shadow(yppasswdd_t)
auth_relabel_shadow(yppasswdd_t)
+auth_read_passwd(yppasswdd_t)
auth_etc_filetrans_shadow(yppasswdd_t)
+corecmd_exec_bin(yppasswdd_t)
+corecmd_exec_shell(yppasswdd_t)
+
+domain_use_interactive_fds(yppasswdd_t)
+
+files_read_etc_runtime_files(yppasswdd_t)
+files_relabel_etc_files(yppasswdd_t)
+
logging_send_syslog_msg(yppasswdd_t)
-miscfiles_read_localization(yppasswdd_t)
sysnet_read_config(yppasswdd_t)
@@ -219,6 +216,14 @@ optional_policy(`
')
optional_policy(`
+ mta_send_mail(yppasswdd_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(yppasswdd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(yppasswdd_t)
')
@@ -234,7 +239,8 @@ optional_policy(`
dontaudit ypserv_t self:capability sys_tty_config;
allow ypserv_t self:fifo_file rw_fifo_file_perms;
allow ypserv_t self:process signal_perms;
-allow ypserv_t self:unix_stream_socket { accept listen };
+allow ypserv_t self:unix_dgram_socket create_socket_perms;
+allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
allow ypserv_t self:tcp_socket connected_stream_socket_perms;
allow ypserv_t self:udp_socket create_socket_perms;
@@ -254,7 +260,6 @@ kernel_read_kernel_sysctls(ypserv_t)
kernel_list_proc(ypserv_t)
kernel_read_proc_symlinks(ypserv_t)
-corenet_all_recvfrom_unlabeled(ypserv_t)
corenet_all_recvfrom_netlabel(ypserv_t)
corenet_tcp_sendrecv_generic_if(ypserv_t)
corenet_udp_sendrecv_generic_if(ypserv_t)
@@ -264,31 +269,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
corenet_udp_sendrecv_all_ports(ypserv_t)
corenet_tcp_bind_generic_node(ypserv_t)
corenet_udp_bind_generic_node(ypserv_t)
-
corenet_tcp_bind_reserved_port(ypserv_t)
corenet_udp_bind_reserved_port(ypserv_t)
corenet_tcp_bind_all_rpc_ports(ypserv_t)
corenet_udp_bind_all_rpc_ports(ypserv_t)
-corenet_sendrecv_generic_server_packets(ypserv_t)
-
corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
+corenet_sendrecv_generic_server_packets(ypserv_t)
-corecmd_exec_bin(ypserv_t)
+dev_read_sysfs(ypserv_t)
-files_read_etc_files(ypserv_t)
-files_read_var_files(ypserv_t)
+fs_getattr_all_fs(ypserv_t)
+fs_search_auto_mountpoints(ypserv_t)
-dev_read_sysfs(ypserv_t)
+corecmd_exec_bin(ypserv_t)
domain_use_interactive_fds(ypserv_t)
-fs_getattr_all_fs(ypserv_t)
-fs_search_auto_mountpoints(ypserv_t)
+files_read_var_files(ypserv_t)
logging_send_syslog_msg(ypserv_t)
-miscfiles_read_localization(ypserv_t)
nis_domtrans_ypxfr(ypserv_t)
@@ -310,8 +311,8 @@ optional_policy(`
# ypxfr local policy
#
-allow ypxfr_t self:unix_stream_socket { accept listen };
-allow ypxfr_t self:unix_dgram_socket { accept listen };
+allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
+allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;
allow ypxfr_t self:tcp_socket create_stream_socket_perms;
allow ypxfr_t self:udp_socket create_socket_perms;
allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
@@ -326,7 +327,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
-corenet_all_recvfrom_unlabeled(ypxfr_t)
corenet_all_recvfrom_netlabel(ypxfr_t)
corenet_tcp_sendrecv_generic_if(ypxfr_t)
corenet_udp_sendrecv_generic_if(ypxfr_t)
@@ -336,23 +336,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
corenet_udp_sendrecv_all_ports(ypxfr_t)
corenet_tcp_bind_generic_node(ypxfr_t)
corenet_udp_bind_generic_node(ypxfr_t)
-
corenet_tcp_bind_reserved_port(ypxfr_t)
corenet_udp_bind_reserved_port(ypxfr_t)
corenet_tcp_bind_all_rpc_ports(ypxfr_t)
corenet_udp_bind_all_rpc_ports(ypxfr_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
corenet_tcp_connect_all_ports(ypxfr_t)
corenet_sendrecv_generic_server_packets(ypxfr_t)
corenet_sendrecv_all_client_packets(ypxfr_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
-
-files_read_etc_files(ypxfr_t)
files_search_usr(ypxfr_t)
logging_send_syslog_msg(ypxfr_t)
-miscfiles_read_localization(ypxfr_t)
sysnet_read_config(ypxfr_t)
diff --git a/nova.fc b/nova.fc
new file mode 100644
index 0000000..02dc6dc
--- /dev/null
+++ b/nova.fc
@@ -0,0 +1,32 @@
+
+/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_ajax_exec_t,s0)
+/usr/bin/nova-console.* -- gen_context(system_u:object_r:nova_console_exec_t,s0)
+/usr/bin/nova-direct-api -- gen_context(system_u:object_r:nova_direct_exec_t,s0)
+/usr/bin/nova-api -- gen_context(system_u:object_r:nova_api_exec_t,s0)
+/usr/bin/nova-cert -- gen_context(system_u:object_r:nova_cert_exec_t,s0)
+/usr//bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0)
+/usr/bin/nova-network -- gen_context(system_u:object_r:nova_network_exec_t,s0)
+/usr/bin/nova-objectstore -- gen_context(system_u:object_r:nova_objectstore_exec_t,s0)
+/usr/bin/nova-scheduler -- gen_context(system_u:object_r:nova_scheduler_exec_t,s0)
+/usr/bin/nova-vncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
+/usr/bin/nova-volume -- gen_context(system_u:object_r:nova_volume_exec_t,s0)
+/usr/bin/nova-xvpvncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
+
+/usr/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_ajax_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-api.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-cert.* -- gen_context(system_u:object_r:nova_cert_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-console.* -- gen_context(system_u:object_r:nova_console_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-direct-api.* -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-metadata-api.service.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-network.* -- gen_context(system_u:object_r:nova_network_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-objectstore.* -- gen_context(system_u:object_r:nova_objectstore_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-scheduler.* -- gen_context(system_u:object_r:nova_scheduler_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-vncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-xvpvncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-volume.* -- gen_context(system_u:object_r:nova_volume_unit_file_t,s0)
+
+/var/lib/nova(/.*)? gen_context(system_u:object_r:nova_var_lib_t,s0)
+
+/var/log/nova(/.*)? gen_context(system_u:object_r:nova_log_t,s0)
+
+/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0)
diff --git a/nova.if b/nova.if
new file mode 100644
index 0000000..28936b4
--- /dev/null
+++ b/nova.if
@@ -0,0 +1,57 @@
+## openstack-nova
+
+######################################
+##
+## Manage nova lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nova_manage_lib_files',`
+ gen_require(`
+ type nova_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, nova_var_lib_t, nova_var_lib_t)
+')
+
+#######################################
+##
+## Creates types and rules for a basic
+## openstack-nova systemd daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`nova_domain_template',`
+ gen_require(`
+ attribute nova_domain;
+ ')
+
+ type nova_$1_t, nova_domain;
+ type nova_$1_exec_t;
+ init_daemon_domain(nova_$1_t, nova_$1_exec_t)
+
+ type nova_$1_unit_file_t;
+ systemd_unit_file(nova_$1_unit_file_t)
+
+ type nova_$1_tmp_t;
+ files_tmp_file(nova_$1_tmp_t)
+
+ manage_dirs_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
+ manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
+ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { file dir })
+ can_exec(nova_$1_t, nova_$1_tmp_t)
+
+ kernel_read_system_state(nova_$1_t)
+
+ logging_send_syslog_msg(nova_$1_t)
+
+')
diff --git a/nova.te b/nova.te
new file mode 100644
index 0000000..d5b54e5
--- /dev/null
+++ b/nova.te
@@ -0,0 +1,320 @@
+policy_module(nova, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+#
+# nova-stack daemons contain security issue with using sudo in the code
+# we make this policy as unconfined until this issue is fixed
+#
+
+attribute nova_domain;
+attribute nova_sudo_domain;
+
+nova_domain_template(ajax)
+nova_domain_template(api)
+nova_domain_template(cert)
+nova_domain_template(compute)
+nova_domain_template(console)
+nova_domain_template(direct)
+nova_domain_template(network)
+nova_domain_template(objectstore)
+nova_domain_template(scheduler)
+nova_domain_template(vncproxy)
+nova_domain_template(volume)
+
+typeattribute nova_api_t nova_sudo_domain;
+typeattribute nova_cert_t nova_sudo_domain;
+typeattribute nova_console_t nova_sudo_domain;
+typeattribute nova_network_t nova_sudo_domain;
+typeattribute nova_volume_t nova_sudo_domain;
+
+type nova_log_t;
+logging_log_file(nova_log_t)
+
+type nova_var_lib_t;
+files_type(nova_var_lib_t)
+
+type nova_var_run_t;
+files_pid_file(nova_var_run_t)
+
+
+######################################
+#
+# nova general domain local policy
+#
+
+allow nova_domain self:fifo_file rw_fifo_file_perms;
+allow nova_domain self:tcp_socket create_stream_socket_perms;
+allow nova_domain self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(nova_domain, nova_log_t, nova_log_t)
+manage_files_pattern(nova_domain, nova_log_t, nova_log_t)
+
+manage_dirs_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
+manage_files_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
+
+manage_dirs_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
+manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
+
+corenet_tcp_connect_amqp_port(nova_domain)
+corenet_tcp_connect_mysqld_port(nova_domain)
+
+kernel_read_network_state(nova_domain)
+
+corecmd_exec_bin(nova_domain)
+corecmd_exec_shell(nova_domain)
+corenet_tcp_connect_mysqld_port(nova_domain)
+
+dev_read_sysfs(nova_domain)
+dev_read_urand(nova_domain)
+
+fs_getattr_xattr_fs(nova_domain)
+
+libs_exec_ldconfig(nova_domain)
+
+optional_policy(`
+ sysnet_read_config(nova_domain)
+ sysnet_exec_ifconfig(nova_domain)
+')
+
+######################################
+#
+# nova ajax local policy
+#
+
+#optional_policy(`
+# unconfined_domain(nova_ajax_t)
+#')
+
+#######################################
+#
+# nova api local policy
+#
+
+allow nova_api_t self:process setfscreate;
+
+allow nova_api_t self:key write;
+
+allow nova_api_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow nova_api_t self:udp_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(nova_api_t)
+
+corenet_tcp_bind_generic_node(nova_api_t)
+corenet_udp_bind_generic_node(nova_api_t)
+# should be add to booleans
+corenet_tcp_connect_all_ports(nova_api_t)
+corenet_tcp_bind_all_unreserved_ports(nova_api_t)
+
+auth_read_passwd(nova_api_t)
+
+logging_send_syslog_msg(nova_api_t)
+
+miscfiles_read_certs(nova_api_t)
+
+optional_policy(`
+ iptables_domtrans(nova_api_t)
+')
+
+optional_policy(`
+ ssh_exec_keygen(nova_api_t)
+')
+
+#optional_policy(`
+# unconfined_domain(nova_api_t)
+#')
+
+######################################
+#
+# nova cert local policy
+#
+
+allow nova_cert_t self:process setfscreate;
+
+allow nova_cert_t self:udp_socket create_socket_perms;
+
+auth_use_nsswitch(nova_cert_t)
+
+miscfiles_read_certs(nova_cert_t)
+
+optional_policy(`
+ mysql_stream_connect(nova_cert_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(nova_cert_t)
+')
+
+#######################################
+#
+# nova compute local policy
+#
+
+# needs to be re-write since now runs as virtd_t
+
+allow nova_compute_t self:udp_socket create_socket_perms;
+
+kernel_read_network_state(nova_compute_t)
+
+dev_read_rand(nova_compute_t)
+
+optional_policy(`
+ virt_getattr_exec(nova_compute_t)
+ virt_stream_connect(nova_compute_t)
+')
+
+######################################
+#
+# nova console local policy
+#
+
+allow nova_console_t self:udp_socket create_socket_perms;
+
+auth_use_nsswitch(nova_console_t)
+
+optional_policy(`
+ mysql_stream_connect(nova_console_t)
+')
+
+#######################################
+#
+# nova direct local policy
+#
+
+#optional_policy(`
+# unconfined_domain(nova_direct_t)
+#')
+
+#######################################
+#
+# nova network local policy
+#
+
+allow nova_network_t self:capability { dac_override net_admin net_bind_service };
+allow nova_network_t self:process { getcap setcap };
+
+allow nova_network_t self:netlink_route_socket r_netlink_socket_perms;
+allow nova_network_t self:udp_socket create_socket_perms;
+
+kernel_read_network_state(nova_network_t)
+kernel_read_kernel_sysctls(nova_network_t)
+
+# should be added to boolean or fixed in the code
+# dnsmasq domtrans does not work since then dnsmasq_t wants
+# to do some stuff with nova_lib, nova_tmp
+# nova-dhcpbridge runs in dnsmasq domain
+corenet_all_recvfrom_netlabel(nova_network_t)
+corenet_tcp_sendrecv_generic_if(nova_network_t)
+corenet_udp_sendrecv_generic_if(nova_network_t)
+corenet_raw_sendrecv_generic_if(nova_network_t)
+corenet_tcp_sendrecv_generic_node(nova_network_t)
+corenet_udp_sendrecv_generic_node(nova_network_t)
+corenet_raw_sendrecv_generic_node(nova_network_t)
+corenet_tcp_sendrecv_all_ports(nova_network_t)
+corenet_udp_sendrecv_all_ports(nova_network_t)
+corenet_tcp_bind_generic_node(nova_network_t)
+corenet_udp_bind_generic_node(nova_network_t)
+corenet_tcp_bind_dns_port(nova_network_t)
+corenet_udp_bind_all_ports(nova_network_t)
+corenet_sendrecv_dns_server_packets(nova_network_t)
+corenet_sendrecv_dhcpd_server_packets(nova_network_t)
+
+libs_exec_ldconfig(nova_network_t)
+
+logging_send_syslog_msg(nova_network_t)
+
+optional_policy(`
+ brctl_domtrans(nova_network_t)
+')
+
+optional_policy(`
+ dnsmasq_exec(nova_network_t)
+# dnsmasq_domtrans(nova_network_t)
+')
+
+optional_policy(`
+ iptables_domtrans(nova_network_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(nova_network_t)
+')
+
+#optional_policy(`
+# unconfined_domain(nova_network_t)
+#')
+
+#######################################
+#
+# nova object store local policy
+#
+
+allow nova_objectstore_t self:udp_socket create_socket_perms;
+
+corenet_tcp_bind_generic_node(nova_objectstore_t)
+corenet_udp_bind_generic_node(nova_objectstore_t)
+
+optional_policy(`
+ unconfined_domain(nova_objectstore_t)
+')
+
+#######################################
+#
+# nova scheduler local policy
+#
+
+allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
+allow nova_scheduler_t self:udp_socket create_socket_perms;
+
+#optional_policy(`
+# unconfined_domain(nova_scheduler_t)
+#')
+
+#######################################
+#
+# nova vncproxy local policy
+#
+
+#optional_policy(`
+# unconfined_domain(nova_vncproxy_t)
+#')
+
+#######################################
+#
+# nova volume local policy
+#
+
+allow nova_volume_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow nova_volume_t self:udp_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(nova_volume_t)
+
+logging_send_syslog_msg(nova_volume_t)
+
+optional_policy(`
+ lvm_domtrans(nova_volume_t)
+')
+
+#optional_policy(`
+# unconfined_domain(nova_volume_t)
+#')
+
+#######################################
+#
+# nova sudo domain local policy
+#
+
+ifdef(`hide_broken_symptoms',`
+ optional_policy(`
+ sudo_exec(nova_sudo_domain)
+ allow nova_sudo_domain self:capability { setuid sys_resource setgid audit_write };
+ allow nova_sudo_domain self:process { setsched setrlimit };
+ logging_send_audit_msgs(nova_sudo_domain)
+ ')
+')
+
diff --git a/nscd.fc b/nscd.fc
index ba64485..429bd79 100644
--- a/nscd.fc
+++ b/nscd.fc
@@ -1,13 +1,15 @@
/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
-/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
+/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
-/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-
-/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
-/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
/var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
diff --git a/nscd.if b/nscd.if
index 8f2ab09..6ab4ea1 100644
--- a/nscd.if
+++ b/nscd.if
@@ -1,8 +1,8 @@
-## Name service cache daemon.
+## Name service cache daemon
########################################
##
-## Send generic signals to nscd.
+## Send generic signals to NSCD.
##
##
##
@@ -20,7 +20,7 @@ interface(`nscd_signal',`
########################################
##
-## Send kill signals to nscd.
+## Send NSCD the kill signal.
##
##
##
@@ -38,7 +38,7 @@ interface(`nscd_kill',`
########################################
##
-## Send null signals to nscd.
+## Send signulls to NSCD.
##
##
##
@@ -56,7 +56,7 @@ interface(`nscd_signull',`
########################################
##
-## Execute nscd in the nscd domain.
+## Execute NSCD in the nscd domain.
##
##
##
@@ -75,7 +75,8 @@ interface(`nscd_domtrans',`
########################################
##
-## Execute nscd in the caller domain.
+## Allow the specified domain to execute nscd
+## in the caller domain.
##
##
##
@@ -88,14 +89,13 @@ interface(`nscd_exec',`
type nscd_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, nscd_exec_t)
')
########################################
##
-## Use nscd services by connecting using
-## a unix domain stream socket.
+## Use NSCD services by connecting using
+## a unix stream socket.
##
##
##
@@ -112,22 +112,17 @@ interface(`nscd_socket_use',`
allow $1 self:unix_stream_socket create_socket_perms;
allow $1 nscd_t:nscd { getpwd getgrp gethost };
-
dontaudit $1 nscd_t:fd use;
dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
-
files_search_pids($1)
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
dontaudit $1 nscd_var_run_t:file read_file_perms;
-
ps_process_pattern(nscd_t, $1)
')
########################################
##
-## Use nscd services by mapping the
-## database from an inherited nscd
-## file descriptor.
+## Use nscd services
##
##
##
@@ -135,28 +130,38 @@ interface(`nscd_socket_use',`
##
##
#
-interface(`nscd_shm_use',`
+interface(`nscd_use',`
+ tunable_policy(`nscd_use_shm',`
+ nscd_shm_use($1)
+ ',`
+ nscd_socket_use($1)
+ ')
+')
+
+########################################
+##
+## Do not audit attempts to write nscd sock files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`nscd_dontaudit_write_sock_file',`
gen_require(`
type nscd_t, nscd_var_run_t;
- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
')
- allow $1 self:unix_stream_socket create_stream_socket_perms;
-
- allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
- allow $1 nscd_t:fd use;
-
- files_search_pids($1)
- stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
- dontaudit $1 nscd_var_run_t:file read_file_perms;
+ dontaudit $1 nscd_t:sock_file write;
+ dontaudit $1 nscd_var_run_t:sock_file write;
- allow $1 nscd_var_run_t:dir list_dir_perms;
- allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
')
########################################
##
-## Use nscd services.
+## Use NSCD services by mapping the database from
+## an inherited NSCD file descriptor.
##
##
##
@@ -164,18 +169,34 @@ interface(`nscd_shm_use',`
##
##
#
-interface(`nscd_use',`
- tunable_policy(`nscd_use_shm',`
- nscd_shm_use($1)
- ',`
- nscd_socket_use($1)
+interface(`nscd_shm_use',`
+ gen_require(`
+ type nscd_t, nscd_var_run_t;
+ class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
')
+
+ allow $1 nscd_var_run_t:dir list_dir_perms;
+ allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost shmemserv };
+ # Receive fd from nscd and map the backing file with read access.
+ allow $1 nscd_t:fd use;
+
+ # cjp: these were originally inherited from the
+ # nscd_socket_domain macro. need to investigate
+ # if they are all actually required
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+
+ # dg: This may not be required.
+ allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
+
+ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+ files_search_pids($1)
+ allow $1 nscd_t:nscd { getpwd getgrp gethost getserv };
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
')
########################################
##
-## Do not audit attempts to search
-## nscd pid directories.
+## Do not audit attempts to search the NSCD pid directory.
##
##
##
@@ -193,7 +214,7 @@ interface(`nscd_dontaudit_search_pid',`
########################################
##
-## Read nscd pid files.
+## Read NSCD pid file.
##
##
##
@@ -212,7 +233,7 @@ interface(`nscd_read_pid',`
########################################
##
-## Unconfined access to nscd services.
+## Unconfined access to NSCD services.
##
##
##
@@ -244,20 +265,20 @@ interface(`nscd_unconfined',`
## Role allowed access.
##
##
+##
#
interface(`nscd_run',`
gen_require(`
- attribute_role nscd_roles;
+ type nscd_t;
')
nscd_domtrans($1)
- roleattribute $2 nscd_roles;
+ role $2 types nscd_t;
')
########################################
##
-## Execute the nscd server init
-## script in the initrc domain.
+## Execute the nscd server init script.
##
##
##
@@ -275,8 +296,31 @@ interface(`nscd_initrc_domtrans',`
########################################
##
-## All of the rules required to
-## administrate an nscd environment.
+## Execute nscd server in the nscd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nscd_systemctl',`
+ gen_require(`
+ type nscd_unit_file_t;
+ type nscd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 nscd_unit_file_t:file read_file_perms;
+ allow $1 nscd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, nscd_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an nscd environment
##
##
##
@@ -285,7 +329,7 @@ interface(`nscd_initrc_domtrans',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the nscd domain.
##
##
##
@@ -294,10 +338,14 @@ interface(`nscd_admin',`
gen_require(`
type nscd_t, nscd_log_t, nscd_var_run_t;
type nscd_initrc_exec_t;
+ type nscd_unit_file_t;
')
- allow $1 nscd_t:process { ptrace signal_perms };
+ allow $1 nscd_t:process signal_perms;
ps_process_pattern($1, nscd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 nscd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -310,5 +358,7 @@ interface(`nscd_admin',`
files_list_pids($1)
admin_pattern($1, nscd_var_run_t)
- nscd_run($1, $2)
+ nscd_systemctl($1)
+ admin_pattern($1, nscd_unit_file_t)
+ allow $1 nscd_unit_file_t:service all_service_perms;
')
diff --git a/nscd.te b/nscd.te
index bcd7d0a..3878d3c 100644
--- a/nscd.te
+++ b/nscd.te
@@ -4,33 +4,34 @@ gen_require(`
class nscd all_nscd_perms;
')
-########################################
-#
-# Declarations
-#
-
##
##
-## Determine whether confined applications
-## can use nscd shared memory.
+## Allow confined applications to use nscd shared memory.
##
##
gen_tunable(nscd_use_shm, false)
-attribute_role nscd_roles;
+########################################
+#
+# Declarations
+#
+# cjp: this is out of order because of an
+# ordering problem with loadable modules
type nscd_var_run_t;
files_pid_file(nscd_var_run_t)
-init_daemon_run_dir(nscd_var_run_t, "nscd")
+# nscd is both the client program and the daemon.
type nscd_t;
type nscd_exec_t;
init_daemon_domain(nscd_t, nscd_exec_t)
-role nscd_roles types nscd_t;
type nscd_initrc_exec_t;
init_script_file(nscd_initrc_exec_t)
+type nscd_unit_file_t;
+systemd_unit_file(nscd_unit_file_t)
+
type nscd_log_t;
logging_log_file(nscd_log_t)
@@ -43,53 +44,54 @@ allow nscd_t self:capability { kill setgid setuid };
dontaudit nscd_t self:capability sys_tty_config;
allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
allow nscd_t self:fifo_file read_fifo_file_perms;
-allow nscd_t self:unix_stream_socket { accept listen };
+allow nscd_t self:unix_stream_socket create_stream_socket_perms;
+allow nscd_t self:unix_dgram_socket create_socket_perms;
allow nscd_t self:netlink_selinux_socket create_socket_perms;
+allow nscd_t self:tcp_socket create_socket_perms;
+allow nscd_t self:udp_socket create_socket_perms;
+# For client program operation, invoked from sysadm_t.
+# Transition occurs to nscd_t due to direct_sysadm_daemon.
allow nscd_t self:nscd { admin getstat };
-allow nscd_t nscd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow nscd_t nscd_log_t:file manage_file_perms;
logging_log_filetrans(nscd_t, nscd_log_t, file)
+manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
-files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
+files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir })
+corecmd_search_bin(nscd_t)
can_exec(nscd_t, nscd_exec_t)
-kernel_list_proc(nscd_t)
-kernel_read_kernel_sysctls(nscd_t)
kernel_read_network_state(nscd_t)
+kernel_read_kernel_sysctls(nscd_t)
+kernel_list_proc(nscd_t)
kernel_read_proc_symlinks(nscd_t)
-corecmd_search_bin(nscd_t)
-
dev_read_sysfs(nscd_t)
dev_read_rand(nscd_t)
dev_read_urand(nscd_t)
-domain_search_all_domains_state(nscd_t)
-domain_use_interactive_fds(nscd_t)
-
-files_read_generic_tmp_symlinks(nscd_t)
-files_read_etc_runtime_files(nscd_t)
-
fs_getattr_all_fs(nscd_t)
fs_search_auto_mountpoints(nscd_t)
fs_list_inotifyfs(nscd_t)
+# for when /etc/passwd has just been updated and has the wrong type
auth_getattr_shadow(nscd_t)
auth_use_nsswitch(nscd_t)
-corenet_all_recvfrom_unlabeled(nscd_t)
corenet_all_recvfrom_netlabel(nscd_t)
corenet_tcp_sendrecv_generic_if(nscd_t)
+corenet_udp_sendrecv_generic_if(nscd_t)
corenet_tcp_sendrecv_generic_node(nscd_t)
-
-corenet_sendrecv_all_client_packets(nscd_t)
-corenet_tcp_connect_all_ports(nscd_t)
+corenet_udp_sendrecv_generic_node(nscd_t)
corenet_tcp_sendrecv_all_ports(nscd_t)
-
+corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_udp_bind_generic_node(nscd_t)
+corenet_tcp_connect_all_ports(nscd_t)
+corenet_sendrecv_all_client_packets(nscd_t)
corenet_rw_tun_tap_dev(nscd_t)
selinux_get_fs_mount(nscd_t)
@@ -98,16 +100,23 @@ selinux_compute_access_vector(nscd_t)
selinux_compute_create_context(nscd_t)
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)
+domain_use_interactive_fds(nscd_t)
+domain_search_all_domains_state(nscd_t)
+
+files_read_generic_tmp_symlinks(nscd_t)
+# Needed to read files created by firstboot "/etc/hesiod.conf"
+files_read_etc_runtime_files(nscd_t)
logging_send_audit_msgs(nscd_t)
logging_send_syslog_msg(nscd_t)
-miscfiles_read_localization(nscd_t)
seutil_read_config(nscd_t)
seutil_read_default_contexts(nscd_t)
seutil_sigchld_newrole(nscd_t)
+sysnet_read_config(nscd_t)
+
userdom_dontaudit_use_user_terminals(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)
@@ -121,20 +130,31 @@ optional_policy(`
')
optional_policy(`
+ kerberos_use(nscd_t)
+')
+
+optional_policy(`
+ udev_read_db(nscd_t)
+')
+
+optional_policy(`
+ xen_dontaudit_rw_unix_stream_sockets(nscd_t)
+ xen_append_log(nscd_t)
+')
+
+optional_policy(`
tunable_policy(`samba_domain_controller',`
samba_append_log(nscd_t)
samba_dontaudit_use_fds(nscd_t)
')
-
- samba_read_config(nscd_t)
- samba_read_var_files(nscd_t)
')
optional_policy(`
- udev_read_db(nscd_t)
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+ samba_stream_connect_nmbd(nscd_t)
')
optional_policy(`
- xen_dontaudit_rw_unix_stream_sockets(nscd_t)
- xen_append_log(nscd_t)
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
')
diff --git a/nsd.fc b/nsd.fc
index 4f2b1b6..5348e92 100644
--- a/nsd.fc
+++ b/nsd.fc
@@ -1,16 +1,13 @@
-/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0)
-/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
-/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
-/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
+/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_zone_t,s0)
+/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
-/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
-/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
/usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
-/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
-
-/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
-/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
+/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
diff --git a/nsd.if b/nsd.if
index a9c60ff..ad4f14a 100644
--- a/nsd.if
+++ b/nsd.if
@@ -1,8 +1,8 @@
-## Authoritative only name server.
+## Authoritative only name server
########################################
##
-## Send and receive datagrams from NSD. (Deprecated)
+## Read NSD pid file.
##
##
##
@@ -10,13 +10,18 @@
##
##
#
-interface(`nsd_udp_chat',`
- refpolicywarn(`$0($*) has been deprecated.')
+interface(`nsd_read_pid',`
+ gen_require(`
+ type nsd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, nsd_var_run_t, nsd_var_run_t)
')
########################################
##
-## Connect to NSD over a TCP socket (Deprecated)
+## Send and receive datagrams from NSD. (Deprecated)
##
##
##
@@ -24,47 +29,20 @@ interface(`nsd_udp_chat',`
##
##
#
-interface(`nsd_tcp_connect',`
+interface(`nsd_udp_chat',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
##
-## All of the rules required to
-## administrate an nsd environment.
+## Connect to NSD over a TCP socket (Deprecated)
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Role allowed access.
-##
-##
-##
#
-interface(`nsd_admin',`
- gen_require(`
- type nsd_t, nsd_conf_t, nsd_var_run_t;
- type nsd_initrc_exec_t, nsd_db_t, nsd_zone_t;
- ')
-
- allow $1 nsd_t:process { ptrace signal_perms };
- ps_process_pattern($1, nsd_t)
-
- init_labeled_script_domtrans($1, nsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nsd_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, { nsd_conf_t nsd_db_t })
-
- files_search_var_lib($1)
- admin_pattern($1, nsd_zone_t)
-
- files_list_pids($1)
- admin_pattern($1, nsd_var_run_t)
+interface(`nsd_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
')
diff --git a/nsd.te b/nsd.te
index 47bb1d2..a97c60f 100644
--- a/nsd.te
+++ b/nsd.te
@@ -9,9 +9,7 @@ type nsd_t;
type nsd_exec_t;
init_daemon_domain(nsd_t, nsd_exec_t)
-type nsd_initrc_exec_t;
-init_script_file(nsd_initrc_exec_t)
-
+# A type for configuration files of nsd
type nsd_conf_t;
files_type(nsd_conf_t)
@@ -20,32 +18,28 @@ domain_type(nsd_crond_t)
domain_entry_file(nsd_crond_t, nsd_exec_t)
role system_r types nsd_crond_t;
-type nsd_db_t;
-files_type(nsd_db_t)
-
type nsd_var_run_t;
files_pid_file(nsd_var_run_t)
-type nsd_zone_t;
+# A type for zone files
+type nsd_zone_t alias nsd_db_t;
files_type(nsd_zone_t)
########################################
#
-# Local policy
+# NSD Local policy
#
allow nsd_t self:capability { chown dac_override kill setgid setuid };
dontaudit nsd_t self:capability sys_tty_config;
allow nsd_t self:process signal_perms;
+allow nsd_t self:tcp_socket create_stream_socket_perms;
+allow nsd_t self:udp_socket create_socket_perms;
allow nsd_t self:fifo_file rw_fifo_file_perms;
-allow nsd_t self:tcp_socket { accept listen };
allow nsd_t nsd_conf_t:dir list_dir_perms;
-allow nsd_t nsd_conf_t:file read_file_perms;
-allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms;
-
-allow nsd_t nsd_db_t:file manage_file_perms;
-filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
+read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
files_pid_filetrans(nsd_t, nsd_var_run_t, file)
@@ -62,7 +56,6 @@ kernel_read_kernel_sysctls(nsd_t)
corecmd_exec_bin(nsd_t)
-corenet_all_recvfrom_unlabeled(nsd_t)
corenet_all_recvfrom_netlabel(nsd_t)
corenet_tcp_sendrecv_generic_if(nsd_t)
corenet_udp_sendrecv_generic_if(nsd_t)
@@ -72,16 +65,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
corenet_udp_sendrecv_all_ports(nsd_t)
corenet_tcp_bind_generic_node(nsd_t)
corenet_udp_bind_generic_node(nsd_t)
-
-corenet_sendrecv_dns_server_packets(nsd_t)
corenet_tcp_bind_dns_port(nsd_t)
corenet_udp_bind_dns_port(nsd_t)
+corenet_sendrecv_dns_server_packets(nsd_t)
dev_read_sysfs(nsd_t)
+dev_read_urand(nsd_t)
domain_use_interactive_fds(nsd_t)
files_read_etc_runtime_files(nsd_t)
+files_search_var_lib(nsd_t)
fs_getattr_all_fs(nsd_t)
fs_search_auto_mountpoints(nsd_t)
@@ -90,8 +84,6 @@ auth_use_nsswitch(nsd_t)
logging_send_syslog_msg(nsd_t)
-miscfiles_read_localization(nsd_t)
-
userdom_dontaudit_use_unpriv_user_fds(nsd_t)
userdom_dontaudit_search_user_home_dirs(nsd_t)
@@ -105,23 +97,24 @@ optional_policy(`
########################################
#
-# Cron local policy
+# Zone update cron job local policy
#
+# kill capability for root cron job and non-root daemon
allow nsd_crond_t self:capability { dac_override kill };
dontaudit nsd_crond_t self:capability sys_nice;
allow nsd_crond_t self:process { setsched signal_perms };
allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
+allow nsd_crond_t self:tcp_socket create_socket_perms;
+allow nsd_crond_t self:udp_socket create_socket_perms;
-allow nsd_crond_t nsd_t:process signal;
-ps_process_pattern(nsd_crond_t, nsd_t)
-
-allow nsd_crond_t nsd_conf_t:dir list_dir_perms;
allow nsd_crond_t nsd_conf_t:file read_file_perms;
-allow nsd_crond_t nsd_conf_t:lnk_file read_lnk_file_perms;
-allow nsd_crond_t nsd_db_t:file manage_file_perms;
-filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)
+files_search_var_lib(nsd_crond_t)
+
+allow nsd_crond_t nsd_t:process signal;
+
+ps_process_pattern(nsd_crond_t, nsd_t)
manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
@@ -133,27 +126,27 @@ kernel_read_system_state(nsd_crond_t)
corecmd_exec_bin(nsd_crond_t)
corecmd_exec_shell(nsd_crond_t)
-corenet_all_recvfrom_unlabeled(nsd_crond_t)
corenet_all_recvfrom_netlabel(nsd_crond_t)
corenet_tcp_sendrecv_generic_if(nsd_crond_t)
+corenet_udp_sendrecv_generic_if(nsd_crond_t)
corenet_tcp_sendrecv_generic_node(nsd_crond_t)
-
-corenet_sendrecv_all_client_packets(nsd_crond_t)
-corenet_tcp_connect_all_ports(nsd_crond_t)
+corenet_udp_sendrecv_generic_node(nsd_crond_t)
corenet_tcp_sendrecv_all_ports(nsd_crond_t)
+corenet_udp_sendrecv_all_ports(nsd_crond_t)
+corenet_tcp_connect_all_ports(nsd_crond_t)
+corenet_sendrecv_all_client_packets(nsd_crond_t)
dev_read_urand(nsd_crond_t)
domain_dontaudit_read_all_domains_state(nsd_crond_t)
files_read_etc_runtime_files(nsd_crond_t)
+files_search_var_lib(nsd_t)
auth_use_nsswitch(nsd_crond_t)
logging_send_syslog_msg(nsd_crond_t)
-miscfiles_read_localization(nsd_crond_t)
-
userdom_dontaudit_search_user_home_dirs(nsd_crond_t)
optional_policy(`
diff --git a/nslcd.fc b/nslcd.fc
index 402100e..ce913b2 100644
--- a/nslcd.fc
+++ b/nslcd.fc
@@ -1,7 +1,4 @@
-/etc/nss-ldapd\.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
-
-/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
-
-/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
-
-/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
+/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
+/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff --git a/nslcd.if b/nslcd.if
index 97df768..852d1c6 100644
--- a/nslcd.if
+++ b/nslcd.if
@@ -1,4 +1,4 @@
-## Local LDAP name service daemon.
+## nslcd - local LDAP name service daemon.
########################################
##
@@ -15,7 +15,6 @@ interface(`nslcd_domtrans',`
type nslcd_t, nslcd_exec_t;
')
- corecmd_searh_bin($1)
domtrans_pattern($1, nslcd_exec_t, nslcd_t)
')
@@ -39,7 +38,7 @@ interface(`nslcd_initrc_domtrans',`
########################################
##
-## Read nslcd pid files.
+## Read nslcd PID files.
##
##
##
@@ -58,8 +57,25 @@ interface(`nslcd_read_pid_files',`
########################################
##
-## Connect to nslcd over an unix
-## domain stream socket.
+## Dontaudit write to nslcd over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nslcd_dontaudit_write_ock_file',`
+ gen_require(`
+ type nslcd_var_run_t;
+ ')
+
+ dontaudit $1 nslcd_var_run_t:sock_file write;
+')
+
+########################################
+##
+## Connect to nslcd over an unix stream socket.
##
##
##
@@ -72,14 +88,33 @@ interface(`nslcd_stream_connect',`
type nslcd_t, nslcd_var_run_t;
')
- files_search_pids($1)
stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
+ files_search_pids($1)
+')
+
+#######################################
+##
+## Do not audit attempts to write nslcd sock files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`nslcd_dontaudit_write_sock_file',`
+ gen_require(`
+ type nslcd_t, nslcd_var_run_t;
+ ')
+
+ dontaudit $1 nslcd_t:sock_file write;
+ dontaudit $1 nslcd_var_run_t:sock_file write;
')
########################################
##
-## All of the rules required to
-## administrate an nslcd environment.
+## All of the rules required to administrate
+## an nslcd environment
##
##
##
@@ -99,17 +134,21 @@ interface(`nslcd_admin',`
type nslcd_conf_t;
')
- allow $1 nslcd_t:process { ptrace signal_perms };
ps_process_pattern($1, nslcd_t)
+ allow $1 nslcd_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 nslcd_t:process ptrace;
+ ')
+ # Allow nslcd_t to restart the apache service
nslcd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 nslcd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, nslcd_conf_t)
- files_search_pids($1)
- admin_pattern($1, nslcd_var_run_t)
+ files_list_pids($1)
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/nslcd.te b/nslcd.te
index 421bf1a..b80dbe5 100644
--- a/nslcd.te
+++ b/nslcd.te
@@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t)
########################################
#
-# Local policy
+# nslcd local policy
#
-allow nslcd_t self:capability { setgid setuid dac_override };
-allow nslcd_t self:process signal;
-allow nslcd_t self:unix_stream_socket { accept listen };
+allow nslcd_t self:capability { dac_override setgid setuid sys_nice };
+allow nslcd_t self:process { setsched signal signull };
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
allow nslcd_t nslcd_conf_t:file read_file_perms;
@@ -36,14 +36,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
kernel_read_system_state(nslcd_t)
+dev_read_sysfs(nslcd_t)
+
corenet_all_recvfrom_unlabeled(nslcd_t)
corenet_all_recvfrom_netlabel(nslcd_t)
-corenet_tcp_sendrecv_generic_if(nslcd_t)
-corenet_tcp_sendrecv_generic_node(nslcd_t)
-
-corenet_sendrecv_ldap_client_packets(nslcd_t)
corenet_tcp_connect_ldap_port(nslcd_t)
-corenet_tcp_sendrecv_ldap_port(nslcd_t)
+corenet_sendrecv_ldap_client_packets(nslcd_t)
dev_read_sysfs(nslcd_t)
@@ -54,10 +52,14 @@ auth_use_nsswitch(nslcd_t)
logging_send_syslog_msg(nslcd_t)
-miscfiles_read_localization(nslcd_t)
userdom_read_user_tmp_files(nslcd_t)
optional_policy(`
+ dirsrv_stream_connect(nslcd_t)
+')
+
+optional_policy(`
ldap_stream_connect(nslcd_t)
')
+
diff --git a/nsplugin.fc b/nsplugin.fc
new file mode 100644
index 0000000..22e6c96
--- /dev/null
+++ b/nsplugin.fc
@@ -0,0 +1,11 @@
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --git a/nsplugin.if b/nsplugin.if
new file mode 100644
index 0000000..16f4789
--- /dev/null
+++ b/nsplugin.if
@@ -0,0 +1,474 @@
+
+## policy for nsplugin
+
+########################################
+##
+## Create, read, write, and delete
+## nsplugin rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_manage_rw_files',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ allow $1 nsplugin_rw_t:file manage_file_perms;
+ allow $1 nsplugin_rw_t:dir rw_dir_perms;
+')
+
+########################################
+##
+## Manage nsplugin rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_manage_rw',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+#######################################
+##
+## The per role template for the nsplugin module.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+interface(`nsplugin_role_notrans',`
+ gen_require(`
+ type nsplugin_rw_t;
+ type nsplugin_home_t;
+ type nsplugin_exec_t;
+ type nsplugin_config_exec_t;
+ type nsplugin_t;
+ type nsplugin_config_t;
+ class x_drawable all_x_drawable_perms;
+ class x_resource all_x_resource_perms;
+ class dbus send_msg;
+ ')
+
+ role $1 types nsplugin_t;
+ role $1 types nsplugin_config_t;
+
+ allow nsplugin_t $2:process signull;
+ allow nsplugin_t $2:dbus send_msg;
+ allow $2 nsplugin_t:dbus send_msg;
+
+ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ can_exec($2, nsplugin_rw_t)
+
+ #Leaked File Descriptors
+ifdef(`hide_broken_symptoms', `
+ dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms;
+')
+ allow nsplugin_t $2:unix_stream_socket connectto;
+ dontaudit nsplugin_t $2:process ptrace;
+ allow nsplugin_t $2:sem rw_sem_perms;
+ allow nsplugin_t $2:shm rw_shm_perms;
+ dontaudit nsplugin_t $2:shm destroy;
+ allow $2 nsplugin_t:sem rw_sem_perms;
+
+ allow $2 nsplugin_t:process { getattr signal_perms };
+ allow $2 nsplugin_t:unix_stream_socket connectto;
+
+ # Connect to pulseaudit server
+ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
+ optional_policy(`
+ gnome_stream_connect(nsplugin_t, $2)
+ ')
+
+ userdom_use_inherited_user_terminals(nsplugin_t)
+ userdom_use_inherited_user_terminals(nsplugin_config_t)
+ userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
+ userdom_manage_tmpfs_role($1, nsplugin_t)
+
+ optional_policy(`
+ pulseaudio_role($1, nsplugin_t)
+ ')
+')
+
+#######################################
+##
+## Role access for nsplugin
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+interface(`nsplugin_role',`
+ gen_require(`
+ type nsplugin_exec_t;
+ type nsplugin_config_exec_t;
+ type nsplugin_t;
+ type nsplugin_config_t;
+ ')
+
+ nsplugin_role_notrans($1, $2)
+
+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
+
+')
+
+#######################################
+##
+## The per role template for the nsplugin module.
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+interface(`nsplugin_domtrans',`
+ gen_require(`
+ type nsplugin_exec_t;
+ type nsplugin_t;
+ ')
+
+ domtrans_pattern($1, nsplugin_exec_t, nsplugin_t)
+ allow $1 nsplugin_t:unix_stream_socket connectto;
+ allow nsplugin_t $1:process signal;
+')
+
+#######################################
+##
+## The per role template for the nsplugin module.
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+interface(`nsplugin_domtrans_config',`
+ gen_require(`
+ type nsplugin_config_exec_t;
+ type nsplugin_config_t;
+ ')
+
+ domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t)
+')
+
+########################################
+##
+## Search nsplugin rw directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_search_rw_dir',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ allow $1 nsplugin_rw_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Read nsplugin rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_read_rw_files',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+########################################
+##
+## Read nsplugin home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_read_home',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
+ read_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+ read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+##
+## Exec nsplugin rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_rw_exec',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ can_exec($1, nsplugin_rw_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## nsplugin home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_manage_home_files',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+##
+## manage nnsplugin home dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_manage_home_dirs',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+##
+## Allow attempts to read and write to
+## nsplugin named pipes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`nsplugin_rw_pipes',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Read and write to nsplugin shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_rw_shm',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:shm rw_shm_perms;
+')
+
+#####################################
+##
+## Allow read and write access to nsplugin semaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_rw_semaphores',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:sem rw_sem_perms;
+')
+
+########################################
+##
+## Execute nsplugin_exec_t
+## in the specified domain.
+##
+##
+##
+## Execute a nsplugin_exec_t
+## in the specified domain.
+##
+##
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the new process.
+##
+##
+#
+interface(`nsplugin_exec_domtrans',`
+ gen_require(`
+ type nsplugin_exec_t;
+ ')
+
+ allow $2 nsplugin_exec_t:file entrypoint;
+ domtrans_pattern($1, nsplugin_exec_t, $2)
+')
+
+########################################
+##
+## Send generic signals to user nsplugin processes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_signal',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:process signal;
+')
+
+########################################
+##
+## Create objects in a user home directory
+## with an automatic type transition to
+## the nsplugin home file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+#
+interface(`nsplugin_user_home_dir_filetrans',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, nsplugin_home_t, $2)
+')
+
+#######################################
+##
+## Create objects in a user home directory
+## with an automatic type transition to
+## the nsplugin home file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+#
+interface(`nsplugin_user_home_filetrans',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2)
+')
+
+########################################
+##
+## Send signull signal to nsplugin
+## processes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_signull',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:process signull;
+')
diff --git a/nsplugin.te b/nsplugin.te
new file mode 100644
index 0000000..7d839fe
--- /dev/null
+++ b/nsplugin.te
@@ -0,0 +1,318 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
+## Allow nsplugin code to execmem/execstack
+##
+##
+gen_tunable(nsplugin_execmem, false)
+
+##
+##
+## Allow nsplugin code to connect to unreserved ports
+##
+##
+gen_tunable(nsplugin_can_network, true)
+
+type nsplugin_exec_t;
+application_executable_file(nsplugin_exec_t)
+
+type nsplugin_config_exec_t;
+application_executable_file(nsplugin_config_exec_t)
+
+type nsplugin_rw_t;
+files_poly_member(nsplugin_rw_t)
+files_type(nsplugin_rw_t)
+
+type nsplugin_tmp_t;
+files_tmp_file(nsplugin_tmp_t)
+
+type nsplugin_home_t;
+files_poly_member(nsplugin_home_t)
+userdom_user_home_content(nsplugin_home_t)
+typealias nsplugin_home_t alias user_nsplugin_home_t;
+
+type nsplugin_t;
+application_domain(nsplugin_t, nsplugin_exec_t)
+
+type nsplugin_config_t;
+domain_type(nsplugin_config_t)
+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
+
+########################################
+#
+# nsplugin local policy
+#
+dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
+allow nsplugin_t self:fifo_file rw_file_perms;
+allow nsplugin_t self:process { setpgid getsched setsched signal_perms };
+
+allow nsplugin_t self:sem create_sem_perms;
+allow nsplugin_t self:shm create_shm_perms;
+allow nsplugin_t self:msgq create_msgq_perms;
+allow nsplugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms };
+allow nsplugin_t self:tcp_socket create_stream_socket_perms;
+allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
+read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+
+tunable_policy(`nsplugin_execmem',`
+ allow nsplugin_t self:process { execstack execmem };
+ allow nsplugin_config_t self:process { execstack execmem };
+')
+
+tunable_policy(`nsplugin_can_network',`
+ corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
+ corenet_tcp_connect_all_ephemeral_ports(nsplugin_t)
+')
+
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
+userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
+userdom_dontaudit_getattr_user_home_content(nsplugin_t)
+userdom_dontaudit_search_user_bin_dirs(nsplugin_t)
+userdom_dontaudit_write_user_home_content_files(nsplugin_t)
+userdom_dontaudit_search_admin_dir(nsplugin_t)
+
+corecmd_exec_bin(nsplugin_t)
+corecmd_exec_shell(nsplugin_t)
+
+corenet_all_recvfrom_netlabel(nsplugin_t)
+corenet_tcp_connect_flash_port(nsplugin_t)
+corenet_tcp_connect_ms_streaming_port(nsplugin_t)
+corenet_tcp_connect_rtsp_port(nsplugin_t)
+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
+corenet_tcp_connect_http_port(nsplugin_t)
+corenet_tcp_connect_http_cache_port(nsplugin_t)
+corenet_tcp_connect_squid_port(nsplugin_t)
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
+corenet_tcp_sendrecv_generic_node(nsplugin_t)
+corenet_tcp_connect_ipp_port(nsplugin_t)
+corenet_tcp_connect_speech_port(nsplugin_t)
+
+domain_dontaudit_read_all_domains_state(nsplugin_t)
+
+dev_read_urand(nsplugin_t)
+dev_read_rand(nsplugin_t)
+dev_read_sound(nsplugin_t)
+dev_write_sound(nsplugin_t)
+dev_read_video_dev(nsplugin_t)
+dev_write_video_dev(nsplugin_t)
+dev_getattr_dri_dev(nsplugin_t)
+dev_getattr_mouse_dev(nsplugin_t)
+dev_rwx_zero(nsplugin_t)
+dev_read_sysfs(nsplugin_t)
+dev_dontaudit_getattr_all(nsplugin_t)
+
+kernel_read_kernel_sysctls(nsplugin_t)
+kernel_read_system_state(nsplugin_t)
+kernel_read_network_state(nsplugin_t)
+
+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
+files_dontaudit_list_home(nsplugin_t)
+files_read_config_files(nsplugin_t)
+
+fs_getattr_tmpfs(nsplugin_t)
+fs_getattr_xattr_fs(nsplugin_t)
+fs_search_auto_mountpoints(nsplugin_t)
+fs_rw_anon_inodefs_files(nsplugin_t)
+fs_list_inotifyfs(nsplugin_t)
+fs_dontaudit_list_fusefs(nsplugin_t)
+
+storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
+storage_dontaudit_getattr_removable_dev(nsplugin_t)
+
+term_dontaudit_getattr_all_ptys(nsplugin_t)
+term_dontaudit_getattr_all_ttys(nsplugin_t)
+
+auth_use_nsswitch(nsplugin_t)
+
+libs_exec_ld_so(nsplugin_t)
+
+miscfiles_read_fonts(nsplugin_t)
+miscfiles_dontaudit_write_fonts(nsplugin_t)
+miscfiles_setattr_fonts_cache_dirs(nsplugin_t)
+
+userdom_manage_user_tmp_dirs(nsplugin_t)
+userdom_manage_user_tmp_files(nsplugin_t)
+userdom_manage_user_tmp_sockets(nsplugin_t)
+userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file })
+userdom_rw_semaphores(nsplugin_t)
+userdom_dontaudit_rw_user_tmp_pipes(nsplugin_t)
+
+userdom_read_user_home_content_symlinks(nsplugin_t)
+userdom_read_user_home_content_files(nsplugin_t)
+userdom_read_user_tmp_files(nsplugin_t)
+userdom_write_user_tmp_sockets(nsplugin_t)
+userdom_dontaudit_append_user_home_content_files(nsplugin_t)
+userdom_read_home_audio_files(nsplugin_t)
+
+optional_policy(`
+ alsa_read_rw_config(nsplugin_t)
+ alsa_read_home_files(nsplugin_t)
+')
+
+optional_policy(`
+ chrome_dontaudit_sandbox_leaks(nsplugin_t)
+')
+
+optional_policy(`
+ cups_stream_connect(nsplugin_t)
+')
+
+optional_policy(`
+ dbus_session_bus_client(nsplugin_t)
+ dbus_connect_session_bus(nsplugin_t)
+ dbus_system_bus_client(nsplugin_t)
+')
+
+optional_policy(`
+ gnome_exec_gconf(nsplugin_t)
+ gnome_manage_config(nsplugin_t)
+ gnome_read_gconf_home_files(nsplugin_t)
+ gnome_read_usr_config(nsplugin_t)
+')
+
+optional_policy(`
+ gpm_getattr_gpmctl(nsplugin_t)
+')
+
+optional_policy(`
+ mozilla_exec_user_home_files(nsplugin_t)
+ mozilla_read_user_home_files(nsplugin_t)
+ mozilla_write_user_home_files(nsplugin_t)
+ mozilla_plugin_delete_tmpfs_files(nsplugin_t)
+')
+
+optional_policy(`
+ mplayer_exec(nsplugin_t)
+ mplayer_read_user_home_files(nsplugin_t)
+')
+
+optional_policy(`
+ sandbox_read_tmpfs_files(nsplugin_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+ xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t)
+ xserver_rw_shm(nsplugin_t)
+ xserver_read_xdm_pid(nsplugin_t)
+ xserver_read_xdm_tmp_files(nsplugin_t)
+ xserver_read_user_xauth(nsplugin_t)
+ xserver_read_user_iceauth(nsplugin_t)
+ xserver_use_user_fonts(nsplugin_t)
+ xserver_rw_inherited_user_fonts(nsplugin_t)
+')
+
+########################################
+#
+# nsplugin_config local policy
+#
+
+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
+#execing pulseaudio
+dontaudit nsplugin_t self:process { getcap setcap };
+
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_search_sysfs(nsplugin_config_t)
+dev_read_urand(nsplugin_config_t)
+dev_dontaudit_read_rand(nsplugin_config_t)
+dev_dontaudit_rw_dri(nsplugin_config_t)
+
+fs_search_auto_mountpoints(nsplugin_config_t)
+fs_list_inotifyfs(nsplugin_config_t)
+
+can_exec(nsplugin_config_t, nsplugin_rw_t)
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+
+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+
+corecmd_exec_bin(nsplugin_config_t)
+corecmd_exec_shell(nsplugin_config_t)
+
+kernel_read_system_state(nsplugin_config_t)
+kernel_request_load_module(nsplugin_config_t)
+
+domain_use_interactive_fds(nsplugin_config_t)
+
+files_dontaudit_search_home(nsplugin_config_t)
+files_list_tmp(nsplugin_config_t)
+
+auth_use_nsswitch(nsplugin_config_t)
+
+miscfiles_read_fonts(nsplugin_config_t)
+
+userdom_search_user_home_content(nsplugin_config_t)
+userdom_read_user_home_content_symlinks(nsplugin_config_t)
+userdom_read_user_home_content_files(nsplugin_config_t)
+userdom_dontaudit_search_admin_dir(nsplugin_config_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_t)
+ fs_manage_nfs_files(nsplugin_t)
+ fs_manage_nfs_symlinks(nsplugin_t)
+ fs_manage_nfs_named_pipes(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_config_t)
+ fs_manage_nfs_files(nsplugin_config_t)
+ fs_manage_nfs_named_pipes(nsplugin_config_t)
+ fs_manage_nfs_symlinks(nsplugin_config_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_t)
+ fs_manage_cifs_files(nsplugin_t)
+ fs_manage_cifs_symlinks(nsplugin_t)
+ fs_manage_cifs_named_pipes(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_config_t)
+ fs_manage_cifs_files(nsplugin_config_t)
+ fs_manage_cifs_named_pipes(nsplugin_config_t)
+ fs_manage_cifs_symlinks(nsplugin_config_t)
+')
+
+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
+
+optional_policy(`
+ xserver_use_user_fonts(nsplugin_config_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(nsplugin_config_t)
+ mozilla_write_user_home_files(nsplugin_config_t)
+')
+
+application_signull(nsplugin_t)
+
+optional_policy(`
+ devicekit_dbus_chat_power(nsplugin_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(nsplugin_t)
+ pulseaudio_stream_connect(nsplugin_t)
+ pulseaudio_manage_home_files(nsplugin_t)
+ pulseaudio_setattr_home_dir(nsplugin_t)
+')
diff --git a/ntop.te b/ntop.te
index 8ec7859..719cffd 100644
--- a/ntop.te
+++ b/ntop.te
@@ -33,6 +33,7 @@ allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
dontaudit ntop_t self:capability sys_tty_config;
allow ntop_t self:process signal_perms;
allow ntop_t self:fifo_file rw_fifo_file_perms;
+allow ntop_t self:netlink_socket create_socket_perms;
allow ntop_t self:tcp_socket { accept listen };
allow ntop_t self:unix_stream_socket { accept listen };
allow ntop_t self:packet_socket create_socket_perms;
@@ -58,7 +59,6 @@ kernel_read_system_state(ntop_t)
kernel_read_network_state(ntop_t)
kernel_read_kernel_sysctls(ntop_t)
-corenet_all_recvfrom_unlabeled(ntop_t)
corenet_all_recvfrom_netlabel(ntop_t)
corenet_tcp_sendrecv_generic_if(ntop_t)
corenet_raw_sendrecv_generic_if(ntop_t)
@@ -78,10 +78,11 @@ corenet_tcp_sendrecv_http_port(ntop_t)
dev_read_sysfs(ntop_t)
dev_rw_generic_usb_dev(ntop_t)
+dev_read_usbmon_dev(ntop_t)
+dev_write_usbmon_dev(ntop_t)
domain_use_interactive_fds(ntop_t)
-files_read_usr_files(ntop_t)
fs_getattr_all_fs(ntop_t)
fs_search_auto_mountpoints(ntop_t)
diff --git a/ntp.fc b/ntp.fc
index af3c91e..6882a3f 100644
--- a/ntp.fc
+++ b/ntp.fc
@@ -13,6 +13,8 @@
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
+
/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
diff --git a/ntp.if b/ntp.if
index e96a309..c6d1b01 100644
--- a/ntp.if
+++ b/ntp.if
@@ -1,4 +1,4 @@
-## Network time protocol daemon.
+## Network time protocol daemon
########################################
##
@@ -37,6 +37,25 @@ interface(`ntp_domtrans',`
########################################
##
+## Execute ntp server in the caller domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ntp_exec',`
+ gen_require(`
+ type ntpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ntpd_exec_t)
+')
+
+########################################
+##
## Execute ntp in the ntp domain, and
## allow the specified role the ntp domain.
##
@@ -54,11 +73,11 @@ interface(`ntp_domtrans',`
#
interface(`ntp_run',`
gen_require(`
- attribute_role ntpd_roles;
+ type ntpd_t;
')
ntp_domtrans($1)
- roleattribute $2 ntpd_roles;
+ role $2 types ntpd_t;
')
########################################
@@ -98,6 +117,48 @@ interface(`ntp_initrc_domtrans',`
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
')
+#####################################
+##
+## Allow domain to read ntpd systemd unit files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ntp_read_unit_file',`
+ gen_require(`
+ type ntpd_unit_file_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 ntpd_unit_file_t:file read_file_perms;
+')
+
+########################################
+##
+## Execute ntpd server in the ntpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ntp_systemctl',`
+ gen_require(`
+ type ntpd_unit_file_t;
+ type ntpd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 ntpd_unit_file_t:file read_file_perms;
+ allow $1 ntpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ntpd_t)
+')
+
########################################
##
## Read ntp drift files.
@@ -141,8 +202,27 @@ interface(`ntp_rw_shm',`
########################################
##
-## All of the rules required to
-## administrate an ntp environment.
+## Allow the domain to read ntpd state files in /proc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ntp_read_state',`
+ gen_require(`
+ type ntpd_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, ntpd_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an ntp environment
##
##
##
@@ -151,28 +231,32 @@ interface(`ntp_rw_shm',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the ntp domain.
##
##
##
#
interface(`ntp_admin',`
gen_require(`
- type ntpd_t, ntpd_tmp_t, ntpd_log_t;
- type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
- type ntpd_initrc_exec_t, ntp_drift_t;
+ type ntpd_t, ntpd_tmp_t, ntpd_log_t, ntp_drift_t;
+ type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
+ type ntpd_unit_file_t;
')
- allow $1 ntpd_t:process { ptrace signal_perms };
+ allow $1 ntpd_t:process signal_perms;
ps_process_pattern($1, ntpd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ntpd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ntpd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
- admin_pattern($1, { ntpd_key_t ntp_conf_t })
+ admin_pattern($1, ntpd_key_t)
logging_list_logs($1)
admin_pattern($1, ntpd_log_t)
@@ -186,5 +270,28 @@ interface(`ntp_admin',`
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
- ntp_run($1, $2)
+ ntp_systemctl($1)
+ admin_pattern($1, ntpd_unit_file_t)
+ allow $1 ntpd_unit_file_t:service all_service_perms;
+
+ ntp_filetrans_named_content($1)
+')
+
+########################################
+##
+## Transition content labels to ntp named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ntp_filetrans_named_content',`
+ gen_require(`
+ type ntp_conf_t;
+ ')
+
+ files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf")
+ files_etc_filetrans($1, ntp_conf_t, dir, "ntp")
')
diff --git a/ntp.te b/ntp.te
index f81b113..8d889d8 100644
--- a/ntp.te
+++ b/ntp.te
@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
type ntpd_initrc_exec_t;
init_script_file(ntpd_initrc_exec_t)
+type ntpd_unit_file_t;
+systemd_unit_file(ntpd_unit_file_t)
+
type ntp_conf_t;
files_config_file(ntp_conf_t)
@@ -60,9 +63,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
-append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
-create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
-setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
@@ -83,21 +84,16 @@ kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
kernel_request_load_module(ntpd_t)
-corenet_all_recvfrom_unlabeled(ntpd_t)
corenet_all_recvfrom_netlabel(ntpd_t)
corenet_tcp_sendrecv_generic_if(ntpd_t)
corenet_udp_sendrecv_generic_if(ntpd_t)
corenet_tcp_sendrecv_generic_node(ntpd_t)
corenet_udp_sendrecv_generic_node(ntpd_t)
corenet_udp_bind_generic_node(ntpd_t)
-
-corenet_sendrecv_ntp_server_packets(ntpd_t)
corenet_udp_bind_ntp_port(ntpd_t)
-corenet_udp_sendrecv_ntp_port(ntpd_t)
-
-corenet_sendrecv_ntp_client_packets(ntpd_t)
corenet_tcp_connect_ntp_port(ntpd_t)
-corenet_tcp_sendrecv_ntp_port(ntpd_t)
+corenet_sendrecv_ntp_server_packets(ntpd_t)
+corenet_sendrecv_ntp_client_packets(ntpd_t)
corecmd_exec_bin(ntpd_t)
corecmd_exec_shell(ntpd_t)
@@ -110,13 +106,15 @@ domain_use_interactive_fds(ntpd_t)
domain_dontaudit_list_all_domains_state(ntpd_t)
files_read_etc_runtime_files(ntpd_t)
-files_read_usr_files(ntpd_t)
files_list_var_lib(ntpd_t)
fs_getattr_all_fs(ntpd_t)
fs_search_auto_mountpoints(ntpd_t)
+# Necessary to communicate with gpsd devices
+fs_rw_tmpfs_files(ntpd_t)
term_use_ptmx(ntpd_t)
+term_use_unallocated_ttys(ntpd_t)
auth_use_nsswitch(ntpd_t)
@@ -124,8 +122,6 @@ init_exec_script_files(ntpd_t)
logging_send_syslog_msg(ntpd_t)
-miscfiles_read_localization(ntpd_t)
-
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_user_home_dirs(ntpd_t)
diff --git a/numad.fc b/numad.fc
index 3488bb0..1f97624 100644
--- a/numad.fc
+++ b/numad.fc
@@ -1,7 +1,7 @@
-/etc/rc\.d/init\.d/numad -- gen_context(system_u:object_r:numad_initrc_exec_t,s0)
+/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0)
-/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0)
+/usr/lib/systemd/system/numad.* -- gen_context(system_u:object_r:numad_unit_file_t,s0)
-/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_log_t,s0)
+/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_var_log_t,s0)
-/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0)
+/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0)
diff --git a/numad.if b/numad.if
index 0d3c270..709dda1 100644
--- a/numad.if
+++ b/numad.if
@@ -1,39 +1,72 @@
-## Non-Uniform Memory Alignment Daemon.
+## policy for numad
+
+########################################
+##
+## Transition to numad.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`numad_domtrans',`
+ gen_require(`
+ type numad_t, numad_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, numad_exec_t, numad_t)
+')
########################################
##
-## All of the rules required to
-## administrate an numad environment.
+## Execute numad server in the numad domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
-##
+#
+interface(`numad_systemctl',`
+ gen_require(`
+ type numad_t;
+ type numad_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 numad_unit_file_t:file read_file_perms;
+ allow $1 numad_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, numad_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an numad environment
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
interface(`numad_admin',`
gen_require(`
- type numad_t, numad_initrc_exec_t, numad_log_t;
- type numad_var_run_t;
+ type numad_t;
+ type numad_unit_file_t;
')
allow $1 numad_t:process { ptrace signal_perms };
ps_process_pattern($1, numad_t)
- init_labeled_script_domtrans($1, numad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 numad_initrc_exec_t system_r;
- allow $2 system_r;
-
- logging_search_logs($1)
- admin_pattern($1, numad_log_t)
-
- files_search_pids($1)
- admin_pattern($1, numad_var_run_t)
+ numad_systemctl($1)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/numad.te b/numad.te
index b0a1be4..239f27a 100644
--- a/numad.te
+++ b/numad.te
@@ -8,29 +8,29 @@ policy_module(numad, 1.1.0)
type numad_t;
type numad_exec_t;
init_daemon_domain(numad_t, numad_exec_t)
-application_executable_file(numad_exec_t)
-type numad_initrc_exec_t;
-init_script_file(numad_initrc_exec_t)
+type numad_unit_file_t;
+systemd_unit_file(numad_unit_file_t)
-type numad_log_t;
-logging_log_file(numad_log_t)
+type numad_var_log_t;
+logging_log_file(numad_var_log_t)
type numad_var_run_t;
files_pid_file(numad_var_run_t)
########################################
#
-# Local policy
+# numad local policy
#
+allow numad_t self:capability sys_ptrace;
allow numad_t self:fifo_file rw_fifo_file_perms;
-allow numad_t self:msg { send receive };
allow numad_t self:msgq create_msgq_perms;
+allow numad_t self:msg { send receive };
allow numad_t self:unix_stream_socket create_stream_socket_perms;
-allow numad_t numad_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(numad_t, numad_log_t, file)
+manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t)
+logging_log_filetrans(numad_t, numad_var_log_t, file)
manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
files_pid_filetrans(numad_t, numad_var_run_t, file)
@@ -39,6 +39,13 @@ kernel_read_system_state(numad_t)
dev_read_sysfs(numad_t)
-files_read_etc_files(numad_t)
+domain_use_interactive_fds(numad_t)
+domain_read_all_domains_state(numad_t)
+domain_setpriority_all_domains(numad_t)
+
+fs_manage_cgroup_dirs(numad_t)
+fs_rw_cgroup_files(numad_t)
-miscfiles_read_localization(numad_t)
+tunable_policy(`deny_ptrace',`',`
+ virt_ptrace(numad_t)
+')
diff --git a/nut.fc b/nut.fc
index 379af96..41ff159 100644
--- a/nut.fc
+++ b/nut.fc
@@ -1,23 +1,16 @@
-/etc/nut(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
-/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
+/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
-/etc/rc\.d/init\.d/nut-driver -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nut-server -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
-
-/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
-/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
-/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/usr/lib/systemd/system/nut.* -- gen_context(system_u:object_r:nut_unit_file_t,s0)
/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
-/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+/usr/sbin/blazer_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
-/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
diff --git a/nut.if b/nut.if
index 57c0161..54bd4d7 100644
--- a/nut.if
+++ b/nut.if
@@ -1,39 +1,24 @@
-## Network UPS Tools
+## nut - Network UPS Tools
-########################################
+#######################################
##
-## All of the rules required to
-## administrate an nut environment.
+## Execute swift server in the swift domain.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed to transition.
+##
##
-##
-##
-## Role allowed access.
-##
-##
-##
#
-interface(`nut_admin',`
- gen_require(`
- attribute nut_domain;
- type nut_initrc_exec_t, nut_var_run_t, nut_conf_t;
- ')
-
- allow $1 nut_domain:process { ptrace signal_perms };
- ps_process_pattern($1, nut_domain_t)
-
- init_labeled_script_domtrans($1, nut_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nut_initrc_exec_t system_r;
- allow $2 system_r;
+interface(`nut_systemctl',`
+ gen_require(`
+ type nut_t;
+ type nut_unit_file_t;
+ ')
- files_search_etc($1)
- admin_pattern($1, nut_conf_t)
+ systemd_exec_systemctl($1)
+ allow $1 nut_unit_file_t:file read_file_perms;
+ allow $1 nut_unit_file_t:service manage_service_perms;
- files_search_pids($1)
- admin_pattern($1, nut_var_run_t)
+ ps_process_pattern($1, swift_t)
')
diff --git a/nut.te b/nut.te
index 5b2cb0d..1701352 100644
--- a/nut.te
+++ b/nut.te
@@ -22,116 +22,126 @@ type nut_upsdrvctl_t, nut_domain;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
-type nut_initrc_exec_t;
-init_script_file(nut_initrc_exec_t)
-
type nut_var_run_t;
files_pid_file(nut_var_run_t)
-init_daemon_run_dir(nut_var_run_t, "nut")
-########################################
+type nut_unit_file_t;
+systemd_unit_file(nut_unit_file_t)
+
+#######################################
#
-# Common nut domain local policy
+# Local policy for upsd
#
-allow nut_domain self:capability { setgid setuid dac_override kill };
-allow nut_domain self:process signal_perms;
-allow nut_domain self:fifo_file rw_fifo_file_perms;
-allow nut_domain self:unix_dgram_socket sendto;
-
-allow nut_domain nut_conf_t:dir list_dir_perms;
-allow nut_domain nut_conf_t:file read_file_perms;
-allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms;
-
-manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
-
-kernel_read_kernel_sysctls(nut_domain)
-
-logging_send_syslog_msg(nut_domain)
-
-miscfiles_read_localization(nut_domain)
+allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms;
########################################
#
-# Upsd local policy
+# Local policy for upsd
#
-allow nut_upsd_t self:tcp_socket { accept listen };
+allow nut_upsd_t self:capability { setgid setuid dac_override };
+allow nut_upsd_t self:process signal_perms;
-manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file)
+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
-corenet_all_recvfrom_unlabeled(nut_upsd_t)
-corenet_all_recvfrom_netlabel(nut_upsd_t)
-corenet_tcp_sendrecv_generic_if(nut_upsd_t)
-corenet_tcp_sendrecv_generic_node(nut_upsd_t)
-corenet_tcp_sendrecv_all_ports(nut_upsd_t)
-corenet_tcp_bind_generic_node(nut_upsd_t)
+read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
-corenet_sendrecv_ups_server_packets(nut_upsd_t)
-corenet_tcp_bind_ups_port(nut_upsd_t)
+# pid file
+manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
-corenet_sendrecv_generic_server_packets(nut_upsd_t)
-corenet_tcp_bind_generic_port(nut_upsd_t)
+kernel_read_kernel_sysctls(nut_upsd_t)
-files_read_usr_files(nut_upsd_t)
+corenet_tcp_bind_ups_port(nut_upsd_t)
+corenet_tcp_bind_generic_port(nut_upsd_t)
+corenet_tcp_bind_all_nodes(nut_upsd_t)
auth_use_nsswitch(nut_upsd_t)
+logging_send_syslog_msg(nut_upsd_t)
+
########################################
#
-# Upsmon local policy
+# Local policy for upsmon
#
-allow nut_upsmon_t self:capability dac_read_search;
-allow nut_upsmon_t self:unix_stream_socket connectto;
+allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
+allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+# pid file
+manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file)
+
+kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)
-corenet_all_recvfrom_unlabeled(nut_upsmon_t)
-corenet_all_recvfrom_netlabel(nut_upsmon_t)
-corenet_tcp_sendrecv_generic_if(nut_upsmon_t)
-corenet_tcp_sendrecv_generic_node(nut_upsmon_t)
-corenet_tcp_sendrecv_all_ports(nut_upsmon_t)
-corenet_tcp_bind_generic_node(nut_upsmon_t)
-
-corenet_sendrecv_ups_client_packets(nut_upsmon_t)
corenet_tcp_connect_ups_port(nut_upsmon_t)
-
-corenet_sendrecv_generic_client_packets(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)
+# Creates /etc/killpower
files_manage_etc_runtime_files(nut_upsmon_t)
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
files_search_usr(nut_upsmon_t)
+# /usr/bin/wall
term_write_all_terms(nut_upsmon_t)
+# upsmon runs shutdown, probably need a shutdown domain
+init_rw_utmp(nut_upsmon_t)
+init_telinit(nut_upsmon_t)
+
+logging_send_syslog_msg(nut_upsmon_t)
+
auth_use_nsswitch(nut_upsmon_t)
mta_send_mail(nut_upsmon_t)
+systemd_start_power_services(nut_upsmon_t)
+
optional_policy(`
shutdown_domtrans(nut_upsmon_t)
')
########################################
#
-# Upsdrvctl local policy
+# Local policy for upsdrvctl
#
+allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
+allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:fd use;
+allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
+allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
+
+can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
+read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
+
+# pid file
+manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file)
+files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(nut_upsdrvctl_t)
+# /sbin/upsdrvctl executes other drivers
corecmd_exec_bin(nut_upsdrvctl_t)
dev_read_sysfs(nut_upsdrvctl_t)
@@ -139,22 +149,34 @@ dev_read_urand(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
term_use_unallocated_ttys(nut_upsdrvctl_t)
+term_use_usb_ttys(nut_upsdrvctl_t)
auth_use_nsswitch(nut_upsdrvctl_t)
init_sigchld(nut_upsdrvctl_t)
+logging_send_syslog_msg(nut_upsdrvctl_t)
+
+
#######################################
#
-# Cgi local policy
+# Local policy for upscgi scripts
+# requires httpd_enable_cgi and httpd_can_network_connect
#
optional_policy(`
apache_content_template(nutups_cgi)
- allow httpd_nutups_cgi_script_t nut_conf_t:dir list_dir_perms;
- allow httpd_nutups_cgi_script_t nut_conf_t:file read_file_perms;
- allow httpd_nutups_cgi_script_t nut_conf_t:lnk_file read_lnk_file_perms;
+ read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
+
+ corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
+ corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
')
diff --git a/nx.if b/nx.if
index 251d681..50ae2a9 100644
--- a/nx.if
+++ b/nx.if
@@ -35,7 +35,9 @@ interface(`nx_read_home_files',`
')
files_search_var_lib($1)
- read_files_pattern($1, { nx_server_var_lib_t nx_server_home_ssh_t }, nx_server_home_ssh_t)
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+ read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
')
########################################
@@ -90,3 +92,21 @@ interface(`nx_var_lib_filetrans',`
filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4)
')
+
+########################################
+##
+## Transition to nx named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nx_filetrans_named_content',`
+ gen_require(`
+ type nx_server_home_ssh_t, nx_server_var_lib_t;
+ ')
+
+ filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
+')
diff --git a/nx.te b/nx.te
index 091f872..62a0b12 100644
--- a/nx.te
+++ b/nx.te
@@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t)
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
+type nx_server_home_ssh_t;
+files_type(nx_server_home_ssh_t)
+
########################################
#
# Local policy
@@ -50,13 +53,15 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
+manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
corecmd_exec_shell(nx_server_t)
corecmd_exec_bin(nx_server_t)
-corenet_all_recvfrom_unlabeled(nx_server_t)
corenet_all_recvfrom_netlabel(nx_server_t)
corenet_tcp_sendrecv_generic_if(nx_server_t)
corenet_tcp_sendrecv_generic_node(nx_server_t)
@@ -67,13 +72,7 @@ corenet_sendrecv_all_client_packets(nx_server_t)
dev_read_urand(nx_server_t)
-files_read_etc_files(nx_server_t)
files_read_etc_runtime_files(nx_server_t)
-files_read_usr_files(nx_server_t)
-
-miscfiles_read_localization(nx_server_t)
-
-seutil_dontaudit_search_config(nx_server_t)
sysnet_read_config(nx_server_t)
diff --git a/oav.te b/oav.te
index b09c4c4..995c3f6 100644
--- a/oav.te
+++ b/oav.te
@@ -95,7 +95,6 @@ dev_read_sysfs(scannerdaemon_t)
domain_use_interactive_fds(scannerdaemon_t)
files_exec_etc_files(scannerdaemon_t)
-files_read_etc_files(scannerdaemon_t)
files_read_etc_runtime_files(scannerdaemon_t)
files_search_var_lib(scannerdaemon_t)
diff --git a/obex.fc b/obex.fc
index 03fa560..000c5fe 100644
--- a/obex.fc
+++ b/obex.fc
@@ -1 +1 @@
-/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
+/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
diff --git a/obex.if b/obex.if
index 8635ea2..eec20b4 100644
--- a/obex.if
+++ b/obex.if
@@ -1,15 +1,50 @@
## D-Bus service providing high-level OBEX client and server side functionality.
-#######################################
+########################################
##
-## The role template for obex.
+## Transition to obex.
##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`obex_domtrans',`
+ gen_require(`
+ type obex_t, obex_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, obex_exec_t, obex_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## obex over dbus.
+##
+##
+##
+## Domain allowed access.
+##
##
+#
+interface(`obex_dbus_chat',`
+ gen_require(`
+ type obex_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 obex_t:dbus send_msg;
+ allow obex_t $1:dbus send_msg;
+')
+
+#######################################
+##
+## Role access for obex domains
+## that executes via dbus-session
+##
##
##
## The role associated with the user domain.
@@ -20,69 +55,34 @@
## The type of the user domain.
##
##
+##
+##
+## User domain prefix to be used.
+##
+##
#
-template(`obex_role_template',`
+template(`obex_role',`
gen_require(`
attribute_role obex_roles;
- type obex_t, obex_exec_exec_t;
+ type obex_t, obex_exec_t;
')
########################################
- #
+ #
# Declarations
#
- roleattribute $2 obex_roles;
+ roleattribute $1 obex_roles;
########################################
- #
+ #
# Policy
- #
-
- allow $3 obex_t:process { ptrace signal_perms };
- ps_process_pattern($3, obex_t)
+ #
- dbus_spec_session_domain($1, obex_exec_t, obex_t)
-
- obex_dbus_chat($3)
-')
+ allow $2 obex_t:process signal_perms;
+ ps_process_pattern($2, obex_t)
-########################################
-##
-## Execute obex in the obex domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`obex_domtrans',`
- gen_require(`
- type obex_t, obex_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, obex_exec_t, obex_t)
-')
-
-########################################
-##
-## Send and receive messages from
-## obex over dbus.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`obex_dbus_chat',`
- gen_require(`
- type obex_t;
- class dbus send_msg;
- ')
+ dbus_session_domain($3, obex_exec_t, obex_t)
- allow $1 obex_t:dbus send_msg;
- allow obex_t $1:dbus send_msg;
+ obex_dbus_chat($2)
')
diff --git a/obex.te b/obex.te
index cd29ea8..d01d2c8 100644
--- a/obex.te
+++ b/obex.te
@@ -1,4 +1,4 @@
-policy_module(obex, 1.0.0)
+policy_module(obex,1.0.0)
########################################
#
@@ -14,30 +14,26 @@ role obex_roles types obex_t;
########################################
#
-# Local policy
+# obex local policy
#
allow obex_t self:fifo_file rw_fifo_file_perms;
allow obex_t self:socket create_stream_socket_perms;
+allow obex_t self:netlink_kobject_uevent_socket create_socket_perms;
-dev_read_urand(obex_t)
+kernel_request_load_module(obex_t)
-files_read_etc_files(obex_t)
+dev_read_urand(obex_t)
logging_send_syslog_msg(obex_t)
-miscfiles_read_localization(obex_t)
-
userdom_search_user_home_content(obex_t)
optional_policy(`
- bluetooth_stream_connect(obex_t)
-')
-
-optional_policy(`
dbus_system_bus_client(obex_t)
optional_policy(`
+ bluetooth_stream_connect(obex_t)
bluetooth_dbus_chat(obex_t)
')
')
diff --git a/oddjob.fc b/oddjob.fc
index dd1d9ef..fbbe3ff 100644
--- a/oddjob.fc
+++ b/oddjob.fc
@@ -1,10 +1,10 @@
-/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/lib/systemd/system/oddjobd.* -- gen_context(system_u:object_r:oddjob_unit_file_t,s0)
+/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
-/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
-/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
+/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
diff --git a/oddjob.if b/oddjob.if
index c87bd2a..7de054a 100644
--- a/oddjob.if
+++ b/oddjob.if
@@ -1,4 +1,8 @@
-## D-BUS service which runs odd jobs on behalf of client applications.
+##
+## Oddjob provides a mechanism by which unprivileged applications can
+## request that specified privileged operations be performed on their
+## behalf.
+##
########################################
##
@@ -15,14 +19,32 @@ interface(`oddjob_domtrans',`
type oddjob_t, oddjob_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, oddjob_exec_t, oddjob_t)
')
+#####################################
+##
+## Do not audit attempts to read and write
+## oddjob fifo file.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`oddjob_dontaudit_rw_fifo_file',`
+ gen_require(`
+ type oddjob_t;
+ ')
+
+ dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
########################################
##
-## Make the specified program domain
-## accessable from the oddjob.
+## Make the specified program domain accessable
+## from the oddjob.
##
##
##
@@ -41,6 +63,7 @@ interface(`oddjob_system_entry',`
')
domtrans_pattern(oddjob_t, $2, $1)
+ domain_user_exemption_target($1)
')
########################################
@@ -64,32 +87,45 @@ interface(`oddjob_dbus_chat',`
allow oddjob_t $1:dbus send_msg;
')
-########################################
+######################################
##
-## Execute a domain transition to
-## run oddjob mkhomedir.
+## Send a SIGCHLD signal to oddjob.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
+interface(`oddjob_sigchld',`
+ gen_require(`
+ type oddjob_t;
+ ')
+
+ allow $1 oddjob_t:process sigchld;
+')
+
+########################################
+##
+## Execute a domain transition to run oddjob_mkhomedir.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
interface(`oddjob_domtrans_mkhomedir',`
gen_require(`
type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
')
########################################
##
-## Execute oddjob mkhomedir in the
-## oddjob mkhomedir domain and allow
-## the specified role the oddjob
-## mkhomedir domain.
+## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
##
##
##
@@ -105,46 +141,70 @@ interface(`oddjob_domtrans_mkhomedir',`
#
interface(`oddjob_run_mkhomedir',`
gen_require(`
- attribute_role oddjob_mkhomedir_roles;
+ type oddjob_mkhomedir_t;
')
oddjob_domtrans_mkhomedir($1)
- roleattribute $2 oddjob_mkhomedir_roles;
+ role $2 types oddjob_mkhomedir_t;
')
-#####################################
+#######################################
##
-## Do not audit attempts to read and write
-## oddjob fifo files.
+## Execute oddjob in the oddjob domain.
##
##
-##
-## Domain to not audit.
-##
+##
+## Domain allowed to transition.
+##
##
#
-interface(`oddjob_dontaudit_rw_fifo_files',`
- gen_require(`
- type oddjob_t;
- ')
+interface(`oddjob_systemctl',`
+ gen_require(`
+ type oddjob_unit_file_t;
+ type oddjob_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 oddjob_unit_file_t:file read_file_perms;
+ allow $1 oddjob_unit_file_t:service manage_service_perms;
- dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms;
+ ps_process_pattern($1, oddjob_t)
')
-######################################
+########################################
##
-## Send child terminated signals to oddjob.
+## Create a domain which can be started by init,
+## with a range transition.
##
##
##
-## Domain allowed access.
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+##
+##
+## Range for the domain.
##
##
#
-interface(`oddjob_sigchld',`
+interface(`oddjob_ranged_domain',`
gen_require(`
type oddjob_t;
')
- allow $1 oddjob_t:process sigchld;
+ oddjob_system_entry($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition oddjob_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition oddjob_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
')
diff --git a/oddjob.te b/oddjob.te
index e403097..868981b 100644
--- a/oddjob.te
+++ b/oddjob.te
@@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0)
# Declarations
#
-attribute_role oddjob_mkhomedir_roles;
-
type oddjob_t;
type oddjob_exec_t;
domain_type(oddjob_t)
@@ -20,18 +18,22 @@ type oddjob_mkhomedir_exec_t;
domain_type(oddjob_mkhomedir_t)
domain_obj_id_change_exemption(oddjob_mkhomedir_t)
init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
-role oddjob_mkhomedir_roles types oddjob_mkhomedir_t;
+oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+# pid files
type oddjob_var_run_t;
files_pid_file(oddjob_var_run_t)
+type oddjob_unit_file_t;
+systemd_unit_file(oddjob_unit_file_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)
')
########################################
#
-# Local policy
+# oddjob local policy
#
allow oddjob_t self:capability setgid;
@@ -43,8 +45,6 @@ manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file })
-domtrans_pattern(oddjob_t, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
-
kernel_read_system_state(oddjob_t)
corecmd_exec_bin(oddjob_t)
@@ -54,9 +54,9 @@ mcs_process_set_categories(oddjob_t)
selinux_compute_create_context(oddjob_t)
+
auth_use_nsswitch(oddjob_t)
-miscfiles_read_localization(oddjob_t)
locallogin_dontaudit_use_fds(oddjob_t)
@@ -71,13 +71,13 @@ optional_policy(`
########################################
#
-# Mkhomedir local policy
+# oddjob_mkhomedir local policy
#
allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
allow oddjob_mkhomedir_t self:process setfscreate;
allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
-allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen };
+allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(oddjob_mkhomedir_t)
@@ -85,7 +85,6 @@ auth_use_nsswitch(oddjob_mkhomedir_t)
logging_send_syslog_msg(oddjob_mkhomedir_t)
-miscfiles_read_localization(oddjob_mkhomedir_t)
selinux_get_fs_mount(oddjob_mkhomedir_t)
selinux_validate_context(oddjob_mkhomedir_t)
@@ -98,8 +97,11 @@ seutil_read_config(oddjob_mkhomedir_t)
seutil_read_file_contexts(oddjob_mkhomedir_t)
seutil_read_default_contexts(oddjob_mkhomedir_t)
+# Add/remove user home directories
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
-userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content(oddjob_mkhomedir_t)
+userdom_home_manager(oddjob_mkhomedir_t)
+userdom_stream_connect(oddjob_mkhomedir_t)
+
diff --git a/openct.te b/openct.te
index 3b6920e..3e9b17f 100644
--- a/openct.te
+++ b/openct.te
@@ -29,12 +29,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
-can_exec(openct_t, openct_exec_t)
-
kernel_read_kernel_sysctls(openct_t)
kernel_list_proc(openct_t)
kernel_read_proc_symlinks(openct_t)
+can_exec(openct_t, openct_exec_t)
+
dev_read_sysfs(openct_t)
dev_rw_usbfs(openct_t)
dev_rw_smartcard(openct_t)
@@ -42,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t)
domain_use_interactive_fds(openct_t)
-files_read_etc_files(openct_t)
fs_getattr_all_fs(openct_t)
fs_search_auto_mountpoints(openct_t)
logging_send_syslog_msg(openct_t)
-miscfiles_read_localization(openct_t)
-
userdom_dontaudit_use_unpriv_user_fds(openct_t)
userdom_dontaudit_search_user_home_dirs(openct_t)
diff --git a/openhpi.te b/openhpi.te
index 8de6191..13fa6d2 100644
--- a/openhpi.te
+++ b/openhpi.te
@@ -50,7 +50,6 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
dev_read_urand(openhpid_t)
-files_read_etc_files(openhpid_t)
logging_send_syslog_msg(openhpid_t)
diff --git a/openhpid.fc b/openhpid.fc
new file mode 100644
index 0000000..9441fd7
--- /dev/null
+++ b/openhpid.fc
@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/openhpid -- gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
+
+/usr/sbin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0)
+
+/var/lib/openhpi(/.*)? gen_context(system_u:object_r:openhpid_var_lib_t,s0)
+
+/var/run/openhpid\.pid -- gen_context(system_u:object_r:openhpid_var_run_t,s0)
diff --git a/openhpid.if b/openhpid.if
new file mode 100644
index 0000000..598789a
--- /dev/null
+++ b/openhpid.if
@@ -0,0 +1,159 @@
+
+## policy for openhpid
+
+
+########################################
+##
+## Transition to openhpid.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openhpid_domtrans',`
+ gen_require(`
+ type openhpid_t, openhpid_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, openhpid_exec_t, openhpid_t)
+')
+
+
+########################################
+##
+## Execute openhpid server in the openhpid domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openhpid_initrc_domtrans',`
+ gen_require(`
+ type openhpid_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
+')
+
+
+########################################
+##
+## Search openhpid lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openhpid_search_lib',`
+ gen_require(`
+ type openhpid_var_lib_t;
+ ')
+
+ allow $1 openhpid_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read openhpid lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openhpid_read_lib_files',`
+ gen_require(`
+ type openhpid_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
+')
+
+########################################
+##
+## Manage openhpid lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openhpid_manage_lib_files',`
+ gen_require(`
+ type openhpid_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
+')
+
+########################################
+##
+## Manage openhpid lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openhpid_manage_lib_dirs',`
+ gen_require(`
+ type openhpid_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an openhpid environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`openhpid_admin',`
+ gen_require(`
+ type openhpid_t;
+ type openhpid_initrc_exec_t;
+ type openhpid_var_lib_t;
+ ')
+
+ allow $1 openhpid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, openhpid_t)
+
+ openhpid_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 openhpid_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, openhpid_var_lib_t)
+
+
+
+')
+
diff --git a/openhpid.te b/openhpid.te
new file mode 100644
index 0000000..51acfae
--- /dev/null
+++ b/openhpid.te
@@ -0,0 +1,47 @@
+policy_module(openhpid, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openhpid_t;
+type openhpid_exec_t;
+init_daemon_domain(openhpid_t, openhpid_exec_t)
+
+type openhpid_initrc_exec_t;
+init_script_file(openhpid_initrc_exec_t)
+
+type openhpid_var_lib_t;
+files_type(openhpid_var_lib_t)
+
+type openhpid_var_run_t;
+files_pid_file(openhpid_var_run_t)
+
+########################################
+#
+# openhpid local policy
+#
+
+allow openhpid_t self:capability { kill };
+allow openhpid_t self:process signal_perms;
+
+allow openhpid_t self:fifo_file rw_fifo_file_perms;
+allow openhpid_t self:netlink_route_socket r_netlink_socket_perms;
+allow openhpid_t self:unix_stream_socket create_stream_socket_perms;
+allow openhpid_t self:tcp_socket create_stream_socket_perms;
+allow openhpid_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
+manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
+files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, { dir file })
+
+manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
+files_pid_filetrans(openhpid_t, openhpid_var_run_t, { file })
+
+corenet_tcp_bind_generic_node(openhpid_t)
+corenet_tcp_bind_openhpid_port(openhpid_t)
+
+dev_read_urand(openhpid_t)
+
+logging_send_syslog_msg(openhpid_t)
diff --git a/openshift-origin.fc b/openshift-origin.fc
new file mode 100644
index 0000000..30ca148
--- /dev/null
+++ b/openshift-origin.fc
@@ -0,0 +1 @@
+# Left Blank
diff --git a/openshift-origin.if b/openshift-origin.if
new file mode 100644
index 0000000..3eb6a30
--- /dev/null
+++ b/openshift-origin.if
@@ -0,0 +1 @@
+##
diff --git a/openshift-origin.te b/openshift-origin.te
new file mode 100644
index 0000000..a437f80
--- /dev/null
+++ b/openshift-origin.te
@@ -0,0 +1,13 @@
+policy_module(openshift-origin,1.0.0)
+gen_require(`
+ attribute openshift_domain;
+')
+
+########################################
+#
+# openshift origin standard local policy
+#
+allow openshift_domain self:socket_class_set create_socket_perms;
+corenet_tcp_connect_all_ports(openshift_domain)
+corenet_tcp_bind_all_ports(openshift_domain)
+files_read_config_files(openshift_domain)
diff --git a/openshift.fc b/openshift.fc
new file mode 100644
index 0000000..0dc672f
--- /dev/null
+++ b/openshift.fc
@@ -0,0 +1,27 @@
+/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
+/etc/cron.minutely/openshift-facts -- gen_context(system_u:object_r:openshift_cron_exec_t,s0)
+
+/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
+/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
+
+/var/lib/stickshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
+/var/lib/stickshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
+/var/lib/openshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
+/var/lib/openshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
+
+/var/log/mcollective\.log -- gen_context(system_u:object_r:openshift_log_t,s0)
+/var/log/openshift(/.*)? gen_context(system_u:object_r:openshift_log_t,s0)
+
+/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
+
+/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0)
+/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
+/var/run/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
diff --git a/openshift.if b/openshift.if
new file mode 100644
index 0000000..cf03270
--- /dev/null
+++ b/openshift.if
@@ -0,0 +1,702 @@
+
+## policy for openshift
+
+########################################
+##
+## Execute openshift server in the openshift domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`openshift_initrc_domtrans',`
+ gen_require(`
+ type openshift_initrc_t;
+ type openshift_initrc_exec_t;
+ ')
+
+ domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t)
+')
+
+#######################################
+##
+## Execute openshift server in the openshift domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## Role access to this domain.
+##
+##
+#
+interface(`openshift_initrc_run',`
+ gen_require(`
+ type openshift_initrc_t;
+ type openshift_initrc_exec_t;
+ ')
+
+ openshift_initrc_domtrans($1)
+ role $2 types openshift_initrc_t;
+')
+
+########################################
+##
+## Send a null signal to openshift init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_initrc_signull',`
+ gen_require(`
+ type openshift_initrc_t;
+ ')
+
+ allow $1 openshift_initrc_t:process signull;
+')
+
+#######################################
+##
+## Send a signal to openshift init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_initrc_signal',`
+ gen_require(`
+ type openshift_initrc_t;
+ ')
+
+ allow $1 openshift_initrc_t:process signal;
+')
+
+########################################
+##
+## Search openshift cache directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_search_cache',`
+ gen_require(`
+ type openshift_cache_t;
+ ')
+
+ allow $1 openshift_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+##
+## Read openshift cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_read_cache_files',`
+ gen_require(`
+ type openshift_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, openshift_cache_t, openshift_cache_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## openshift cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_manage_cache_files',`
+ gen_require(`
+ type openshift_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, openshift_cache_t, openshift_cache_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## openshift cache dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_manage_cache_dirs',`
+ gen_require(`
+ type openshift_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, openshift_cache_t, openshift_cache_t)
+')
+
+
+########################################
+##
+## Allow the specified domain to read openshift's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`openshift_read_log',`
+ gen_require(`
+ type openshift_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, openshift_log_t, openshift_log_t)
+')
+
+########################################
+##
+## Allow the specified domain to append
+## openshift log files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openshift_append_log',`
+ gen_require(`
+ type openshift_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, openshift_log_t, openshift_log_t)
+')
+
+########################################
+##
+## Allow domain to manage openshift log files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`openshift_manage_log',`
+ gen_require(`
+ type openshift_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, openshift_log_t, openshift_log_t)
+ manage_files_pattern($1, openshift_log_t, openshift_log_t)
+ manage_lnk_files_pattern($1, openshift_log_t, openshift_log_t)
+')
+
+########################################
+##
+## Search openshift lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_search_lib',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Getattr openshift lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_getattr_lib',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read openshift lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_read_lib_files',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
+##
+## Read openshift lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_append_lib_files',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ append_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## openshift lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_manage_lib_files',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ manage_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## openshift lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_manage_lib_dirs',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
+##
+## Manage openshift lib content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_manage_content',`
+ gen_require(`
+ attribute openshift_file_type;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, openshift_file_type, openshift_file_type)
+ manage_files_pattern($1, openshift_file_type, openshift_file_type)
+ manage_lnk_files_pattern($1, openshift_file_type, openshift_file_type)
+ manage_sock_files_pattern($1, openshift_file_type, openshift_file_type)
+')
+
+#######################################
+##
+## Create private objects in the
+## mail lib directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created.
+##
+##
+##
+##
+## The object class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`openshift_lib_filetrans',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ filetrans_pattern($1, openshift_var_lib_t, $2, $3, $4)
+')
+
+########################################
+##
+## Read openshift PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_read_pid_files',`
+ gen_require(`
+ type openshift_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 openshift_var_run_t:file read_file_perms;
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an openshift environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`openshift_admin',`
+ gen_require(`
+ attribute openshift_domain;
+ type openshift_initrc_exec_t;
+ type openshift_cache_t;
+ type openshift_log_t;
+ type openshift_var_lib_t;
+ type openshift_var_run_t;
+ ')
+
+ allow $1 openshift_domain:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 openshift_domain:process ptrace;
+ ')
+ ps_process_pattern($1, openshift_domain)
+
+ openshift_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 openshift_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var($1)
+ admin_pattern($1, openshift_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, openshift_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, openshift_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, openshift_var_run_t)
+
+')
+
+########################################
+##
+## Make the specified type usable as a openshift domain.
+##
+##
+##
+## The prefix of the domain (e.g., openshift
+## is the prefix for openshift_t).
+##
+##
+#
+template(`openshift_service_domain_template',`
+ gen_require(`
+ attribute openshift_domain;
+ attribute openshift_user_domain;
+ ')
+
+ type $1_t;
+ typeattribute $1_t openshift_domain, openshift_user_domain;
+ domain_type($1_t)
+ role system_r types $1_t;
+ mcs_constrained($1_t)
+ domain_user_exemption_target($1_t)
+ auth_use_nsswitch($1_t)
+ domain_subj_id_change_exemption($1_t)
+ domain_obj_id_change_exemption($1_t)
+ domain_dyntrans_type($1_t)
+
+ kernel_read_system_state($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ type $1_app_t;
+ typeattribute $1_app_t openshift_domain;
+ domain_type($1_app_t)
+ role system_r types $1_app_t;
+ mcs_constrained($1_app_t)
+ domain_user_exemption_target($1_app_t)
+ domain_obj_id_change_exemption($1_app_t)
+ domain_dyntrans_type($1_app_t)
+ auth_use_nsswitch($1_app_t)
+
+ kernel_read_system_state($1_app_t)
+
+ logging_send_syslog_msg($1_app_t)
+')
+
+########################################
+##
+## Make the specified type usable as a openshift domain.
+##
+##
+##
+## Type to be used as a openshift domain type.
+##
+##
+#
+interface(`openshift_net_type',`
+ gen_require(`
+ attribute openshift_net_domain;
+ ')
+
+ typeattribute $1 openshift_net_domain;
+')
+
+########################################
+##
+## Read and write inherited openshift files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_rw_inherited_content',`
+ gen_require(`
+ attribute openshift_file_type;
+ ')
+
+ allow $1 openshift_file_type:file rw_inherited_file_perms;
+')
+
+########################################
+##
+## Manage openshift tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_manage_tmp_files',`
+ gen_require(`
+ type openshift_tmp_t;
+ ')
+
+ manage_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
+')
+
+########################################
+##
+## Manage openshift tmp sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_manage_tmp_sockets',`
+ gen_require(`
+ type openshift_tmp_t;
+ ')
+
+ manage_sock_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
+')
+
+########################################
+##
+## Mounton openshift tmp directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_mounton_tmp',`
+ gen_require(`
+ type openshift_tmp_t;
+ ')
+
+ allow $1 openshift_tmp_t:dir mounton;
+')
+
+########################################
+##
+## Dontaudit Read and write inherited script fifo files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openshift_dontaudit_rw_inherited_fifo_files',`
+ gen_require(`
+ type openshift_initrc_t;
+ type openshift_t;
+ ')
+
+ dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 openshift_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Allow calling app to transition to an openshift domain
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+#
+interface(`openshift_transition',`
+ gen_require(`
+ attribute openshift_user_domain;
+ ')
+
+ allow $1 openshift_user_domain:process transition;
+ dontaudit $1 openshift_user_domain:process { noatsecure siginh rlimitinh };
+ allow openshift_user_domain $1:fd use;
+ allow openshift_user_domain $1:fifo_file rw_inherited_fifo_file_perms;
+ allow openshift_user_domain $1:process sigchld;
+ dontaudit $1 openshift_user_domain:socket_class_set { read write };
+')
+
+########################################
+##
+## Allow calling app to transition to an openshift domain
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+#
+interface(`openshift_dyntransition',`
+ gen_require(`
+ attribute openshift_domain;
+ attribute openshift_user_domain;
+ ')
+
+ allow $1 openshift_user_domain:process dyntransition;
+ dontaudit openshift_user_domain $1:key view;
+ allow openshift_user_domain $1:unix_stream_socket { connectto rw_socket_perms };
+ allow openshift_user_domain $1:unix_dgram_socket rw_socket_perms;
+ allow $1 openshift_user_domain:process { rlimitinh signal };
+ dontaudit openshift_domain $1:tcp_socket { read write getattr setopt getopt shutdown };
+')
+
+########################################
+##
+## Execute openshift in the openshift domain, and
+## allow the specified role the openshift domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`openshift_run',`
+ gen_require(`
+ type openshift_initrc_exec_t;
+ ')
+
+ openshift_initrc_domtrans($1)
+ role_transition $2 openshift_initrc_exec_t system_r;
+ openshift_transition($1)
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
index 0000000..3c4beaf
--- /dev/null
+++ b/openshift.te
@@ -0,0 +1,558 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
+ role system_r;
+')
+
+########################################
+#
+# Declarations
+#
+
+
+# openshift applications that can use the network.
+attribute openshift_net_domain;
+# Attribute representing all openshift user processes (excludes apache processes)
+attribute openshift_user_domain;
+# Attribute representing all openshift processes
+attribute openshift_domain;
+
+# Attribute for all openshift content
+attribute openshift_file_type;
+
+# Type of openshift init script
+type openshift_initrc_t;
+type openshift_initrc_exec_t;
+init_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t)
+init_ranged_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
+domain_obj_id_change_exemption(openshift_initrc_t)
+optional_policy(`
+ oddjob_ranged_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
+')
+
+type openshift_initrc_tmp_t;
+files_tmp_file(openshift_initrc_tmp_t)
+
+type openshift_tmpfs_t;
+files_tmpfs_file(openshift_tmpfs_t)
+
+type openshift_tmp_t, openshift_file_type;
+files_tmp_file(openshift_tmp_t)
+files_mountpoint(openshift_tmp_t)
+files_poly(openshift_tmp_t)
+files_poly_parent(openshift_tmp_t)
+
+type openshift_var_run_t;
+files_pid_file(openshift_var_run_t)
+
+type openshift_var_lib_t, openshift_file_type;
+userdom_user_home_content(openshift_var_lib_t)
+files_poly(openshift_var_lib_t)
+files_poly_parent(openshift_var_lib_t)
+files_mountpoint(openshift_var_lib_t)
+
+type openshift_rw_file_t, openshift_file_type;
+files_poly(openshift_rw_file_t)
+files_poly_parent(openshift_rw_file_t)
+
+type openshift_log_t;
+logging_log_file(openshift_log_t)
+
+type openshift_port_t;
+corenet_port(openshift_port_t)
+corenet_reserved_port(openshift_port_t)
+
+type openshift_cgroup_read_t;
+type openshift_cgroup_read_exec_t;
+application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t)
+
+type openshift_cgroup_read_tmp_t, openshift_file_type;
+files_tmp_file(openshift_cgroup_read_tmp_t)
+
+type openshift_cron_t;
+type openshift_cron_exec_t;
+domain_type(openshift_cron_t)
+domain_entry_file(openshift_cron_t, openshift_cron_exec_t)
+role system_r types openshift_cron_t;
+
+optional_policy(`
+ cron_system_entry(openshift_cron_t, openshift_cron_exec_t)
+')
+
+type openshift_cron_tmp_t, openshift_file_type;
+files_tmp_file(openshift_cron_tmp_t)
+
+########################################
+#
+# Template to create openshift_t and openshift_app_t
+#
+
+openshift_service_domain_template(openshift)
+
+########################################
+#
+# openshift initrc local policy
+#
+
+unconfined_domain_noaudit(openshift_initrc_t)
+mcs_process_set_categories(openshift_initrc_t)
+
+virt_sandbox_domain(openshift_initrc_t)
+
+systemd_dbus_chat_logind(openshift_initrc_t)
+
+manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
+manage_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
+manage_lnk_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
+files_tmp_filetrans(openshift_initrc_t, openshift_initrc_tmp_t, { file dir })
+
+manage_dirs_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
+manage_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
+manage_lnk_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
+files_pid_filetrans(openshift_initrc_t, openshift_var_run_t, { file dir })
+
+manage_dirs_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
+manage_files_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
+logging_log_filetrans(openshift_initrc_t, openshift_log_t, { file dir })
+
+allow openshift_initrc_t openshift_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow openshift_domain openshift_initrc_t:fd use;
+allow openshift_domain openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+allow openshift_domain openshift_initrc_t:process sigchld;
+dontaudit openshift_domain openshift_initrc_t:key view;
+dontaudit openshift_domain openshift_initrc_t:process signull;
+dontaudit openshift_domain openshift_initrc_t:socket_class_set { read write };
+
+init_domtrans_script(openshift_initrc_t)
+init_initrc_domain(openshift_initrc_t)
+
+#######################################################
+#
+# Policy for all openshift domains
+#
+allow openshift_domain self:process ~ptrace;
+tunable_policy(`deny_ptrace',`',`
+ allow openshift_domain self:process ptrace;
+')
+
+allow openshift_domain self:msg all_msg_perms;
+allow openshift_domain self:msgq create_msgq_perms;
+allow openshift_domain self:shm create_shm_perms;
+allow openshift_domain self:sem create_sem_perms;
+dontaudit openshift_domain self:dir write;
+dontaudit openshift_domain self:rawip_socket create_socket_perms;
+
+dontaudit openshift_t self:unix_stream_socket recvfrom;
+dontaudit openshift_domain self:netlink_tcpdiag_socket create;
+dontaudit openshift_domain self:netlink_route_socket nlmsg_write;
+allow openshift_domain self:tcp_socket create_stream_socket_perms;
+allow openshift_domain self:fifo_file manage_fifo_file_perms;
+allow openshift_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openshift_domain self:unix_dgram_socket { create_socket_perms sendto };
+dontaudit openshift_domain self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+
+manage_dirs_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+manage_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+manage_fifo_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+manage_sock_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+manage_lnk_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+allow openshift_domain openshift_rw_file_t:dir_file_class_set { relabelfrom relabelto };
+
+list_dirs_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+read_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+rw_fifo_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+rw_sock_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+read_lnk_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+allow openshift_domain openshift_file_type:file execmod;
+can_exec(openshift_domain, openshift_file_type)
+allow openshift_domain openshift_file_type:file entrypoint;
+# Allow users to execute files in their home dir
+allow openshift_domain openshift_file_type:file { execute execute_no_trans };
+
+# Dontaudit openshift domains trying to search other openshift domains directories,
+# this happens just when users are probing the system
+dontaudit openshift_domain openshift_file_type:dir search_dir_perms
+;
+
+manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_lnk_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_sock_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_fifo_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file sock_file lnk_file fifo_file })
+can_exec(openshift_domain, openshift_tmpfs_t)
+
+manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_lnk_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_sock_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+files_tmp_filetrans(openshift_domain, openshift_tmp_t, { lnk_file file dir sock_file fifo_file })
+allow openshift_domain openshift_tmp_t:dir_file_class_set { relabelfrom relabelto };
+
+allow openshift_domain openshift_log_t:file { getattr append lock ioctl };
+
+#lsof
+allow openshift_domain openshift_initrc_t:tcp_socket getattr;
+
+dontaudit openshift_domain openshift_initrc_tmp_t:file append;
+dontaudit openshift_domain openshift_var_run_t:file append;
+dontaudit openshift_domain openshift_file_type:sock_file execute;
+
+kernel_read_network_state(openshift_domain)
+kernel_dontaudit_list_all_proc(openshift_domain)
+kernel_dontaudit_list_all_sysctls(openshift_domain)
+kernel_dontaudit_request_load_module(openshift_domain)
+kernel_get_sysvipc_info(openshift_domain)
+
+corecmd_shell_entry_type(openshift_domain)
+corecmd_bin_entry_type(openshift_domain)
+corecmd_exec_all_executables(openshift_domain)
+
+dev_read_sysfs(openshift_domain)
+dev_read_rand(openshift_domain)
+dev_read_urand(openshift_domain)
+dev_dontaudit_append_rand(openshift_domain)
+dev_dontaudit_write_urand(openshift_domain)
+dev_dontaudit_getattr_all_blk_files(openshift_domain)
+dev_dontaudit_getattr_all_chr_files(openshift_domain)
+dev_dontaudit_all_access_check(openshift_domain)
+
+domain_use_interactive_fds(openshift_domain)
+domain_dontaudit_read_all_domains_state(openshift_domain)
+
+files_read_var_lib_symlinks(openshift_domain)
+
+fs_rw_hugetlbfs_files(openshift_domain)
+fs_rw_anon_inodefs_files(openshift_domain)
+fs_search_tmpfs(openshift_domain)
+fs_getattr_all_fs(openshift_domain)
+fs_dontaudit_getattr_all_fs(openshift_domain)
+fs_list_inotifyfs(openshift_domain)
+fs_dontaudit_list_auto_mountpoints(openshift_domain)
+fs_dontaudit_list_tmpfs(openshift_domain)
+storage_dontaudit_getattr_fixed_disk_dev(openshift_domain)
+storage_getattr_fixed_disk_dev(openshift_domain)
+fs_get_xattr_fs_quotas(openshift_domain)
+fs_rw_inherited_tmpfs_files(openshift_domain)
+fs_dontaudit_rw_anon_inodefs_files(openshift_domain)
+
+dontaudit openshift_domain file_type:dir read;
+files_dontaudit_list_home(openshift_domain)
+files_dontaudit_search_all_pids(openshift_domain)
+files_dontaudit_getattr_all_dirs(openshift_domain)
+files_dontaudit_getattr_all_files(openshift_domain)
+files_dontaudit_list_mnt(openshift_domain)
+files_dontaudit_list_var(openshift_domain)
+files_dontaudit_getattr_lost_found_dirs(openshift_domain)
+files_dontaudit_search_all_mountpoints(openshift_domain)
+files_dontaudit_search_spool(openshift_domain)
+files_dontaudit_search_all_dirs(openshift_domain)
+files_exec_etc_files(openshift_domain)
+files_exec_usr_files(openshift_domain)
+files_dontaudit_getattr_non_security_sockets(openshift_domain)
+files_dontaudit_setattr_non_security_dirs(openshift_domain)
+files_dontaudit_setattr_non_security_files(openshift_domain)
+files_dontaudit_rw_inherited_locks(openshift_domain)
+
+libs_exec_lib_files(openshift_domain)
+libs_exec_ld_so(openshift_domain)
+
+selinux_validate_context(openshift_domain)
+
+logging_inherit_append_all_logs(openshift_domain)
+
+init_dontaudit_read_utmp(openshift_domain)
+
+miscfiles_read_fonts(openshift_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(openshift_domain)
+
+mta_dontaudit_read_spool_symlinks(openshift_domain)
+
+term_dontaudit_search_ptys(openshift_domain)
+term_use_generic_ptys(openshift_domain)
+term_dontaudit_getattr_generic_ptys(openshift_domain)
+term_use_ptmx(openshift_domain)
+
+userdom_use_inherited_user_ptys(openshift_domain)
+userdom_dontaudit_search_admin_dir(openshift_domain)
+
+application_exec(openshift_domain)
+
+optional_policy(`
+ apache_exec_modules(openshift_domain)
+ apache_list_modules(openshift_domain)
+ apache_read_config(openshift_domain)
+ apache_search_config(openshift_domain)
+ apache_read_sys_content(openshift_domain)
+ apache_exec_sys_script(openshift_domain)
+ apache_entrypoint(openshift_domain)
+ apache_dontaudit_read_log(openshift_domain)
+')
+
+optional_policy(`
+ #############################################
+ #
+ # openshift cgi script policy
+ #
+ apache_content_template(openshift)
+ domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
+
+ optional_policy(`
+ dbus_system_bus_client(httpd_openshift_script_t)
+
+ optional_policy(`
+ oddjob_dbus_chat(httpd_openshift_script_t)
+ oddjob_dontaudit_rw_fifo_file(openshift_domain)
+ ')
+ ')
+')
+
+optional_policy(`
+ cron_role(system_r, openshift_domain)
+')
+
+optional_policy(`
+ gpg_entry_type(openshift_domain)
+')
+
+optional_policy(`
+ mysql_search_db(openshift_domain)
+')
+
+optional_policy(`
+ screen_exec(openshift_domain)
+')
+
+optional_policy(`
+ ssh_use_ptys(openshift_domain)
+ ssh_getattr_user_home_dir(openshift_domain)
+ ssh_dontaudit_search_user_home_dir(openshift_domain)
+')
+
+optional_policy(`
+ udev_read_pid_files(openshift_domain)
+')
+
+#######################################################
+#
+# Policy for openshift user domain process
+#
+manage_dirs_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+manage_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+manage_fifo_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+manage_sock_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+manage_lnk_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+allow openshift_user_domain openshift_file_type:dir_file_class_set { relabelfrom relabelto };
+
+allow openshift_user_domain openshift_domain:process transition;
+allow openshift_domain openshift_user_domain:fd use;
+allow openshift_domain openshift_user_domain:fifo_file rw_inherited_fifo_file_perms;
+allow openshift_domain openshift_user_domain:process sigchld;
+dontaudit openshift_domain openshift_user_domain:key view;
+dontaudit openshift_domain openshift_user_domain:process signull;
+dontaudit openshift_domain openshift_user_domain:socket_class_set { read write };
+
+tunable_policy(`deny_ptrace',`',`
+ allow openshift_user_domain openshift_domain:process ptrace;
+')
+
+mta_signal_user_agent(openshift_user_domain)
+
+optional_policy(`
+ ssh_rw_tcp_sockets(openshift_user_domain)
+')
+
+############################################################################
+#
+# Rules specific to openshift_net_domains
+#
+allow openshift_net_domain openshift_port_t:tcp_socket { name_connect name_bind };
+allow openshift_net_domain openshift_port_t:udp_socket name_bind;
+
+corenet_tcp_connect_mssql_port(openshift_net_domain)
+corenet_tcp_connect_mysqld_port(openshift_net_domain)
+corenet_tcp_connect_postgresql_port(openshift_net_domain)
+corenet_tcp_connect_git_port(openshift_net_domain)
+corenet_tcp_connect_oracle_port(openshift_net_domain)
+corenet_tcp_connect_flash_port(openshift_net_domain)
+corenet_tcp_connect_http_port(openshift_net_domain)
+corenet_tcp_connect_ftp_port(openshift_net_domain)
+#/* These ports are the ephemeral ports needed for ftp */
+corenet_tcp_connect_virt_migration_port(openshift_net_domain)
+corenet_tcp_connect_ssh_port(openshift_net_domain)
+corenet_tcp_connect_jacorb_port(openshift_net_domain)
+corenet_tcp_connect_jboss_management_port(openshift_net_domain)
+corenet_tcp_connect_jboss_debug_port(openshift_net_domain)
+corenet_tcp_connect_jboss_messaging_port(openshift_net_domain)
+corenet_tcp_connect_memcache_port(openshift_net_domain)
+corenet_tcp_connect_http_cache_port(openshift_net_domain)
+corenet_tcp_connect_amqp_port(openshift_net_domain)
+corenet_tcp_connect_generic_port(openshift_net_domain)
+corenet_tcp_connect_mongod_port(openshift_net_domain)
+corenet_tcp_connect_munin_port(openshift_net_domain)
+corenet_tcp_connect_pop_port(openshift_net_domain)
+corenet_tcp_connect_pulseaudio_port(openshift_net_domain)
+corenet_tcp_connect_smtp_port(openshift_net_domain)
+corenet_tcp_connect_whois_port(openshift_net_domain)
+corenet_udp_bind_generic_port(openshift_net_domain)
+corenet_tcp_bind_http_cache_port(openshift_domain)
+corenet_tcp_bind_jacorb_port(openshift_net_domain)
+corenet_tcp_bind_jboss_management_port(openshift_net_domain)
+corenet_tcp_bind_jboss_messaging_port(openshift_net_domain)
+corenet_tcp_bind_jboss_debug_port(openshift_net_domain)
+corenet_tcp_bind_mongod_port(openshift_net_domain)
+corenet_tcp_bind_mysqld_port(openshift_domain)
+corenet_tcp_bind_pulseaudio_port(openshift_net_domain)
+corenet_tcp_bind_postgresql_port(openshift_net_domain)
+
+############################################################################
+#
+# Rules specific to openshift and openshift_app_t
+#
+kernel_read_vm_sysctls(openshift_t)
+kernel_read_vm_sysctls(openshift_app_t)
+kernel_search_vm_sysctl(openshift_t)
+kernel_search_vm_sysctl(openshift_app_t)
+netutils_domtrans_ping(openshift_t)
+netutils_kill_ping(openshift_t)
+netutils_signal_ping(openshift_t)
+
+openshift_net_type(openshift_app_t)
+openshift_net_type(openshift_t)
+
+optional_policy(`
+ postfix_rw_public_pipes(openshift_t)
+ postfix_manage_spool_maildrop_files(openshift_t)
+')
+
+########################################
+#
+# openshift_cgroup_read local policy
+#
+
+allow openshift_cgroup_read_t self:process { getattr signal_perms };
+allow openshift_cgroup_read_t self:fifo_file rw_fifo_file_perms;
+allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
+allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+
+allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;
+
+manage_dirs_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
+manage_files_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
+files_tmp_filetrans(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, { file dir })
+
+kernel_read_system_state(openshift_cgroup_read_t)
+
+term_dontaudit_use_generic_ptys(openshift_cgroup_read_t)
+
+auth_read_passwd(openshift_cgroup_read_t)
+
+miscfiles_read_localization(openshift_cgroup_read_t)
+
+optional_policy(`
+ ssh_use_ptys(openshift_cgroup_read_t)
+')
+
+corecmd_exec_bin(openshift_cgroup_read_t)
+corecmd_exec_shell(openshift_cgroup_read_t)
+
+dev_read_urand(openshift_cgroup_read_t)
+
+domain_use_interactive_fds(openshift_cgroup_read_t)
+
+fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t)
+
+userdom_use_inherited_user_ptys(openshift_cgroup_read_t)
+
+miscfiles_read_generic_certs(openshift_cgroup_read_t)
+
+domtrans_pattern(openshift_domain, openshift_cgroup_read_exec_t, openshift_cgroup_read_t)
+role system_r types openshift_cgroup_read_t;
+
+allow openshift_domain openshift_cgroup_read_t:process { getattr signal signull sigkill };
+
+fs_list_cgroup_dirs(openshift_cgroup_read_t)
+fs_read_cgroup_files(openshift_cgroup_read_t)
+
+allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
+manage_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
+allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;
+
+########################################
+#
+# openshift_cron local policy
+#
+allow openshift_cron_t self:capability { dac_override net_admin sys_admin };
+allow openshift_cron_t self:process signal_perms;
+allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
+allow openshift_cron_t self:udp_socket create_socket_perms;
+allow openshift_cron_t self:unix_dgram_socket create_socket_perms;
+allow openshift_cron_t self:netlink_route_socket rw_netlink_socket_perms;
+
+append_files_pattern(openshift_cron_t, openshift_log_t, openshift_log_t)
+manage_dirs_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_fifo_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_lnk_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_sock_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+files_tmp_filetrans(openshift_cron_t, openshift_cron_tmp_t, { lnk_file file dir sock_file fifo_file })
+
+openshift_manage_lib_dirs(openshift_cron_t)
+openshift_manage_lib_files(openshift_cron_t)
+
+kernel_search_network_sysctl(openshift_cron_t)
+kernel_read_network_state(openshift_cron_t)
+kernel_read_system_state(openshift_cron_t)
+
+corecmd_exec_bin(openshift_cron_t)
+corecmd_exec_shell(openshift_cron_t)
+
+dev_read_raw_memory(openshift_cron_t)
+dev_read_urand(openshift_cron_t)
+
+corenet_udp_bind_generic_node(openshift_cron_t)
+corenet_udp_bind_generic_port(openshift_cron_t)
+
+dev_getattr_fs(openshift_cron_t)
+dev_list_sysfs(openshift_cron_t)
+dev_read_sysfs(openshift_cron_t)
+
+files_getattr_home_dir(openshift_cron_t)
+files_manage_etc_files(openshift_cron_t)
+
+fs_getattr_tmpfs_dirs(openshift_cron_t)
+fs_getattr_all_fs(openshift_cron_t)
+fs_list_hugetlbfs(openshift_cron_t)
+fs_search_cgroup_dirs(openshift_cron_t)
+
+seutil_domtrans_setfiles(openshift_cron_t)
+
+term_getattr_pty_fs(openshift_cron_t)
+term_search_ptys(openshift_cron_t)
+
+auth_use_nsswitch(openshift_cron_t)
+
+miscfiles_read_generic_certs(openshift_cron_t)
+miscfiles_read_hwdata(openshift_cron_t)
+
+sysnet_exec_ifconfig(openshift_cron_t)
+sysnet_read_config(openshift_cron_t)
+
+optional_policy(`
+ dmidecode_exec(openshift_cron_t)
+')
+
+optional_policy(`
+ hostname_exec(openshift_cron_t)
+')
+
+optional_policy(`
+ quota_read_db(openshift_cron_t)
+')
+
+optional_policy(`
+ ssh_domtrans_keygen(openshift_cron_t)
+ ssh_dontaudit_read_server_keys(openshift_cron_t)
+')
+
diff --git a/opensm.fc b/opensm.fc
new file mode 100644
index 0000000..51650fa
--- /dev/null
+++ b/opensm.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/opensm.* -- gen_context(system_u:object_r:opensm_unit_file_t,s0)
+
+/usr/libexec/opensm-launch -- gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/var/cache/opensm(/.*)? gen_context(system_u:object_r:opensm_cache_t,s0)
+
+/var/log/opensm\.log.* -- gen_context(system_u:object_r:opensm_log_t,s0)
diff --git a/opensm.if b/opensm.if
new file mode 100644
index 0000000..776fda7
--- /dev/null
+++ b/opensm.if
@@ -0,0 +1,223 @@
+
+## Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB
+
+########################################
+##
+## Execute opensm in the opensm domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`opensm_domtrans',`
+ gen_require(`
+ type opensm_t, opensm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, opensm_exec_t, opensm_t)
+')
+
+########################################
+##
+## Search opensm cache directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opensm_search_cache',`
+ gen_require(`
+ type opensm_cache_t;
+ ')
+
+ allow $1 opensm_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+##
+## Read opensm cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opensm_read_cache_files',`
+ gen_require(`
+ type opensm_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, opensm_cache_t, opensm_cache_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## opensm cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opensm_manage_cache_files',`
+ gen_require(`
+ type opensm_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, opensm_cache_t, opensm_cache_t)
+')
+
+########################################
+##
+## Manage opensm cache dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opensm_manage_cache_dirs',`
+ gen_require(`
+ type opensm_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, opensm_cache_t, opensm_cache_t)
+')
+
+########################################
+##
+## Read opensm's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opensm_read_log',`
+ gen_require(`
+ type opensm_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, opensm_log_t, opensm_log_t)
+')
+
+########################################
+##
+## Append to opensm log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opensm_append_log',`
+ gen_require(`
+ type opensm_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, opensm_log_t, opensm_log_t)
+')
+
+########################################
+##
+## Manage opensm log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`opensm_manage_log',`
+ gen_require(`
+ type opensm_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, opensm_log_t, opensm_log_t)
+ manage_files_pattern($1, opensm_log_t, opensm_log_t)
+ manage_lnk_files_pattern($1, opensm_log_t, opensm_log_t)
+')
+########################################
+##
+## Execute opensm server in the opensm domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`opensm_systemctl',`
+ gen_require(`
+ type opensm_t;
+ type opensm_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 opensm_unit_file_t:file read_file_perms;
+ allow $1 opensm_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, opensm_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an opensm environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`opensm_admin',`
+ gen_require(`
+ type opensm_t;
+ type opensm_cache_t;
+ type opensm_log_t;
+ type opensm_unit_file_t;
+ ')
+
+ allow $1 opensm_t:process { signal_perms };
+ ps_process_pattern($1, opensm_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 opensm_t:process ptrace;
+ ')
+
+ files_search_var($1)
+ admin_pattern($1, opensm_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, opensm_log_t)
+
+ opensm_systemctl($1)
+ admin_pattern($1, opensm_unit_file_t)
+ allow $1 opensm_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/opensm.te b/opensm.te
new file mode 100644
index 0000000..a055461
--- /dev/null
+++ b/opensm.te
@@ -0,0 +1,44 @@
+policy_module(opensm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type opensm_t;
+type opensm_exec_t;
+init_daemon_domain(opensm_t, opensm_exec_t)
+
+type opensm_cache_t;
+files_type(opensm_cache_t)
+
+type opensm_log_t;
+logging_log_file(opensm_log_t)
+
+type opensm_unit_file_t;
+systemd_unit_file(opensm_unit_file_t)
+
+########################################
+#
+# opensm local policy
+#
+allow opensm_t self:process { signal fork };
+allow opensm_t self:fifo_file rw_fifo_file_perms;
+allow opensm_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+manage_files_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+files_var_filetrans(opensm_t, opensm_cache_t, { dir file })
+
+manage_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+logging_log_filetrans(opensm_t, opensm_log_t, file )
+
+kernel_read_system_state(opensm_t)
+
+auth_read_passwd(opensm_t)
+
+corecmd_exec_bin(opensm_t)
+
+dev_read_sysfs(opensm_t)
+
+logging_send_syslog_msg(opensm_t)
diff --git a/openvpn.fc b/openvpn.fc
index 300213f..4cdfe09 100644
--- a/openvpn.fc
+++ b/openvpn.fc
@@ -1,10 +1,13 @@
/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
+/etc/openvpn/scripts(/.*)? gen_context(system_u:object_r:openvpn_unconfined_script_exec_t,s0)
/etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
+/var/lib/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_lib_t,s0)
+
/var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
diff --git a/openvpn.if b/openvpn.if
index 6837e9a..21e6dae 100644
--- a/openvpn.if
+++ b/openvpn.if
@@ -23,6 +23,25 @@ interface(`openvpn_domtrans',`
########################################
##
## Execute openvpn clients in the
+## caller domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openvpn_exec',`
+ gen_require(`
+ type openvpn_exec_t;
+ ')
+
+ can_exec($1, openvpn_exec_t)
+')
+
+########################################
+##
+## Execute openvpn clients in the
## openvpn domain, and allow the
## specified role the openvpn domain.
##
@@ -147,9 +166,13 @@ interface(`openvpn_admin',`
type openvpn_status_t;
')
- allow $1 openvpn_t:process { ptrace signal_perms };
+ allow $1 openvpn_t:process signal_perms;
ps_process_pattern($1, openvpn_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 openvpn_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
index 63957a3..0e675ab 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
#
##
+##
+## Allow openvpn to run unconfined scripts
+##
+##
+gen_tunable(openvpn_run_unconfined, false)
+
+##
##
## Determine whether openvpn can
## read generic user home content files.
@@ -40,6 +47,9 @@ init_script_file(openvpn_initrc_exec_t)
type openvpn_status_t;
logging_log_file(openvpn_status_t)
+type openvpn_var_lib_t;
+files_type(openvpn_var_lib_t)
+
type openvpn_tmp_t;
files_tmp_file(openvpn_tmp_t)
@@ -54,7 +64,7 @@ files_pid_file(openvpn_var_run_t)
# Local policy
#
-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket sendto;
@@ -73,13 +83,17 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
allow openvpn_t openvpn_status_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
+manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
+
+manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)
+files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
+
allow openvpn_t openvpn_tmp_t:file manage_file_perms;
files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-setattr_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
@@ -97,7 +111,6 @@ kernel_request_load_module(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
-corenet_all_recvfrom_unlabeled(openvpn_t)
corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_generic_if(openvpn_t)
corenet_udp_sendrecv_generic_if(openvpn_t)
@@ -117,13 +130,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
corenet_sendrecv_http_server_packets(openvpn_t)
corenet_tcp_bind_http_port(openvpn_t)
corenet_sendrecv_http_client_packets(openvpn_t)
+corenet_tcp_connect_squid_port(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
corenet_tcp_sendrecv_http_port(openvpn_t)
-
corenet_sendrecv_http_cache_client_packets(openvpn_t)
corenet_tcp_connect_http_cache_port(openvpn_t)
corenet_tcp_sendrecv_http_cache_port(openvpn_t)
+corenet_tcp_connect_tor_port(openvpn_t)
+
corenet_rw_tun_tap_dev(openvpn_t)
dev_read_rand(openvpn_t)
@@ -135,18 +150,24 @@ fs_search_auto_mountpoints(openvpn_t)
auth_use_pam(openvpn_t)
-miscfiles_read_localization(openvpn_t)
+logging_send_syslog_msg(openvpn_t)
+
miscfiles_read_all_certs(openvpn_t)
+sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
sysnet_manage_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
sysnet_use_ldap(openvpn_t)
-userdom_use_user_terminals(openvpn_t)
+userdom_use_inherited_user_terminals(openvpn_t)
+userdom_read_home_certs(openvpn_t)
+userdom_attach_admin_tun_iface(openvpn_t)
+userdom_read_inherited_user_tmp_files(openvpn_t)
+userdom_read_inherited_user_home_content_files(openvpn_t)
tunable_policy(`openvpn_enable_homedirs',`
- userdom_read_user_home_content_files(openvpn_t)
+ userdom_search_user_home_dirs(openvpn_t)
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
@@ -164,6 +185,10 @@ tunable_policy(`openvpn_can_network_connect',`
')
optional_policy(`
+ brctl_domtrans(openvpn_t)
+')
+
+optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
')
@@ -175,3 +200,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
')
+
+optional_policy(`
+ unconfined_attach_tun_iface(openvpn_t)
+')
+
+type openvpn_unconfined_script_t;
+type openvpn_unconfined_script_exec_t;
+domain_type(openvpn_unconfined_script_t)
+domain_entry_file(openvpn_unconfined_script_t, openvpn_unconfined_script_exec_t)
+corecmd_shell_entry_type(openvpn_unconfined_script_t)
+role system_r types openvpn_unconfined_script_t;
+
+allow openvpn_t openvpn_unconfined_script_exec_t:dir search_dir_perms;
+allow openvpn_t openvpn_unconfined_script_exec_t:file ioctl;
+
+optional_policy(`
+ unconfined_domain(openvpn_unconfined_script_t)
+')
+
+tunable_policy(`openvpn_run_unconfined',`
+ domtrans_pattern(openvpn_t, openvpn_unconfined_script_exec_t, openvpn_unconfined_script_t)
+',`
+ can_exec(openvpn_t, openvpn_unconfined_script_exec_t)
+')
diff --git a/openvswitch.fc b/openvswitch.fc
index 45d7cc5..c5b9607 100644
--- a/openvswitch.fc
+++ b/openvswitch.fc
@@ -1,12 +1,16 @@
-/etc/rc\.d/init\.d/openvswitch -- gen_context(system_u:object_r:openvswitch_initrc_exec_t,s0)
+/usr/lib/systemd/system/openvswitch.service -- gen_context(system_u:object_r:openvswitch_unit_file_t,s0)
-/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_conf_t,s0)
+/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/bin/ovs-vsctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovsdb-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovsdb-server -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovs-vswitchd -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/bin/ovs-appctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-/usr/share/openvswitch/scripts/openvswitch\.init -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
-/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
+/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
-/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
+/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
-/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
+/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_rw_t,s0)
diff --git a/openvswitch.if b/openvswitch.if
index 9b15730..eedd136 100644
--- a/openvswitch.if
+++ b/openvswitch.if
@@ -1,13 +1,14 @@
-## Multilayer virtual switch.
+
+## policy for openvswitch
########################################
##
-## Execute openvswitch in the openvswitch domain.
+## Execute TEMPLATE in the openvswitch domin.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`openvswitch_domtrans',`
@@ -18,10 +19,145 @@ interface(`openvswitch_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, openvswitch_exec_t, openvswitch_t)
')
+########################################
+##
+## Read openvswitch's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`openvswitch_read_log',`
+ gen_require(`
+ type openvswitch_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
+')
+
+########################################
+##
+## Append to openvswitch log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvswitch_append_log',`
+ gen_require(`
+ type openvswitch_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
+')
########################################
##
-## Read openvswitch pid files.
+## Manage openvswitch log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvswitch_manage_log',`
+ gen_require(`
+ type openvswitch_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, openvswitch_log_t, openvswitch_log_t)
+ manage_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
+ manage_lnk_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
+')
+
+########################################
+##
+## Search openvswitch lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvswitch_search_lib',`
+ gen_require(`
+ type openvswitch_var_lib_t;
+ ')
+
+ allow $1 openvswitch_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read openvswitch lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvswitch_read_lib_files',`
+ gen_require(`
+ type openvswitch_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
+')
+
+########################################
+##
+## Manage openvswitch lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvswitch_manage_lib_files',`
+ gen_require(`
+ type openvswitch_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
+')
+
+########################################
+##
+## Manage openvswitch lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvswitch_manage_lib_dirs',`
+ gen_require(`
+ type openvswitch_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
+')
+
+########################################
+##
+## Read openvswitch PID files.
##
##
##
@@ -40,44 +176,86 @@ interface(`openvswitch_read_pid_files',`
########################################
##
-## All of the rules required to
-## administrate an openvswitch environment.
+## Allow stream connect to openvswitch.
##
##
##
## Domain allowed access.
##
##
-##
+#
+
+interface(`openvswitch_stream_connect',`
+ gen_require(`
+ type openvswitch_t, openvswitch_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t, openvswitch_t)
+')
+
+########################################
+##
+## Execute openvswitch server in the openvswitch domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openvswitch_systemctl',`
+ gen_require(`
+ type openvswitch_t;
+ type openvswitch_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 openvswitch_unit_file_t:file read_file_perms;
+ allow $1 openvswitch_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, openvswitch_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an openvswitch environment
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
##
#
interface(`openvswitch_admin',`
gen_require(`
- type openvswitch_t, openvswitch_initrc_exec_t, openvswitch_conf_t;
- type openvswitch_var_lib_t, openvswitch_log_t, openvswitch_var_run_t;
+ type openvswitch_t, openvswitch_log_t, openvswitch_var_lib_t;
+ type openvswitch_rw_t, openvswitch_var_run_t, openvswitch_unit_file_t;
')
allow $1 openvswitch_t:process { ptrace signal_perms };
ps_process_pattern($1, openvswitch_t)
- init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openvswitch_initrc_exec_t system_r;
- allow $2 system_r;
+ logging_search_logs($1)
+ admin_pattern($1, openvswitch_rw_t)
- files_search_etc($1)
- admin_pattern($1, openvswitch_conf_t)
+ logging_search_logs($1)
+ admin_pattern($1, openvswitch_log_t)
files_search_var_lib($1)
admin_pattern($1, openvswitch_var_lib_t)
- logging_search_logs($1)
- admin_pattern($1, openvswitch_log_t)
-
files_search_pids($1)
admin_pattern($1, openvswitch_var_run_t)
+
+ openvswitch_systemctl($1)
+ admin_pattern($1, openvswitch_unit_file_t)
+ allow $1 openvswitch_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
index 44dbc99..128ff1f 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -9,11 +9,8 @@ type openvswitch_t;
type openvswitch_exec_t;
init_daemon_domain(openvswitch_t, openvswitch_exec_t)
-type openvswitch_initrc_exec_t;
-init_script_file(openvswitch_initrc_exec_t)
-
-type openvswitch_conf_t;
-files_config_file(openvswitch_conf_t)
+type openvswitch_rw_t;
+files_config_file(openvswitch_rw_t)
type openvswitch_var_lib_t;
files_type(openvswitch_var_lib_t)
@@ -27,20 +24,27 @@ files_tmp_file(openvswitch_tmp_t)
type openvswitch_var_run_t;
files_pid_file(openvswitch_var_run_t)
+type openvswitch_unit_file_t;
+systemd_unit_file(openvswitch_unit_file_t)
+
########################################
#
-# Local policy
+# openvswitch local policy
#
-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
-allow openvswitch_t self:process { setrlimit setsched signal };
+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource };
+allow openvswitch_t self:capability2 block_suspend;
+allow openvswitch_t self:process { fork setsched setrlimit signal };
allow openvswitch_t self:fifo_file rw_fifo_file_perms;
-allow openvswitch_t self:rawip_socket create_socket_perms;
-allow openvswitch_t self:unix_stream_socket { accept connectto listen };
+allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openvswitch_t self:netlink_socket create_socket_perms;
+allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
+
+can_exec(openvswitch_t, openvswitch_exec_t)
-manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
+manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
@@ -48,9 +52,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-append_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-create_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-setattr_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
+manage_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
@@ -65,33 +67,38 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
-can_exec(openvswitch_t, openvswitch_exec_t)
-
kernel_read_network_state(openvswitch_t)
kernel_read_system_state(openvswitch_t)
-
-corenet_all_recvfrom_unlabeled(openvswitch_t)
-corenet_all_recvfrom_netlabel(openvswitch_t)
-corenet_raw_sendrecv_generic_if(openvswitch_t)
-corenet_raw_sendrecv_generic_node(openvswitch_t)
+kernel_request_load_module(openvswitch_t)
corecmd_exec_bin(openvswitch_t)
+corecmd_exec_shell(openvswitch_t)
+dev_read_rand(openvswitch_t)
dev_read_urand(openvswitch_t)
+dev_read_sysfs(openvswitch_t)
domain_use_interactive_fds(openvswitch_t)
-files_read_etc_files(openvswitch_t)
+files_read_kernel_modules(openvswitch_t)
fs_getattr_all_fs(openvswitch_t)
fs_search_cgroup_dirs(openvswitch_t)
+auth_read_passwd(openvswitch_t)
+
logging_send_syslog_msg(openvswitch_t)
-miscfiles_read_localization(openvswitch_t)
+modutils_exec_insmod(openvswitch_t)
+modutils_list_module_config(openvswitch_t)
+modutils_read_module_config(openvswitch_t)
sysnet_dns_name_resolve(openvswitch_t)
optional_policy(`
iptables_domtrans(openvswitch_t)
')
+
+optional_policy(`
+ plymouthd_exec_plymouth(openvswitch_t)
+')
diff --git a/openwsman.fc b/openwsman.fc
new file mode 100644
index 0000000..00d0643
--- /dev/null
+++ b/openwsman.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/openwsmand.* -- gen_context(system_u:object_r:openwsman_unit_file_t,s0)
+
+/usr/sbin/openwsmand -- gen_context(system_u:object_r:openwsman_exec_t,s0)
+
+/var/log/wsmand.* -- gen_context(system_u:object_r:openwsman_log_t,s0)
+
+/var/run/wsmand.* -- gen_context(system_u:object_r:openwsman_run_t,s0)
diff --git a/openwsman.if b/openwsman.if
new file mode 100644
index 0000000..42ed4ba
--- /dev/null
+++ b/openwsman.if
@@ -0,0 +1,78 @@
+## WS-Management Server
+
+########################################
+##
+## Execute openwsman in the openwsman domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openwsman_domtrans',`
+ gen_require(`
+ type openwsman_t, openwsman_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, openwsman_exec_t, openwsman_t)
+')
+########################################
+##
+## Execute openwsman server in the openwsman domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openwsman_systemctl',`
+ gen_require(`
+ type openwsman_t;
+ type openwsman_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 openwsman_unit_file_t:file read_file_perms;
+ allow $1 openwsman_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, openwsman_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an openwsman environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`openwsman_admin',`
+ gen_require(`
+ type openwsman_t;
+ type openwsman_unit_file_t;
+ ')
+
+ allow $1 openwsman_t:process { signal_perms };
+ ps_process_pattern($1, openwsman_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 openwsman_t:process ptrace;
+ ')
+
+ openwsman_systemctl($1)
+ admin_pattern($1, openwsman_unit_file_t)
+ allow $1 openwsman_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/openwsman.te b/openwsman.te
new file mode 100644
index 0000000..49dc5ef
--- /dev/null
+++ b/openwsman.te
@@ -0,0 +1,43 @@
+policy_module(openwsman, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openwsman_t;
+type openwsman_exec_t;
+init_daemon_domain(openwsman_t, openwsman_exec_t)
+
+type openwsman_log_t;
+logging_log_file(openwsman_log_t)
+
+type openwsman_run_t;
+files_pid_file(openwsman_run_t)
+
+type openwsman_unit_file_t;
+systemd_unit_file(openwsman_unit_file_t)
+
+########################################
+#
+# openwsman local policy
+#
+allow openwsman_t self:process { fork };
+allow openwsman_t self:fifo_file rw_fifo_file_perms;
+allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
+allow openwsman_t self:tcp_socket { create_socket_perms listen };
+
+manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
+logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
+
+manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t)
+files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
+
+auth_use_nsswitch(openwsman_t)
+
+corenet_tcp_bind_vnc_port(openwsman_t)
+
+dev_read_urand(openwsman_t)
+
+logging_send_syslog_msg(openwsman_t)
+
diff --git a/oracleasm.fc b/oracleasm.fc
new file mode 100644
index 0000000..80fb8c3
--- /dev/null
+++ b/oracleasm.fc
@@ -0,0 +1,4 @@
+
+/etc/rc\.d/init\.d/oracleasm -- gen_context(system_u:object_r:oracleasm_initrc_exec_t,s0)
+
+/usr/sbin/oracleasm -- gen_context(system_u:object_r:oracleasm_exec_t,s0)
diff --git a/oracleasm.if b/oracleasm.if
new file mode 100644
index 0000000..6ae382c
--- /dev/null
+++ b/oracleasm.if
@@ -0,0 +1,75 @@
+
+## policy for oracleasm
+
+########################################
+##
+## Transition to oracleasm.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`oracleasm_domtrans',`
+ gen_require(`
+ type oracleasm_t, oracleasm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, oracleasm_exec_t, oracleasm_t)
+')
+
+
+########################################
+##
+## Execute oracleasm server in the oracleasm domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`oracleasm_initrc_domtrans',`
+ gen_require(`
+ type oracleasm_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, oracleasm_initrc_exec_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an oracleasm environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`oracleasm_admin',`
+ gen_require(`
+ type oracleasm_t;
+ type oracleasm_initrc_exec_t;
+ ')
+
+ allow $1 oracleasm_t:process { ptrace signal_perms };
+ ps_process_pattern($1, oracleasm_t)
+
+ oracleasm_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 oracleasm_initrc_exec_t system_r;
+ allow $2 system_r;
+
+')
+
diff --git a/oracleasm.te b/oracleasm.te
new file mode 100644
index 0000000..0493b99
--- /dev/null
+++ b/oracleasm.te
@@ -0,0 +1,34 @@
+policy_module(oracleasm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type oracleasm_t;
+type oracleasm_exec_t;
+init_daemon_domain(oracleasm_t, oracleasm_exec_t)
+
+type oracleasm_initrc_exec_t;
+init_script_file(oracleasm_initrc_exec_t)
+
+########################################
+#
+# oracleasm local policy
+#
+
+allow oracleasm_t self:fifo_file rw_fifo_file_perms;
+allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(oracleasm_t)
+
+corecmd_exec_shell(oracleasm_t)
+corecmd_exec_bin(oracleasm_t)
+
+optional_policy(`
+ mount_domtrans(oracleasm_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(oracleasm_t)
+')
diff --git a/pacemaker.fc b/pacemaker.fc
index 2f0ad56..d4da0b8 100644
--- a/pacemaker.fc
+++ b/pacemaker.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
+/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:pacemaker_unit_file_t,s0)
+
/usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
/var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
diff --git a/pacemaker.if b/pacemaker.if
index 9682d9a..d47f913 100644
--- a/pacemaker.if
+++ b/pacemaker.if
@@ -1,9 +1,166 @@
-## A scalable high-availability cluster resource manager.
+## >A scalable high-availability cluster resource manager.
########################################
##
-## All of the rules required to
-## administrate an pacemaker environment.
+## Transition to pacemaker.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pacemaker_domtrans',`
+ gen_require(`
+ type pacemaker_t, pacemaker_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pacemaker_exec_t, pacemaker_t)
+')
+
+########################################
+##
+## Execute pacemaker server in the pacemaker domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pacemaker_initrc_domtrans',`
+ gen_require(`
+ type pacemaker_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
+')
+
+########################################
+##
+## Search pacemaker lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pacemaker_search_lib',`
+ gen_require(`
+ type pacemaker_var_lib_t;
+ ')
+
+ allow $1 pacemaker_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read pacemaker lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pacemaker_read_lib_files',`
+ gen_require(`
+ type pacemaker_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
+')
+
+########################################
+##
+## Manage pacemaker lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pacemaker_manage_lib_files',`
+ gen_require(`
+ type pacemaker_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
+')
+
+########################################
+##
+## Manage pacemaker lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pacemaker_manage_lib_dirs',`
+ gen_require(`
+ type pacemaker_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
+')
+
+########################################
+##
+## Read pacemaker PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pacemaker_read_pid_files',`
+ gen_require(`
+ type pacemaker_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pacemaker_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Execute pacemaker server in the pacemaker domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pacemaker_systemctl',`
+ gen_require(`
+ type pacemaker_t;
+ type pacemaker_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 pacemaker_unit_file_t:file read_file_perms;
+ allow $1 pacemaker_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, pacemaker_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an pacemaker environment
##
##
##
@@ -19,14 +176,17 @@
#
interface(`pacemaker_admin',`
gen_require(`
- type pacemaker_t, pacemaker_initrc_exec_t, pacemaker_var_lib_t;
+ type pacemaker_t;
+ type pacemaker_initrc_exec_t;
+ type pacemaker_var_lib_t;
type pacemaker_var_run_t;
+ type pacemaker_unit_file_t;
')
allow $1 pacemaker_t:process { ptrace signal_perms };
ps_process_pattern($1, pacemaker_t)
- init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
+ pacemaker_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 pacemaker_initrc_exec_t system_r;
allow $2 system_r;
@@ -36,4 +196,13 @@ interface(`pacemaker_admin',`
files_search_pids($1)
admin_pattern($1, pacemaker_var_run_t)
+
+ pacemaker_systemctl($1)
+ admin_pattern($1, pacemaker_unit_file_t)
+ allow $1 pacemaker_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/pacemaker.te b/pacemaker.te
index 6e6efb6..3dc917d 100644
--- a/pacemaker.te
+++ b/pacemaker.te
@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.1.0)
# Declarations
#
+##
+##
+## Allow pacemaker memcheck-amd64- to use executable memory
+##
+##
+gen_tunable(pacemaker_use_execmem, false)
+
type pacemaker_t;
type pacemaker_exec_t;
init_daemon_domain(pacemaker_t, pacemaker_exec_t)
@@ -12,17 +19,20 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t)
type pacemaker_initrc_exec_t;
init_script_file(pacemaker_initrc_exec_t)
+type pacemaker_var_lib_t;
+files_type(pacemaker_var_lib_t)
+
+type pacemaker_var_run_t;
+files_pid_file(pacemaker_var_run_t)
+
type pacemaker_tmp_t;
files_tmp_file(pacemaker_tmp_t)
type pacemaker_tmpfs_t;
files_tmpfs_file(pacemaker_tmpfs_t)
-type pacemaker_var_lib_t;
-files_type(pacemaker_var_lib_t)
-
-type pacemaker_var_run_t;
-files_pid_file(pacemaker_var_run_t)
+type pacemaker_unit_file_t;
+systemd_unit_file(pacemaker_unit_file_t)
########################################
#
@@ -30,13 +40,15 @@ files_pid_file(pacemaker_var_run_t)
#
allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
+allow pacemaker_t self:capability2 block_suspend;
allow pacemaker_t self:process { setrlimit signal setpgid };
allow pacemaker_t self:fifo_file rw_fifo_file_perms;
allow pacemaker_t self:unix_stream_socket { connectto accept listen };
manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
-files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir })
+manage_fifo_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
+files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { fifo_file file dir })
manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
@@ -60,13 +72,13 @@ kernel_read_system_state(pacemaker_t)
corecmd_exec_bin(pacemaker_t)
corecmd_exec_shell(pacemaker_t)
+domain_use_interactive_fds(pacemaker_t)
+domain_read_all_domains_state(pacemaker_t)
+
dev_getattr_mtrr_dev(pacemaker_t)
dev_read_rand(pacemaker_t)
dev_read_urand(pacemaker_t)
-domain_read_all_domains_state(pacemaker_t)
-domain_use_interactive_fds(pacemaker_t)
-
files_read_kernel_symbol_table(pacemaker_t)
fs_getattr_all_fs(pacemaker_t)
@@ -75,9 +87,20 @@ auth_use_nsswitch(pacemaker_t)
logging_send_syslog_msg(pacemaker_t)
-miscfiles_read_localization(pacemaker_t)
+sysnet_domtrans_ifconfig(pacemaker_t)
+
+tunable_policy(`pacemaker_use_execmem',`
+ allow pacemaker_t self:process { execmem };
+')
optional_policy(`
corosync_read_log(pacemaker_t)
+ corosync_setattr_log(pacemaker_t)
corosync_stream_connect(pacemaker_t)
+ corosync_rw_tmpfs(pacemaker_t)
+')
+
+optional_policy(`
+ #executes heartbeat lib files
+ rgmanager_execute_lib(pacemaker_t)
')
diff --git a/pads.if b/pads.if
index 6e097c9..503c97a 100644
--- a/pads.if
+++ b/pads.if
@@ -17,15 +17,19 @@
##
##
#
-interface(`pads_admin', `
+interface(`pads_admin',`
gen_require(`
type pads_t, pads_config_t, pads_var_run_t;
type pads_initrc_exec_t;
')
- allow $1 pads_t:process { ptrace signal_perms };
+ allow $1 pads_t:process signal_perms;
ps_process_pattern($1, pads_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pads_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, pads_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pads_initrc_exec_t system_r;
diff --git a/pads.te b/pads.te
index 078adc4..77513a4 100644
--- a/pads.te
+++ b/pads.te
@@ -25,8 +25,11 @@ files_pid_file(pads_var_run_t)
#
allow pads_t self:capability { dac_override net_raw };
+allow pads_t self:netlink_route_socket create_netlink_socket_perms;
allow pads_t self:packet_socket create_socket_perms;
allow pads_t self:socket create_socket_perms;
+allow pads_t self:udp_socket create_socket_perms;
+allow pads_t self:unix_dgram_socket create_socket_perms;
allow pads_t pads_config_t:file manage_file_perms;
files_etc_filetrans(pads_t, pads_config_t, file)
@@ -39,7 +42,6 @@ kernel_read_network_state(pads_t)
corecmd_search_bin(pads_t)
-corenet_all_recvfrom_unlabeled(pads_t)
corenet_all_recvfrom_netlabel(pads_t)
corenet_tcp_sendrecv_generic_if(pads_t)
corenet_tcp_sendrecv_generic_node(pads_t)
@@ -52,11 +54,8 @@ dev_read_rand(pads_t)
dev_read_urand(pads_t)
dev_read_sysfs(pads_t)
-files_read_etc_files(pads_t)
files_search_spool(pads_t)
-miscfiles_read_localization(pads_t)
-
logging_send_syslog_msg(pads_t)
sysnet_dns_name_resolve(pads_t)
diff --git a/passenger.fc b/passenger.fc
index 2c389ea..9155bd0 100644
--- a/passenger.fc
+++ b/passenger.fc
@@ -1,10 +1,12 @@
-/usr/.*/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/.*/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/.*/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/.*/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/share/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/share/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
+/usr/share/.*/gems/.*/helper-scripts/prespawn -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0)
+/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
-/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
+/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0)
+
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --git a/passenger.if b/passenger.if
index bf59ef7..0ec51d4 100644
--- a/passenger.if
+++ b/passenger.if
@@ -15,17 +15,16 @@ interface(`passenger_domtrans',`
type passenger_t, passenger_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, passenger_exec_t, passenger_t)
')
######################################
##
-## Execute passenger in the caller domain.
+## Execute passenger in the current domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
@@ -34,13 +33,30 @@ interface(`passenger_exec',`
type passenger_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, passenger_exec_t)
')
+#######################################
+##
+## Getattr passenger log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`passenger_getattr_log_files',`
+ gen_require(`
+ type passenger_log_t;
+ ')
+
+ getattr_files_pattern($1, passenger_log_t, passenger_log_t)
+')
+
########################################
##
-## Read passenger lib files.
+## Read passenger lib files
##
##
##
@@ -53,6 +69,93 @@ interface(`passenger_read_lib_files',`
type passenger_var_lib_t;
')
- files_search_var_lib($1)
read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Manage passenger lib files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`passenger_manage_lib_files',`
+ gen_require(`
+ type passenger_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ files_search_var_lib($1)
+')
+
+#####################################
+##
+## Manage passenger var_run content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`passenger_manage_pid_content',`
+ gen_require(`
+ type passenger_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+')
+
+########################################
+##
+## Connect to passenger unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`passenger_stream_connect',`
+ gen_require(`
+ type passenger_t;
+ type passenger_tmp_t;
+ type passenger_var_run_t;
+ ')
+
+
+
+ stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t)
+ stream_connect_pattern($1, passenger_tmp_t, passenger_tmp_t, passenger_t)
+')
+
+#######################################
+##
+## Allow to manage passenger tmp files/dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`passenger_manage_tmp_files',`
+ gen_require(`
+ type passenger_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
')
diff --git a/passenger.te b/passenger.te
index 08ec33b..24ce7e8 100644
--- a/passenger.te
+++ b/passenger.te
@@ -14,6 +14,9 @@ role system_r types passenger_t;
type passenger_log_t;
logging_log_file(passenger_log_t)
+type passenger_tmp_t;
+files_tmp_file(passenger_tmp_t)
+
type passenger_var_lib_t;
files_type(passenger_var_lib_t)
@@ -22,22 +25,24 @@ files_pid_file(passenger_var_run_t)
########################################
#
-# Local policy
+# passanger local policy
#
allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
-allow passenger_t self:process { setpgid setsched sigkill signal };
+allow passenger_t self:process { setpgid setsched sigkill signal signull };
allow passenger_t self:fifo_file rw_fifo_file_perms;
-allow passenger_t self:unix_stream_socket { accept connectto listen };
+allow passenger_t self:tcp_socket listen;
+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+can_exec(passenger_t, passenger_exec_t)
manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)
-append_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
-create_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
-setattr_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
-logging_log_filetrans(passenger_t, passenger_log_t, file)
+manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
+logging_log_filetrans(passenger_t, passenger_log_t, { dir file })
manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+files_search_var_lib(passenger_t)
manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
@@ -45,7 +50,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
-can_exec(passenger_t, passenger_exec_t)
+#needed by puppet
+manage_dirs_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+manage_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+manage_sock_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir sock_file })
kernel_read_system_state(passenger_t)
kernel_read_kernel_sysctls(passenger_t)
@@ -53,13 +62,10 @@ kernel_read_network_state(passenger_t)
kernel_read_net_sysctls(passenger_t)
corenet_all_recvfrom_netlabel(passenger_t)
-corenet_all_recvfrom_unlabeled(passenger_t)
corenet_tcp_sendrecv_generic_if(passenger_t)
corenet_tcp_sendrecv_generic_node(passenger_t)
-
-corenet_sendrecv_http_client_packets(passenger_t)
corenet_tcp_connect_http_port(passenger_t)
-corenet_tcp_sendrecv_http_port(passenger_t)
+corenet_tcp_connect_postgresql_port(passenger_t)
corecmd_exec_bin(passenger_t)
corecmd_exec_shell(passenger_t)
@@ -68,8 +74,6 @@ dev_read_urand(passenger_t)
domain_read_all_domains_state(passenger_t)
-files_read_etc_files(passenger_t)
-
auth_use_nsswitch(passenger_t)
logging_send_syslog_msg(passenger_t)
@@ -94,14 +98,21 @@ optional_policy(`
')
optional_policy(`
- puppet_manage_lib_files(passenger_t)
+ mysql_stream_connect(passenger_t)
+ mysql_list_db(passenger_t)
+')
+
+optional_policy(`
+ puppet_domtrans_master(passenger_t)
+ puppet_manage_lib(passenger_t)
puppet_read_config(passenger_t)
- puppet_append_log_files(passenger_t)
- puppet_create_log_files(passenger_t)
- puppet_read_log_files(passenger_t)
+ puppet_append_log(passenger_t)
+ puppet_create_log(passenger_t)
+ puppet_read_log(passenger_t)
+ puppet_search_pid(passenger_t)
')
optional_policy(`
- rpm_exec(passenger_t)
- rpm_read_db(passenger_t)
+ rpm_exec(passenger_t)
+ rpm_read_db(passenger_t)
')
diff --git a/pcmcia.te b/pcmcia.te
index 8176e4a..2df1789 100644
--- a/pcmcia.te
+++ b/pcmcia.te
@@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t)
logging_send_syslog_msg(cardmgr_t)
-miscfiles_read_localization(cardmgr_t)
-
modutils_domtrans_insmod(cardmgr_t)
sysnet_domtrans_ifconfig(cardmgr_t)
sysnet_etc_filetrans_config(cardmgr_t)
sysnet_manage_config(cardmgr_t)
-userdom_use_user_terminals(cardmgr_t)
+userdom_use_inherited_user_terminals(cardmgr_t)
userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
userdom_dontaudit_search_user_home_dirs(cardmgr_t)
optional_policy(`
- seutil_dontaudit_read_config(cardmgr_t)
seutil_sigchld_newrole(cardmgr_t)
')
diff --git a/pcscd.if b/pcscd.if
index 43d50f9..7f77d32 100644
--- a/pcscd.if
+++ b/pcscd.if
@@ -50,7 +50,7 @@ interface(`pcscd_read_pid_files',`
')
files_search_pids($1)
- allow $1 pcscd_var_run_t:file read_file_perms;
+ read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
')
########################################
diff --git a/pcscd.te b/pcscd.te
index 1fb1964..f92c71a 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -24,8 +24,9 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
allow pcscd_t self:capability { dac_override dac_read_search fsetid };
allow pcscd_t self:process signal;
allow pcscd_t self:fifo_file rw_fifo_file_perms;
-allow pcscd_t self:unix_stream_socket { accept listen };
-allow pcscd_t self:tcp_socket { accept listen };
+allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
+allow pcscd_t self:unix_dgram_socket create_socket_perms;
+allow pcscd_t self:tcp_socket create_stream_socket_perms;
allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
@@ -36,7 +37,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
kernel_read_system_state(pcscd_t)
-corenet_all_recvfrom_unlabeled(pcscd_t)
corenet_all_recvfrom_netlabel(pcscd_t)
corenet_tcp_sendrecv_generic_if(pcscd_t)
corenet_tcp_sendrecv_generic_node(pcscd_t)
@@ -50,7 +50,6 @@ dev_rw_smartcard(pcscd_t)
dev_rw_usbfs(pcscd_t)
dev_read_sysfs(pcscd_t)
-files_read_etc_files(pcscd_t)
files_read_etc_runtime_files(pcscd_t)
term_use_unallocated_ttys(pcscd_t)
@@ -60,8 +59,6 @@ locallogin_use_fds(pcscd_t)
logging_send_syslog_msg(pcscd_t)
-miscfiles_read_localization(pcscd_t)
-
sysnet_dns_name_resolve(pcscd_t)
optional_policy(`
@@ -85,3 +82,7 @@ optional_policy(`
optional_policy(`
udev_read_db(pcscd_t)
')
+
+optional_policy(`
+ virt_rw_svirt_dev(pcscd_t)
+')
diff --git a/pegasus.fc b/pegasus.fc
index dfd46e4..4694942 100644
--- a/pegasus.fc
+++ b/pegasus.fc
@@ -1,15 +1,29 @@
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+
+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)
+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
-/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
+/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
+
+/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
diff --git a/pegasus.if b/pegasus.if
index d2fc677..ded726f 100644
--- a/pegasus.if
+++ b/pegasus.if
@@ -1,52 +1,59 @@
## The Open Group Pegasus CIM/WBEM Server.
+######################################
+##
+## Creates types and rules for a basic
+## openlmi init daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`pegasus_openlmi_domain_template',`
+ gen_require(`
+ attribute pegasus_openlmi_domain;
+ type pegasus_t;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type pegasus_openlmi_$1_t, pegasus_openlmi_domain;
+ type pegasus_openlmi_$1_exec_t;
+ init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t)
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t)
+
+ kernel_read_system_state(pegasus_openlmi_$1_t)
+ logging_send_syslog_msg(pegasus_openlmi_$1_t)
+')
+
########################################
##
-## All of the rules required to
-## administrate an pegasus environment.
+## Connect to pegasus over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Role allowed access.
-##
-##
-##
#
-interface(`pegasus_admin',`
+interface(`pegasus_stream_connect',`
gen_require(`
- type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t;
- type pegasus_cache_t, pegasus_data_t, pegasus_conf_t;
- type pegasus_mof_t, pegasus_var_run_t;
+ type pegasus_t, pegasus_var_run_t, pegasus_tmp_t;
')
- allow $1 pegasus_t:process { ptrace signal_perms };
- ps_process_pattern($1, pegasus_t)
-
- init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pegasus_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, pegasus_conf_t)
-
- files_search_usr($1)
- admin_pattern($1, pegasus_mof_t)
-
- files_search_tmp($1)
- admin_pattern($1, pegasus_tmp_t)
-
- files_search_var($1)
- admin_pattern($1, pegasus_cache_t)
-
- files_search_var_lib($1)
- admin_pattern($1, pegasus_data_t)
-
files_search_pids($1)
- admin_pattern($1, pegasus_var_run_t)
+ stream_connect_pattern($1, pegasus_var_run_t, pegasus_var_run_t, pegasus_t)
+ stream_connect_pattern($1, pegasus_tmp_t, pegasus_tmp_t, pegasus_t)
')
+
diff --git a/pegasus.te b/pegasus.te
index 608f454..938df5d 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
# Declarations
#
+attribute pegasus_openlmi_domain;
+
type pegasus_t;
type pegasus_exec_t;
init_daemon_domain(pegasus_t, pegasus_exec_t)
-type pegasus_initrc_exec_t;
-init_script_file(pegasus_initrc_exec_t)
-
type pegasus_cache_t;
files_type(pegasus_cache_t)
@@ -30,20 +29,288 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
+# pegasus openlmi providers
+pegasus_openlmi_domain_template(admin)
+typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t;
+typealias pegasus_openlmi_admin_exec_t alias pegasus_openlmi_service_exec_t;
+
+pegasus_openlmi_domain_template(account)
+domain_obj_id_change_exemption(pegasus_openlmi_account_t)
+domain_system_change_exemption(pegasus_openlmi_account_t)
+
+pegasus_openlmi_domain_template(logicalfile)
+pegasus_openlmi_domain_template(services)
+
+pegasus_openlmi_domain_template(storage)
+type pegasus_openlmi_storage_tmp_t;
+files_tmp_file(pegasus_openlmi_storage_tmp_t)
+
+type pegasus_openlmi_storage_lib_t;
+files_type(pegasus_openlmi_storage_lib_t)
+
+pegasus_openlmi_domain_template(system)
+typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t;
+pegasus_openlmi_domain_template(unconfined)
+
+#######################################
+#
+# pegasus openlmi providers local policy
+#
+
+allow pegasus_openlmi_domain self:capability { setuid setgid };
+
+allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms;
+allow pegasus_openlmi_domain self:udp_socket create_socket_perms;
+
+manage_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
+manage_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
+
+corecmd_exec_bin(pegasus_openlmi_domain)
+corecmd_exec_shell(pegasus_openlmi_domain)
+
+dev_read_sysfs(pegasus_openlmi_domain)
+
+auth_read_passwd(pegasus_openlmi_domain)
+
+sysnet_read_config(pegasus_openlmi_domain)
+
+optional_policy(`
+ pegasus_stream_connect(pegasus_openlmi_domain)
+')
+
+######################################
+#
+# pegasus openlmi account local policy
+#
+
+allow pegasus_openlmi_account_t self:capability { chown dac_override fowner fsetid };
+allow pegasus_openlmi_account_t self:process setfscreate;
+
+auth_manage_passwd(pegasus_openlmi_account_t)
+auth_manage_shadow(pegasus_openlmi_account_t)
+auth_relabel_shadow(pegasus_openlmi_account_t)
+auth_read_login_records(pegasus_openlmi_account_t)
+auth_etc_filetrans_shadow(pegasus_openlmi_account_t)
+
+logging_send_audit_msgs(pegasus_openlmi_account_t)
+logging_send_syslog_msg(pegasus_openlmi_account_t)
+
+init_rw_utmp(pegasus_openlmi_account_t)
+
+seutil_semanage_policy(pegasus_openlmi_account_t)
+
+logging_send_syslog_msg(pegasus_openlmi_account_t)
+
+seutil_read_config(pegasus_openlmi_account_t)
+seutil_read_file_contexts(pegasus_openlmi_account_t)
+seutil_read_default_contexts(pegasus_openlmi_account_t)
+
+# Add/remove user home directories
+userdom_home_filetrans_user_home_dir(pegasus_openlmi_account_t)
+userdom_manage_home_role(system_r, pegasus_openlmi_account_t)
+userdom_delete_all_user_home_content(pegasus_openlmi_account_t)
+
+optional_policy(`
+ # run userdel
+ usermanage_domtrans_useradd(pegasus_openlmi_account_t)
+')
+
+######################################
+#
+# pegasus openlmi logicalfile local policy
+#
+
+allow pegasus_openlmi_logicalfile_t self:capability { dac_override };
+files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t)
+files_manage_non_security_files(pegasus_openlmi_logicalfile_t)
+
+dev_getattr_all_blk_files(pegasus_openlmi_logicalfile_t)
+dev_getattr_all_chr_files(pegasus_openlmi_logicalfile_t)
+
+files_list_all(pegasus_openlmi_logicalfile_t)
+files_read_all_files(pegasus_openlmi_logicalfile_t)
+files_read_all_symlinks(pegasus_openlmi_logicalfile_t)
+files_read_all_blk_files(pegasus_openlmi_logicalfile_t)
+files_read_all_chr_files(pegasus_openlmi_logicalfile_t)
+files_getattr_all_pipes(pegasus_openlmi_logicalfile_t)
+files_getattr_all_sockets(pegasus_openlmi_logicalfile_t)
+
+# Add/remove user home directories
+userdom_home_filetrans_user_home_dir(pegasus_openlmi_logicalfile_t)
+userdom_manage_home_role(system_r, pegasus_openlmi_logicalfile_t)
+userdom_delete_all_user_home_content(pegasus_openlmi_logicalfile_t)
+
+optional_policy(`
+ # it can delete/create empty dirs
+ # so we want to have unconfined_domain attribute for filename rules
+ unconfined_domain(pegasus_openlmi_logicalfile_t)
+')
+
+######################################
+#
+# pegasus openlmi services local policy
+#
+
+allow pegasus_openlmi_services_t self:netlink_route_socket r_netlink_socket_perms;
+
+kernel_read_network_state(pegasus_openlmi_services_t)
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_services_t)
+')
+
+optional_policy(`
+ realmd_dbus_chat(pegasus_openlmi_services_t)
+')
+
+optional_policy(`
+ sssd_stream_connect(pegasus_openlmi_services_t)
+')
+
+######################################
+#
+# pegasus openlmi system (networking) local policy
+#
+
+allow pegasus_openlmi_system_t self:capability { net_admin };
+
+allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;
+
+kernel_read_network_state(pegasus_openlmi_system_t)
+
+dev_rw_sysfs(pegasus_openlmi_system_t)
+dev_read_urand(pegasus_openlmi_system_t)
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_system_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(pegasus_openlmi_system_t)
+')
+
+######################################
+#
+# pegasus openlmi service local policy
+#
+
+init_disable_services(pegasus_openlmi_admin_t)
+init_enable_services(pegasus_openlmi_admin_t)
+init_reload_services(pegasus_openlmi_admin_t)
+init_exec(pegasus_openlmi_admin_t)
+
+systemd_config_all_services(pegasus_openlmi_admin_t)
+systemd_manage_all_unit_files(pegasus_openlmi_admin_t)
+systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t)
+
+allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_admin_t)
+
+ optional_policy(`
+ init_dbus_chat(pegasus_openlmi_admin_t)
+ ')
+')
+
+optional_policy(`
+ sssd_search_lib(pegasus_openlmi_admin_t)
+')
+
+######################################
+#
+# pegasus openlmi storage local policy
+#
+
+allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio sys_resource ipc_lock };
+allow pegasus_openlmi_storage_t self:process setrlimit;
+
+allow pegasus_openlmi_storage_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
+files_var_lib_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, file)
+
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
+files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})
+
+kernel_read_all_sysctls(pegasus_openlmi_storage_t)
+kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
+kernel_request_load_module(pegasus_openlmi_storage_t)
+
+dev_read_rand(pegasus_openlmi_storage_t)
+dev_read_urand(pegasus_openlmi_storage_t)
+
+dev_rw_lvm_control(pegasus_openlmi_storage_t)
+dev_rw_sysfs(pegasus_openlmi_storage_t)
+
+selinux_validate_context(pegasus_openlmi_storage_t)
+
+seutil_read_file_contexts(pegasus_openlmi_storage_t)
+
+storage_raw_read_fixed_disk(pegasus_openlmi_storage_t)
+storage_raw_write_fixed_disk(pegasus_openlmi_storage_t)
+
+files_read_kernel_modules(pegasus_openlmi_storage_t)
+
+fs_getattr_all_fs(pegasus_openlmi_storage_t)
+
+modutils_domtrans_insmod(pegasus_openlmi_storage_t)
+
+udev_domtrans(pegasus_openlmi_storage_t)
+udev_read_pid_files(pegasus_openlmi_storage_t)
+
+optional_policy(`
+ dmidecode_domtrans(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ fstools_domtrans(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ iscsi_manage_lock(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ lvm_domtrans(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ mount_domtrans(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(pegasus_openlmi_storage_t)
+ raid_filetrans_named_content(pegasus_openlmi_storage_t)
+ raid_manage_conf_files(pegasus_openlmi_storage_t)
+')
+
+######################################
+#
+# pegasus openlmi unconfined local policy
+#
+
+optional_policy(`
+ unconfined_domain(pegasus_openlmi_unconfined_t)
+')
+
########################################
#
-# Local policy
+# pegasus local policy
#
allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
dontaudit pegasus_t self:capability sys_tty_config;
-allow pegasus_t self:process signal;
+allow pegasus_t self:process { setsched signal };
allow pegasus_t self:fifo_file rw_fifo_file_perms;
-allow pegasus_t self:unix_stream_socket { connectto accept listen };
-allow pegasus_t self:tcp_socket { accept listen };
+allow pegasus_t self:unix_dgram_socket create_socket_perms;
+allow pegasus_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow pegasus_t self:tcp_socket create_stream_socket_perms;
allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
-allow pegasus_t pegasus_conf_t:file { read_file_perms delete_file_perms rename_file_perms };
+allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms };
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
@@ -54,22 +321,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
-filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { dir file })
+filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { file dir })
+
+can_exec(pegasus_t, pegasus_exec_t)
allow pegasus_t pegasus_mof_t:dir list_dir_perms;
-allow pegasus_t pegasus_mof_t:file read_file_perms;
-allow pegasus_t pegasus_mof_t:lnk_file read_lnk_file_perms;
+read_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
+read_lnk_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
-files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { dir file })
+files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
+manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
-manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
-files_pid_filetrans(pegasus_t, pegasus_var_run_t, { dir file sock_file })
-
-can_exec(pegasus_t, pegasus_exec_t)
+files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
@@ -80,27 +347,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
-corenet_all_recvfrom_unlabeled(pegasus_t)
corenet_all_recvfrom_netlabel(pegasus_t)
corenet_tcp_sendrecv_generic_if(pegasus_t)
corenet_tcp_sendrecv_generic_node(pegasus_t)
corenet_tcp_sendrecv_all_ports(pegasus_t)
corenet_tcp_bind_generic_node(pegasus_t)
-
-corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
corenet_tcp_bind_pegasus_http_port(pegasus_t)
-
-corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
corenet_tcp_bind_pegasus_https_port(pegasus_t)
-
-corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
corenet_tcp_connect_pegasus_http_port(pegasus_t)
-
-corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
corenet_tcp_connect_pegasus_https_port(pegasus_t)
-
-corenet_sendrecv_generic_client_packets(pegasus_t)
corenet_tcp_connect_generic_port(pegasus_t)
+corenet_sendrecv_generic_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
@@ -114,9 +375,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
+domain_named_filetrans(pegasus_t)
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
@@ -128,18 +391,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
-miscfiles_read_localization(pegasus_t)
+mount_domtrans(pegasus_t)
+
+sysnet_read_config(pegasus_t)
+sysnet_domtrans_ifconfig(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_user_home_dirs(pegasus_t)
optional_policy(`
- dbus_system_bus_client(pegasus_t)
- dbus_connect_system_bus(pegasus_t)
+ dmidecode_domtrans(pegasus_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_t)
+ dbus_connect_system_bus(pegasus_t)
- optional_policy(`
- networkmanager_dbus_chat(pegasus_t)
- ')
+ optional_policy(`
+ networkmanager_dbus_chat(pegasus_t)
+ ')
+')
+
+optional_policy(`
+ rhcs_stream_connect_cluster(pegasus_t)
')
optional_policy(`
@@ -151,16 +425,24 @@ optional_policy(`
')
optional_policy(`
- rpm_exec(pegasus_t)
+ ricci_stream_connect_modclusterd(pegasus_t)
')
optional_policy(`
- samba_manage_config(pegasus_t)
+ realmd_dbus_chat(pegasus_t)
')
optional_policy(`
- seutil_sigchld_newrole(pegasus_t)
- seutil_dontaudit_read_config(pegasus_t)
+ rpc_read_exports(pegasus_t)
+ rpc_read_nfs_state_data(pegasus_t)
+')
+
+optional_policy(`
+ rpm_domtrans(pegasus_t)
+')
+
+optional_policy(`
+ samba_manage_config(pegasus_t)
')
optional_policy(`
@@ -168,7 +450,7 @@ optional_policy(`
')
optional_policy(`
- sysnet_domtrans_ifconfig(pegasus_t)
+ seutil_sigchld_newrole(pegasus_t)
')
optional_policy(`
diff --git a/pesign.fc b/pesign.fc
new file mode 100644
index 0000000..7b54c39
--- /dev/null
+++ b/pesign.fc
@@ -0,0 +1,6 @@
+/usr/bin/pesign -- gen_context(system_u:object_r:pesign_exec_t,s0)
+
+/usr/lib/systemd/system/pesign.service -- gen_context(system_u:object_r:pesign_unit_file_t,s0)
+
+/var/run/pesign(/.*)? gen_context(system_u:object_r:pesign_var_run_t,s0)
+/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0)
diff --git a/pesign.if b/pesign.if
new file mode 100644
index 0000000..abd5dd8
--- /dev/null
+++ b/pesign.if
@@ -0,0 +1,98 @@
+
+## pesign utility for signing UEFI binaries as well as other associated tools
+
+########################################
+##
+## Execute TEMPLATE in the pesign domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pesign_domtrans',`
+ gen_require(`
+ type pesign_t, pesign_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pesign_exec_t, pesign_t)
+')
+########################################
+##
+## Read pesign PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pesign_read_pid_files',`
+ gen_require(`
+ type pesign_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, pesign_var_run_t, pesign_var_run_t)
+')
+
+########################################
+##
+## Execute pesign server in the pesign domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pesign_systemctl',`
+ gen_require(`
+ type pesign_t;
+ type pesign_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 pesign_unit_file_t:file read_file_perms;
+ allow $1 pesign_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, pesign_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an pesign environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`pesign_admin',`
+ gen_require(`
+ type pesign_t;
+ type pesign_var_run_t;
+ type pesign_unit_file_t;
+ ')
+
+ allow $1 pesign_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pesign_t)
+
+ files_search_pids($1)
+ admin_pattern($1, pesign_var_run_t)
+
+ pesign_systemctl($1)
+ admin_pattern($1, pesign_unit_file_t)
+ allow $1 pesign_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/pesign.te b/pesign.te
new file mode 100644
index 0000000..513887d
--- /dev/null
+++ b/pesign.te
@@ -0,0 +1,43 @@
+policy_module(pesign, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pesign_t;
+type pesign_exec_t;
+init_daemon_domain(pesign_t, pesign_exec_t)
+
+type pesign_var_run_t;
+files_pid_file(pesign_var_run_t)
+
+type pesign_unit_file_t;
+systemd_unit_file(pesign_unit_file_t)
+
+########################################
+#
+# pesign local policy
+#
+
+allow pesign_t self:capability { setgid setuid };
+allow pesign_t self:process setsched;
+allow pesign_t self:fifo_file rw_fifo_file_perms;
+allow pesign_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_lnk_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_sock_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+files_pid_filetrans(pesign_t, pesign_var_run_t, { file dir })
+
+dev_read_urand(pesign_t)
+
+files_dontaudit_list_tmp(pesign_t)
+
+auth_use_nsswitch(pesign_t)
+
+logging_send_syslog_msg(pesign_t)
+
+miscfiles_read_certs(pesign_t)
+miscfiles_read_localization(pesign_t)
diff --git a/pingd.if b/pingd.if
index 21a6ecb..b99e4cb 100644
--- a/pingd.if
+++ b/pingd.if
@@ -55,7 +55,8 @@ interface(`pingd_manage_config',`
')
files_search_etc($1)
- allow $1 pingd_etc_t:file manage_file_perms;
+ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
+ manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
')
#######################################
@@ -81,9 +82,13 @@ interface(`pingd_admin',`
type pingd_initrc_exec_t;
')
- allow $1 pingd_t:process { ptrace signal_perms };
+ allow $1 pingd_t:process signal_perms;
ps_process_pattern($1, pingd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pingd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, pingd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pingd_initrc_exec_t system_r;
diff --git a/pingd.te b/pingd.te
index ab01060..3817823 100644
--- a/pingd.te
+++ b/pingd.te
@@ -10,7 +10,7 @@ type pingd_exec_t;
init_daemon_domain(pingd_t, pingd_exec_t)
type pingd_etc_t;
-files_type(pingd_etc_t)
+files_config_file(pingd_etc_t)
type pingd_initrc_exec_t;
init_script_file(pingd_initrc_exec_t)
@@ -50,5 +50,3 @@ auth_use_nsswitch(pingd_t)
files_search_usr(pingd_t)
logging_send_syslog_msg(pingd_t)
-
-miscfiles_read_localization(pingd_t)
diff --git a/piranha.fc b/piranha.fc
new file mode 100644
index 0000000..20ea9f5
--- /dev/null
+++ b/piranha.fc
@@ -0,0 +1,24 @@
+
+/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
+
+# RHEL6
+#/etc/sysconfig/ha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
+
+/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
+
+/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0)
+/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
+/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0)
+/usr/sbin/pulse -- gen_context(system_u:object_r:piranha_pulse_exec_t,s0)
+
+/var/lib/luci(/.*)? gen_context(system_u:object_r:piranha_web_data_t,s0)
+/var/lib/luci/cert(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
+/var/lib/luci/etc(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
+
+/var/log/piranha(/.*)? gen_context(system_u:object_r:piranha_log_t,s0)
+
+/var/run/fos\.pid -- gen_context(system_u:object_r:piranha_fos_var_run_t,s0)
+/var/run/lvs\.pid -- gen_context(system_u:object_r:piranha_lvs_var_run_t,s0)
+/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0)
+/var/run/pulse\.pid -- gen_context(system_u:object_r:piranha_pulse_var_run_t,s0)
+
diff --git a/piranha.if b/piranha.if
new file mode 100644
index 0000000..cf54103
--- /dev/null
+++ b/piranha.if
@@ -0,0 +1,187 @@
+## policy for piranha
+
+#######################################
+##
+## Creates types and rules for a basic
+## cluster init daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`piranha_domain_template',`
+ gen_require(`
+ attribute piranha_domain;
+ ')
+
+ ##############################
+ #
+ # piranha_$1_t declarations
+ #
+
+ type piranha_$1_t, piranha_domain;
+ type piranha_$1_exec_t;
+ init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)
+
+ # tmpfs files
+ type piranha_$1_tmpfs_t, piranha_tmpfs;
+ files_tmpfs_file(piranha_$1_tmpfs_t)
+
+ # pid files
+ type piranha_$1_var_run_t;
+ files_pid_file(piranha_$1_var_run_t)
+
+ ##############################
+ #
+ # piranha_$1_t local policy
+ #
+
+ manage_dirs_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
+ manage_files_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
+ fs_tmpfs_filetrans(piranha_$1_t, piranha_$1_tmpfs_t, { dir file })
+
+ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+ manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })
+
+ kernel_read_system_state(piranha_$1_t)
+
+ auth_use_nsswitch(piranha_$1_t)
+
+ logging_send_syslog_msg(piranha_$1_t)
+')
+
+########################################
+##
+## Execute a domain transition to run fos.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`piranha_domtrans_fos',`
+ gen_require(`
+ type piranha_fos_t, piranha_fos_exec_t;
+ ')
+
+ domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t)
+')
+
+#######################################
+##
+## Execute a domain transition to run lvsd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`piranha_domtrans_lvs',`
+ gen_require(`
+ type piranha_lvs_t, piranha_lvs_exec_t;
+ ')
+
+ domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t)
+')
+
+#######################################
+##
+## Execute a domain transition to run pulse.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`piranha_domtrans_pulse',`
+ gen_require(`
+ type piranha_pulse_t, piranha_pulse_exec_t;
+ ')
+
+ domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t)
+')
+
+#######################################
+##
+## Execute pulse server in the pulse domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`piranha_pulse_initrc_domtrans',`
+ gen_require(`
+ type piranha_pulse_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)
+')
+
+########################################
+##
+## Allow the specified domain to read piranha's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`piranha_read_log',`
+ gen_require(`
+ type piranha_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, piranha_log_t, piranha_log_t)
+')
+
+########################################
+##
+## Allow the specified domain to append
+## piranha log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`piranha_append_log',`
+ gen_require(`
+ type piranha_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, piranha_log_t, piranha_log_t)
+')
+
+########################################
+##
+## Allow domain to manage piranha log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`piranha_manage_log',`
+ gen_require(`
+ type piranha_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, piranha_log_t, piranha_log_t)
+ manage_files_pattern($1, piranha_log_t, piranha_log_t)
+ manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t)
+')
diff --git a/piranha.te b/piranha.te
new file mode 100644
index 0000000..a989aea
--- /dev/null
+++ b/piranha.te
@@ -0,0 +1,292 @@
+policy_module(piranha, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
+## Allow piranha-lvs domain to connect to the network using TCP.
+##
+##
+gen_tunable(piranha_lvs_can_network_connect, false)
+
+attribute piranha_domain;
+attribute piranha_tmpfs;
+
+piranha_domain_template(fos)
+
+piranha_domain_template(lvs)
+
+piranha_domain_template(pulse)
+
+type piranha_pulse_initrc_exec_t;
+init_script_file(piranha_pulse_initrc_exec_t)
+
+piranha_domain_template(web)
+
+type piranha_web_conf_t;
+files_config_file(piranha_web_conf_t)
+
+type piranha_web_data_t;
+files_type(piranha_web_data_t)
+
+type piranha_web_tmp_t;
+files_tmp_file(piranha_web_tmp_t)
+
+type piranha_etc_rw_t;
+files_config_file(piranha_etc_rw_t)
+
+type piranha_log_t;
+logging_log_file(piranha_log_t)
+
+#######################################
+#
+# piranha-fos local policy
+#
+
+kernel_read_kernel_sysctls(piranha_fos_t)
+
+domain_read_all_domains_state(piranha_fos_t)
+
+optional_policy(`
+ consoletype_exec(piranha_fos_t)
+')
+
+# start and stop services
+init_domtrans_script(piranha_fos_t)
+
+########################################
+#
+# piranha-gui local policy
+#
+
+allow piranha_web_t self:capability { setuid sys_nice kill setgid };
+allow piranha_web_t self:process { getsched setsched signal signull };
+
+allow piranha_web_t self:rawip_socket create_socket_perms;
+allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
+allow piranha_web_t self:sem create_sem_perms;
+allow piranha_web_t self:shm create_shm_perms;
+
+manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
+manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
+files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)
+
+read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
+
+rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
+
+manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file })
+
+can_exec(piranha_web_t, piranha_web_tmp_t)
+manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
+manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
+files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
+
+piranha_pulse_initrc_domtrans(piranha_web_t)
+
+kernel_read_kernel_sysctls(piranha_web_t)
+
+corenet_tcp_bind_http_cache_port(piranha_web_t)
+corenet_tcp_bind_luci_port(piranha_web_t)
+corenet_tcp_bind_servistaitsm_port(piranha_web_t)
+corenet_tcp_connect_ricci_port(piranha_web_t)
+
+dev_read_rand(piranha_web_t)
+dev_read_urand(piranha_web_t)
+
+domain_read_all_domains_state(piranha_web_t)
+
+
+optional_policy(`
+ consoletype_exec(piranha_web_t)
+')
+
+optional_policy(`
+ apache_read_config(piranha_web_t)
+ apache_exec_modules(piranha_web_t)
+ apache_exec(piranha_web_t)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(piranha_web_t)
+')
+
+optional_policy(`
+ sasl_connect(piranha_web_t)
+')
+
+optional_policy(`
+ snmp_dontaudit_read_snmp_var_lib_files(piranha_web_t)
+ snmp_dontaudit_write_snmp_var_lib_files(piranha_web_t)
+')
+
+######################################
+#
+# piranha-lvs local policy
+#
+
+# neede by nanny
+allow piranha_lvs_t self:capability { net_raw sys_nice };
+allow piranha_lvs_t self:process signal;
+allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
+allow piranha_lvs_t self:rawip_socket create_socket_perms;
+
+manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
+manage_dirs_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
+
+kernel_read_kernel_sysctls(piranha_lvs_t)
+
+# needed by nanny
+corenet_tcp_connect_ftp_port(piranha_lvs_t)
+corenet_tcp_connect_http_port(piranha_lvs_t)
+corenet_tcp_connect_smtp_port(piranha_lvs_t)
+
+sysnet_dns_name_resolve(piranha_lvs_t)
+
+# needed by nanny
+tunable_policy(`piranha_lvs_can_network_connect',`
+ corenet_tcp_connect_all_ports(piranha_lvs_t)
+')
+
+# needed by ipvsadm
+optional_policy(`
+ iptables_domtrans(piranha_lvs_t)
+')
+
+#######################################
+#
+# piranha-pulse local policy
+#
+
+allow piranha_pulse_t self:capability net_admin;
+
+allow piranha_pulse_t self:packet_socket create_socket_perms;
+
+# pulse starts fos and lvs daemon
+domtrans_pattern(piranha_pulse_t, piranha_fos_exec_t, piranha_fos_t)
+allow piranha_pulse_t piranha_fos_t:process signal;
+
+domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t)
+allow piranha_pulse_t piranha_lvs_t:process signal;
+
+kernel_read_kernel_sysctls(piranha_pulse_t)
+kernel_read_rpc_sysctls(piranha_pulse_t)
+kernel_rw_rpc_sysctls(piranha_pulse_t)
+kernel_search_debugfs(piranha_pulse_t)
+kernel_search_network_state(piranha_pulse_t)
+
+corecmd_exec_bin(piranha_pulse_t)
+corecmd_exec_shell(piranha_pulse_t)
+optional_policy(`
+ consoletype_exec(piranha_pulse_t)
+')
+
+corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
+corenet_udp_bind_cma_port(piranha_pulse_t)
+
+domain_read_all_domains_state(piranha_pulse_t)
+domain_getattr_all_domains(piranha_pulse_t)
+
+fs_getattr_all_fs(piranha_pulse_t)
+
+init_initrc_domain(piranha_pulse_t)
+
+logging_send_syslog_msg(piranha_pulse_t)
+
+# various services to failover
+
+optional_policy(`
+ apache_domtrans(piranha_pulse_t)
+ apache_signal(piranha_pulse_t)
+')
+
+optional_policy(`
+ ftp_domtrans(piranha_pulse_t)
+ ftp_initrc_domtrans(piranha_pulse_t)
+ ftp_systemctl(piranha_pulse_t)
+')
+
+optional_policy(`
+ hostname_exec(piranha_pulse_t)
+')
+
+optional_policy(`
+ iptables_domtrans(piranha_pulse_t)
+')
+
+optional_policy(`
+ ldap_systemctl(piranha_pulse_t)
+ ldap_initrc_domtrans(piranha_pulse_t)
+ ldap_domtrans(piranha_pulse_t)
+')
+
+optional_policy(`
+ mysql_domtrans_mysql_safe(piranha_pulse_t)
+ mysql_stream_connect(piranha_pulse_t)
+')
+
+optional_policy(`
+ netutils_domtrans(piranha_pulse_t)
+ netutils_domtrans_ping(piranha_pulse_t)
+')
+
+optional_policy(`
+ postgresql_domtrans(piranha_pulse_t)
+ postgresql_signal(piranha_pulse_t)
+')
+
+optional_policy(`
+ samba_initrc_domtrans(piranha_pulse_t)
+ samba_systemctl(piranha_pulse_t)
+ samba_domtrans_smbd(piranha_pulse_t)
+ samba_domtrans_nmbd(piranha_pulse_t)
+ samba_manage_var_files(piranha_pulse_t)
+ samba_rw_config(piranha_pulse_t)
+ samba_signal_smbd(piranha_pulse_t)
+ samba_signal_nmbd(piranha_pulse_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(piranha_pulse_t)
+')
+
+optional_policy(`
+ udev_read_db(piranha_pulse_t)
+')
+
+####################################
+#
+# piranha domains common policy
+#
+
+allow piranha_domain self:process signal_perms;
+allow piranha_domain self:fifo_file rw_fifo_file_perms;
+allow piranha_domain self:tcp_socket create_stream_socket_perms;
+allow piranha_domain self:udp_socket create_socket_perms;
+allow piranha_domain self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t)
+
+manage_files_pattern(piranha_pulse_t, piranha_tmpfs,piranha_tmpfs)
+manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs ,piranha_tmpfs)
+
+kernel_read_network_state(piranha_domain)
+
+corenet_tcp_sendrecv_generic_if(piranha_domain)
+corenet_udp_sendrecv_generic_if(piranha_domain)
+corenet_tcp_sendrecv_generic_node(piranha_domain)
+corenet_udp_sendrecv_generic_node(piranha_domain)
+corenet_tcp_sendrecv_all_ports(piranha_domain)
+corenet_udp_sendrecv_all_ports(piranha_domain)
+corenet_tcp_bind_generic_node(piranha_domain)
+corenet_udp_bind_generic_node(piranha_domain)
+
+corecmd_exec_bin(piranha_domain)
+corecmd_exec_shell(piranha_domain)
+
+sysnet_read_config(piranha_domain)
diff --git a/pkcs.te b/pkcs.te
index 8eb3f7b..7c08f64 100644
--- a/pkcs.te
+++ b/pkcs.te
@@ -7,21 +7,27 @@ policy_module(pkcs, 1.0.1)
type pkcs_slotd_t;
type pkcs_slotd_exec_t;
+typealias pkcs_slotd_t alias pkcsslotd_t;
+typealias pkcs_slotd_exec_t alias pkcsslotd_exec_t;
init_daemon_domain(pkcs_slotd_t, pkcs_slotd_exec_t)
type pkcs_slotd_initrc_exec_t;
init_script_file(pkcs_slotd_initrc_exec_t)
type pkcs_slotd_var_lib_t;
+typealias pkcs_slotd_var_lib_t alias pkcsslotd_var_lib_t;
files_type(pkcs_slotd_var_lib_t)
type pkcs_slotd_var_run_t;
+typealias pkcs_slotd_var_run_t alias pkcsslotd_var_run_t;
files_pid_file(pkcs_slotd_var_run_t)
type pkcs_slotd_tmp_t;
+typealias pkcs_slotd_tmp_t alias pkcsslotd_tmp_t;
files_tmp_file(pkcs_slotd_tmp_t)
type pkcs_slotd_tmpfs_t;
+typealias pkcs_slotd_tmpfs_t alias pkcsslotd_tmpfs_t;
files_tmpfs_file(pkcs_slotd_tmpfs_t)
########################################
@@ -53,8 +59,5 @@ manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
-files_read_etc_files(pkcs_slotd_t)
-
logging_send_syslog_msg(pkcs_slotd_t)
-miscfiles_read_localization(pkcs_slotd_t)
diff --git a/pki.fc b/pki.fc
new file mode 100644
index 0000000..726d992
--- /dev/null
+++ b/pki.fc
@@ -0,0 +1,56 @@
+/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
+/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
+/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+
+/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
+/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
+/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0)
+/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+/var/lib/pki-ra/pki-ra gen_context(system_u:object_r:pki_ra_exec_t,s0)
+
+/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
+/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
+/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0)
+/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+/var/lib/pki-tps/pki-tps gen_context(system_u:object_r:pki_tps_exec_t,s0)
+
+# default labeling for nCipher
+/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0)
+/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0)
+/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0)
+/dev/nfast(/.*)? gen_context(system_u:object_r:pki_common_dev_t, s0)
+
+# old paths (for migration)
+/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-ca.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-ca/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/var/lib/ipa/pki-ca/publish(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-kra.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-kra/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-ocsp/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-tks/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+
+/var/lock/subsys/pkidaemon -- gen_context(system_u:object_r:pki_tomcat_lock_t,s0)
+
+#/etc/systemd/system/pki-tomcatd\.target\.wants(/.*)? gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
index 0000000..b975b85
--- /dev/null
+++ b/pki.if
@@ -0,0 +1,294 @@
+
+## policy for pki
+
+########################################
+##
+## Allow read and write pki cert files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_rw_tomcat_cert',`
+ gen_require(`
+ type pki_tomcat_cert_t;
+ type pki_tomcat_etc_rw_t;
+ ')
+
+ allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms;
+ rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+ create_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+')
+
+########################################
+##
+## Allow domain to read pki cert files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_read_tomcat_cert',`
+ gen_require(`
+ type pki_tomcat_cert_t;
+ ')
+
+ read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+ read_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+')
+
+########################################
+##
+## Create a set of derived types for apache
+## web content.
+##
+##
+##
+## The prefix to be used for deriving type names.
+##
+##
+#
+template(`pki_apache_template',`
+ gen_require(`
+ attribute pki_apache_domain;
+ attribute pki_apache_config, pki_apache_var_lib, pki_apache_var_run;
+ attribute pki_apache_executable, pki_apache_script, pki_apache_var_log;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t, pki_apache_domain;
+ type $1_exec_t, pki_apache_executable;
+ domain_type($1_t)
+ init_daemon_domain($1_t, $1_exec_t)
+
+ type $1_script_exec_t, pki_apache_script;
+ init_script_file($1_script_exec_t)
+
+ type $1_etc_rw_t, pki_apache_config;
+ files_type($1_etc_rw_t)
+
+ type $1_var_run_t, pki_apache_var_run;
+ files_pid_file($1_var_run_t)
+
+ type $1_var_lib_t, pki_apache_var_lib;
+ files_type($1_var_lib_t)
+
+ type $1_log_t, pki_apache_var_log;
+ logging_log_file($1_log_t)
+
+ type $1_lock_t;
+ files_lock_file($1_lock_t)
+
+ type $1_tmp_t;
+ files_tmpfs_file($1_tmp_t)
+
+ ########################################
+ #
+ # $1 local policy
+ #
+
+ files_read_etc_files($1_t)
+ allow $1_t $1_etc_rw_t:lnk_file read;
+
+ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t,$1_var_run_t, { file dir })
+
+ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
+
+ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
+ manage_files_pattern($1_t, $1_log_t, $1_log_t)
+ logging_log_filetrans($1_t, $1_log_t, { file dir } )
+
+ manage_dirs_pattern($1_t, $1_lock_t, $1_lock_t)
+ manage_files_pattern($1_t, $1_lock_t, $1_lock_t)
+ manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t)
+ files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file })
+
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
+ #talk to lunasa hsm
+ logging_send_syslog_msg($1_t)
+
+ kernel_read_kernel_sysctls($1_t)
+ kernel_read_system_state($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+
+ # need to resolve addresses?
+ auth_use_nsswitch($1_t)
+
+ #pki_apache_domain_signal(httpd_t)
+ #pki_apache_domain_signal(httpd_t)
+ #pki_manage_apache_run(httpd_t)
+ #pki_manage_apache_config_files(httpd_t)
+ #pki_manage_apache_log_files(httpd_t)
+ #pki_manage_apache_lib(httpd_t)
+')
+
+#######################################
+##
+## Send a null signal to pki apache domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_apache_domain_signal',`
+ gen_require(`
+ attribute pki_apache_domain;
+ ')
+
+ allow $1 pki_apache_domain:process signal;
+')
+
+#######################################
+##
+## Send a null signal to pki apache domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_apache_domain_signull',`
+ gen_require(`
+ attribute pki_apache_domain;
+ ')
+
+ allow $1 pki_apache_domain:process signull;
+')
+
+###################################
+##
+## Allow domain to read pki apache subsystem pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_manage_apache_run',`
+ gen_require(`
+ attribute pki_apache_var_run;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, pki_apache_var_run, pki_apache_var_run)
+')
+
+####################################
+##
+## Allow domain to manage pki apache subsystem lib files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_manage_apache_lib',`
+ gen_require(`
+ attribute pki_apache_var_lib;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
+ manage_lnk_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
+')
+
+##################################
+##
+## Dontaudit domain to write pki log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_dontaudit_write_log',`
+ gen_require(`
+ type pki_log_t;
+ ')
+
+ dontaudit $1 pki_log_t:file write;
+')
+
+###################################
+##
+## Allow domain to manage pki apache subsystem log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_manage_apache_log_files',`
+ gen_require(`
+ attribute pki_apache_var_log;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, pki_apache_var_log, pki_apache_var_log)
+')
+
+##################################
+##
+## Allow domain to manage pki apache subsystem config files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_manage_apache_config_files',`
+ gen_require(`
+ attribute pki_apache_config;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, pki_apache_config, pki_apache_config)
+')
+
+#################################
+##
+## Allow domain to read pki tomcat lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_read_tomcat_lib_files',`
+ gen_require(`
+ type pki_tomcat_var_lib_t;
+ ')
+
+ read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+ read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+')
diff --git a/pki.te b/pki.te
new file mode 100644
index 0000000..17f5d18
--- /dev/null
+++ b/pki.te
@@ -0,0 +1,284 @@
+policy_module(pki,10.0.11)
+
+########################################
+#
+# Declarations
+#
+
+attribute pki_apache_domain;
+attribute pki_apache_config;
+attribute pki_apache_executable;
+attribute pki_apache_var_lib;
+attribute pki_apache_var_log;
+attribute pki_apache_var_run;
+attribute pki_apache_pidfiles;
+attribute pki_apache_script;
+
+type pki_log_t;
+files_type(pki_log_t)
+
+type pki_common_t;
+files_type(pki_common_t)
+
+type pki_common_dev_t;
+files_type(pki_common_dev_t)
+
+type pki_tomcat_etc_rw_t;
+files_type(pki_tomcat_etc_rw_t)
+
+type pki_tomcat_cert_t;
+files_type(pki_tomcat_cert_t)
+
+tomcat_domain_template(pki_tomcat)
+
+type pki_tomcat_unit_file_t;
+systemd_unit_file(pki_tomcat_unit_file_t)
+
+type pki_tomcat_lock_t;
+files_lock_file(pki_tomcat_lock_t)
+
+# old type aliases for migration
+typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
+typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
+typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
+typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
+typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
+# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
+
+
+# pki policy types
+type pki_tps_tomcat_exec_t;
+files_type(pki_tps_tomcat_exec_t)
+
+pki_apache_template(pki_tps)
+
+# ra policy types
+type pki_ra_tomcat_exec_t;
+files_type(pki_ra_tomcat_exec_t)
+
+pki_apache_template(pki_ra)
+
+# needed for dogtag 9 style instances
+type pki_tomcat_script_t;
+domain_type(pki_tomcat_script_t)
+role system_r types pki_tomcat_script_t;
+
+optional_policy(`
+ unconfined_domain(pki_tomcat_script_t)
+')
+
+########################################
+#
+# pki-tomcat local policy
+#
+
+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
+allow pki_tomcat_t self:process { signal setsched signull execmem };
+
+allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
+allow pki_tomcat_t self:tcp_socket { accept listen };
+
+# allow writing to the kernel keyring
+allow pki_tomcat_t self:key { write read };
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
+files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })
+
+read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)
+read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
+allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
+allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;
+systemd_search_unit_dirs(pki_tomcat_t)
+
+# allow java subsystems to talk to the ncipher hsm
+allow pki_tomcat_t pki_common_dev_t:sock_file write;
+allow pki_tomcat_t pki_common_dev_t:dir search;
+allow pki_tomcat_t pki_common_t:dir create_dir_perms;
+manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
+can_exec(pki_tomcat_t, pki_common_t)
+init_stream_connect_script(pki_tomcat_t)
+
+search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
+
+kernel_read_kernel_sysctls(pki_tomcat_t)
+
+corenet_tcp_connect_http_cache_port(pki_tomcat_t)
+corenet_tcp_connect_ldap_port(pki_tomcat_t)
+corenet_tcp_connect_smtp_port(pki_tomcat_t)
+corenet_tcp_connect_pki_ca_port(pki_tomcat_t)
+
+selinux_get_enforce_mode(pki_tomcat_t)
+
+logging_send_audit_msgs(pki_tomcat_t)
+
+miscfiles_read_hwdata(pki_tomcat_t)
+
+# is this really needed?
+userdom_manage_user_tmp_dirs(pki_tomcat_t)
+userdom_manage_user_tmp_files(pki_tomcat_t)
+
+# forward proxy
+# need to define ports to fix this
+#corenet_tcp_connect_pki_tomcat_port(httpd_t)
+
+# for crl publishing
+allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
+
+# for ECC
+auth_getattr_shadow(pki_tomcat_t)
+
+optional_policy(`
+ consoletype_exec(pki_tomcat_t)
+')
+
+optional_policy(`
+ dirsrv_manage_var_lib(pki_tomcat_t)
+')
+
+optional_policy(`
+ hostname_exec(pki_tomcat_t)
+')
+
+#######################################
+#
+# tps local policy
+#
+
+# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
+allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
+
+corenet_tcp_bind_pki_tps_port(pki_tps_t)
+# customer may run an ldap server on 389
+corenet_tcp_connect_ldap_port(pki_tps_t)
+# connect to other subsystems
+corenet_tcp_connect_pki_ca_port(pki_tps_t)
+corenet_tcp_connect_pki_kra_port(pki_tps_t)
+corenet_tcp_connect_pki_tks_port(pki_tps_t)
+
+files_exec_usr_files(pki_tps_t)
+
+# why do I need to add this?
+#allow httpd_t httpd_config_t:file execute;
+
+######################################
+#
+# ra local policy
+#
+
+# RA specific? talking to mysql?
+allow pki_ra_t self:udp_socket { write read create connect };
+allow pki_ra_t self:unix_dgram_socket { write create connect };
+
+corenet_tcp_bind_pki_ra_port(pki_ra_t)
+# talk to other subsystems
+corenet_tcp_connect_pki_ca_port(pki_ra_t)
+corenet_tcp_connect_smtp_port(pki_ra_t)
+
+fs_getattr_xattr_fs(pki_ra_t)
+
+files_search_spool(pki_ra_t)
+files_exec_usr_files(pki_ra_t)
+
+optional_policy(`
+ mta_send_mail(pki_ra_t)
+ mta_manage_spool(pki_ra_t)
+ mta_manage_queue(pki_ra_t)
+ mta_read_config(pki_ra_t)
+')
+
+#####################################
+#
+# pki_apache_domain local policy
+#
+
+
+allow pki_apache_domain self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};
+allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill};
+
+allow pki_apache_domain self:sem all_sem_perms;
+allow pki_apache_domain self:tcp_socket create_stream_socket_perms;
+allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };
+
+# allow writing to the kernel keyring
+allow pki_apache_domain self:key { write read };
+
+## internal communication is often done using fifo and unix sockets.
+allow pki_apache_domain self:fifo_file rw_file_perms;
+allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;
+
+# talk to the hsm
+allow pki_apache_domain pki_common_dev_t:sock_file write;
+allow pki_apache_domain pki_common_dev_t:dir search;
+allow pki_apache_domain pki_common_t:dir create_dir_perms;
+manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)
+can_exec(pki_apache_domain, pki_common_t)
+init_stream_connect_script(pki_apache_domain)
+
+corenet_sendrecv_unlabeled_packets(pki_apache_domain)
+corenet_tcp_bind_all_nodes(pki_apache_domain)
+corenet_tcp_sendrecv_all_if(pki_apache_domain)
+corenet_tcp_sendrecv_all_nodes(pki_apache_domain)
+corenet_tcp_sendrecv_all_ports(pki_apache_domain)
+#corenet_all_recvfrom_unlabeled(pki_apache_domain)
+corenet_tcp_connect_generic_port(pki_apache_domain)
+
+# Init script handling
+domain_use_interactive_fds(pki_apache_domain)
+
+seutil_exec_setfiles(pki_apache_domain)
+
+init_dontaudit_write_utmp(pki_apache_domain)
+
+libs_use_ld_so(pki_apache_domain)
+libs_use_shared_libs(pki_apache_domain)
+libs_exec_ld_so(pki_apache_domain)
+libs_exec_lib_files(pki_apache_domain)
+
+fs_search_cgroup_dirs(pki_apache_domain)
+
+corecmd_exec_bin(pki_apache_domain)
+corecmd_exec_shell(pki_apache_domain)
+
+dev_read_urand(pki_apache_domain)
+dev_read_rand(pki_apache_domain)
+
+# shutdown script uses ps
+domain_dontaudit_read_all_domains_state(pki_apache_domain)
+ps_process_pattern(pki_apache_domain, pki_apache_domain)
+
+sysnet_read_config(pki_apache_domain)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(pki_apache_domain)
+ term_dontaudit_use_generic_ptys(pki_apache_domain)
+')
+
+optional_policy(`
+ # apache permissions
+ apache_exec_modules(pki_apache_domain)
+ apache_list_modules(pki_apache_domain)
+ apache_read_config(pki_apache_domain)
+ apache_exec(pki_apache_domain)
+ apache_exec_suexec(pki_apache_domain)
+ apache_entrypoint(pki_apache_domain)
+
+ # should be started using a script which will execute httpd
+ # start up httpd in pki_apache_domain mode
+ #can_exec(pki_apache_domain, httpd_config_t)
+ #can_exec(pki_apache_domain, httpd_suexec_exec_t)
+')
+
+# allow rpm -q in init scripts
+optional_policy(`
+ rpm_exec(pki_apache_domain)
+')
+
diff --git a/plymouthd.fc b/plymouthd.fc
index 735500f..2ba6832 100644
--- a/plymouthd.fc
+++ b/plymouthd.fc
@@ -1,15 +1,14 @@
-/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
-/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
-/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
-/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
-/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+/var/log/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
-/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
+/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
-/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
-
-/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
diff --git a/plymouthd.if b/plymouthd.if
index 30e751f..78fb7c6 100644
--- a/plymouthd.if
+++ b/plymouthd.if
@@ -1,4 +1,4 @@
-## Plymouth graphical boot.
+## Plymouth graphical boot
########################################
##
@@ -10,18 +10,17 @@
##
##
#
-interface(`plymouthd_domtrans',`
+interface(`plymouthd_domtrans', `
gen_require(`
type plymouthd_t, plymouthd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
')
########################################
##
-## Execute plymouthd in the caller domain.
+## Execute the plymoth daemon in the current domain
##
##
##
@@ -29,19 +28,18 @@ interface(`plymouthd_domtrans',`
##
##
#
-interface(`plymouthd_exec',`
+interface(`plymouthd_exec', `
gen_require(`
type plymouthd_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, plymouthd_exec_t)
')
########################################
##
-## Connect to plymouthd using a unix
-## domain stream socket.
+## Allow domain to Stream socket connect
+## to Plymouth daemon.
##
##
##
@@ -49,18 +47,17 @@ interface(`plymouthd_exec',`
##
##
#
-interface(`plymouthd_stream_connect',`
+interface(`plymouthd_stream_connect', `
gen_require(`
- type plymouthd_t, plymouthd_spool_t;
+ type plymouthd_t;
')
- files_search_spool($1)
- stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
+ allow $1 plymouthd_t:unix_stream_socket connectto;
')
########################################
##
-## Execute plymouth in the caller domain.
+## Execute the plymoth command in the current domain
##
##
##
@@ -68,18 +65,17 @@ interface(`plymouthd_stream_connect',`
##
##
#
-interface(`plymouthd_exec_plymouth',`
+interface(`plymouthd_exec_plymouth', `
gen_require(`
type plymouth_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, plymouth_exec_t)
')
########################################
##
-## Execute a domain transition to run plymouth.
+## Execute a domain transition to run plymouthd.
##
##
##
@@ -87,12 +83,11 @@ interface(`plymouthd_exec_plymouth',`
##
##
#
-interface(`plymouthd_domtrans_plymouth',`
+interface(`plymouthd_domtrans_plymouth', `
gen_require(`
type plymouth_t, plymouth_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, plymouth_exec_t, plymouth_t)
')
@@ -106,13 +101,13 @@ interface(`plymouthd_domtrans_plymouth',`
##
##
#
-interface(`plymouthd_search_spool',`
+interface(`plymouthd_search_spool', `
gen_require(`
type plymouthd_spool_t;
')
- files_search_spool($1)
allow $1 plymouthd_spool_t:dir search_dir_perms;
+ files_search_spool($1)
')
########################################
@@ -145,7 +140,7 @@ interface(`plymouthd_read_spool_files',`
##
##
#
-interface(`plymouthd_manage_spool_files',`
+interface(`plymouthd_manage_spool_files', `
gen_require(`
type plymouthd_spool_t;
')
@@ -164,13 +159,13 @@ interface(`plymouthd_manage_spool_files',`
##
##
#
-interface(`plymouthd_search_lib',`
+interface(`plymouthd_search_lib', `
gen_require(`
type plymouthd_var_lib_t;
')
- files_search_var_lib($1)
allow $1 plymouthd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
@@ -183,7 +178,7 @@ interface(`plymouthd_search_lib',`
##
##
#
-interface(`plymouthd_read_lib_files',`
+interface(`plymouthd_read_lib_files', `
gen_require(`
type plymouthd_var_lib_t;
')
@@ -203,7 +198,7 @@ interface(`plymouthd_read_lib_files',`
##
##
#
-interface(`plymouthd_manage_lib_files',`
+interface(`plymouthd_manage_lib_files', `
gen_require(`
type plymouthd_var_lib_t;
')
@@ -214,7 +209,7 @@ interface(`plymouthd_manage_lib_files',`
########################################
##
-## Read plymouthd pid files.
+## Read plymouthd PID files.
##
##
##
@@ -222,7 +217,7 @@ interface(`plymouthd_manage_lib_files',`
##
##
#
-interface(`plymouthd_read_pid_files',`
+interface(`plymouthd_read_pid_files', `
gen_require(`
type plymouthd_var_run_t;
')
@@ -233,36 +228,113 @@ interface(`plymouthd_read_pid_files',`
########################################
##
-## All of the rules required to
-## administrate an plymouthd environment.
+## Allow the specified domain to read
+## to plymouthd log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_read_log',`
+ gen_require(`
+ type plymouthd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+')
+
+#####################################
+##
+## Allow the specified domain to create plymouthd's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_create_log',`
+ gen_require(`
+ type plymouthd_log_t;
+ ')
+
+ logging_search_logs($1)
+ create_files_pattern($1, plymouthd_log_t, plymouthd_log_t)
+')
+
+
+########################################
+##
+## Allow the specified domain to manage
+## to plymouthd log files.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`plymouthd_manage_log',`
+ gen_require(`
+ type plymouthd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+ manage_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+ read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+')
+
+#######################################
+##
+## Allow domain to create boot.log
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_filetrans_named_content',`
+
+ gen_require(`
+ type plymouthd_var_log_t;
+ ')
+
+ logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log")
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an plymouthd environment
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
-interface(`plymouthd_admin',`
+interface(`plymouthd_admin', `
gen_require(`
type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
type plymouthd_var_run_t;
')
- allow $1 plymouthd_t:process { ptrace signal_perms };
- read_files_pattern($1, plymouthd_t, plymouthd_t)
+ allow $1 plymouthd_t:process signal_perms;
+ ps_process_pattern($1, plymouthd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 plymouthd_t:process ptrace;
+ ')
- files_search_spool($1)
+ files_list_var_lib($1)
admin_pattern($1, plymouthd_spool_t)
- files_search_var_lib($1)
admin_pattern($1, plymouthd_var_lib_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/plymouthd.te b/plymouthd.te
index 3078ce9..c1a1267 100644
--- a/plymouthd.te
+++ b/plymouthd.te
@@ -15,7 +15,7 @@ type plymouthd_exec_t;
init_daemon_domain(plymouthd_t, plymouthd_exec_t)
type plymouthd_spool_t;
-files_type(plymouthd_spool_t)
+files_spool_file(plymouthd_spool_t)
type plymouthd_var_lib_t;
files_type(plymouthd_var_lib_t)
@@ -28,12 +28,12 @@ files_pid_file(plymouthd_var_run_t)
########################################
#
-# Daemon local policy
+# Plymouthd private policy
#
allow plymouthd_t self:capability { sys_admin sys_tty_config };
-dontaudit plymouthd_t self:capability dac_override;
allow plymouthd_t self:capability2 block_suspend;
+dontaudit plymouthd_t self:capability dac_override;
allow plymouthd_t self:process { signal getsched };
allow plymouthd_t self:fifo_file rw_fifo_file_perms;
allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
@@ -48,9 +48,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
-append_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
-create_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
-setattr_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
@@ -70,19 +68,27 @@ domain_use_interactive_fds(plymouthd_t)
fs_getattr_all_fs(plymouthd_t)
-files_read_etc_files(plymouthd_t)
-files_read_usr_files(plymouthd_t)
term_getattr_pty_fs(plymouthd_t)
term_use_all_terms(plymouthd_t)
term_use_ptmx(plymouthd_t)
-miscfiles_read_localization(plymouthd_t)
+init_signal(plymouthd_t)
+
+logging_link_generic_logs(plymouthd_t)
+logging_delete_generic_logs(plymouthd_t)
+
+auth_read_passwd(plymouthd_t)
+
miscfiles_read_fonts(plymouthd_t)
miscfiles_manage_fonts_cache(plymouthd_t)
+userdom_read_admin_home_files(plymouthd_t)
+
+term_use_unallocated_ttys(plymouthd_t)
+
optional_policy(`
- gnome_read_generic_home_content(plymouthd_t)
+ gnome_read_config(plymouthd_t)
')
optional_policy(`
@@ -90,35 +96,33 @@ optional_policy(`
')
optional_policy(`
- xserver_manage_xdm_spool_files(plymouthd_t)
- xserver_read_xdm_state(plymouthd_t)
+ xserver_xdm_manage_spool(plymouthd_t)
+ xserver_read_state_xdm(plymouthd_t)
')
########################################
#
-# Client local policy
+# Plymouth private policy
#
allow plymouth_t self:process signal;
-allow plymouth_t self:fifo_file rw_fifo_file_perms;
+allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
-stream_connect_pattern(plymouth_t, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
-
kernel_read_system_state(plymouth_t)
kernel_stream_connect(plymouth_t)
domain_use_interactive_fds(plymouth_t)
-files_read_etc_files(plymouth_t)
term_use_ptmx(plymouth_t)
-miscfiles_read_localization(plymouth_t)
sysnet_read_config(plymouth_t)
-ifdef(`hide_broken_symptoms',`
+plymouthd_stream_connect(plymouth_t)
+
+ifdef(`hide_broken_symptoms', `
optional_policy(`
hal_dontaudit_write_log(plymouth_t)
hal_dontaudit_rw_pipes(plymouth_t)
diff --git a/podsleuth.te b/podsleuth.te
index 9123f71..5bf10ce 100644
--- a/podsleuth.te
+++ b/podsleuth.te
@@ -29,7 +29,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
#
allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
-allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
+allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
+
allow podsleuth_t self:fifo_file rw_fifo_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
allow podsleuth_t self:sem create_sem_perms;
@@ -65,7 +66,6 @@ corenet_tcp_sendrecv_http_port(podsleuth_t)
dev_read_urand(podsleuth_t)
-files_read_etc_files(podsleuth_t)
fs_mount_dos_fs(podsleuth_t)
fs_unmount_dos_fs(podsleuth_t)
@@ -76,8 +76,6 @@ fs_getattr_tmpfs(podsleuth_t)
fs_list_tmpfs(podsleuth_t)
fs_rw_removable_blk_files(podsleuth_t)
-miscfiles_read_localization(podsleuth_t)
-
sysnet_dns_name_resolve(podsleuth_t)
userdom_signal_unpriv_users(podsleuth_t)
diff --git a/policykit.fc b/policykit.fc
index 1d76c72..93d09d9 100644
--- a/policykit.fc
+++ b/policykit.fc
@@ -1,23 +1,22 @@
-/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
-/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-
-/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
-/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
-/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
-/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/bin/pkla-check-authorization -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
-/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
-/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
-/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/kde4/polkit-kde-authentication-agent-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
-/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
-/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
-/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
-/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
-/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
diff --git a/policykit.if b/policykit.if
index 032a84d..be00a65 100644
--- a/policykit.if
+++ b/policykit.if
@@ -17,6 +17,8 @@ interface(`policykit_dbus_chat',`
class dbus send_msg;
')
+ ps_process_pattern(policykit_t, $1)
+
allow $1 policykit_t:dbus send_msg;
allow policykit_t $1:dbus send_msg;
')
@@ -24,7 +26,7 @@ interface(`policykit_dbus_chat',`
########################################
##
## Send and receive messages from
-## policykit auth over dbus.
+## policykit over dbus.
##
##
##
@@ -38,6 +40,8 @@ interface(`policykit_dbus_chat_auth',`
class dbus send_msg;
')
+ ps_process_pattern(policykit_auth_t, $1)
+
allow $1 policykit_auth_t:dbus send_msg;
allow policykit_auth_t $1:dbus send_msg;
')
@@ -47,9 +51,9 @@ interface(`policykit_dbus_chat_auth',`
## Execute a domain transition to run polkit_auth.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`policykit_domtrans_auth',`
@@ -57,15 +61,13 @@ interface(`policykit_domtrans_auth',`
type policykit_auth_t, policykit_auth_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
')
########################################
##
-## Execute a policy_auth in the policy
-## auth domain, and allow the specified
-## role the policy auth domain.
+## Execute a policy_auth in the policy_auth domain, and
+## allow the specified role the policy_auth domain,
##
##
##
@@ -77,24 +79,28 @@ interface(`policykit_domtrans_auth',`
## Role allowed access.
##
##
+##
#
interface(`policykit_run_auth',`
gen_require(`
- attribute_role policykit_auth_roles;
+ type policykit_auth_t;
')
policykit_domtrans_auth($1)
- roleattribute $2 policykit_auth_roles;
+ role $2 types policykit_auth_t;
+
+ allow $1 policykit_auth_t:process signal;
+ ps_process_pattern(policykit_auth_t, $1)
')
########################################
##
-## Execute a domain transition to run polkit grant.
+## Execute a domain transition to run polkit_grant.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`policykit_domtrans_grant',`
@@ -102,15 +108,13 @@ interface(`policykit_domtrans_grant',`
type policykit_grant_t, policykit_grant_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
')
########################################
##
-## Execute a policy_grant in the policy
-## grant domain, and allow the specified
-## role the policy grant domain.
+## Execute a policy_grant in the policy_grant domain, and
+## allow the specified role the policy_grant domain,
##
##
##
@@ -126,16 +130,20 @@ interface(`policykit_domtrans_grant',`
#
interface(`policykit_run_grant',`
gen_require(`
- attribute_role policykit_grant_roles;
+ type policykit_grant_t;
')
policykit_domtrans_grant($1)
- roleattribute $2 policykit_grant_roles;
+ role $2 types policykit_grant_t;
+
+ allow $1 policykit_grant_t:process signal;
+
+ ps_process_pattern(policykit_grant_t, $1)
')
########################################
##
-## Read policykit reload files.
+## read policykit reload files
##
##
##
@@ -154,7 +162,7 @@ interface(`policykit_read_reload',`
########################################
##
-## Read and write policykit reload files.
+## rw policykit reload files
##
##
##
@@ -173,12 +181,12 @@ interface(`policykit_rw_reload',`
########################################
##
-## Execute a domain transition to run polkit resolve.
+## Execute a domain transition to run polkit_resolve.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`policykit_domtrans_resolve',`
@@ -186,8 +194,9 @@ interface(`policykit_domtrans_resolve',`
type policykit_resolve_t, policykit_resolve_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
+
+ ps_process_pattern(policykit_resolve_t, $1)
')
########################################
@@ -205,13 +214,13 @@ interface(`policykit_search_lib',`
type policykit_var_lib_t;
')
- files_search_var_lib($1)
allow $1 policykit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
##
-## Read policykit lib files.
+## read policykit lib files
##
##
##
@@ -226,4 +235,50 @@ interface(`policykit_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
+
+ optional_policy(`
+ # Broken placement
+ cron_read_system_job_lib_files($1)
+ ')
+')
+
+#######################################
+##
+## The per role template for the policykit module.
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+template(`policykit_role',`
+ policykit_run_auth($2, $1)
+ policykit_run_grant($2, $1)
+ policykit_read_lib($2)
+ policykit_read_reload($2)
+ policykit_dbus_chat($2)
+')
+
+########################################
+##
+## Send generic signal to policy_auth
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`policykit_signal_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ ')
+
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
index ee91778..9baeb1b 100644
--- a/policykit.te
+++ b/policykit.te
@@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0)
attribute policykit_domain;
-attribute_role policykit_auth_roles;
-attribute_role policykit_grant_roles;
-
type policykit_t, policykit_domain;
type policykit_exec_t;
init_daemon_domain(policykit_t, policykit_exec_t)
@@ -17,12 +14,10 @@ init_daemon_domain(policykit_t, policykit_exec_t)
type policykit_auth_t, policykit_domain;
type policykit_auth_exec_t;
init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
-role policykit_auth_roles types policykit_auth_t;
type policykit_grant_t, policykit_domain;
type policykit_grant_exec_t;
init_system_domain(policykit_grant_t, policykit_grant_exec_t)
-role policykit_grant_roles types policykit_grant_t;
type policykit_resolve_t, policykit_domain;
type policykit_resolve_exec_t;
@@ -42,63 +37,68 @@ files_pid_file(policykit_var_run_t)
#######################################
#
-# Common policykit domain local policy
+# policykit_domain local policy
#
allow policykit_domain self:process { execmem getattr };
allow policykit_domain self:fifo_file rw_fifo_file_perms;
-kernel_search_proc(policykit_domain)
-
-corecmd_exec_bin(policykit_domain)
-
dev_read_sysfs(policykit_domain)
-files_read_usr_files(policykit_domain)
-
-logging_send_syslog_msg(policykit_domain)
-
-miscfiles_read_localization(policykit_domain)
-
########################################
#
-# Local policy
+# policykit local policy
#
allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
allow policykit_t self:process { getsched setsched signal };
-allow policykit_t self:unix_stream_socket { accept connectto listen };
+allow policykit_t self:unix_dgram_socket create_socket_perms;
+allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+policykit_domtrans_auth(policykit_t)
+allow policykit_t policykit_auth_t:process signal;
+
+can_exec(policykit_t, policykit_exec_t)
+corecmd_exec_bin(policykit_t)
+
+dev_read_sysfs(policykit_t)
rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
+policykit_domtrans_resolve(policykit_t)
+
manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
-can_exec(policykit_t, policykit_exec_t)
-
-domtrans_pattern(policykit_t, policykit_auth_exec_t, policykit_auth_t)
-domtrans_pattern(policykit_t, policykit_resolve_exec_t, policykit_resolve_t)
-
-kernel_read_kernel_sysctls(policykit_t)
kernel_read_system_state(policykit_t)
+kernel_read_kernel_sysctls(policykit_t)
domain_read_all_domains_state(policykit_t)
files_dontaudit_search_all_mountpoints(policykit_t)
+fs_getattr_all_fs(policykit_t)
fs_list_inotifyfs(policykit_t)
+fs_list_cgroup_dirs(policykit_t)
auth_use_nsswitch(policykit_t)
+init_list_pid_dirs(policykit_t)
+
+logging_send_syslog_msg(policykit_t)
+
userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)
+userdom_dontaudit_search_admin_dir(policykit_t)
optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)
+ init_dbus_chat(policykit_t)
+
optional_policy(`
consolekit_dbus_chat(policykit_t)
')
@@ -109,29 +109,43 @@ optional_policy(`
')
optional_policy(`
+ consolekit_list_pid_files(policykit_t)
consolekit_read_pid_files(policykit_t)
')
optional_policy(`
- gnome_read_generic_home_content(policykit_t)
+ kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0")
+ kerberos_manage_host_rcache(policykit_t)
')
optional_policy(`
- kerberos_manage_host_rcache(policykit_t)
- kerberos_tmp_filetrans_host_rcache(policykit_t, file, "host_0")
+ gnome_read_config(policykit_t)
+')
+
+optional_policy(`
+ systemd_read_logind_sessions_files(policykit_t)
+ systemd_login_list_pid_dirs(policykit_t)
+ systemd_login_read_pid_files(policykit_t)
')
########################################
#
-# Auth local policy
+# polkit_auth local policy
#
-allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice };
+allow policykit_auth_t self:capability { sys_nice ipc_lock setgid setuid };
dontaudit policykit_auth_t self:capability sys_tty_config;
-allow policykit_auth_t self:process { getsched setsched signal };
-allow policykit_auth_t self:unix_stream_socket { accept listen };
+allow policykit_auth_t self:process { setsched getsched signal };
+
+allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
+allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
-ps_process_pattern(policykit_auth_t, policykit_domain)
+policykit_dbus_chat(policykit_auth_t)
+
+kernel_read_system_state(policykit_auth_t)
+
+can_exec(policykit_auth_t, policykit_auth_exec_t)
+corecmd_exec_bin(policykit_auth_t)
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
@@ -145,9 +159,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
-can_exec(policykit_auth_t, policykit_auth_exec_t)
-
-kernel_read_system_state(policykit_auth_t)
kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
dev_read_video_dev(policykit_auth_t)
@@ -157,53 +168,64 @@ files_search_home(policykit_auth_t)
fs_getattr_all_fs(policykit_auth_t)
fs_search_tmpfs(policykit_auth_t)
+fs_dontaudit_append_ecryptfs_files(policykit_auth_t)
auth_rw_var_auth(policykit_auth_t)
auth_use_nsswitch(policykit_auth_t)
auth_domtrans_chk_passwd(policykit_auth_t)
+logging_send_syslog_msg(policykit_auth_t)
+
miscfiles_read_fonts(policykit_auth_t)
miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+userdom_dontaudit_write_user_tmp_files(policykit_auth_t)
+userdom_read_admin_home_files(policykit_auth_t)
optional_policy(`
- dbus_system_domain(policykit_auth_t, policykit_auth_exec_t)
- dbus_all_session_bus_client(policykit_auth_t)
+ dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
+ dbus_session_bus_client(policykit_auth_t)
optional_policy(`
consolekit_dbus_chat(policykit_auth_t)
')
-
- optional_policy(`
- policykit_dbus_chat(policykit_auth_t)
- ')
')
optional_policy(`
+ kernel_search_proc(policykit_auth_t)
hal_read_state(policykit_auth_t)
')
optional_policy(`
- kerberos_manage_host_rcache(policykit_auth_t)
- kerberos_tmp_filetrans_host_rcache(policykit_auth_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0")
+ kerberos_manage_host_rcache(policykit_auth_t)
')
optional_policy(`
xserver_stream_connect(policykit_auth_t)
+ xserver_xdm_append_log(policykit_auth_t)
xserver_read_xdm_pid(policykit_auth_t)
+ xserver_search_xdm_lib(policykit_auth_t)
+ xserver_create_xdm_tmp_sockets(policykit_auth_t)
')
########################################
#
-# Grant local policy
+# polkit_grant local policy
#
allow policykit_grant_t self:capability setuid;
+
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-ps_process_pattern(policykit_grant_t, policykit_domain)
+policykit_domtrans_auth(policykit_grant_t)
+
+policykit_domtrans_resolve(policykit_grant_t)
+
+can_exec(policykit_grant_t, policykit_grant_exec_t)
+corecmd_search_bin(policykit_grant_t)
rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
@@ -211,23 +233,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
-can_exec(policykit_grant_t, policykit_grant_exec_t)
-
-domtrans_pattern(policykit_grant_t, policykit_auth_exec_t, policykit_auth_t)
-domtrans_pattern(policykit_grant_t, policykit_resolve_exec_t, policykit_resolve_t)
auth_domtrans_chk_passwd(policykit_grant_t)
auth_use_nsswitch(policykit_grant_t)
+logging_send_syslog_msg(policykit_grant_t)
+
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
cron_manage_system_job_lib_files(policykit_grant_t)
')
-optional_policy(`
+ optional_policy(`
dbus_system_bus_client(policykit_grant_t)
-
optional_policy(`
consolekit_dbus_chat(policykit_grant_t)
')
@@ -235,26 +254,28 @@ optional_policy(`
########################################
#
-# Resolve local policy
+# polkit_resolve local policy
#
allow policykit_resolve_t self:capability { setuid sys_nice };
-allow policykit_resolve_t self:unix_stream_socket { accept listen };
-ps_process_pattern(policykit_resolve_t, policykit_domain)
+allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
+allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_resolve_t)
read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t)
read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t)
can_exec(policykit_resolve_t, policykit_resolve_exec_t)
+corecmd_search_bin(policykit_resolve_t)
-domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t)
-
-mcs_ptrace_all(policykit_resolve_t)
auth_use_nsswitch(policykit_resolve_t)
+logging_send_syslog_msg(policykit_resolve_t)
+
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
@@ -266,6 +287,6 @@ optional_policy(`
')
optional_policy(`
+ kernel_search_proc(policykit_resolve_t)
hal_read_state(policykit_resolve_t)
')
-
diff --git a/polipo.fc b/polipo.fc
index d35614b..11f77ee 100644
--- a/polipo.fc
+++ b/polipo.fc
@@ -1,15 +1,16 @@
-HOME_DIR/\.forbidden -- gen_context(system_u:object_r:polipo_config_home_t,s0)
HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0)
HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0)
-/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_conf_t,s0)
+/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_etc_t,s0)
/etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
+/usr/lib/systemd/system/polipo.* -- gen_context(system_u:object_r:polipo_unit_file_t,s0)
+
/usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0)
/var/cache/polipo(/.*)? gen_context(system_u:object_r:polipo_cache_t,s0)
/var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0)
-/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_var_run_t,s0)
+/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_pid_t,s0)
diff --git a/polipo.if b/polipo.if
index ae27bb7..d00f6ba 100644
--- a/polipo.if
+++ b/polipo.if
@@ -1,8 +1,8 @@
-## Lightweight forwarding and caching proxy server.
+## Caching web proxy.
########################################
##
-## Role access for Polipo session.
+## Role access for polipo session.
##
##
##
@@ -11,14 +11,13 @@
##
##
##
-## User domain for the role.
+## Domain allowed access.
##
##
#
template(`polipo_role',`
gen_require(`
- type polipo_session_t, polipo_exec_t, polipo_config_home_t;
- type polipo_cache_home_t;
+ type polipo_session_t, polipo_exec_t;
')
########################################
@@ -33,15 +32,11 @@ template(`polipo_role',`
# Policy
#
- allow $2 polipo_cache_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { polipo_cache_home_t polipo_config_home_t }:file { manage_file_perms relabel_file_perms };
-
- userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".forbidden")
- userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".polipo")
- userdom_user_home_dir_filetrans($2, polipo_cache_home_t, dir, ".polipo-cache")
-
- allow $2 polipo_session_t:process { ptrace signal_perms };
+ allow $2 polipo_session_t:process signal_perms;
ps_process_pattern($2, polipo_session_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 polipo_session_t:process ptrace;
+ ')
tunable_policy(`polipo_session_users',`
domtrans_pattern($2, polipo_exec_t, polipo_session_t)
@@ -52,57 +47,129 @@ template(`polipo_role',`
########################################
##
-## Execute Polipo in the Polipo
-## system domain.
+## Create configuration files in user
+## home directories with a named file
+## type transition.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
-interface(`polipo_initrc_domtrans',`
+interface(`polipo_named_filetrans_config_home_files',`
gen_require(`
- type polipo_initrc_exec_t;
+ type polipo_config_home_t;
')
- init_labeled_script_domtrans($1, polipo_initrc_exec_t)
+ userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
+')
+
+########################################
+##
+## Create cache directories in user
+## home directories with a named file
+## type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`polipo_named_filetrans_cache_home_dirs',`
+ gen_require(`
+ type polipo_cache_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
')
########################################
##
-## Create specified objects in generic
-## log directories with the polipo
-## log file type.
+## Create configuration files in admin
+## home directories with a named file
+## type transition.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`polipo_named_filetrans_admin_config_home_files',`
+ gen_require(`
+ type polipo_config_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
+')
+
+########################################
+##
+## Create cache directories in admin
+## home directories with a named file
+## type transition.
+##
+##
##
-## Class of the object being created.
+## Domain allowed access.
##
##
-##
+#
+interface(`polipo_named_filetrans_admin_cache_home_dirs',`
+ gen_require(`
+ type polipo_cache_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
+')
+
+########################################
+##
+## Create log files with a named file
+## type transition.
+##
+##
##
-## The name of the object being created.
+## Domain allowed access.
##
##
#
-interface(`polipo_log_filetrans_log',`
+interface(`polipo_named_filetrans_log_files',`
gen_require(`
type polipo_log_t;
')
- logging_log_filetrans($1, polipo_log_t, $2, $3)
+ logging_log_named_filetrans($1, polipo_log_t, file, "polipo")
+')
+
+########################################
+##
+## Execute polipo server in the polipo domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`polipo_systemctl',`
+ gen_require(`
+ type polipo_t;
+ type polipo_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 polipo_unit_file_t:file read_file_perms;
+ allow $1 polipo_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, polipo_t)
')
########################################
##
-## All of the rules required to
-## administrate an polipo environment.
+## Administrate an polipo environment.
##
##
##
@@ -118,27 +185,35 @@ interface(`polipo_log_filetrans_log',`
#
interface(`polipo_admin',`
gen_require(`
- type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t;
- type polipo_conf_t, polipo_log_t, polipo_var_run_t;
+ type polipo_t, polipo_pid_t, polipo_cache_t;
+ type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
+ type polipo_unit_file_t;
')
- allow $1 polipo_system_t:process { ptrace signal_perms };
- ps_process_pattern($1, polipo_system_t)
+ allow $1 polipo_t:process signal_perms;
+ ps_process_pattern($1, polipo_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 polipo_t:process ptrace;
+ ')
- polipo_initrc_domtrans($1)
+ init_labeled_script_domtrans($1, polipo_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 polipo_initrc_exec_t system_r;
allow $2 system_r;
- files_search_var($1)
- admin_pattern($1, polipo_cache_t)
-
- files_search_etc($1)
- admin_pattern($1, polipo_conf_t)
+ files_list_etc($1)
+ admin_pattern($1, polipo_etc_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, polipo_log_t)
- files_search_pids($1)
- admin_pattern($1, polipo_var_run_t)
+ files_list_var($1)
+ admin_pattern($1, polipo_cache_t)
+
+ files_list_pids($1)
+ admin_pattern($1, polipo_pid_t)
+
+ polipo_systemctl($1)
+ admin_pattern($1, polipo_unit_file_t)
+ allow $1 polipo_unit_file_t:service all_service_perms;
')
diff --git a/polipo.te b/polipo.te
index 9764bfe..2d8d495 100644
--- a/polipo.te
+++ b/polipo.te
@@ -7,19 +7,27 @@ policy_module(polipo, 1.1.1)
##
##
-## Determine whether Polipo system
-## daemon can access CIFS file systems.
+## Determine whether polipo can
+## access cifs file systems.
##
##
-gen_tunable(polipo_system_use_cifs, false)
+gen_tunable(polipo_use_cifs, false)
##
##
-## Determine whether Polipo system
-## daemon can access NFS file systems.
+## Determine whether Polipo can
+## access nfs file systems.
##
##
-gen_tunable(polipo_system_use_nfs, false)
+gen_tunable(polipo_use_nfs, false)
+
+##
+##
+## Determine whether Polipo session daemon
+## can bind tcp sockets to all unreserved ports.
+##
+##
+gen_tunable(polipo_session_bind_all_unreserved_ports, false)
##
##
@@ -31,24 +39,23 @@ gen_tunable(polipo_system_use_nfs, false)
gen_tunable(polipo_session_users, false)
##
-##
-## Determine whether Polipo session daemon
-## can send syslog messages.
-##
+##
+## Allow polipo to connect to all ports > 1023
+##
##
-gen_tunable(polipo_session_send_syslog_msg, false)
+gen_tunable(polipo_connect_all_unreserved, false)
attribute polipo_daemon;
-type polipo_system_t, polipo_daemon;
+type polipo_t, polipo_daemon;
type polipo_exec_t;
-init_daemon_domain(polipo_system_t, polipo_exec_t)
+init_daemon_domain(polipo_t, polipo_exec_t)
type polipo_initrc_exec_t;
init_script_file(polipo_initrc_exec_t)
-type polipo_conf_t;
-files_config_file(polipo_conf_t)
+type polipo_etc_t;
+files_config_file(polipo_etc_t)
type polipo_cache_t;
files_type(polipo_cache_t)
@@ -56,116 +63,102 @@ files_type(polipo_cache_t)
type polipo_log_t;
logging_log_file(polipo_log_t)
-type polipo_var_run_t;
-files_pid_file(polipo_var_run_t)
+type polipo_pid_t;
+files_pid_file(polipo_pid_t)
type polipo_session_t, polipo_daemon;
-userdom_user_application_domain(polipo_session_t, polipo_exec_t)
+application_domain(polipo_session_t, polipo_exec_t)
+ubac_constrained(polipo_session_t)
+
+type polipo_config_home_t;
+userdom_user_home_content(polipo_config_home_t)
type polipo_cache_home_t;
userdom_user_home_content(polipo_cache_home_t)
-type polipo_config_home_t;
-userdom_user_home_content(polipo_config_home_t)
+type polipo_unit_file_t;
+systemd_unit_file(polipo_unit_file_t)
########################################
#
-# Session local policy
+# Global local policy
#
-allow polipo_session_t polipo_config_home_t:file read_file_perms;
-
-manage_dirs_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache")
-
-auth_use_nsswitch(polipo_session_t)
-
-userdom_use_user_terminals(polipo_session_t)
+allow polipo_daemon self:fifo_file rw_fifo_file_perms;
+allow polipo_daemon self:tcp_socket { listen accept };
-tunable_policy(`polipo_session_send_syslog_msg',`
- logging_send_syslog_msg(polipo_session_t)
-')
+corenet_tcp_bind_generic_node(polipo_daemon)
+corenet_tcp_sendrecv_generic_if(polipo_daemon)
+corenet_tcp_sendrecv_generic_node(polipo_daemon)
+corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
+corenet_tcp_bind_http_cache_port(polipo_daemon)
+corenet_sendrecv_http_cache_server_packets(polipo_daemon)
+corenet_tcp_connect_http_port(polipo_daemon)
+corenet_tcp_connect_tor_port(polipo_daemon)
+corenet_tcp_connect_flash_port(polipo_daemon)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(polipo_session_t)
-',`
- fs_dontaudit_read_nfs_files(polipo_session_t)
-')
+fs_search_auto_mountpoints(polipo_daemon)
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(polipo_session_t)
-',`
- fs_dontaudit_read_cifs_files(polipo_session_t)
-')
########################################
#
-# System local policy
+# Polipo local policy
#
-read_files_pattern(polipo_system_t, polipo_conf_t, polipo_conf_t)
+read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t)
-manage_files_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
-manage_dirs_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
-files_var_filetrans(polipo_system_t, polipo_cache_t, dir)
+manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
+manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
+files_var_filetrans(polipo_t, polipo_cache_t, dir)
-append_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-create_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-setattr_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-logging_log_filetrans(polipo_system_t, polipo_log_t, file)
+manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
+logging_log_filetrans(polipo_t, polipo_log_t, file)
-manage_files_pattern(polipo_system_t, polipo_var_run_t, polipo_var_run_t)
-files_pid_filetrans(polipo_system_t, polipo_var_run_t, file)
+manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t)
+files_pid_filetrans(polipo_t, polipo_pid_t, file)
-auth_use_nsswitch(polipo_system_t)
+auth_use_nsswitch(polipo_t)
-logging_send_syslog_msg(polipo_system_t)
+logging_send_syslog_msg(polipo_t)
optional_policy(`
- cron_system_entry(polipo_system_t, polipo_exec_t)
+ cron_system_entry(polipo_t, polipo_exec_t)
+')
+
+tunable_policy(`polipo_connect_all_unreserved',`
+ corenet_tcp_connect_all_unreserved_ports(polipo_t)
')
-tunable_policy(`polipo_system_use_cifs',`
- fs_manage_cifs_files(polipo_system_t)
-',`
- fs_dontaudit_read_cifs_files(polipo_system_t)
+tunable_policy(`polipo_use_cifs',`
+ fs_manage_cifs_files(polipo_t)
')
-tunable_policy(`polipo_system_use_nfs',`
- fs_manage_nfs_files(polipo_system_t)
-',`
- fs_dontaudit_read_nfs_files(polipo_system_t)
+tunable_policy(`polipo_use_nfs',`
+ fs_manage_nfs_files(polipo_t)
')
########################################
#
-# Polipo global local policy
+# Polipo session local policy
#
-allow polipo_daemon self:fifo_file rw_fifo_file_perms;
-allow polipo_daemon self:tcp_socket { listen accept };
-
-corenet_all_recvfrom_unlabeled(polipo_daemon)
-corenet_all_recvfrom_netlabel(polipo_daemon)
-corenet_tcp_sendrecv_generic_if(polipo_daemon)
-corenet_tcp_sendrecv_generic_node(polipo_daemon)
-corenet_tcp_bind_generic_node(polipo_daemon)
+read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t)
+manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-corenet_sendrecv_http_client_packets(polipo_daemon)
-corenet_tcp_sendrecv_http_port(polipo_daemon)
-corenet_tcp_connect_http_port(polipo_daemon)
+auth_use_nsswitch(polipo_session_t)
-corenet_sendrecv_http_cache_server_packets(polipo_daemon)
-corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
-corenet_tcp_bind_http_cache_port(polipo_daemon)
+userdom_use_user_terminals(polipo_session_t)
corenet_sendrecv_tor_client_packets(polipo_daemon)
corenet_tcp_sendrecv_tor_port(polipo_daemon)
corenet_tcp_connect_tor_port(polipo_daemon)
-files_read_usr_files(polipo_daemon)
+logging_send_syslog_msg(polipo_session_t)
-fs_search_auto_mountpoints(polipo_daemon)
+userdom_home_manager(polipo_session_t)
+
+tunable_policy(`polipo_session_bind_all_unreserved_ports',`
+ corenet_tcp_sendrecv_all_ports(polipo_session_t)
+ corenet_tcp_bind_all_unreserved_ports(polipo_session_t)
+')
-miscfiles_read_localization(polipo_daemon)
diff --git a/portage.if b/portage.if
index 67e8c12..18b89d7 100644
--- a/portage.if
+++ b/portage.if
@@ -67,6 +67,7 @@ interface(`portage_compile_domain',`
class dbus send_msg;
type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
type portage_tmpfs_t;
+ type portage_sandbox_t;
')
allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
diff --git a/portage.te b/portage.te
index b410c67..2713b26 100644
--- a/portage.te
+++ b/portage.te
@@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t)
files_manage_etc_files(gcc_config_t)
files_rw_etc_runtime_files(gcc_config_t)
-files_read_usr_files(gcc_config_t)
files_search_var_lib(gcc_config_t)
files_search_pids(gcc_config_t)
# complains loudly about not being able to list
@@ -291,7 +290,6 @@ dev_dontaudit_read_rand(portage_fetch_t)
domain_use_interactive_fds(portage_fetch_t)
files_read_etc_runtime_files(portage_fetch_t)
-files_read_usr_files(portage_fetch_t)
files_dontaudit_search_pids(portage_fetch_t)
fs_search_auto_mountpoints(portage_fetch_t)
diff --git a/portmap.fc b/portmap.fc
index cd45831..69406ee 100644
--- a/portmap.fc
+++ b/portmap.fc
@@ -4,9 +4,14 @@
/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
+ifdef(`distro_debian',`
+/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+', `
/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
+')
/var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
/var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0)
diff --git a/portmap.te b/portmap.te
index 18b255e..e75c4ec 100644
--- a/portmap.te
+++ b/portmap.te
@@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file)
kernel_read_system_state(portmap_t)
kernel_read_kernel_sysctls(portmap_t)
-corenet_all_recvfrom_unlabeled(portmap_t)
corenet_all_recvfrom_netlabel(portmap_t)
corenet_tcp_sendrecv_generic_if(portmap_t)
corenet_udp_sendrecv_generic_if(portmap_t)
@@ -80,9 +79,11 @@ fs_search_auto_mountpoints(portmap_t)
domain_use_interactive_fds(portmap_t)
+auth_use_nsswitch(portmap_t)
+
logging_send_syslog_msg(portmap_t)
-miscfiles_read_localization(portmap_t)
+sysnet_read_config(portmap_t)
userdom_dontaudit_use_unpriv_user_fds(portmap_t)
userdom_dontaudit_search_user_home_dirs(portmap_t)
@@ -106,7 +107,6 @@ allow portmap_helper_t self:tcp_socket { accept listen };
allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
-corenet_all_recvfrom_unlabeled(portmap_helper_t)
corenet_all_recvfrom_netlabel(portmap_helper_t)
corenet_tcp_sendrecv_generic_if(portmap_helper_t)
corenet_udp_sendrecv_generic_if(portmap_helper_t)
@@ -138,5 +138,7 @@ init_rw_utmp(portmap_helper_t)
logging_send_syslog_msg(portmap_helper_t)
-userdom_use_user_terminals(portmap_helper_t)
+sysnet_read_config(portmap_helper_t)
+
+userdom_use_inherited_user_terminals(portmap_helper_t)
userdom_dontaudit_use_all_users_fds(portmap_helper_t)
diff --git a/portreserve.fc b/portreserve.fc
index 1b2b4f9..575b7d6 100644
--- a/portreserve.fc
+++ b/portreserve.fc
@@ -1,6 +1,6 @@
/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
-/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
diff --git a/portreserve.if b/portreserve.if
index 5ad5291..7f1ae2a 100644
--- a/portreserve.if
+++ b/portreserve.if
@@ -105,8 +105,11 @@ interface(`portreserve_admin',`
type portreserve_initrc_exec_t;
')
- allow $1 portreserve_t:process { ptrace signal_perms };
+ allow $1 portreserve_t:process signal_perms;
ps_process_pattern($1, portreserve_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 portreserve_t:process ptrace;
+ ')
portreserve_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/portreserve.te b/portreserve.te
index 00b01e2..47ab4d9 100644
--- a/portreserve.te
+++ b/portreserve.te
@@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
corecmd_getattr_bin_files(portreserve_t)
-corenet_all_recvfrom_unlabeled(portreserve_t)
corenet_all_recvfrom_netlabel(portreserve_t)
corenet_tcp_sendrecv_generic_if(portreserve_t)
corenet_udp_sendrecv_generic_if(portreserve_t)
@@ -56,6 +55,8 @@ corenet_sendrecv_all_server_packets(portreserve_t)
corenet_tcp_bind_all_ports(portreserve_t)
corenet_udp_bind_all_ports(portreserve_t)
-files_read_etc_files(portreserve_t)
-
userdom_dontaudit_search_user_home_content(portreserve_t)
+
+optional_policy(`
+ sssd_search_lib(portreserve_t)
+')
diff --git a/portslave.te b/portslave.te
index cbe36c1..8ebeb87 100644
--- a/portslave.te
+++ b/portslave.te
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(portslave_t)
corecmd_exec_bin(portslave_t)
corecmd_exec_shell(portslave_t)
-corenet_all_recvfrom_unlabeled(portslave_t)
corenet_all_recvfrom_netlabel(portslave_t)
corenet_tcp_sendrecv_generic_if(portslave_t)
corenet_udp_sendrecv_generic_if(portslave_t)
@@ -72,7 +71,7 @@ fs_getattr_xattr_fs(portslave_t)
term_use_unallocated_ttys(portslave_t)
term_setattr_unallocated_ttys(portslave_t)
-term_use_all_ttys(portslave_t)
+term_use_all_inherited_ttys(portslave_t)
term_search_ptys(portslave_t)
auth_domtrans_chk_passwd(portslave_t)
diff --git a/postfix.fc b/postfix.fc
index c0e8785..c0e0959 100644
--- a/postfix.fc
+++ b/postfix.fc
@@ -1,38 +1,38 @@
-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
-/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
-
-/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
-
+# postfix
+/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
+/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
+ifdef(`distro_redhat', `
+/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+', `
/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-
-/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-
+')
+/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
@@ -44,14 +44,14 @@
/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
+/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
-/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
-/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
-/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
-/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
-/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
diff --git a/postfix.if b/postfix.if
index ded95ec..3cf7146 100644
--- a/postfix.if
+++ b/postfix.if
@@ -1,4 +1,4 @@
-## Postfix email server.
+## Postfix email server
########################################
##
@@ -16,13 +16,14 @@ interface(`postfix_stub',`
')
')
-#######################################
+########################################
##
-## The template to define a postfix domain.
+## Creates types and rules for a basic
+## postfix process domain.
##
-##
+##
##
-## Domain prefix to be used.
+## Prefix for the domain.
##
##
#
@@ -31,73 +32,69 @@ template(`postfix_domain_template',`
attribute postfix_domain;
')
- ########################################
- #
- # Declarations
- #
-
type postfix_$1_t, postfix_domain;
type postfix_$1_exec_t;
domain_type(postfix_$1_t)
domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
role system_r types postfix_$1_t;
- ########################################
- #
- # Policy
- #
-
- can_exec(postfix_$1_t, postfix_$1_exec_t)
+ kernel_read_system_state(postfix_$1_t)
auth_use_nsswitch(postfix_$1_t)
+
+ logging_send_syslog_msg(postfix_$1_t)
+
+ can_exec(postfix_$1_t, postfix_$1_exec_t)
')
-#######################################
+########################################
##
-## The template to define a postfix server domain.
+## Creates a postfix server process domain.
##
-##
+##
##
-## Domain prefix to be used.
+## Prefix of the domain.
##
##
#
template(`postfix_server_domain_template',`
- gen_require(`
- attribute postfix_server_domain, postfix_server_tmp_content;
- ')
-
- ########################################
- #
- # Declarations
- #
-
postfix_domain_template($1)
- typeattribute postfix_$1_t postfix_server_domain;
-
- type postfix_$1_tmp_t, postfix_server_tmp_content;
+ type postfix_$1_tmp_t;
files_tmp_file(postfix_$1_tmp_t)
- ########################################
- #
- # Declarations
- #
+ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override };
+ allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
+ allow postfix_$1_t self:tcp_socket create_socket_perms;
+ allow postfix_$1_t self:udp_socket create_socket_perms;
manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+
+ corenet_all_recvfrom_netlabel(postfix_$1_t)
+ corenet_tcp_sendrecv_generic_if(postfix_$1_t)
+ corenet_udp_sendrecv_generic_if(postfix_$1_t)
+ corenet_tcp_sendrecv_generic_node(postfix_$1_t)
+ corenet_udp_sendrecv_generic_node(postfix_$1_t)
+ corenet_tcp_sendrecv_all_ports(postfix_$1_t)
+ corenet_udp_sendrecv_all_ports(postfix_$1_t)
+ corenet_tcp_bind_generic_node(postfix_$1_t)
+ corenet_udp_bind_generic_node(postfix_$1_t)
+ corenet_tcp_connect_all_ports(postfix_$1_t)
+ corenet_sendrecv_all_client_packets(postfix_$1_t)
')
-#######################################
+########################################
##
-## The template to define a postfix user domain.
+## Creates a process domain for programs
+## that are ran by users.
##
-##
+##
##
-## Domain prefix to be used.
+## Prefix of the domain.
##
##
#
@@ -106,30 +103,22 @@ template(`postfix_user_domain_template',`
attribute postfix_user_domains, postfix_user_domtrans;
')
- ########################################
- #
- # Declarations
- #
-
postfix_domain_template($1)
typeattribute postfix_$1_t postfix_user_domains;
- ########################################
- #
- # Policy
- #
-
allow postfix_$1_t self:capability dac_override;
domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
domain_use_interactive_fds(postfix_$1_t)
+
+ application_domain(postfix_$1_t, postfix_$1_exec_t)
')
########################################
##
-## Read postfix configuration content.
+## Read postfix configuration files.
##
##
##
@@ -143,16 +132,15 @@ interface(`postfix_read_config',`
type postfix_etc_t;
')
+ read_files_pattern($1, postfix_etc_t, postfix_etc_t)
+ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
files_search_etc($1)
- allow $1 postfix_etc_t:dir list_dir_perms;
- allow $1 postfix_etc_t:file read_file_perms;
- allow $1 postfix_etc_t:lnk_file read_lnk_file_perms;
')
########################################
##
-## Create specified object in postfix
-## etc directories with a type transition.
+## Create files with the specified type in
+## the postfix configuration directories.
##
##
##
@@ -180,6 +168,7 @@ interface(`postfix_config_filetrans',`
type postfix_etc_t;
')
+ files_search_etc($1)
filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
')
@@ -205,7 +194,8 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',`
########################################
##
-## Read and write postfix local pipes.
+## Allow read/write postfix local pipes
+## TCP sockets.
##
##
##
@@ -221,30 +211,28 @@ interface(`postfix_rw_local_pipes',`
allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
')
-########################################
+#######################################
##
-## Read postfix local process state files.
+## Allow read/write postfix public pipes
+## TCP sockets.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
-interface(`postfix_read_local_state',`
- gen_require(`
- type postfix_local_t;
- ')
+interface(`postfix_rw_public_pipes',`
+ gen_require(`
+ type postfix_public_t;
+ ')
- kernel_search_proc($1)
- allow $1 postfix_local_t:dir list_dir_perms;
- allow $1 postfix_local_t:file read_file_perms;
- allow $1 postfix_local_t:lnk_file read_lnk_file_perms;
+ allow $1 postfix_public_t:fifo_file rw_fifo_file_perms;
')
########################################
##
-## Read and write inherited postfix master pipes.
+## Allow domain to read postfix local process state
##
##
##
@@ -252,18 +240,18 @@ interface(`postfix_read_local_state',`
##
##
#
-interface(`postfix_rw_inherited_master_pipes',`
+interface(`postfix_read_local_state',`
gen_require(`
- type postfix_master_t;
+ type postfix_local_t;
')
- allow $1 postfix_master_t:fd use;
- allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read };
+ kernel_search_proc($1)
+ ps_process_pattern($1, postfix_local_t)
')
########################################
##
-## Read postfix master process state files.
+## Allow domain to read postfix master process state
##
##
##
@@ -277,14 +265,13 @@ interface(`postfix_read_master_state',`
')
kernel_search_proc($1)
- allow $1 postfix_master_t:dir list_dir_perms;
- allow $1 postfix_master_t:file read_file_perms;
- allow $1 postfix_master_t:lnk_file read_lnk_file_perms;
+ ps_process_pattern($1, postfix_master_t)
')
########################################
##
-## Use postfix master file descriptors.
+## Use postfix master process file
+## file descriptors.
##
##
##
@@ -335,15 +322,13 @@ interface(`postfix_domtrans_map',`
type postfix_map_t, postfix_map_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, postfix_map_exec_t, postfix_map_t)
')
########################################
##
-## Execute postfix map in the postfix
-## map domain, and allow the specified
-## role the postfix_map domain.
+## Execute postfix_map in the postfix_map domain, and
+## allow the specified role the postfix_map domain.
##
##
##
@@ -359,17 +344,17 @@ interface(`postfix_domtrans_map',`
#
interface(`postfix_run_map',`
gen_require(`
- attribute_role postfix_map_roles;
+ type postfix_map_t;
')
postfix_domtrans_map($1)
- roleattribute $2 postfix_map_roles;
+ role $2 types postfix_map_t;
')
########################################
##
-## Execute the master postfix program
-## in the postfix_master domain.
+## Execute the master postfix program in the
+## postfix_master domain.
##
##
##
@@ -380,16 +365,35 @@ interface(`postfix_run_map',`
interface(`postfix_domtrans_master',`
gen_require(`
type postfix_master_t, postfix_master_exec_t;
+ attribute postfix_domain;
')
- corecmd_search_bin($1)
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
')
+
########################################
##
-## Execute the master postfix program
-## in the caller domain.
+## Execute the master postfix in the postfix master domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_initrc_domtrans',`
+ gen_require(`
+ type postfix_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+')
+
+########################################
+##
+## Execute the master postfix program in the
+## caller domain.
##
##
##
@@ -402,21 +406,18 @@ interface(`postfix_exec_master',`
type postfix_master_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, postfix_master_exec_t)
')
#######################################
##
-## Connect to postfix master process
-## using a unix domain stream socket.
+## Connect to postfix master process using a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
-##
#
interface(`postfix_stream_connect_master',`
gen_require(`
@@ -428,8 +429,7 @@ interface(`postfix_stream_connect_master',`
########################################
##
-## Read and write postfix master
-## unnamed pipes. (Deprecated)
+## Allow read/write postfix master pipes
##
##
##
@@ -437,15 +437,18 @@ interface(`postfix_stream_connect_master',`
##
##
#
-interface(`postfix_rw_master_pipes',`
- refpolicywarn(`$0($*) has been deprecated, use postfix_rw_inherited_master_pipes() instead.')
- postfix_rw_inherited_master_pipes($1)
+interface(`postfix_rw_inherited_master_pipes',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
##
## Execute the master postdrop in the
-## postfix postdrop domain.
+## postfix_postdrop domain.
##
##
##
@@ -458,14 +461,13 @@ interface(`postfix_domtrans_postdrop',`
type postfix_postdrop_t, postfix_postdrop_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
')
########################################
##
## Execute the master postqueue in the
-## postfix postqueue domain.
+## postfix_postqueue domain.
##
##
##
@@ -478,30 +480,85 @@ interface(`postfix_domtrans_postqueue',`
type postfix_postqueue_t, postfix_postqueue_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
')
-#######################################
+########################################
##
-## Execute the master postqueue in
-## the caller domain. (Deprecated)
+## Execute the master postqueue in the
+## postfix_postdrop domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
+##
+##
+##
+##
+## The role to be allowed the iptables domain.
+##
+##
+##
+#
+
+interface(`postfix_run_postqueue',`
+ gen_require(`
+ type postfix_postqueue_t;
+ ')
+
+ postfix_domtrans_postqueue($1)
+ role $2 types postfix_postqueue_t;
+ allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };
+')
+
+########################################
+##
+## Execute postfix_postgqueue in the postfix_postgqueue domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`postfix_domtrans_postgqueue',`
+ gen_require(`
+ type postfix_postgqueue_t;
+ type postfix_postgqueue_exec_t;
+ ')
+ domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t)
+')
+
+########################################
+##
+## Execute postfix_postgqueue in the postfix_postgqueue domain, and
+## allow the specified role the postfix_postgqueue domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
##
##
+##
#
-interface(`posftix_exec_postqueue',`
- refpolicywarn(`$0($*) has been deprecated.')
- postfix_exec_postqueue($1)
+interface(`postfix_run_postgqueue',`
+ gen_require(`
+ type postfix_postgqueue_t;
+ ')
+
+ postfix_domtrans_postgqueue($1)
+ role $2 types postfix_postgqueue_t;
')
+
#######################################
##
-## Execute postfix postqueue in
-## the caller domain.
+## Execute the master postqueue in the caller domain.
##
##
##
@@ -514,13 +571,12 @@ interface(`postfix_exec_postqueue',`
type postfix_postqueue_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, postfix_postqueue_exec_t)
')
########################################
##
-## Create postfix private sock files.
+## Create a named socket in a postfix private directory.
##
##
##
@@ -533,13 +589,13 @@ interface(`postfix_create_private_sockets',`
type postfix_private_t;
')
+ allow $1 postfix_private_t:dir list_dir_perms;
create_sock_files_pattern($1, postfix_private_t, postfix_private_t)
')
########################################
##
-## Create, read, write, and delete
-## postfix private sock files.
+## manage named socket in a postfix private directory.
##
##
##
@@ -552,13 +608,14 @@ interface(`postfix_manage_private_sockets',`
type postfix_private_t;
')
+ allow $1 postfix_private_t:dir list_dir_perms;
manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
')
########################################
##
-## Execute the smtp postfix program
-## in the postfix smtp domain.
+## Execute the master postfix program in the
+## postfix_master domain.
##
##
##
@@ -571,14 +628,12 @@ interface(`postfix_domtrans_smtp',`
type postfix_smtp_t, postfix_smtp_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)
')
########################################
##
-## Get attributes of all postfix mail
-## spool files.
+## Getattr postfix mail spool files.
##
##
##
@@ -586,7 +641,7 @@ interface(`postfix_domtrans_smtp',`
##
##
#
-interface(`postfix_getattr_all_spool_files',`
+interface(`postfix_getattr_spool_files',`
gen_require(`
attribute postfix_spool_type;
')
@@ -607,11 +662,11 @@ interface(`postfix_getattr_all_spool_files',`
#
interface(`postfix_search_spool',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
+ allow $1 postfix_spool_type:dir search_dir_perms;
files_search_spool($1)
- allow $1 postfix_spool_t:dir search_dir_perms;
')
########################################
@@ -626,11 +681,11 @@ interface(`postfix_search_spool',`
#
interface(`postfix_list_spool',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
+ allow $1 postfix_spool_type:dir list_dir_perms;
files_search_spool($1)
- allow $1 postfix_spool_t:dir list_dir_perms;
')
########################################
@@ -645,17 +700,16 @@ interface(`postfix_list_spool',`
#
interface(`postfix_read_spool_files',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
files_search_spool($1)
- read_files_pattern($1, postfix_spool_t, postfix_spool_t)
+ read_files_pattern($1, postfix_spool_type, postfix_spool_type)
')
########################################
##
-## Create, read, write, and delete
-## postfix mail spool files.
+## Create, read, write, and delete postfix mail spool files.
##
##
##
@@ -665,11 +719,50 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
files_search_spool($1)
- manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
+')
+
+#######################################
+##
+## Read, write, and delete postfix maildrop spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_rw_spool_maildrop_files',`
+ gen_require(`
+ type postfix_spool_maildrop_t;
+ ')
+
+ files_search_spool($1)
+ rw_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+')
+
+#######################################
+##
+## Create, read, write, and delete postfix maildrop spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_manage_spool_maildrop_files',`
+ gen_require(`
+ type postfix_spool_maildrop_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ manage_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
')
########################################
@@ -693,8 +786,8 @@ interface(`postfix_domtrans_user_mail_handler',`
########################################
##
-## All of the rules required to
-## administrate an postfix environment.
+## All of the rules required to administrate
+## an postfix environment.
##
##
##
@@ -710,38 +803,137 @@ interface(`postfix_domtrans_user_mail_handler',`
#
interface(`postfix_admin',`
gen_require(`
- attribute postfix_domain, postfix_spool_type, postfix_server_tmp_content;
- type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
- type postfix_data_t, postfix_var_run_t, postfix_public_t;
- type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
- type postfix_keytab_t;
+ attribute postfix_spool_type;
+ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
+ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
+ type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
+ type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
+ type postfix_smtpd_t, postfix_var_run_t;
+ ')
+
+ allow $1 postfix_bounce_t:process signal_perms;
+ ps_process_pattern($1, postfix_bounce_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 postfix_bounce_t:process ptrace;
')
- allow $1 postfix_domain:process { ptrace signal_perms };
- ps_process_pattern($1, postfix_domain)
+ allow $1 postfix_cleanup_t:process signal_perms;
+ ps_process_pattern($1, postfix_cleanup_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 postfix_cleanup_t:process ptrace;
+ allow $1 postfix_local_t:process ptrace;
+ allow $1 postfix_master_t:process ptrace;
+ allow $1 postfix_pickup_t:process ptrace;
+ allow $1 postfix_qmgr_t:process ptrace;
+ allow $1 postfix_smtpd_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+ allow $1 postfix_local_t:process signal_perms;
+ ps_process_pattern($1, postfix_local_t)
+
+ allow $1 postfix_master_t:process signal_perms;
+ ps_process_pattern($1, postfix_master_t)
+
+ allow $1 postfix_pickup_t:process signal_perms;
+ ps_process_pattern($1, postfix_pickup_t)
+
+ allow $1 postfix_qmgr_t:process signal_perms;
+ ps_process_pattern($1, postfix_qmgr_t)
+
+ allow $1 postfix_smtpd_t:process signal_perms;
+ ps_process_pattern($1, postfix_smtpd_t)
+
+ postfix_run_map($1, $2)
+ postfix_run_postdrop($1, $2)
+ postfix_run_postqueue($1, $2)
+
+ postfix_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 postfix_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
- admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
+ admin_pattern($1, postfix_data_t)
- files_search_spool($1)
- admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type })
+ files_list_etc($1)
+ admin_pattern($1, postfix_etc_t)
- files_search_var_lib($1)
- admin_pattern($1, postfix_data_t)
+ files_list_spool($1)
+ admin_pattern($1, postfix_spool_type)
- files_search_pids($1)
admin_pattern($1, postfix_var_run_t)
- files_search_tmp($1)
- admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t })
+ files_list_tmp($1)
+ admin_pattern($1, postfix_map_tmp_t)
+
+ admin_pattern($1, postfix_prng_t)
- postfix_exec_master($1)
- postfix_exec_postqueue($1)
- postfix_stream_connect_master($1)
- postfix_run_map($1, $2)
+ admin_pattern($1, postfix_public_t)
+
+ postfix_filetrans_named_content($1)
+')
+
+########################################
+##
+## Execute the master postdrop in the
+## postfix_postdrop domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The role to be allowed the iptables domain.
+##
+##
+##
+#
+interface(`postfix_run_postdrop',`
+ gen_require(`
+ type postfix_postdrop_t;
+ ')
+
+ postfix_domtrans_postdrop($1)
+ role $2 types postfix_postdrop_t;
+ allow postfix_postdrop_t $1:unix_stream_socket { read write getattr };
+')
+
+
+########################################
+##
+## Execute postfix exec in the users domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_exec',`
+ gen_require(`
+ type postfix_exec_t;
+ ')
+
+ can_exec($1, postfix_exec_t)
+')
+
+########################################
+##
+## Transition to postfix named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_filetrans_named_content',`
+ gen_require(`
+ type postfix_exec_t;
+ type postfix_prng_t;
+ ')
+
+ postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script")
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
index 5cfb83e..efec4cc 100644
--- a/postfix.te
+++ b/postfix.te
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
#
##
-##
-## Determine whether postfix local
-## can manage mail spool content.
-##
+##
+## Allow postfix_local domain full write access to mail_spool directories
+##
##
gen_tunable(postfix_local_write_mail_spool, true)
attribute postfix_domain;
-attribute postfix_server_domain;
-attribute postfix_server_tmp_content;
attribute postfix_spool_type;
attribute postfix_user_domains;
+# domains that transition to the
+# postfix user domains
attribute postfix_user_domtrans;
-attribute_role postfix_map_roles;
-roleattribute system_r postfix_map_roles;
-
postfix_server_domain_template(bounce)
type postfix_spool_bounce_t, postfix_spool_type;
-files_type(postfix_spool_bounce_t)
+files_spool_file(postfix_spool_bounce_t)
postfix_server_domain_template(cleanup)
@@ -42,16 +38,19 @@ files_type(postfix_keytab_t)
postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)
+# Program for creating database files
type postfix_map_t;
type postfix_map_exec_t;
application_domain(postfix_map_t, postfix_map_exec_t)
-role postfix_map_roles types postfix_map_t;
+role system_r types postfix_map_t;
type postfix_map_tmp_t;
files_tmp_file(postfix_map_tmp_t)
postfix_domain_template(master)
typealias postfix_master_t alias postfix_t;
+# alias is a hack to make the disable trans bool
+# generation macro work
mta_mailserver(postfix_t, postfix_master_exec_t)
type postfix_initrc_exec_t;
@@ -63,6 +62,7 @@ postfix_server_domain_template(pipe)
postfix_user_domain_template(postdrop)
mta_mailserver_user_agent(postfix_postdrop_t)
+mta_agent_executable(postfix_postdrop_t)
postfix_user_domain_template(postqueue)
mta_mailserver_user_agent(postfix_postqueue_t)
@@ -83,13 +83,13 @@ mta_mailserver_sender(postfix_smtp_t)
postfix_server_domain_template(smtpd)
type postfix_spool_t, postfix_spool_type;
-files_type(postfix_spool_t)
+files_spool_file(postfix_spool_t)
type postfix_spool_maildrop_t, postfix_spool_type;
-files_type(postfix_spool_maildrop_t)
+files_spool_file(postfix_spool_maildrop_t)
type postfix_spool_flush_t, postfix_spool_type;
-files_type(postfix_spool_flush_t)
+files_spool_file(postfix_spool_flush_t)
type postfix_public_t;
files_type(postfix_public_t)
@@ -97,6 +97,7 @@ files_type(postfix_public_t)
type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
+# the data_directory config parameter
type postfix_data_t;
files_type(postfix_data_t)
@@ -105,109 +106,22 @@ mta_mailserver_delivery(postfix_virtual_t)
########################################
#
-# Common postfix domain local policy
-#
-
-allow postfix_domain self:capability { sys_nice sys_chroot };
-dontaudit postfix_domain self:capability sys_tty_config;
-allow postfix_domain self:process { signal_perms setpgid setsched };
-allow postfix_domain self:fifo_file rw_fifo_file_perms;
-allow postfix_domain self:unix_stream_socket { accept connectto listen };
-
-allow postfix_domain postfix_etc_t:dir list_dir_perms;
-allow postfix_domain postfix_etc_t:file read_file_perms;
-allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
-
-allow postfix_domain postfix_master_t:file read_file_perms;
-
-allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
-
-allow postfix_domain postfix_master_t:process sigchld;
-
-allow postfix_domain postfix_spool_t:dir list_dir_perms;
-
-manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
-files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
-
-kernel_read_system_state(postfix_domain)
-kernel_read_network_state(postfix_domain)
-kernel_read_all_sysctls(postfix_domain)
-
-dev_read_sysfs(postfix_domain)
-dev_read_rand(postfix_domain)
-dev_read_urand(postfix_domain)
-
-fs_search_auto_mountpoints(postfix_domain)
-fs_getattr_all_fs(postfix_domain)
-fs_rw_anon_inodefs_files(postfix_domain)
-
-term_dontaudit_use_console(postfix_domain)
-
-corecmd_exec_shell(postfix_domain)
-
-files_read_etc_runtime_files(postfix_domain)
-files_read_usr_files(postfix_domain)
-files_search_spool(postfix_domain)
-files_getattr_tmp_dirs(postfix_domain)
-files_search_all_mountpoints(postfix_domain)
-
-init_dontaudit_use_fds(postfix_domain)
-init_sigchld(postfix_domain)
-
-logging_send_syslog_msg(postfix_domain)
-
-miscfiles_read_localization(postfix_domain)
-miscfiles_read_generic_certs(postfix_domain)
-
-userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
-
-optional_policy(`
- udev_read_db(postfix_domain)
-')
-
-########################################
-#
-# Common postfix server domain local policy
-#
-
-allow postfix_server_domain self:capability { setuid setgid dac_override };
-
-allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
-
-corenet_all_recvfrom_unlabeled(postfix_server_domain)
-corenet_all_recvfrom_netlabel(postfix_server_domain)
-corenet_tcp_sendrecv_generic_if(postfix_server_domain)
-corenet_tcp_sendrecv_generic_node(postfix_server_domain)
-
-corenet_sendrecv_all_client_packets(postfix_server_domain)
-corenet_tcp_connect_all_ports(postfix_server_domain)
-corenet_tcp_sendrecv_all_ports(postfix_server_domain)
-
-########################################
-#
-# Common postfix user domain local policy
-#
-
-allow postfix_user_domains self:capability dac_override;
-
-domain_use_interactive_fds(postfix_user_domains)
-
-########################################
-#
-# Master local policy
+# Postfix master process local policy
#
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
allow postfix_master_t self:capability2 block_suspend;
+
allow postfix_master_t self:process setrlimit;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
-allow postfix_master_t postfix_domain:fifo_file rw_fifo_file_perms;
-allow postfix_master_t postfix_domain:process signal;
-
allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
allow postfix_master_t postfix_etc_t:file rw_file_perms;
+mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
+
+can_exec(postfix_master_t, postfix_exec_t)
allow postfix_master_t postfix_data_t:dir manage_dir_perms;
allow postfix_master_t postfix_data_t:file manage_file_perms;
@@ -216,34 +130,32 @@ allow postfix_master_t postfix_keytab_t:file read_file_perms;
allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
-allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
+
+manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+
+domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
allow postfix_master_t postfix_prng_t:file rw_file_perms;
+manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+
+domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+
+# allow access to deferred queue and allow removing bogus incoming entries
manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_bounce_t, dir, "bounce")
manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
-
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
-manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private")
-
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t)
-manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
@@ -253,16 +165,8 @@ filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, d
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
+kernel_read_all_sysctls(postfix_master_t)
-can_exec(postfix_master_t, postfix_exec_t)
-
-domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
-
-corenet_all_recvfrom_unlabeled(postfix_master_t)
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
@@ -270,50 +174,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_all_unreserved_ports(postfix_master_t)
+corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
corenet_tcp_bind_generic_node(postfix_master_t)
-
-corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
-
-corenet_sendrecv_smtp_server_packets(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-
-corenet_sendrecv_spamd_server_packets(postfix_master_t)
-corenet_tcp_bind_spamd_port(postfix_master_t)
-
-corenet_sendrecv_all_client_packets(postfix_master_t)
corenet_tcp_connect_all_ports(postfix_master_t)
+corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
+corenet_sendrecv_smtp_server_packets(postfix_master_t)
+corenet_sendrecv_all_client_packets(postfix_master_t)
+# for spampd
+corenet_tcp_bind_spamd_port(postfix_master_t)
-# Can this be conditional?
-corenet_sendrecv_all_server_packets(postfix_master_t)
-corenet_udp_bind_all_unreserved_ports(postfix_master_t)
-corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
-
+# for a find command
selinux_dontaudit_search_fs(postfix_master_t)
+corecmd_exec_shell(postfix_master_t)
corecmd_exec_bin(postfix_master_t)
domain_use_interactive_fds(postfix_master_t)
+files_search_var_lib(postfix_master_t)
files_search_tmp(postfix_master_t)
-mcs_file_read_all(postfix_master_t)
-
term_dontaudit_search_ptys(postfix_master_t)
-miscfiles_read_man_pages(postfix_master_t)
-
seutil_sigchld_newrole(postfix_master_t)
-seutil_dontaudit_search_config(postfix_master_t)
-mta_manage_aliases(postfix_master_t)
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases")
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db")
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp")
-mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
+mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
mta_getattr_spool(postfix_master_t)
+ifdef(`distro_redhat',`
+ # for newer main.cf that uses /etc/aliases
+ mta_manage_aliases(postfix_master_t)
+ mta_etc_filetrans_aliases(postfix_master_t)
+')
+
optional_policy(`
cyrus_stream_connect(postfix_master_t)
')
@@ -324,14 +222,6 @@ optional_policy(`
')
optional_policy(`
- mailman_manage_data_files(postfix_master_t)
-')
-
-optional_policy(`
- mysql_stream_connect(postfix_master_t)
-')
-
-optional_policy(`
postgrey_search_spool(postfix_master_t)
')
@@ -341,12 +231,14 @@ optional_policy(`
########################################
#
-# Bounce local policy
+# Postfix bounce local policy
#
allow postfix_bounce_t self:capability dac_read_search;
+allow postfix_bounce_t self:tcp_socket create_socket_perms;
-write_sock_files_pattern(postfix_bounce_t, postfix_public_t, postfix_public_t)
+allow postfix_bounce_t postfix_public_t:sock_file write;
+allow postfix_bounce_t postfix_public_t:dir search_dir_perms;
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
@@ -363,37 +255,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
########################################
#
-# Cleanup local policy
+# Postfix cleanup local policy
#
allow postfix_cleanup_t self:process setrlimit;
-
allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
-allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
-
-allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
-allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
-allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+# connect to master process
stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
+allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
+allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
+allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
-corenet_sendrecv_kismet_client_packets(postfix_cleanup_t)
-corenet_tcp_connect_kismet_port(postfix_cleanup_t)
-corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
-
-mta_read_aliases(postfix_cleanup_t)
+# allow postfix to connect to sqlgrey
+corenet_tcp_connect_rtsclient_port(postfix_cleanup_t)
optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
@@ -401,36 +290,50 @@ optional_policy(`
########################################
#
-# Local local policy
+# Postfix local local policy
#
-allow postfix_local_t self:capability chown;
-allow postfix_local_t self:process setrlimit;
+allow postfix_local_t self:process { setsched setrlimit };
+# connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
+# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
-
-allow postfix_local_t postfix_spool_t:file rw_file_perms;
+rw_files_pattern(postfix_local_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+allow postfix_local_t postfix_spool_t:file rw_file_perms;
+
+corecmd_exec_shell(postfix_local_t)
corecmd_exec_bin(postfix_local_t)
logging_dontaudit_search_logs(postfix_local_t)
mta_delete_spool(postfix_local_t)
-mta_read_aliases(postfix_local_t)
-mta_read_config(postfix_local_t)
+# Handle vacation script
mta_send_mail(postfix_local_t)
+userdom_read_user_home_content_files(postfix_local_t)
+userdom_exec_user_bin_files(postfix_local_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files(postfix_local_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_exec_cifs_files(postfix_local_t)
+')
+
tunable_policy(`postfix_local_write_mail_spool',`
mta_manage_spool(postfix_local_t)
')
optional_policy(`
- clamav_search_lib(postfix_local_t)
- clamav_exec_clamscan(postfix_local_t)
+ antivirus_search_db(postfix_local_t)
+ antivirus_exec(postfix_local_t)
+ antivirus_stream_connect(postfix_domain)
')
optional_policy(`
@@ -442,6 +345,7 @@ optional_policy(`
')
optional_policy(`
+# for postalias
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
mailman_read_log(postfix_local_t)
@@ -452,6 +356,10 @@ optional_policy(`
')
optional_policy(`
+ openshift_search_lib(postfix_local_t)
+')
+
+optional_policy(`
procmail_domtrans(postfix_local_t)
')
@@ -466,15 +374,17 @@ optional_policy(`
########################################
#
-# Map local policy
+# Postfix map local policy
#
-
allow postfix_map_t self:capability { dac_override setgid setuid };
-allow postfix_map_t self:tcp_socket { accept listen };
+allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
+allow postfix_map_t self:unix_dgram_socket create_socket_perms;
+allow postfix_map_t self:tcp_socket create_stream_socket_perms;
+allow postfix_map_t self:udp_socket create_socket_perms;
-allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
-allow postfix_map_t postfix_etc_t:file manage_file_perms;
-allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
+manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
@@ -484,14 +394,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
-corenet_all_recvfrom_unlabeled(postfix_map_t)
corenet_all_recvfrom_netlabel(postfix_map_t)
corenet_tcp_sendrecv_generic_if(postfix_map_t)
+corenet_udp_sendrecv_generic_if(postfix_map_t)
corenet_tcp_sendrecv_generic_node(postfix_map_t)
-
-corenet_sendrecv_all_client_packets(postfix_map_t)
-corenet_tcp_connect_all_ports(postfix_map_t)
+corenet_udp_sendrecv_generic_node(postfix_map_t)
corenet_tcp_sendrecv_all_ports(postfix_map_t)
+corenet_udp_sendrecv_all_ports(postfix_map_t)
+corenet_tcp_connect_all_ports(postfix_map_t)
+corenet_sendrecv_all_client_packets(postfix_map_t)
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
@@ -500,7 +411,6 @@ corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
-files_read_usr_files(postfix_map_t)
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
@@ -508,21 +418,22 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
-miscfiles_read_localization(postfix_map_t)
-
optional_policy(`
locallogin_dontaudit_use_fds(postfix_map_t)
')
optional_policy(`
+# for postalias
mailman_manage_data_files(postfix_map_t)
')
########################################
#
-# Pickup local policy
+# Postfix pickup local policy
#
+allow postfix_pickup_t self:tcp_socket create_socket_perms;
+
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -532,16 +443,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
+postfix_list_spool(postfix_pickup_t)
+
allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-mcs_file_read_all(postfix_pickup_t)
-mcs_file_write_all(postfix_pickup_t)
-
########################################
#
-# Pipe local policy
+# Postfix pipe local policy
#
allow postfix_pipe_t self:process setrlimit;
@@ -584,19 +494,26 @@ optional_policy(`
########################################
#
-# Postdrop local policy
+# Postfix postdrop local policy
#
+# usually it does not need a UDP socket
allow postfix_postdrop_t self:capability sys_resource;
+allow postfix_postdrop_t self:tcp_socket create;
+allow postfix_postdrop_t self:udp_socket create_socket_perms;
+
+# Might be a leak, but I need a postfix expert to explain
+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto;
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+postfix_list_spool(postfix_postdrop_t)
manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
-
-mcs_file_read_all(postfix_postdrop_t)
-mcs_file_write_all(postfix_postdrop_t)
+corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
+corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
@@ -611,10 +528,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
-optional_policy(`
- fail2ban_dontaudit_use_fds(postfix_postdrop_t)
-')
-
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
@@ -629,17 +543,24 @@ optional_policy(`
#######################################
#
-# Postqueue local policy
+# Postfix postqueue local policy
#
+allow postfix_postqueue_t self:capability2 block_suspend;
+allow postfix_postqueue_t self:tcp_socket create;
+allow postfix_postqueue_t self:udp_socket { create ioctl };
+
+# wants to write to /var/spool/postfix/public/showq
stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t)
+# write to /var/spool/postfix/public/qmgr
write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t)
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
-term_use_all_ptys(postfix_postqueue_t)
-term_use_all_ttys(postfix_postqueue_t)
+# to write the mailq output, it really should not need read access!
+term_use_all_inherited_ptys(postfix_postqueue_t)
+term_use_all_inherited_ttys(postfix_postqueue_t)
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -655,69 +576,78 @@ optional_policy(`
########################################
#
-# Qmgr local policy
+# Postfix qmgr local policy
#
-allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
-
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-
+# for /var/spool/postfix/active
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
corecmd_exec_bin(postfix_qmgr_t)
########################################
#
-# Showq local policy
+# Postfix showq local policy
#
allow postfix_showq_t self:capability { setuid setgid };
+allow postfix_showq_t self:tcp_socket create_socket_perms;
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
+allow postfix_showq_t postfix_spool_t:file read_file_perms;
+
+postfix_list_spool(postfix_showq_t)
+
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-allow postfix_showq_t postfix_spool_t:file read_file_perms;
-
-mcs_file_read_all(postfix_showq_t)
-
+# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
term_use_all_ttys(postfix_showq_t)
########################################
#
-# Smtp delivery local policy
+# Postfix smtp delivery local policy
#
+# connect to master process
allow postfix_smtp_t self:capability sys_chroot;
-
stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
-allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms;
+allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+
+allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
corenet_tcp_bind_generic_node(postfix_smtp_t)
+# for spampd
+corenet_tcp_connect_spamd_port(postfix_master_t)
+
+files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
')
optional_policy(`
- dovecot_stream_connect(postfix_smtp_t)
+ dovecot_stream_connect(postfix_smtp_t)
')
optional_policy(`
@@ -730,29 +660,30 @@ optional_policy(`
########################################
#
-# Smtpd local policy
+# Postfix smtpd local policy
#
-
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
+# connect to master process
stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+# Connect to policy server
+corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+
+# for prng_exch
manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
-corenet_sendrecv_postfix_policyd_client_packets(postfix_smtpd_t)
-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
-corenet_tcp_sendrecv_postfix_policyd_port(postfix_smtpd_t)
-
corecmd_exec_bin(postfix_smtpd_t)
+# for OpenSSL certificates
+
+# postfix checks the size of all mounted file systems
fs_getattr_all_dirs(postfix_smtpd_t)
fs_getattr_all_fs(postfix_smtpd_t)
-mta_read_aliases(postfix_smtpd_t)
-
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
dovecot_stream_connect(postfix_smtpd_t)
@@ -764,6 +695,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
+ spamassassin_read_pid_files(postfix_smtpd_t)
')
optional_policy(`
@@ -774,31 +706,100 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
-optional_policy(`
- spamassassin_read_spamd_pid_files(postfix_smtpd_t)
- spamassassin_stream_connect_spamd(postfix_smtpd_t)
-')
-
########################################
#
-# Virtual local policy
+# Postfix virtual local policy
#
-allow postfix_virtual_t self:process setrlimit;
+allow postfix_virtual_t self:process { setsched setrlimit };
-allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
+manage_files_pattern(postfix_virtual_t, postfix_spool_t, postfix_spool_t)
+# connect to master process
stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+corecmd_exec_shell(postfix_virtual_t)
corecmd_exec_bin(postfix_virtual_t)
-mta_read_aliases(postfix_virtual_t)
mta_delete_spool(postfix_virtual_t)
-mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
userdom_manage_user_home_dirs(postfix_virtual_t)
-userdom_manage_user_home_content_dirs(postfix_virtual_t)
-userdom_manage_user_home_content_files(postfix_virtual_t)
-userdom_home_filetrans_user_home_dir(postfix_virtual_t)
-userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_filetrans_home_content(postfix_virtual_t)
+
+########################################
+#
+# postfix_domain common policy
+#
+allow postfix_domain self:capability { sys_nice sys_chroot };
+dontaudit postfix_domain self:capability sys_tty_config;
+allow postfix_domain self:process { signal_perms setpgid setsched };
+allow postfix_domain self:unix_dgram_socket create_socket_perms;
+allow postfix_domain self:unix_stream_socket create_stream_socket_perms;
+allow postfix_domain self:unix_stream_socket connectto;
+allow postfix_domain self:fifo_file rw_fifo_file_perms;
+
+allow postfix_master_t postfix_domain:fifo_file { read write };
+allow postfix_master_t postfix_domain:process signal;
+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
+allow postfix_domain postfix_master_t:file read;
+allow postfix_domain postfix_etc_t:dir list_dir_perms;
+read_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t)
+read_lnk_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t)
+
+allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
+
+allow postfix_domain postfix_master_t:process sigchld;
+
+allow postfix_domain postfix_spool_t:dir list_dir_perms;
+
+manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
+files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
+
+kernel_read_network_state(postfix_domain)
+kernel_read_all_sysctls(postfix_domain)
+
+dev_read_sysfs(postfix_domain)
+dev_read_rand(postfix_domain)
+dev_read_urand(postfix_domain)
+
+fs_search_auto_mountpoints(postfix_domain)
+fs_getattr_xattr_fs(postfix_domain)
+fs_rw_anon_inodefs_files(postfix_domain)
+
+term_dontaudit_use_console(postfix_domain)
+
+corecmd_exec_shell(postfix_domain)
+corecmd_getattr_all_executables(postfix_domain)
+
+files_read_etc_runtime_files(postfix_domain)
+files_read_usr_symlinks(postfix_domain)
+files_search_spool(postfix_domain)
+files_list_tmp(postfix_domain)
+files_search_all_mountpoints(postfix_domain)
+
+init_dontaudit_use_fds(postfix_domain)
+init_sigchld(postfix_domain)
+init_dontaudit_rw_stream_socket(postfix_domain)
+
+# For reading spamassasin
+mta_read_config(postfix_domain)
+mta_read_aliases(postfix_domain)
+
+miscfiles_read_generic_certs(postfix_domain)
+
+userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
+
+optional_policy(`
+ mysql_stream_connect(postfix_domain)
+')
+
+optional_policy(`
+ spamd_stream_connect(postfix_domain)
+ spamassassin_domtrans_client(postfix_domain)
+')
+
+optional_policy(`
+ udev_read_db(postfix_domain)
+')
diff --git a/postfixpolicyd.if b/postfixpolicyd.if
index 5de8173..985b877 100644
--- a/postfixpolicyd.if
+++ b/postfixpolicyd.if
@@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',`
type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
')
- allow $1 postfix_policyd_t:process { ptrace signal_perms };
+ allow $1 postfix_policyd_t:process signal_perms;
ps_process_pattern($1, postfix_policyd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 postfix_policyd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/postfixpolicyd.te b/postfixpolicyd.te
index ea1582a..0c1a059 100644
--- a/postfixpolicyd.te
+++ b/postfixpolicyd.te
@@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
-corenet_all_recvfrom_unlabeled(postfix_policyd_t)
corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
corenet_tcp_bind_generic_node(postfix_policyd_t)
@@ -47,11 +46,7 @@ corenet_sendrecv_mysqld_server_packets(postfix_policyd_t)
corenet_tcp_bind_mysqld_port(postfix_policyd_t)
corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t)
-files_read_etc_files(postfix_policyd_t)
-files_read_usr_files(postfix_policyd_t)
logging_send_syslog_msg(postfix_policyd_t)
-miscfiles_read_localization(postfix_policyd_t)
-
sysnet_dns_name_resolve(postfix_policyd_t)
diff --git a/postgrey.if b/postgrey.if
index b9e71b5..a7502cd 100644
--- a/postgrey.if
+++ b/postgrey.if
@@ -16,9 +16,9 @@ interface(`postgrey_stream_connect',`
type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
')
+ stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
files_search_pids($1)
files_search_spool($1)
- stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
')
########################################
@@ -59,14 +59,17 @@ interface(`postgrey_search_spool',`
#
interface(`postgrey_admin',`
gen_require(`
- type postgrey_t, postgrey_etc_t, postgrey_spool_t;
- type postgrey_var_lib_t, postgrey_var_run_t;
- type postgrey_initrc_exec_t;
+ type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
+ type postgrey_spool_t, postgrey_var_lib_t, postgrey_var_run_t;
')
- allow $1 postgrey_t:process { ptrace signal_perms };
+ allow $1 postgrey_t:process signal_perms;
ps_process_pattern($1, postgrey_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 postgrey_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 postgrey_initrc_exec_t system_r;
diff --git a/postgrey.te b/postgrey.te
index fd58805..3b2474d 100644
--- a/postgrey.te
+++ b/postgrey.te
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
init_script_file(postgrey_initrc_exec_t)
type postgrey_spool_t;
-files_type(postgrey_spool_t)
+files_spool_file(postgrey_spool_t)
type postgrey_var_lib_t;
files_type(postgrey_var_lib_t)
@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(postgrey_t)
corecmd_search_bin(postgrey_t)
-corenet_all_recvfrom_unlabeled(postgrey_t)
corenet_all_recvfrom_netlabel(postgrey_t)
corenet_tcp_sendrecv_generic_if(postgrey_t)
corenet_tcp_sendrecv_generic_node(postgrey_t)
@@ -72,17 +71,15 @@ dev_read_sysfs(postgrey_t)
domain_use_interactive_fds(postgrey_t)
-files_read_etc_files(postgrey_t)
files_read_etc_runtime_files(postgrey_t)
-files_read_usr_files(postgrey_t)
files_getattr_tmp_dirs(postgrey_t)
fs_getattr_all_fs(postgrey_t)
fs_search_auto_mountpoints(postgrey_t)
-logging_send_syslog_msg(postgrey_t)
+auth_read_passwd(postgrey_t)
-miscfiles_read_localization(postgrey_t)
+logging_send_syslog_msg(postgrey_t)
sysnet_read_config(postgrey_t)
diff --git a/ppp.fc b/ppp.fc
index efcb653..ff2c96a 100644
--- a/ppp.fc
+++ b/ppp.fc
@@ -1,30 +1,45 @@
-HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
+#
+# /etc
+#
+/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
+/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
+/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+# Fix /etc/ppp {up,down} family scripts (see man pppd)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
-/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
-/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
-/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
-/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+#
+# /sbin
+#
+/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)
-
-/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
-/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
-/var/log/pptp.* -- gen_context(system_u:object_r:pptp_log_t,s0)
+#
+# /usr
+#
+/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+#
+# /var
+#
/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
-/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
-/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
+# Fix pptp sockets
+/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+
+/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)
+
+/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0)
diff --git a/ppp.if b/ppp.if
index cd8b8b9..6c73980 100644
--- a/ppp.if
+++ b/ppp.if
@@ -1,110 +1,91 @@
-## Point to Point Protocol daemon creates links in ppp networks.
+## Point to Point Protocol daemon creates links in ppp networks
-########################################
+#######################################
##
-## Role access for ppp.
+## Create, read, write, and delete
+## ppp home files.
##
-##
-##
-## Role allowed access.
-##
-##
##
-##
-## User domain for the role.
-##
-##
-#
-interface(`ppp_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-##
-## Create, read, write, and delete
-## ppp home files.
-##
-##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`ppp_manage_home_files',`
- gen_require(`
- type ppp_home_t;
- ')
+ gen_require(`
+ type ppp_home_t;
+ ')
- userdom_search_user_home_dirs($1)
- allow $1 ppp_home_t:file manage_file_perms;
+ userdom_search_user_home_dirs($1)
+ allow $1 ppp_home_t:file manage_file_perms;
')
-########################################
+#######################################
##
-## Read ppp user home content files.
+## Read ppp user home content files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`ppp_read_home_files',`
- gen_require(`
- type ppp_home_t;
+ gen_require(`
+ type ppp_home_t;
- ')
+ ')
- userdom_search_user_home_dirs($1)
- allow $1 ppp_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+ allow $1 ppp_home_t:file read_file_perms;
')
-########################################
+#######################################
##
-## Relabel ppp home files.
+## Relabel ppp home files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`ppp_relabel_home_files',`
- gen_require(`
- type ppp_home_t;
- ')
+ gen_require(`
+ type ppp_home_t;
+ ')
- userdom_search_user_home_dirs($1)
- allow $1 ppp_home_t:file relabel_file_perms;
+ userdom_search_user_home_dirs($1)
+ allow $1 ppp_home_t:file relabel_file_perms;
')
-########################################
+#######################################
##
-## Create objects in user home
-## directories with the ppp home type.
+## Create objects in user home
+## directories with the ppp home type.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
##
-##
-## Class of the object being created.
-##
+##
+## Class of the object being created.
+##
##
##
-##
-## The name of the object being created.
-##
+##
+## The name of the object being created.
+##
##
#
interface(`ppp_home_filetrans_ppp_home',`
- gen_require(`
- type ppp_home_t;
- ')
+ gen_require(`
+ type ppp_home_t;
+ ')
- userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3)
+ userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3)
')
########################################
@@ -128,7 +109,7 @@ interface(`ppp_use_fds',`
########################################
##
## Do not audit attempts to inherit
-## and use ppp file discriptors.
+## and use PPP file discriptors.
##
##
##
@@ -146,7 +127,7 @@ interface(`ppp_dontaudit_use_fds',`
########################################
##
-## Send child terminated signals to ppp.
+## Send a SIGCHLD signal to PPP.
##
##
##
@@ -165,7 +146,7 @@ interface(`ppp_sigchld',`
########################################
##
-## Send kill signals to ppp.
+## Send ppp a kill signal
##
##
##
@@ -173,7 +154,6 @@ interface(`ppp_sigchld',`
##
##
#
-#
interface(`ppp_kill',`
gen_require(`
type pppd_t;
@@ -184,7 +164,7 @@ interface(`ppp_kill',`
########################################
##
-## Send generic signals to ppp.
+## Send a generic signal to PPP.
##
##
##
@@ -202,7 +182,7 @@ interface(`ppp_signal',`
########################################
##
-## Send null signals to ppp.
+## Send a generic signull to PPP.
##
##
##
@@ -220,7 +200,7 @@ interface(`ppp_signull',`
########################################
##
-## Execute pppd in the pppd domain.
+## Execute domain in the ppp domain.
##
##
##
@@ -239,8 +219,7 @@ interface(`ppp_domtrans',`
########################################
##
-## Conditionally execute pppd on
-## behalf of a user or staff type.
+## Conditionally execute ppp daemon on behalf of a user or staff type.
##
##
##
@@ -249,7 +228,7 @@ interface(`ppp_domtrans',`
##
##
##
-## Role allowed access.
+## The role to allow the ppp domain.
##
##
##
@@ -268,8 +247,7 @@ interface(`ppp_run_cond',`
########################################
##
-## Unconditionally execute ppp daemon
-## on behalf of a user or staff type.
+## Unconditionally execute ppp daemon on behalf of a user or staff type.
##
##
##
@@ -278,7 +256,7 @@ interface(`ppp_run_cond',`
##
##
##
-## Role allowed access.
+## The role to allow the ppp domain.
##
##
##
@@ -294,7 +272,7 @@ interface(`ppp_run',`
########################################
##
-## Execute domain in the caller domain.
+## Execute domain in the ppp caller.
##
##
##
@@ -326,13 +304,13 @@ interface(`ppp_read_config',`
type pppd_etc_t;
')
- files_search_etc($1)
read_files_pattern($1, pppd_etc_t, pppd_etc_t)
+ files_search_etc($1)
')
########################################
##
-## Read ppp writable configuration content.
+## Read PPP-writable configuration files.
##
##
##
@@ -345,15 +323,14 @@ interface(`ppp_read_rw_config',`
type pppd_etc_t, pppd_etc_rw_t;
')
- files_search_etc($1)
- allow $1 { pppd_etc_t pppd_etc_rw_t }:dir list_dir_perms;
+ allow $1 pppd_etc_t:dir list_dir_perms;
allow $1 pppd_etc_rw_t:file read_file_perms;
- allow $1 { pppd_etc_t pppd_etc_rw_t }:lnk_file read_lnk_file_perms;
+ files_search_etc($1)
')
########################################
##
-## Read ppp secret files.
+## Read PPP secrets.
##
##
##
@@ -366,15 +343,14 @@ interface(`ppp_read_secrets',`
type pppd_etc_t, pppd_secret_t;
')
- files_search_etc($1)
allow $1 pppd_etc_t:dir list_dir_perms;
allow $1 pppd_secret_t:file read_file_perms;
- allow $1 pppd_etc_t:lnk_file read_lnk_file_perms;
+ files_search_etc($1)
')
########################################
##
-## Read ppp pid files.
+## Read PPP pid files.
##
##
##
@@ -388,13 +364,12 @@ interface(`ppp_read_pid_files',`
')
files_search_pids($1)
- allow $1 pppd_var_run_t:file read_file_perms;
+ read_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
')
########################################
##
-## Create, read, write, and delete
-## ppp pid files.
+## Create, read, write, and delete PPP pid files.
##
##
##
@@ -408,42 +383,30 @@ interface(`ppp_manage_pid_files',`
')
files_search_pids($1)
- allow $1 pppd_var_run_t:file manage_file_perms;
+ manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
')
########################################
##
-## Create specified pppd pid objects
-## with a type transition.
+## Create, read, write, and delete PPP pid files.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
#
interface(`ppp_pid_filetrans',`
gen_require(`
type pppd_var_run_t;
')
- files_pid_filetrans($1, pppd_var_run_t, $2, $3)
+ files_pid_filetrans($1, pppd_var_run_t, file)
')
########################################
##
-## Execute pppd init script in
-## the initrc domain.
+## Execute ppp server in the ntpd domain.
##
##
##
@@ -461,31 +424,62 @@ interface(`ppp_initrc_domtrans',`
########################################
##
-## All of the rules required to
-## administrate an ppp environment.
+## Execute pppd server in the pppd domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
-##
+#
+interface(`ppp_systemctl',`
+ gen_require(`
+ type pppd_unit_file_t;
+ type pppd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 pppd_unit_file_t:file read_file_perms;
+ allow $1 pppd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, pppd_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an ppp environment
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
+##
+##
+## Role allowed access.
+##
+##
##
#
interface(`ppp_admin',`
gen_require(`
type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
- type pppd_etc_t, pppd_secret_t, pppd_etc_rw_t;
- type pppd_var_run_t, pppd_initrc_exec_t;
+ type pppd_etc_t, pppd_secret_t, pppd_var_run_t;
type pptp_t, pptp_log_t, pptp_var_run_t;
+ type pppd_initrc_exec_t, pppd_etc_rw_t;
+ type pppd_unit_file_t;
+ ')
+
+ allow $1 pppd_t:process signal_perms;
+ ps_process_pattern($1, pppd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pppd_t:process ptrace;
+ allow $1 pptp_t:process ptrace;
')
- allow $1 { pptp_t pppd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { pptp_t pppd_t })
+ allow $1 pptp_t:process signal_perms;
+ ps_process_pattern($1, pptp_t)
ppp_initrc_domtrans($1)
domain_system_change_exemption($1)
@@ -496,14 +490,26 @@ interface(`ppp_admin',`
admin_pattern($1, pppd_tmp_t)
logging_list_logs($1)
- admin_pattern($1, { pptp_log_t pppd_log_t })
+ admin_pattern($1, pppd_log_t)
files_list_locks($1)
admin_pattern($1, pppd_lock_t)
files_list_etc($1)
- admin_pattern($1, { pppd_etc_rw_t pppd_secret_t pppd_etc_t })
+ admin_pattern($1, pppd_etc_t)
+
+ admin_pattern($1, pppd_etc_rw_t)
+
+ admin_pattern($1, pppd_secret_t)
files_list_pids($1)
- admin_pattern($1, { pptp_var_run_t pppd_var_run_t })
+ admin_pattern($1, pppd_var_run_t)
+
+ admin_pattern($1, pptp_log_t)
+
+ admin_pattern($1, pptp_var_run_t)
+
+ ppp_systemctl($1)
+ admin_pattern($1, pppd_unit_file_t)
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
index d616ca3..fd72341 100644
--- a/ppp.te
+++ b/ppp.te
@@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
#
##
-##
-## Determine whether pppd can
-## load kernel modules.
-##
+##
+## Allow pppd to load kernel modules for certain modems
+##
##
gen_tunable(pppd_can_insmod, false)
##
-##
-## Determine whether common users can
-## run pppd with a domain transition.
-##
+##
+## Allow pppd to be run for a regular user
+##
##
gen_tunable(pppd_for_user, false)
attribute_role pppd_roles;
-attribute_role pptp_roles;
+# pppd_t is the domain for the pppd program.
+# pppd_exec_t is the type of the pppd executable.
type pppd_t;
type pppd_exec_t;
init_daemon_domain(pppd_t, pppd_exec_t)
role pppd_roles types pppd_t;
+role system_r types pppd_t;
type pppd_devpts_t;
term_pty(pppd_devpts_t)
+# Define a separate type for /etc/ppp
type pppd_etc_t;
files_config_file(pppd_etc_t)
+# Define a separate type for writable files under /etc/ppp
type pppd_etc_rw_t;
files_type(pppd_etc_rw_t)
type pppd_initrc_exec_t alias pppd_script_exec_t;
init_script_file(pppd_initrc_exec_t)
+type pppd_unit_file_t;
+systemd_unit_file(pppd_unit_file_t)
+
+# pppd_secret_t is the type of the pap and chap password files
type pppd_secret_t;
files_type(pppd_secret_t)
@@ -59,7 +65,8 @@ files_pid_file(pppd_var_run_t)
type pptp_t;
type pptp_exec_t;
init_daemon_domain(pptp_t, pptp_exec_t)
-role pptp_roles types pptp_t;
+#role pppd_roles types pptp_t;
+role system_r types pptp_t;
type pptp_log_t;
logging_log_file(pptp_log_t)
@@ -67,54 +74,57 @@ logging_log_file(pptp_log_t)
type pptp_var_run_t;
files_pid_file(pptp_var_run_t)
-type ppp_home_t;
-userdom_user_home_content(ppp_home_t)
-
########################################
#
-# PPPD local policy
+# PPPD Local policy
#
allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
dontaudit pppd_t self:capability sys_tty_config;
-allow pppd_t self:process { getsched setsched signal };
+allow pppd_t self:process { getsched setsched signal_perms };
allow pppd_t self:fifo_file rw_fifo_file_perms;
allow pppd_t self:socket create_socket_perms;
-allow pppd_t self:netlink_route_socket nlmsg_write;
-allow pppd_t self:tcp_socket { accept listen };
+allow pppd_t self:unix_dgram_socket create_socket_perms;
+allow pppd_t self:unix_stream_socket create_socket_perms;
+allow pppd_t self:netlink_route_socket rw_netlink_socket_perms;
+allow pppd_t self:tcp_socket create_stream_socket_perms;
+allow pppd_t self:udp_socket { connect connected_socket_perms };
allow pppd_t self:packet_socket create_socket_perms;
+domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
+
allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
allow pppd_t pppd_etc_t:dir rw_dir_perms;
-allow pppd_t { pppd_etc_t ppp_home_t }:file read_file_perms;
+allow pppd_t pppd_etc_t:file read_file_perms;
allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
+# Automatically label newly created files under /etc/ppp with this type
filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
-allow pppd_t pppd_lock_t:file manage_file_perms;
-files_lock_filetrans(pppd_t, pppd_lock_t, file)
+manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
+files_search_locks(pppd_t)
-allow pppd_t pppd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
logging_log_filetrans(pppd_t, pppd_log_t, file)
manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
-files_tmp_filetrans(pppd_t, pppd_tmp_t, { dir file})
+files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })
-can_exec(pppd_t, pppd_exec_t)
-
-domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
-
allow pppd_t pptp_t:process signal;
+# for SSP
+# Access secret files
allow pppd_t pppd_secret_t:file read_file_perms;
+ppp_initrc_domtrans(pppd_t)
+
kernel_read_kernel_sysctls(pppd_t)
kernel_read_system_state(pppd_t)
kernel_rw_net_sysctls(pppd_t)
@@ -122,10 +132,10 @@ kernel_read_network_state(pppd_t)
kernel_request_load_module(pppd_t)
dev_read_urand(pppd_t)
+dev_search_sysfs(pppd_t)
dev_read_sysfs(pppd_t)
dev_rw_modem(pppd_t)
-corenet_all_recvfrom_unlabeled(pppd_t)
corenet_all_recvfrom_netlabel(pppd_t)
corenet_tcp_sendrecv_generic_if(pppd_t)
corenet_raw_sendrecv_generic_if(pppd_t)
@@ -135,9 +145,21 @@ corenet_raw_sendrecv_generic_node(pppd_t)
corenet_udp_sendrecv_generic_node(pppd_t)
corenet_tcp_sendrecv_all_ports(pppd_t)
corenet_udp_sendrecv_all_ports(pppd_t)
-
+# Access /dev/ppp.
corenet_rw_ppp_dev(pppd_t)
+fs_getattr_all_fs(pppd_t)
+fs_search_auto_mountpoints(pppd_t)
+
+term_use_unallocated_ttys(pppd_t)
+term_use_usb_ttys(pppd_t)
+term_setattr_unallocated_ttys(pppd_t)
+term_ioctl_generic_ptys(pppd_t)
+# for pppoe
+term_create_pty(pppd_t, pppd_devpts_t)
+term_use_generic_ptys(pppd_t)
+
+# allow running ip-up and ip-down scripts and running chat.
corecmd_exec_bin(pppd_t)
corecmd_exec_shell(pppd_t)
@@ -147,36 +169,31 @@ files_exec_etc_files(pppd_t)
files_manage_etc_runtime_files(pppd_t)
files_dontaudit_write_etc_files(pppd_t)
-fs_getattr_all_fs(pppd_t)
-fs_search_auto_mountpoints(pppd_t)
+# for scripts
-term_use_unallocated_ttys(pppd_t)
-term_setattr_unallocated_ttys(pppd_t)
-term_ioctl_generic_ptys(pppd_t)
-term_create_pty(pppd_t, pppd_devpts_t)
-term_use_generic_ptys(pppd_t)
-
-init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t)
init_read_utmp(pppd_t)
-init_signal_script(pppd_t)
init_dontaudit_write_utmp(pppd_t)
+init_signal_script(pppd_t)
-auth_run_chk_passwd(pppd_t, pppd_roles)
auth_use_nsswitch(pppd_t)
+auth_domtrans_chk_passwd(pppd_t)
+#auth_run_chk_passwd(pppd_t,pppd_roles)
auth_write_login_records(pppd_t)
logging_send_syslog_msg(pppd_t)
logging_send_audit_msgs(pppd_t)
-miscfiles_read_localization(pppd_t)
-
sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)
+sysnet_filetrans_config_fromdir(pppd_t, pppd_var_run_t, file, "resolv.conf")
-userdom_use_user_terminals(pppd_t)
+userdom_use_inherited_user_terminals(pppd_t)
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
userdom_search_user_home_dirs(pppd_t)
+userdom_search_admin_dir(pppd_t)
+
+ppp_exec(pppd_t)
optional_policy(`
ddclient_run(pppd_t, pppd_roles)
@@ -186,11 +203,13 @@ optional_policy(`
l2tpd_dgram_send(pppd_t)
l2tpd_rw_socket(pppd_t)
l2tpd_stream_connect(pppd_t)
+ l2tpd_read_pid_files(pppd_t)
+ l2tpd_dbus_chat(pppd_t)
')
optional_policy(`
tunable_policy(`pppd_can_insmod',`
- modutils_domtrans_insmod(pppd_t)
+ modutils_domtrans_insmod_uncond(pppd_t)
')
')
@@ -218,16 +237,19 @@ optional_policy(`
########################################
#
-# PPTP local policy
+# PPTP Local policy
#
allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin };
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:process signal;
allow pptp_t self:fifo_file rw_fifo_file_perms;
-allow pptp_t self:unix_stream_socket { accept connectto listen };
+allow pptp_t self:unix_dgram_socket create_socket_perms;
+allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow pptp_t self:rawip_socket create_socket_perms;
-allow pptp_t self:netlink_route_socket nlmsg_write;
+allow pptp_t self:tcp_socket create_socket_perms;
+allow pptp_t self:udp_socket create_socket_perms;
+allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
@@ -236,45 +258,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
+can_exec(pptp_t, pppd_etc_rw_t)
+# Allow pptp to append to pppd log files
allow pptp_t pppd_log_t:file append_file_perms;
-allow pptp_t pptp_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
+manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
-files_pid_filetrans(pptp_t, pptp_var_run_t, file)
-
-can_exec(pptp_t, pppd_etc_rw_t)
+files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir })
+kernel_list_proc(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
kernel_read_network_state(pptp_t)
+kernel_read_proc_symlinks(pptp_t)
kernel_read_system_state(pptp_t)
kernel_signal(pptp_t)
+dev_read_sysfs(pptp_t)
+
corecmd_exec_shell(pptp_t)
corecmd_read_bin_symlinks(pptp_t)
-corenet_all_recvfrom_unlabeled(pptp_t)
corenet_all_recvfrom_netlabel(pptp_t)
corenet_tcp_sendrecv_generic_if(pptp_t)
corenet_raw_sendrecv_generic_if(pptp_t)
corenet_tcp_sendrecv_generic_node(pptp_t)
corenet_raw_sendrecv_generic_node(pptp_t)
corenet_tcp_sendrecv_all_ports(pptp_t)
-
-corenet_tcp_connect_all_reserved_ports(pptp_t)
+corenet_tcp_bind_generic_node(pptp_t)
corenet_tcp_connect_generic_port(pptp_t)
+corenet_tcp_connect_all_reserved_ports(pptp_t)
corenet_sendrecv_generic_client_packets(pptp_t)
-
-corenet_sendrecv_pptp_client_packets(pptp_t)
corenet_tcp_connect_pptp_port(pptp_t)
-dev_read_sysfs(pptp_t)
-
-domain_use_interactive_fds(pptp_t)
-
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
@@ -282,12 +302,12 @@ term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)
+domain_use_interactive_fds(pptp_t)
+
auth_use_nsswitch(pptp_t)
logging_send_syslog_msg(pptp_t)
-miscfiles_read_localization(pptp_t)
-
sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
@@ -299,6 +319,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(pppd_t)
+')
+
+optional_policy(`
dbus_system_domain(pppd_t, pppd_exec_t)
optional_policy(`
diff --git a/prelink.fc b/prelink.fc
index a90d623..62af9a4 100644
--- a/prelink.fc
+++ b/prelink.fc
@@ -1,11 +1,11 @@
/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
-/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
+/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
-/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0)
-/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
-/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
-/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
+/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
+/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
diff --git a/prelink.if b/prelink.if
index 20d4697..e6605c1 100644
--- a/prelink.if
+++ b/prelink.if
@@ -2,7 +2,7 @@
########################################
##
-## Execute prelink in the prelink domain.
+## Execute the prelink program in the prelink domain.
##
##
##
@@ -18,15 +18,15 @@ interface(`prelink_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, prelink_exec_t, prelink_t)
- ifdef(`hide_broken_symptoms',`
+ ifdef(`hide_broken_symptoms', `
dontaudit prelink_t $1:socket_class_set { read write };
- dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms;
+ dontaudit prelink_t $1:fifo_file setattr;
')
')
########################################
##
-## Execute prelink in the caller domain.
+## Execute the prelink program in the current domain.
##
##
##
@@ -45,9 +45,7 @@ interface(`prelink_exec',`
########################################
##
-## Execute prelink in the prelink
-## domain, and allow the specified role
-## the prelink domain.
+## Execute the prelink program in the prelink domain.
##
##
##
@@ -56,18 +54,18 @@ interface(`prelink_exec',`
##
##
##
-## Role allowed access.
+## The role to allow the prelink domain.
##
##
##
#
interface(`prelink_run',`
gen_require(`
- attribute_role prelink_roles;
+ type prelink_t;
')
prelink_domtrans($1)
- roleattribute $2 prelink_roles;
+ role $2 types prelink_t;
')
########################################
@@ -80,6 +78,7 @@ interface(`prelink_run',`
##
##
#
+# cjp: added for misc non-entrypoint objects
interface(`prelink_object_file',`
gen_require(`
attribute prelink_object;
@@ -90,7 +89,7 @@ interface(`prelink_object_file',`
########################################
##
-## Read prelink cache files.
+## Read the prelink cache.
##
##
##
@@ -109,7 +108,7 @@ interface(`prelink_read_cache',`
########################################
##
-## Delete prelink cache files.
+## Delete the prelink cache.
##
##
##
@@ -122,8 +121,8 @@ interface(`prelink_delete_cache',`
type prelink_cache_t;
')
+ allow $1 prelink_cache_t:file unlink;
files_rw_etc_dirs($1)
- allow $1 prelink_cache_t:file delete_file_perms;
')
########################################
@@ -168,7 +167,7 @@ interface(`prelink_manage_lib',`
########################################
##
-## Relabel from prelink lib files.
+## Relabel from files in the /boot directory.
##
##
##
@@ -187,7 +186,7 @@ interface(`prelink_relabelfrom_lib',`
########################################
##
-## Relabel prelink lib files.
+## Relabel from files in the /boot directory.
##
##
##
@@ -203,3 +202,21 @@ interface(`prelink_relabel_lib',`
files_search_var_lib($1)
relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')
+
+########################################
+##
+## Transition to prelink named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelink_filetrans_named_content',`
+ gen_require(`
+ type prelink_cache_t;
+ ')
+
+ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
+')
diff --git a/prelink.te b/prelink.te
index 8e26216..d59dc50 100644
--- a/prelink.te
+++ b/prelink.te
@@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0)
attribute prelink_object;
-attribute_role prelink_roles;
-
type prelink_t;
type prelink_exec_t;
init_system_domain(prelink_t, prelink_exec_t)
domain_obj_id_change_exemption(prelink_t)
-role prelink_roles types prelink_t;
type prelink_cache_t;
files_type(prelink_cache_t)
@@ -47,24 +44,27 @@ allow prelink_t self:fifo_file rw_fifo_file_perms;
allow prelink_t prelink_cache_t:file manage_file_perms;
files_etc_filetrans(prelink_t, prelink_cache_t, file)
-allow prelink_t prelink_log_t:dir setattr_dir_perms;
+allow prelink_t prelink_log_t:dir setattr;
create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
logging_log_filetrans(prelink_t, prelink_log_t, file)
-allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod };
+allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
-allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod };
+allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
+files_search_var_lib(prelink_t)
-allow prelink_t prelink_object:file { manage_file_perms mmap_file_perms relabel_file_perms };
+# prelink misc objects that are not system
+# libraries or entrypoints
+allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
kernel_read_system_state(prelink_t)
kernel_read_kernel_sysctls(prelink_t)
@@ -75,25 +75,23 @@ corecmd_mmap_all_executables(prelink_t)
corecmd_read_bin_symlinks(prelink_t)
dev_read_urand(prelink_t)
+dev_getattr_all_chr_files(prelink_t)
-files_getattr_all_files(prelink_t)
files_list_all(prelink_t)
+files_getattr_all_files(prelink_t)
+files_write_non_security_dirs(prelink_t)
+files_read_etc_runtime_files(prelink_t)
+files_dontaudit_read_all_symlinks(prelink_t)
files_manage_usr_files(prelink_t)
files_manage_var_files(prelink_t)
-files_read_etc_files(prelink_t)
-files_read_etc_runtime_files(prelink_t)
files_relabelfrom_usr_files(prelink_t)
-files_search_var_lib(prelink_t)
-files_write_non_security_dirs(prelink_t)
-files_dontaudit_read_all_symlinks(prelink_t)
-fs_getattr_all_fs(prelink_t)
-fs_search_auto_mountpoints(prelink_t)
-
-selinux_get_enforce_mode(prelink_t)
+fs_getattr_xattr_fs(prelink_t)
storage_getattr_fixed_disk_dev(prelink_t)
+selinux_get_enforce_mode(prelink_t)
+
libs_exec_ld_so(prelink_t)
libs_legacy_use_shared_libs(prelink_t)
libs_manage_ld_so(prelink_t)
@@ -102,32 +100,16 @@ libs_manage_shared_libs(prelink_t)
libs_relabel_shared_libs(prelink_t)
libs_delete_lib_symlinks(prelink_t)
-miscfiles_read_localization(prelink_t)
-userdom_use_user_terminals(prelink_t)
-userdom_manage_user_home_content_files(prelink_t)
-# pending
-# userdom_relabel_user_home_content_files(prelink_t)
-# userdom_execmod_user_home_content_files(prelink_t)
+userdom_use_inherited_user_terminals(prelink_t)
+userdom_manage_user_home_content(prelink_t)
+userdom_relabel_user_home_files(prelink_t)
+userdom_execmod_user_home_files(prelink_t)
userdom_exec_user_home_content_files(prelink_t)
-ifdef(`hide_broken_symptoms',`
- miscfiles_read_man_pages(prelink_t)
+systemd_read_unit_files(prelink_t)
- optional_policy(`
- dbus_read_config(prelink_t)
- ')
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files(prelink_t)
- fs_manage_nfs_files(prelink_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_exec_cifs_files(prelink_t)
- fs_manage_cifs_files(prelink_t)
-')
+term_use_all_inherited_terms(prelink_t)
optional_policy(`
amanda_manage_lib(prelink_t)
@@ -138,11 +120,12 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_read_config(prelink_t)
gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
')
optional_policy(`
- mozilla_manage_plugin_rw_files(prelink_t)
+ mozilla_plugin_manage_rw_files(prelink_t)
')
optional_policy(`
@@ -155,17 +138,18 @@ optional_policy(`
########################################
#
-# Cron system local policy
+# Prelink Cron system Policy
#
optional_policy(`
allow prelink_cron_system_t self:capability setuid;
allow prelink_cron_system_t self:process { setsched setfscreate signal };
allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
- allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms;
+ allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
- allow prelink_cron_system_t prelink_cache_t:file delete_file_perms;
+ allow prelink_cron_system_t prelink_cache_t:file unlink;
+ files_delete_etc_dir_entry(prelink_cron_system_t)
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
@@ -174,7 +158,7 @@ optional_policy(`
manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
- allow prelink_cron_system_t prelink_var_lib_t:file relabel_file_perms;
+ allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };
kernel_read_system_state(prelink_cron_system_t)
@@ -184,23 +168,36 @@ optional_policy(`
dev_list_sysfs(prelink_cron_system_t)
dev_read_sysfs(prelink_cron_system_t)
- files_rw_etc_dirs(prelink_cron_system_t)
files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
+ files_search_var_lib(prelink_cron_system_t)
+ files_dontaudit_list_non_security(prelink_cron_system_t)
+
+ fs_search_cgroup_dirs(prelink_cron_system_t)
auth_use_nsswitch(prelink_cron_system_t)
init_telinit(prelink_cron_system_t)
init_exec(prelink_cron_system_t)
+ init_reload_services(prelink_cron_system_t)
libs_exec_ld_so(prelink_cron_system_t)
logging_search_logs(prelink_cron_system_t)
- miscfiles_read_localization(prelink_cron_system_t)
+ init_stream_connect(prelink_cron_system_t)
+
cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
+ userdom_dontaudit_list_admin_dir(prelink_cron_system_t)
+
optional_policy(`
rpm_read_db(prelink_cron_system_t)
')
')
+
+ifdef(`hide_broken_symptoms', `
+ optional_policy(`
+ dbus_read_config(prelink_t)
+ ')
+')
diff --git a/prelude.if b/prelude.if
index c83a838..f41a4f7 100644
--- a/prelude.if
+++ b/prelude.if
@@ -1,13 +1,13 @@
-## Prelude hybrid intrusion detection system.
+## Prelude hybrid intrusion detection system
########################################
##
## Execute a domain transition to run prelude.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`prelude_domtrans',`
@@ -15,19 +15,17 @@ interface(`prelude_domtrans',`
type prelude_t, prelude_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, prelude_exec_t, prelude_t)
')
########################################
##
-## Execute a domain transition to
-## run prelude audisp.
+## Execute a domain transition to run prelude_audisp.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`prelude_domtrans_audisp',`
@@ -35,18 +33,17 @@ interface(`prelude_domtrans_audisp',`
type prelude_audisp_t, prelude_audisp_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
')
########################################
##
-## Send generic signals to prelude audisp.
+## Signal the prelude_audisp domain.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed acccess.
+##
##
#
interface(`prelude_signal_audisp',`
@@ -59,7 +56,7 @@ interface(`prelude_signal_audisp',`
########################################
##
-## Read prelude spool files.
+## Read the prelude spool files
##
##
##
@@ -78,13 +75,12 @@ interface(`prelude_read_spool',`
########################################
##
-## Create, read, write, and delete
-## prelude manager spool files.
+## Manage to prelude-manager spool files.
##
##
-##
+##
## Domain allowed access.
-##
+##
##
#
interface(`prelude_manage_spool',`
@@ -99,8 +95,8 @@ interface(`prelude_manage_spool',`
########################################
##
-## All of the rules required to
-## administrate an prelude environment.
+## All of the rules required to administrate
+## an prelude environment
##
##
##
@@ -116,32 +112,42 @@ interface(`prelude_manage_spool',`
#
interface(`prelude_admin',`
gen_require(`
- type prelude_t, prelude_spool_t, prelude_lml_var_run_t;
- type prelude_var_run_t, prelude_var_lib_t, prelude_log_t;
- type prelude_audisp_t, prelude_audisp_var_run_t;
- type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t;
+ type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
+ type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
+ type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
+ type prelude_lml_t;
')
- allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t })
+ allow $1 prelude_t:process signal_perms;
+ ps_process_pattern($1, prelude_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 prelude_t:process ptrace;
+ allow $1 prelude_audisp_t:process ptrace;
+ allow $1 prelude_lml_t:process ptrace;
+ ')
+
+ allow $1 prelude_audisp_t:process signal_perms;
+ ps_process_pattern($1, prelude_audisp_t)
+
+ allow $1 prelude_lml_t:process signal_perms;
+ ps_process_pattern($1, prelude_lml_t)
init_labeled_script_domtrans($1, prelude_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 prelude_initrc_exec_t system_r;
allow $2 system_r;
- files_search_spool($1)
+ files_list_spool($1)
admin_pattern($1, prelude_spool_t)
- logging_search_logs($1)
- admin_pattern($1, prelude_log_t)
-
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, prelude_var_lib_t)
- files_search_pids($1)
- admin_pattern($1, { prelude_audisp_var_run_t prelude_var_run_t prelude_lml_var_run_t })
+ files_list_pids($1)
+ admin_pattern($1, prelude_var_run_t)
+ admin_pattern($1, prelude_audisp_var_run_t)
+ admin_pattern($1, prelude_lml_var_run_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, prelude_lml_tmp_t)
')
diff --git a/prelude.te b/prelude.te
index 8f44609..509fd0a 100644
--- a/prelude.te
+++ b/prelude.te
@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
init_script_file(prelude_initrc_exec_t)
type prelude_spool_t;
-files_type(prelude_spool_t)
+files_spool_file(prelude_spool_t)
type prelude_log_t;
logging_log_file(prelude_log_t)
@@ -81,7 +81,6 @@ kernel_read_sysctl(prelude_t)
corecmd_search_bin(prelude_t)
-corenet_all_recvfrom_unlabeled(prelude_t)
corenet_all_recvfrom_netlabel(prelude_t)
corenet_tcp_sendrecv_generic_if(prelude_t)
corenet_tcp_sendrecv_generic_node(prelude_t)
@@ -97,7 +96,6 @@ dev_read_rand(prelude_t)
dev_read_urand(prelude_t)
files_read_etc_runtime_files(prelude_t)
-files_read_usr_files(prelude_t)
files_search_spool(prelude_t)
files_search_tmp(prelude_t)
@@ -108,8 +106,6 @@ auth_use_nsswitch(prelude_t)
logging_send_audit_msgs(prelude_t)
logging_send_syslog_msg(prelude_t)
-miscfiles_read_localization(prelude_t)
-
optional_policy(`
mysql_stream_connect(prelude_t)
mysql_tcp_connect(prelude_t)
@@ -141,7 +137,6 @@ kernel_read_system_state(prelude_audisp_t)
corecmd_search_bin(prelude_audisp_t)
-corenet_all_recvfrom_unlabeled(prelude_audisp_t)
corenet_all_recvfrom_netlabel(prelude_audisp_t)
corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
@@ -155,15 +150,12 @@ dev_read_urand(prelude_audisp_t)
domain_use_interactive_fds(prelude_audisp_t)
-files_read_etc_files(prelude_audisp_t)
files_read_etc_runtime_files(prelude_audisp_t)
files_search_spool(prelude_audisp_t)
files_search_tmp(prelude_audisp_t)
logging_send_syslog_msg(prelude_audisp_t)
-miscfiles_read_localization(prelude_audisp_t)
-
sysnet_dns_name_resolve(prelude_audisp_t)
########################################
@@ -184,7 +176,6 @@ kernel_read_sysctl(prelude_correlator_t)
corecmd_search_bin(prelude_correlator_t)
-corenet_all_recvfrom_unlabeled(prelude_correlator_t)
corenet_all_recvfrom_netlabel(prelude_correlator_t)
corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
@@ -196,14 +187,10 @@ corenet_tcp_sendrecv_prelude_port(prelude_correlator_t)
dev_read_rand(prelude_correlator_t)
dev_read_urand(prelude_correlator_t)
-files_read_etc_files(prelude_correlator_t)
-files_read_usr_files(prelude_correlator_t)
files_search_spool(prelude_correlator_t)
logging_send_syslog_msg(prelude_correlator_t)
-miscfiles_read_localization(prelude_correlator_t)
-
sysnet_dns_name_resolve(prelude_correlator_t)
########################################
@@ -212,6 +199,8 @@ sysnet_dns_name_resolve(prelude_correlator_t)
#
allow prelude_lml_t self:capability dac_override;
+allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
+allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
allow prelude_lml_t self:unix_stream_socket connectto;
@@ -262,8 +251,6 @@ libs_read_lib_files(prelude_lml_t)
logging_send_syslog_msg(prelude_lml_t)
logging_read_generic_logs(prelude_lml_t)
-miscfiles_read_localization(prelude_lml_t)
-
userdom_read_all_users_state(prelude_lml_t)
optional_policy(`
diff --git a/privoxy.if b/privoxy.if
index bdcee30..34f3143 100644
--- a/privoxy.if
+++ b/privoxy.if
@@ -23,8 +23,11 @@ interface(`privoxy_admin',`
type privoxy_etc_rw_t, privoxy_var_run_t;
')
- allow $1 privoxy_t:process { ptrace signal_perms };
+ allow $1 privoxy_t:process signal_perms;
ps_process_pattern($1, privoxy_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 privoxy_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/privoxy.te b/privoxy.te
index ec21f80..a9f650a 100644
--- a/privoxy.te
+++ b/privoxy.te
@@ -85,6 +85,7 @@ corenet_sendrecv_tor_client_packets(privoxy_t)
corenet_tcp_connect_tor_port(privoxy_t)
corenet_tcp_sendrecv_tor_port(privoxy_t)
+
dev_read_sysfs(privoxy_t)
domain_use_interactive_fds(privoxy_t)
@@ -96,8 +97,6 @@ auth_use_nsswitch(privoxy_t)
logging_send_syslog_msg(privoxy_t)
-miscfiles_read_localization(privoxy_t)
-
userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
userdom_dontaudit_search_user_home_dirs(privoxy_t)
diff --git a/procmail.fc b/procmail.fc
index bdff6c9..4b36a13 100644
--- a/procmail.fc
+++ b/procmail.fc
@@ -1,6 +1,7 @@
-HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
+HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
+/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
-/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
-/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
diff --git a/procmail.if b/procmail.if
index 00edeab..166e9c3 100644
--- a/procmail.if
+++ b/procmail.if
@@ -1,4 +1,4 @@
-## Procmail mail delivery agent.
+## Procmail mail delivery agent
########################################
##
@@ -15,6 +15,7 @@ interface(`procmail_domtrans',`
type procmail_exec_t, procmail_t;
')
+ files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, procmail_exec_t, procmail_t)
')
@@ -34,101 +35,33 @@ interface(`procmail_exec',`
type procmail_exec_t;
')
+ files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, procmail_exec_t)
')
########################################
##
-## Create, read, write, and delete
-## procmail home files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`procmail_manage_home_files',`
- gen_require(`
- type procmail_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 procmail_home_t:file manage_file_perms;
-')
-
-########################################
-##
-## Read procmail user home content files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`procmail_read_home_files',`
- gen_require(`
- type procmail_home_t;
-
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 procmail_home_t:file read_file_perms;
-')
-
-########################################
-##
-## Relabel procmail home files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`procmail_relabel_home_files',`
- gen_require(`
- type ppp_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 procmail_home_t:file relabel_file_perms;
-')
-
-########################################
-##
-## Create objects in user home
-## directories with the procmail home type.
+## Read procmail tmp files.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
#
-interface(`procmail_home_filetrans_procmail_home',`
+interface(`procmail_read_tmp_files',`
gen_require(`
- type procmail_home_t;
+ type procmail_tmp_t;
')
- userdom_user_home_dir_filetrans($1, procmail_home_t, $2, $3)
+ files_search_tmp($1)
+ allow $1 procmail_tmp_t:file read_file_perms;
')
########################################
##
-## Read procmail tmp files.
+## Read/write procmail tmp files.
##
##
##
@@ -136,18 +69,18 @@ interface(`procmail_home_filetrans_procmail_home',`
##
##
#
-interface(`procmail_read_tmp_files',`
+interface(`procmail_rw_tmp_files',`
gen_require(`
type procmail_tmp_t;
')
files_search_tmp($1)
- allow $1 procmail_tmp_t:file read_file_perms;
+ rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
')
########################################
##
-## Read and write procmail tmp files.
+## Read procmail home directory content
##
##
##
@@ -155,11 +88,11 @@ interface(`procmail_read_tmp_files',`
##
##
#
-interface(`procmail_rw_tmp_files',`
+interface(`procmail_read_home_files',`
gen_require(`
- type procmail_tmp_t;
+ type procmail_home_t;
')
- files_search_tmp($1)
- rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
')
diff --git a/procmail.te b/procmail.te
index cc426e6..3bbf1d7 100644
--- a/procmail.te
+++ b/procmail.te
@@ -14,7 +14,7 @@ type procmail_home_t;
userdom_user_home_content(procmail_home_t)
type procmail_log_t;
-logging_log_file(procmail_log_t)
+logging_log_file(procmail_log_t)
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)
@@ -27,10 +27,14 @@ files_tmp_file(procmail_tmp_t)
allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override };
allow procmail_t self:process { setsched signal signull };
allow procmail_t self:fifo_file rw_fifo_file_perms;
-allow procmail_t self:tcp_socket { accept listen };
+allow procmail_t self:unix_stream_socket create_socket_perms;
+allow procmail_t self:unix_dgram_socket create_socket_perms;
+allow procmail_t self:tcp_socket create_stream_socket_perms;
+allow procmail_t self:udp_socket create_socket_perms;
-allow procmail_t procmail_home_t:file read_file_perms;
+can_exec(procmail_t, procmail_exec_t)
+# Write log to /var/log/procmail.log or /var/log/procmail/.*
allow procmail_t procmail_log_t:dir setattr_dir_perms;
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
@@ -40,83 +44,96 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
allow procmail_t procmail_tmp_t:file manage_file_perms;
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
-can_exec(procmail_t, procmail_exec_t)
-
+kernel_read_network_state(procmail_t)
kernel_read_system_state(procmail_t)
kernel_read_kernel_sysctls(procmail_t)
-corenet_all_recvfrom_unlabeled(procmail_t)
corenet_all_recvfrom_netlabel(procmail_t)
corenet_tcp_sendrecv_generic_if(procmail_t)
+corenet_udp_sendrecv_generic_if(procmail_t)
corenet_tcp_sendrecv_generic_node(procmail_t)
-
-corenet_sendrecv_spamd_client_packets(procmail_t)
+corenet_udp_sendrecv_generic_node(procmail_t)
+corenet_tcp_sendrecv_all_ports(procmail_t)
+corenet_udp_sendrecv_all_ports(procmail_t)
+corenet_udp_bind_generic_node(procmail_t)
corenet_tcp_connect_spamd_port(procmail_t)
-corenet_tcp_sendrecv_spamd_port(procmail_t)
-
+corenet_sendrecv_spamd_client_packets(procmail_t)
corenet_sendrecv_comsat_client_packets(procmail_t)
-corenet_tcp_connect_comsat_port(procmail_t)
-corenet_tcp_sendrecv_comsat_port(procmail_t)
-
-corecmd_exec_bin(procmail_t)
-corecmd_exec_shell(procmail_t)
dev_read_urand(procmail_t)
-fs_getattr_all_fs(procmail_t)
+fs_getattr_xattr_fs(procmail_t)
fs_search_auto_mountpoints(procmail_t)
fs_rw_anon_inodefs_files(procmail_t)
auth_use_nsswitch(procmail_t)
+corecmd_exec_bin(procmail_t)
+corecmd_exec_shell(procmail_t)
+
files_read_etc_runtime_files(procmail_t)
-files_read_usr_files(procmail_t)
+files_search_pids(procmail_t)
+# for spamassasin
-logging_send_syslog_msg(procmail_t)
+application_exec_all(procmail_t)
-miscfiles_read_localization(procmail_t)
+init_read_utmp(procmail_t)
+
+logging_send_syslog_msg(procmail_t)
+logging_append_all_logs(procmail_t)
+list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
+read_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
userdom_search_user_home_dirs(procmail_t)
+userdom_search_admin_dir(procmail_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(procmail_t)
- fs_manage_nfs_files(procmail_t)
- fs_manage_nfs_symlinks(procmail_t)
-')
+# only works until we define a different type for maildir
+userdom_manage_user_home_content_dirs(procmail_t)
+userdom_manage_user_home_content_files(procmail_t)
+userdom_manage_user_home_content_symlinks(procmail_t)
+userdom_manage_user_home_content_pipes(procmail_t)
+userdom_manage_user_home_content_sockets(procmail_t)
+userdom_filetrans_home_content(procmail_t)
+
+userdom_manage_user_tmp_dirs(procmail_t)
+userdom_manage_user_tmp_files(procmail_t)
+userdom_manage_user_tmp_symlinks(procmail_t)
+
+# Execute user executables
+userdom_exec_user_bin_files(procmail_t)
+
+mta_manage_spool(procmail_t)
+mta_read_queue(procmail_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(procmail_t)
- fs_manage_cifs_files(procmail_t)
- fs_manage_cifs_symlinks(procmail_t)
+ifdef(`hide_broken_symptoms',`
+ mta_dontaudit_rw_queue(procmail_t)
')
+userdom_home_manager(procmail_t)
+
optional_policy(`
- clamav_domtrans_clamscan(procmail_t)
- clamav_search_lib(procmail_t)
+ antivirus_domtrans(procmail_t)
+ antivirus_search_db(procmail_t)
')
optional_policy(`
- cyrus_stream_connect(procmail_t)
+ dovecot_stream_connect(procmail_t)
')
optional_policy(`
- mta_manage_spool(procmail_t)
- mta_read_config(procmail_t)
- mta_read_queue(procmail_t)
- mta_manage_mail_home_rw_content(procmail_t)
- mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir")
- mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir")
+ cyrus_stream_connect(procmail_t)
')
optional_policy(`
- munin_dontaudit_search_lib(procmail_t)
+ gnome_manage_data(procmail_t)
')
optional_policy(`
- nagios_search_spool(procmail_t)
+ munin_dontaudit_search_lib(procmail_t)
')
optional_policy(`
+ # for a bug in the postfix local program
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
postfix_dontaudit_use_fds(procmail_t)
postfix_read_spool_files(procmail_t)
@@ -126,11 +143,17 @@ optional_policy(`
')
optional_policy(`
+ nagios_search_spool(procmail_t)
+')
+
+optional_policy(`
pyzor_domtrans(procmail_t)
pyzor_signal(procmail_t)
')
optional_policy(`
+ mta_read_config(procmail_t)
+ mta_manage_home_rw(procmail_t)
sendmail_domtrans(procmail_t)
sendmail_signal(procmail_t)
sendmail_dontaudit_rw_tcp_sockets(procmail_t)
diff --git a/prosody.fc b/prosody.fc
new file mode 100644
index 0000000..96a0d9f
--- /dev/null
+++ b/prosody.fc
@@ -0,0 +1,8 @@
+/usr/bin/prosody -- gen_context(system_u:object_r:prosody_exec_t,s0)
+/usr/bin/prosodyctl -- gen_context(system_u:object_r:prosody_exec_t,s0)
+
+/usr/lib/systemd/system/prosody.service -- gen_context(system_u:object_r:prosody_unit_file_t,s0)
+
+/var/lib/prosody(/.*)? gen_context(system_u:object_r:prosody_var_lib_t,s0)
+
+/var/run/prosody(/.*)? gen_context(system_u:object_r:prosody_var_run_t,s0)
diff --git a/prosody.if b/prosody.if
new file mode 100644
index 0000000..19c35c1
--- /dev/null
+++ b/prosody.if
@@ -0,0 +1,234 @@
+
+## policy for prosody
+
+########################################
+##
+## Execute TEMPLATE in the prosody domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`prosody_domtrans',`
+ gen_require(`
+ type prosody_t, prosody_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, prosody_exec_t, prosody_t)
+')
+
+########################################
+##
+## Search prosody lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prosody_search_lib',`
+ gen_require(`
+ type prosody_var_lib_t;
+ ')
+
+ allow $1 prosody_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read prosody lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prosody_read_lib_files',`
+ gen_require(`
+ type prosody_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
+')
+
+########################################
+##
+## Manage prosody lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prosody_manage_lib_files',`
+ gen_require(`
+ type prosody_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
+')
+
+########################################
+##
+## Manage prosody lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prosody_manage_lib_dirs',`
+ gen_require(`
+ type prosody_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
+')
+
+########################################
+##
+## Read prosody PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prosody_read_pid_files',`
+ gen_require(`
+ type prosody_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, prosody_var_run_t, prosody_var_run_t)
+')
+
+########################################
+##
+## Execute prosody server in the prosody domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`prosody_systemctl',`
+ gen_require(`
+ type prosody_t;
+ type prosody_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 prosody_unit_file_t:file read_file_perms;
+ allow $1 prosody_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, prosody_t)
+')
+
+
+########################################
+##
+## Execute prosody in the prosody domain, and
+## allow the specified role the prosody domain.
+##
+##
+##
+## Domain allowed to transition
+##
+##
+##
+##
+## The role to be allowed the prosody domain.
+##
+##
+#
+interface(`prosody_run',`
+ gen_require(`
+ type prosody_t;
+ attribute_role prosody_roles;
+ ')
+
+ prosody_domtrans($1)
+ roleattribute $2 prosody_roles;
+')
+
+########################################
+##
+## Role access for prosody
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`prosody_role',`
+ gen_require(`
+ type prosody_t;
+ attribute_role prosody_roles;
+ ')
+
+ roleattribute $1 prosody_roles;
+
+ prosody_domtrans($2)
+
+ ps_process_pattern($2, prosody_t)
+ allow $2 prosody_t:process { signull signal sigkill };
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an prosody environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`prosody_admin',`
+ gen_require(`
+ type prosody_t;
+ type prosody_var_lib_t;
+ type prosody_var_run_t;
+ type prosody_unit_file_t;
+ ')
+
+ allow $1 prosody_t:process { ptrace signal_perms };
+ ps_process_pattern($1, prosody_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, prosody_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, prosody_var_run_t)
+
+ prosody_systemctl($1)
+ admin_pattern($1, prosody_unit_file_t)
+ allow $1 prosody_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/prosody.te b/prosody.te
new file mode 100644
index 0000000..4f6badd
--- /dev/null
+++ b/prosody.te
@@ -0,0 +1,75 @@
+policy_module(prosody, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
+## Permit to prosody to bind apache port.
+## Need to be activated to use BOSH.
+##
+##
+gen_tunable(prosody_bind_http_port, false)
+
+type prosody_t;
+type prosody_exec_t;
+init_daemon_domain(prosody_t, prosody_exec_t)
+
+type prosody_var_lib_t;
+files_type(prosody_var_lib_t)
+
+type prosody_var_run_t;
+files_pid_file(prosody_var_run_t)
+
+type prosody_unit_file_t;
+systemd_unit_file(prosody_unit_file_t)
+
+########################################
+#
+# prosody local policy
+#
+allow prosody_t self:capability { setuid setgid };
+allow prosody_t self:process signal_perms;
+allow prosody_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
+manage_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
+manage_lnk_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
+files_var_lib_filetrans(prosody_t, prosody_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
+manage_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
+manage_lnk_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
+files_pid_filetrans(prosody_t, prosody_var_run_t, { dir file lnk_file })
+
+can_exec(prosody_t, prosody_exec_t)
+
+kernel_read_system_state(prosody_t)
+
+corecmd_exec_bin(prosody_t)
+corecmd_exec_shell(prosody_t)
+
+corenet_udp_bind_generic_node(prosody_t)
+corenet_tcp_connect_jabber_interserver_port(prosody_t)
+corenet_tcp_connect_jabber_client_port(prosody_t)
+corenet_tcp_bind_jabber_client_port(prosody_t)
+corenet_tcp_bind_jabber_interserver_port(prosody_t)
+corenet_tcp_bind_jabber_router_port(prosody_t)
+tunable_policy(`prosody_bind_http_port',`
+ corenet_tcp_bind_http_port(prosody_t)
+')
+
+dev_read_urand(prosody_t)
+
+domain_use_interactive_fds(prosody_t)
+
+files_read_etc_files(prosody_t)
+
+auth_use_nsswitch(prosody_t)
+sysnet_read_config(prosody_t)
+
+logging_send_syslog_msg(prosody_t)
+
+miscfiles_read_localization(prosody_t)
diff --git a/psad.if b/psad.if
index d4dcf78..3cce82e 100644
--- a/psad.if
+++ b/psad.if
@@ -93,9 +93,8 @@ interface(`psad_manage_config',`
')
files_search_etc($1)
- allow $1 psad_etc_t:dir manage_dir_perms;
- allow $1 psad_etc_t:file manage_file_perms;
- allow $1 psad_etc_t:lnk_file manage_lnk_file_perms;
+ manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
+ manage_files_pattern($1, psad_etc_t, psad_etc_t)
')
########################################
@@ -119,7 +118,7 @@ interface(`psad_read_pid_files',`
########################################
##
-## Read and write psad pid files.
+## Read and write psad PID files.
##
##
##
@@ -179,6 +178,45 @@ interface(`psad_append_log',`
########################################
##
+## Allow the specified domain to write to psad's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`psad_write_log',`
+ gen_require(`
+ type psad_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ write_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+#######################################
+##
+## Allow the specified domain to setattr to psad's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`psad_setattr_log',`
+ gen_require(`
+ type psad_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ setattr_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+##
## Read and write psad fifo files.
##
##
@@ -198,6 +236,45 @@ interface(`psad_rw_fifo_file',`
#######################################
##
+## Allow setattr to psad fifo files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`psad_setattr_fifo_file',`
+ gen_require(`
+ type psad_t, psad_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 psad_var_lib_t:fifo_file setattr;
+ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
+#######################################
+##
+## Allow search to psad lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`psad_search_lib_files',`
+ gen_require(`
+ type psad_t, psad_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
+#######################################
+##
## Read and write psad temporary files.
##
##
@@ -235,30 +312,34 @@ interface(`psad_rw_tmp_files',`
interface(`psad_admin',`
gen_require(`
type psad_t, psad_var_run_t, psad_var_log_t;
- type psad_initrc_exec_t, psad_var_lib_t;
+ type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t;
type psad_tmp_t;
')
- allow $1 psad_t:process { ptrace signal_perms };
+ allow $1 psad_t:process signal_perms;
ps_process_pattern($1, psad_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 psad_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, psad_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 psad_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, psad_etc_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, psad_var_run_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, psad_var_log_t)
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, psad_var_lib_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, psad_tmp_t)
')
diff --git a/psad.te b/psad.te
index b5d717b..0de086e 100644
--- a/psad.te
+++ b/psad.te
@@ -66,7 +66,6 @@ kernel_read_net_sysctls(psad_t)
corecmd_exec_bin(psad_t)
corecmd_exec_shell(psad_t)
-corenet_all_recvfrom_unlabeled(psad_t)
corenet_all_recvfrom_netlabel(psad_t)
corenet_tcp_sendrecv_generic_if(psad_t)
corenet_tcp_sendrecv_generic_node(psad_t)
@@ -78,7 +77,6 @@ corenet_tcp_sendrecv_whois_port(psad_t)
dev_read_urand(psad_t)
files_read_etc_runtime_files(psad_t)
-files_read_usr_files(psad_t)
fs_getattr_all_fs(psad_t)
@@ -88,8 +86,6 @@ logging_read_generic_logs(psad_t)
logging_read_syslog_config(psad_t)
logging_send_syslog_msg(psad_t)
-miscfiles_read_localization(psad_t)
-
sysnet_exec_ifconfig(psad_t)
optional_policy(`
diff --git a/ptchown.te b/ptchown.te
index 28d2abc..c2cfb5e 100644
--- a/ptchown.te
+++ b/ptchown.te
@@ -21,7 +21,6 @@ role ptchown_roles types ptchown_t;
allow ptchown_t self:capability { chown fowner fsetid setuid };
allow ptchown_t self:process { getcap setcap };
-files_read_etc_files(ptchown_t)
fs_rw_anon_inodefs_files(ptchown_t)
@@ -31,4 +30,4 @@ term_setattr_all_ptys(ptchown_t)
term_use_generic_ptys(ptchown_t)
term_use_ptmx(ptchown_t)
-miscfiles_read_localization(ptchown_t)
+auth_read_passwd(ptchown_t)
diff --git a/pulseaudio.fc b/pulseaudio.fc
index 6864479..0e7d875 100644
--- a/pulseaudio.fc
+++ b/pulseaudio.fc
@@ -1,9 +1,14 @@
HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
-HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
-/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+/root/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
-/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
-/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --git a/pulseaudio.if b/pulseaudio.if
index 45843b5..116be8a 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
@@ -2,43 +2,48 @@
########################################
##
-## Role access for pulseaudio.
+## Role access for pulseaudio
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
#
interface(`pulseaudio_role',`
gen_require(`
- attribute pulseaudio_tmpfsfile;
- type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t;
- type pulseaudio_tmp_t;
+ attribute pulseaudio_tmpfsfile;
+ type pulseaudio_t, pulseaudio_exec_t, pulseaudio_tmpfs_t;
+ class dbus { acquire_svc send_msg };
')
- pulseaudio_run($2, $1)
+ role $1 types pulseaudio_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
- allow $2 pulseaudio_t:process { ptrace signal_perms };
ps_process_pattern($2, pulseaudio_t)
- allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms };
- allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow pulseaudio_t $2:process { signal signull };
+ allow $2 pulseaudio_t:process { signal signull sigkill };
+ ps_process_pattern(pulseaudio_t, $2)
+
+ allow pulseaudio_t $2:unix_stream_socket connectto;
+ allow $2 pulseaudio_t:unix_stream_socket connectto;
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
- allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
- allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_manage_tmp_role($1, pulseaudio_t)
+ userdom_manage_tmpfs_role($1, pulseaudio_t)
- allow pulseaudio_t $2:unix_stream_socket connectto;
+ allow $2 pulseaudio_t:dbus send_msg;
+ allow pulseaudio_t $2:dbus { acquire_svc send_msg };
')
########################################
@@ -65,9 +70,8 @@ interface(`pulseaudio_domtrans',`
########################################
##
-## Execute pulseaudio in the pulseaudio
-## domain, and allow the specified role
-## the pulseaudio domain.
+## Execute pulseaudio in the pulseaudio domain, and
+## allow the specified role the pulseaudio domain.
##
##
##
@@ -82,16 +86,16 @@ interface(`pulseaudio_domtrans',`
#
interface(`pulseaudio_run',`
gen_require(`
- attribute_role pulseaudio_roles;
+ type pulseaudio_t;
')
pulseaudio_domtrans($1)
- roleattribute $2 pulseaudio_roles;
+ role $2 types pulseaudio_t;
')
########################################
##
-## Execute pulseaudio in the caller domain.
+## Execute a pulseaudio in the current domain.
##
##
##
@@ -104,13 +108,12 @@ interface(`pulseaudio_exec',`
type pulseaudio_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, pulseaudio_exec_t)
')
########################################
##
-## Do not audit attempts to execute pulseaudio.
+## Do not audit to execute a pulseaudio.
##
##
##
@@ -128,7 +131,7 @@ interface(`pulseaudio_dontaudit_exec',`
########################################
##
-## Send null signals to pulseaudio.
+## Send signull signal to pulseaudio
## processes.
##
##
@@ -147,8 +150,8 @@ interface(`pulseaudio_signull',`
#####################################
##
-## Connect to pulseaudio with a unix
-## domain stream socket.
+## Connect to pulseaudio over a unix domain
+## stream socket.
##
##
##
@@ -158,11 +161,15 @@ interface(`pulseaudio_signull',`
#
interface(`pulseaudio_stream_connect',`
gen_require(`
- type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t;
+ type pulseaudio_t, pulseaudio_var_run_t;
+ type pulseaudio_home_t;
')
files_search_pids($1)
- stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t)
+ allow $1 pulseaudio_t:process signull;
+ allow pulseaudio_t $1:process signull;
+ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
+ stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t)
')
########################################
@@ -188,9 +195,9 @@ interface(`pulseaudio_dbus_chat',`
########################################
##
-## Set attributes of pulseaudio home directories.
+## Set the attributes of the pulseaudio homedir.
##
-##
+##
##
## Domain allowed access.
##
@@ -201,148 +208,190 @@ interface(`pulseaudio_setattr_home_dir',`
type pulseaudio_home_t;
')
- allow $1 pulseaudio_home_t:dir setattr_dir_perms;
+ allow $1 pulseaudio_home_t:dir setattr;
')
########################################
##
-## Read pulseaudio home content.
+## Read pulseaudio homedir files.
##
-##
+##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_read_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_read_home() instead.')
- pulseaudio_read_home($1)
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
########################################
##
-## Read pulseaudio home content.
+## Read and write Pulse Audio files.
##
-##
+##
##
## Domain allowed access.
##
##
#
-interface(`pulseaudio_read_home',`
+interface(`pulseaudio_rw_home_files',`
gen_require(`
type pulseaudio_home_t;
')
+ rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
userdom_search_user_home_dirs($1)
- allow $1 pulseaudio_home_t:dir list_dir_perms;
- allow $1 pulseaudio_home_t:file read_file_perms;
- allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms;
')
########################################
##
-## Read and write Pulse Audio files.
+## Create, read, write, and delete pulseaudio
+## home directories.
##
-##
+##
##
## Domain allowed access.
##
##
#
-interface(`pulseaudio_rw_home_files',`
+interface(`pulseaudio_manage_home_dirs',`
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
- rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
- read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
########################################
##
-## Create, read, write, and delete
-## pulseaudio home content.
+## Create, read, write, and delete pulseaudio
+## home directory files.
##
-##
+##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_manage_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.')
- pulseaudio_manage_home($1)
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ pulseaudio_filetrans_home_content($1)
')
########################################
##
-## Create, read, write, and delete
-## pulseaudio home content.
+## Create, read, write, and delete pulseaudio
+## home directory symlinks.
##
-##
+##
##
## Domain allowed access.
##
##
#
-interface(`pulseaudio_manage_home',`
+interface(`pulseaudio_manage_home_symlinks',`
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
- allow $1 pulseaudio_home_t:dir manage_dir_perms;
- allow $1 pulseaudio_home_t:file manage_file_perms;
- allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms;
+ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
########################################
##
-## Create objects in user home
-## directories with the pulseaudio
-## home type.
+## Create pulseaudio content in the user home directory
+## with an correct label.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Class of the object being created.
-##
-##
-##
+#
+interface(`pulseaudio_filetrans_home_content',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
+ optional_policy(`
+ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
+ ')
+')
+
+########################################
+##
+## Create pulseaudio content in the admin home directory
+## with an correct label.
+##
+##
##
-## The name of the object being created.
+## Domain allowed access.
##
##
#
-interface(`pulseaudio_home_filetrans_pulseaudio_home',`
+interface(`pulseaudio_filetrans_admin_home_content',`
gen_require(`
type pulseaudio_home_t;
')
- userdom_user_home_dir_filetrans($1, pulseaudio_home_t, $2, $3)
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
')
-########################################
+#######################################
##
-## Make the specified tmpfs file type
-## pulseaudio tmpfs content.
+## Make the specified tmpfs file type
+## pulseaudio tmpfs content.
##
##
+##
+## File type to make pulseaudio tmpfs content.
+##
+##
+#
+interface(`pulseaudio_tmpfs_content',`
+ gen_require(`
+ attribute pulseaudio_tmpfsfile;
+ ')
+
+ typeattribute $1 pulseaudio_tmpfsfile;
+')
+
+########################################
+##
+## Allow the domain to read pulseaudio state files in /proc.
+##
+##
##
-## File type to make pulseaudio tmpfs content.
+## Domain allowed access.
##
##
#
-interface(`pulseaudio_tmpfs_content',`
+interface(`pulseaudio_read_state',`
gen_require(`
- attribute pulseaudio_tmpfsfile;
+ type pulseaudio_t;
')
- typeattribute $1 pulseaudio_tmpfsfile;
+ kernel_search_proc($1)
+ ps_process_pattern($1, pulseaudio_t)
')
diff --git a/pulseaudio.te b/pulseaudio.te
index 6643b49..1d2470f 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.6.0)
attribute pulseaudio_client;
attribute pulseaudio_tmpfsfile;
-attribute_role pulseaudio_roles;
-
type pulseaudio_t;
type pulseaudio_exec_t;
# init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
-role pulseaudio_roles types pulseaudio_t;
+role system_r types pulseaudio_t;
type pulseaudio_home_t;
userdom_user_home_content(pulseaudio_home_t)
-type pulseaudio_tmp_t;
-userdom_user_tmp_file(pulseaudio_tmp_t)
-
type pulseaudio_tmpfs_t;
userdom_user_tmpfs_file(pulseaudio_tmpfs_t)
type pulseaudio_var_lib_t;
files_type(pulseaudio_var_lib_t)
+ubac_constrained(pulseaudio_var_lib_t)
type pulseaudio_var_run_t;
files_pid_file(pulseaudio_var_run_t)
+ubac_constrained(pulseaudio_var_run_t)
########################################
#
-# Local policy
+# pulseaudio local policy
#
allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
-allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
-allow pulseaudio_t self:unix_stream_socket { accept connectto listen };
-allow pulseaudio_t self:unix_dgram_socket sendto;
-allow pulseaudio_t self:tcp_socket { accept listen };
+allow pulseaudio_t self:fifo_file rw_file_perms;
+allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
+allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
+allow pulseaudio_t self:udp_socket create_socket_perms;
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
-allow pulseaudio_t pulseaudio_home_t:file manage_file_perms;
-allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
-
-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")
-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".esd_auth")
-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".pulse-cookie")
-
-manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
-manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
-manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
-files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+userdom_search_user_home_dirs(pulseaudio_t)
+pulseaudio_filetrans_home_content(pulseaudio_t)
-manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
-manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
-fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file })
+# ~/.esd_auth - maybe we should label this pulseaudio_home_t?
+userdom_read_user_home_content_files(pulseaudio_t)
+userdom_search_admin_dir(pulseaudio_t)
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
@@ -72,10 +60,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
-files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
-
-allow pulseaudio_t pulseaudio_client:process signull;
-ps_process_pattern(pulseaudio_t, pulseaudio_client)
+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir })
can_exec(pulseaudio_t, pulseaudio_exec_t)
@@ -85,62 +70,56 @@ kernel_read_kernel_sysctls(pulseaudio_t)
corecmd_exec_bin(pulseaudio_t)
-corenet_all_recvfrom_unlabeled(pulseaudio_t)
corenet_all_recvfrom_netlabel(pulseaudio_t)
-corenet_tcp_sendrecv_generic_if(pulseaudio_t)
-corenet_udp_sendrecv_generic_if(pulseaudio_t)
-corenet_tcp_sendrecv_generic_node(pulseaudio_t)
-corenet_udp_sendrecv_generic_node(pulseaudio_t)
-
-corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t)
corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
-corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_t)
-
-corenet_sendrecv_soundd_server_packets(pulseaudio_t)
corenet_tcp_bind_soundd_port(pulseaudio_t)
-corenet_tcp_sendrecv_soundd_port(pulseaudio_t)
-
-corenet_sendrecv_sap_server_packets(pulseaudio_t)
+corenet_tcp_sendrecv_generic_if(pulseaudio_t)
+corenet_tcp_sendrecv_generic_node(pulseaudio_t)
corenet_udp_bind_sap_port(pulseaudio_t)
-corenet_udp_sendrecv_sap_port(pulseaudio_t)
+corenet_udp_sendrecv_generic_if(pulseaudio_t)
+corenet_udp_sendrecv_generic_node(pulseaudio_t)
+corenet_dontaudit_tcp_connect_xserver_port(pulseaudio_t)
dev_read_sound(pulseaudio_t)
dev_write_sound(pulseaudio_t)
dev_read_sysfs(pulseaudio_t)
dev_read_urand(pulseaudio_t)
-files_read_usr_files(pulseaudio_t)
+fs_rw_anon_inodefs_files(pulseaudio_t)
fs_getattr_tmpfs(pulseaudio_t)
-fs_getattr_all_fs(pulseaudio_t)
fs_list_inotifyfs(pulseaudio_t)
-fs_rw_anon_inodefs_files(pulseaudio_t)
-fs_search_auto_mountpoints(pulseaudio_t)
-term_use_all_ttys(pulseaudio_t)
-term_use_all_ptys(pulseaudio_t)
+term_use_all_inherited_ttys(pulseaudio_t)
+term_use_all_inherited_ptys(pulseaudio_t)
auth_use_nsswitch(pulseaudio_t)
logging_send_syslog_msg(pulseaudio_t)
-miscfiles_read_localization(pulseaudio_t)
-
userdom_read_user_tmpfs_files(pulseaudio_t)
userdom_search_user_home_dirs(pulseaudio_t)
userdom_write_user_tmp_sockets(pulseaudio_t)
tunable_policy(`use_nfs_home_dirs',`
+ fs_mount_nfs(pulseaudio_t)
+ fs_mounton_nfs(pulseaudio_t)
fs_manage_nfs_dirs(pulseaudio_t)
fs_manage_nfs_files(pulseaudio_t)
fs_manage_nfs_symlinks(pulseaudio_t)
+ fs_manage_nfs_named_sockets(pulseaudio_t)
+ fs_manage_nfs_named_pipes(pulseaudio_t)
')
tunable_policy(`use_samba_home_dirs',`
+ fs_mount_cifs(pulseaudio_t)
+ fs_mounton_cifs(pulseaudio_t)
fs_manage_cifs_dirs(pulseaudio_t)
fs_manage_cifs_files(pulseaudio_t)
fs_manage_cifs_symlinks(pulseaudio_t)
+ fs_manage_cifs_named_sockets(pulseaudio_t)
+ fs_manage_cifs_named_pipes(pulseaudio_t)
')
optional_policy(`
@@ -153,8 +132,9 @@ optional_policy(`
optional_policy(`
dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
- dbus_all_session_bus_client(pulseaudio_t)
- dbus_connect_all_session_bus(pulseaudio_t)
+ dbus_system_bus_client(pulseaudio_t)
+ dbus_session_bus_client(pulseaudio_t)
+ dbus_connect_session_bus(pulseaudio_t)
optional_policy(`
consolekit_dbus_chat(pulseaudio_t)
@@ -174,16 +154,33 @@ optional_policy(`
')
optional_policy(`
+ gnome_read_gkeyringd_state(pulseaudio_t)
+ gnome_signull_gkeyringd(pulseaudio_t)
+ gnome_manage_gstreamer_home_files(pulseaudio_t)
+ gnome_exec_gstreamer_home_files(pulseaudio_t)
+')
+
+optional_policy(`
rtkit_scheduled(pulseaudio_t)
')
optional_policy(`
+ mozilla_plugin_delete_tmpfs_files(pulseaudio_t)
+ mozilla_plugin_read_tmpfs_files(pulseaudio_t)
+')
+
+optional_policy(`
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
')
optional_policy(`
+ systemd_read_logind_sessions_files(pulseaudio_t)
+ systemd_login_read_pid_files(pulseaudio_t)
+')
+
+optional_policy(`
udev_read_state(pulseaudio_t)
udev_read_db(pulseaudio_t)
')
@@ -196,7 +193,11 @@ optional_policy(`
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
-########################################
+optional_policy(`
+ virt_manage_tmpfs_files(pulseaudio_t)
+')
+
+#######################################
#
# Client local policy
#
@@ -210,8 +211,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
fs_getattr_tmpfs(pulseaudio_client)
-corenet_all_recvfrom_unlabeled(pulseaudio_client)
-corenet_all_recvfrom_netlabel(pulseaudio_client)
corenet_tcp_sendrecv_generic_if(pulseaudio_client)
corenet_tcp_sendrecv_generic_node(pulseaudio_client)
@@ -220,38 +219,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
pulseaudio_stream_connect(pulseaudio_client)
-pulseaudio_manage_home(pulseaudio_client)
-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse")
-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
+pulseaudio_manage_home_files(pulseaudio_client)
pulseaudio_signull(pulseaudio_client)
-# TODO: ~/.cache
userdom_manage_user_home_content_files(pulseaudio_client)
userdom_read_user_tmpfs_files(pulseaudio_client)
-# userdom_delete_user_tmpfs_files(pulseaudio_client)
tunable_policy(`use_nfs_home_dirs',`
- fs_getattr_nfs(pulseaudio_client)
- fs_manage_nfs_dirs(pulseaudio_client)
- fs_manage_nfs_files(pulseaudio_client)
- fs_read_nfs_symlinks(pulseaudio_client)
+ fs_getattr_nfs(pulseaudio_client)
+ fs_manage_nfs_dirs(pulseaudio_client)
+ fs_manage_nfs_files(pulseaudio_client)
+ fs_read_nfs_symlinks(pulseaudio_client)
')
tunable_policy(`use_samba_home_dirs',`
- fs_getattr_cifs(pulseaudio_client)
- fs_manage_cifs_dirs(pulseaudio_client)
- fs_manage_cifs_files(pulseaudio_client)
- fs_read_cifs_symlinks(pulseaudio_client)
+ fs_getattr_cifs(pulseaudio_client)
+ fs_manage_cifs_dirs(pulseaudio_client)
+ fs_manage_cifs_files(pulseaudio_client)
+ fs_read_cifs_symlinks(pulseaudio_client)
')
optional_policy(`
- pulseaudio_dbus_chat(pulseaudio_client)
+ pulseaudio_dbus_chat(pulseaudio_client)
')
optional_policy(`
- rtkit_scheduled(pulseaudio_client)
+ rtkit_scheduled(pulseaudio_client)
')
optional_policy(`
diff --git a/puppet.fc b/puppet.fc
index d68e26d..8d566fb 100644
--- a/puppet.fc
+++ b/puppet.fc
@@ -1,7 +1,7 @@
-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
@@ -11,8 +11,6 @@
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
-
-/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
-
-/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
+/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
diff --git a/puppet.if b/puppet.if
index 7cb8b1f..9422c90 100644
--- a/puppet.if
+++ b/puppet.if
@@ -1,4 +1,32 @@
-## Configuration management system.
+## Puppet client daemon
+##
+##
+## Puppet is a configuration management system written in Ruby.
+## The client daemon is responsible for periodically requesting the
+## desired system state from the server and ensuring the state of
+## the client system matches.
+##
+##
+
+########################################
+##
+## Execute puppet_master in the puppet_master
+## domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`puppet_domtrans_master',`
+ gen_require(`
+ type puppetmaster_t, puppetmaster_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t)
+')
########################################
##
@@ -40,16 +68,19 @@ interface(`puppet_domtrans_puppetca',`
#
interface(`puppet_run_puppetca',`
gen_require(`
- attribute_role puppetca_roles;
+ type puppetca_t, puppetca_exec_t;
')
puppet_domtrans_puppetca($1)
- roleattribute $2 puppetca_roles;
+ role $2 types puppetca_t;
')
-####################################
+################################################
##
-## Read puppet configuration content.
+## Read / Write to Puppet temp files. Puppet uses
+## some system binaries (groupadd, etc) that run in
+## a non-puppet domain and redirects output into temp
+## files.
##
##
##
@@ -57,15 +88,13 @@ interface(`puppet_run_puppetca',`
##
##
#
-interface(`puppet_read_config',`
+interface(`puppet_rw_tmp', `
gen_require(`
- type puppet_etc_t;
+ type puppet_tmp_t;
')
- files_search_etc($1)
- allow $1 puppet_etc_t:dir list_dir_perms;
- allow $1 puppet_etc_t:file read_file_perms;
- allow $1 puppet_etc_t:lnk_file read_lnk_file_perms;
+ allow $1 puppet_tmp_t:file rw_inherited_file_perms;
+ files_search_tmp($1)
')
################################################
@@ -78,158 +107,164 @@ interface(`puppet_read_config',`
##
##
#
-interface(`puppet_read_lib_files',`
+interface(`puppet_read_lib',`
gen_require(`
type puppet_var_lib_t;
')
- files_search_var_lib($1)
read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+ files_search_var_lib($1)
')
###############################################
##
-## Create, read, write, and delete
-## puppet lib files.
+## Manage Puppet lib files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
-interface(`puppet_manage_lib_files',`
- gen_require(`
- type puppet_var_lib_t;
- ')
+interface(`puppet_manage_lib',`
+ gen_require(`
+ type puppet_var_lib_t;
+ ')
- files_search_var_lib($1)
- manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+ manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+ files_search_var_lib($1)
')
-#####################################
+######################################
##
-## Append puppet log files.
+## Allow the specified domain to search puppet's log files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
-interface(`puppet_append_log_files',`
- gen_require(`
- type puppet_log_t;
- ')
+interface(`puppet_search_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
- logging_search_logs($1)
- append_files_pattern($1, puppet_log_t, puppet_log_t)
+ logging_search_logs($1)
+ allow $1 puppet_log_t:dir search_dir_perms;
')
#####################################
##
-## Create puppet log files.
+## Allow the specified domain to read puppet's log files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
-interface(`puppet_create_log_files',`
- gen_require(`
- type puppet_log_t;
- ')
+interface(`puppet_read_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
- logging_search_logs($1)
- create_files_pattern($1, puppet_log_t, puppet_log_t)
+ logging_search_logs($1)
+ read_files_pattern($1, puppet_log_t, puppet_log_t)
')
#####################################
##
-## Read puppet log files.
+## Allow the specified domain to create puppet's log files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
-interface(`puppet_read_log_files',`
- gen_require(`
- type puppet_log_t;
- ')
+interface(`puppet_create_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
- logging_search_logs($1)
- read_files_pattern($1, puppet_log_t, puppet_log_t)
+ logging_search_logs($1)
+ create_files_pattern($1, puppet_log_t, puppet_log_t)
')
-################################################
+####################################
##
-## Read and write to puppet tempoprary files.
+## Allow the specified domain to append puppet's log files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
-interface(`puppet_rw_tmp', `
- gen_require(`
- type puppet_tmp_t;
- ')
+interface(`puppet_append_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
- files_search_tmp($1)
- allow $1 puppet_tmp_t:file rw_file_perms;
+ logging_search_logs($1)
+ append_files_pattern($1, puppet_log_t, puppet_log_t)
')
-########################################
+####################################
##
-## All of the rules required to
-## administrate an puppet environment.
+## Allow the specified domain to manage puppet's log files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
-##
-##
-## Role allowed access.
-##
-##
-##
#
-interface(`puppet_admin',`
- gen_require(`
- type puppet_initrc_exec_t, puppetmaster_initrc_exec_t, puppet_log_t;
- type puppet_var_lib_t, puppet_tmp_t, puppet_etc_t;
- type puppet_var_run_t, puppetmaster_tmp_t;
- type puppet_t, puppetca_t, puppetmaster_t;
- ')
-
- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
+interface(`puppet_manage_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, puppet_etc_t)
+ logging_search_logs($1)
+ manage_files_pattern($1, puppet_log_t, puppet_log_t)
+')
- logging_search_logs($1)
- admin_pattern($1, puppet_log_t)
+####################################
+##
+## Allow the specified domain to read puppet's config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`puppet_read_config',`
+ gen_require(`
+ type puppet_etc_t;
+ ')
- files_search_var_lib($1)
- admin_pattern($1, puppet_var_lib_t)
+ files_search_etc($1)
+ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
+ read_files_pattern($1, puppet_etc_t, puppet_etc_t)
+')
+#####################################
+##
+## Allow the specified domain to search puppet's pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`puppet_search_pid',`
+ gen_require(`
+ type puppet_var_run_t;
+ ')
+
files_search_pids($1)
- admin_pattern($1, puppet_var_run_t)
-
- files_search_tmp($1)
- admin_pattern($1, { puppet_tmp_t puppetmaster_tmp_t })
-
- puppet_run_puppetca($1, $2)
+ allow $1 puppet_var_run_t:dir search_dir_perms;
')
diff --git a/puppet.te b/puppet.te
index 618dcfe..f81c59f 100644
--- a/puppet.te
+++ b/puppet.te
@@ -6,15 +6,19 @@ policy_module(puppet, 1.4.0)
#
##
-##
-## Determine whether puppet can
-## manage all non-security files.
-##
+##
+## Allow Puppet client to manage all file
+## types.
+##
##
gen_tunable(puppet_manage_all_files, false)
-attribute_role puppetca_roles;
-roleattribute system_r puppetca_roles;
+##
+##
+## Allow Puppet master to use connect to MySQL and PostgreSQL database
+##
+##
+gen_tunable(puppetmaster_use_db, false)
type puppet_t;
type puppet_exec_t;
@@ -37,12 +41,11 @@ files_type(puppet_var_lib_t)
type puppet_var_run_t;
files_pid_file(puppet_var_run_t)
-init_daemon_run_dir(puppet_var_run_t, "puppet")
type puppetca_t;
type puppetca_exec_t;
application_domain(puppetca_t, puppetca_exec_t)
-role puppetca_roles types puppetca_t;
+role system_r types puppetca_t;
type puppetmaster_t;
type puppetmaster_exec_t;
@@ -56,33 +59,29 @@ files_tmp_file(puppetmaster_tmp_t)
########################################
#
-# Local policy
+# Puppet personal policy
#
-allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
-allow puppet_t self:tcp_socket { accept listen };
+allow puppet_t self:tcp_socket create_stream_socket_perms;
allow puppet_t self:udp_socket create_socket_perms;
-allow puppet_t puppet_etc_t:dir list_dir_perms;
-allow puppet_t puppet_etc_t:file read_file_perms;
-allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
+read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-can_exec(puppet_t, puppet_var_lib_t)
+files_search_var_lib(puppet_t)
-setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
-allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
-append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-read_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
@@ -91,43 +90,37 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
kernel_dontaudit_search_sysctl(puppet_t)
kernel_dontaudit_search_kernel_sysctl(puppet_t)
+kernel_read_system_state(puppet_t)
kernel_read_crypto_sysctls(puppet_t)
kernel_read_kernel_sysctls(puppet_t)
-kernel_read_net_sysctls(puppet_t)
-kernel_read_network_state(puppet_t)
+corecmd_read_all_executables(puppet_t)
+corecmd_dontaudit_access_all_executables(puppet_t)
corecmd_exec_bin(puppet_t)
corecmd_exec_shell(puppet_t)
-corecmd_read_all_executables(puppet_t)
corenet_all_recvfrom_netlabel(puppet_t)
-corenet_all_recvfrom_unlabeled(puppet_t)
corenet_tcp_sendrecv_generic_if(puppet_t)
corenet_tcp_sendrecv_generic_node(puppet_t)
-
-corenet_sendrecv_puppet_client_packets(puppet_t)
+corenet_tcp_bind_generic_node(puppet_t)
corenet_tcp_connect_puppet_port(puppet_t)
-corenet_tcp_sendrecv_puppet_port(puppet_t)
+corenet_sendrecv_puppet_client_packets(puppet_t)
dev_read_rand(puppet_t)
dev_read_sysfs(puppet_t)
dev_read_urand(puppet_t)
-domain_interactive_fd(puppet_t)
domain_read_all_domains_state(puppet_t)
+domain_interactive_fd(puppet_t)
files_manage_config_files(puppet_t)
files_manage_config_dirs(puppet_t)
files_manage_etc_dirs(puppet_t)
files_manage_etc_files(puppet_t)
-files_read_usr_files(puppet_t)
files_read_usr_symlinks(puppet_t)
files_relabel_config_dirs(puppet_t)
files_relabel_config_files(puppet_t)
-files_search_var_lib(puppet_t)
-selinux_get_fs_mount(puppet_t)
-selinux_search_fs(puppet_t)
selinux_set_all_booleans(puppet_t)
selinux_set_generic_booleans(puppet_t)
selinux_validate_context(puppet_t)
@@ -135,6 +128,8 @@ selinux_validate_context(puppet_t)
term_dontaudit_getattr_unallocated_ttys(puppet_t)
term_dontaudit_getattr_all_ttys(puppet_t)
+auth_use_nsswitch(puppet_t)
+
init_all_labeled_script_domtrans(puppet_t)
init_domtrans_script(puppet_t)
init_read_utmp(puppet_t)
@@ -143,18 +138,19 @@ init_signull_script(puppet_t)
logging_send_syslog_msg(puppet_t)
miscfiles_read_hwdata(puppet_t)
-miscfiles_read_localization(puppet_t)
-
-mount_domtrans(puppet_t)
seutil_domtrans_setfiles(puppet_t)
seutil_domtrans_semanage(puppet_t)
+seutil_read_file_contexts(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r)
-sysnet_use_ldap(puppet_t)
+
+usermanage_access_check_groupadd(puppet_t)
+usermanage_access_check_passwd(puppet_t)
+usermanage_access_check_useradd(puppet_t)
tunable_policy(`puppet_manage_all_files',`
- files_manage_non_auth_files(puppet_t)
+ files_manage_non_security_files(puppet_t)
')
optional_policy(`
@@ -196,21 +192,86 @@ optional_policy(`
')
optional_policy(`
- usermanage_domtrans_groupadd(puppet_t)
- usermanage_domtrans_useradd(puppet_t)
+ auth_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+ alsa_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+ bootloader_filetrans_config(puppet_t)
+')
+
+optional_policy(`
+ devicekit_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+ dnsmasq_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+ kerberos_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+ libs_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+ miscfiles_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+ mta_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+ modules_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+ networkmanager_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+ nx_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+ postfix_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+ openshift_initrc_domtrans(puppet_t)
+')
+
+optional_policy(`
+ quota_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+ sysnet_filetrans_named_content(puppet_t)
+')
+
+optional_policy(`
+ virt_filetrans_home_content(puppet_t)
+')
+
+optional_policy(`
+ ssh_filetrans_admin_home_content(puppet_t)
')
########################################
#
-# Ca local policy
+# PuppetCA personal policy
#
allow puppetca_t self:capability { dac_override setgid setuid };
allow puppetca_t self:fifo_file rw_fifo_file_perms;
-allow puppetca_t puppet_etc_t:dir list_dir_perms;
-allow puppetca_t puppet_etc_t:file read_file_perms;
-allow puppetca_t puppet_etc_t:lnk_file read_lnk_file_perms;
+read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
@@ -221,6 +282,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
allow puppetca_t puppet_var_run_t:dir search_dir_perms;
kernel_read_system_state(puppetca_t)
+# Maybe dontaudit this like we did with other puppet domains?
kernel_read_kernel_sysctls(puppetca_t)
corecmd_exec_bin(puppetca_t)
@@ -229,15 +291,12 @@ corecmd_exec_shell(puppetca_t)
dev_read_urand(puppetca_t)
dev_search_sysfs(puppetca_t)
-files_read_etc_files(puppetca_t)
-files_search_pids(puppetca_t)
files_search_var_lib(puppetca_t)
selinux_validate_context(puppetca_t)
logging_search_logs(puppetca_t)
-miscfiles_read_localization(puppetca_t)
miscfiles_read_generic_certs(puppetca_t)
seutil_read_file_contexts(puppetca_t)
@@ -246,38 +305,47 @@ optional_policy(`
hostname_exec(puppetca_t)
')
+optional_policy(`
+ mta_sendmail_access_check(puppetca_t)
+')
+
+
########################################
#
-# Master local policy
+# Pupper master personal policy
#
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
allow puppetmaster_t self:process { signal_perms getsched setsched };
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
-allow puppetmaster_t self:netlink_route_socket nlmsg_write;
+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
allow puppetmaster_t self:socket create;
-allow puppetmaster_t self:tcp_socket { accept listen };
+allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
+allow puppetmaster_t self:udp_socket create_socket_perms;
-allow puppetmaster_t puppet_etc_t:dir list_dir_perms;
-allow puppetmaster_t puppet_etc_t:file read_file_perms;
-allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms;
+list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
-allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
-append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+allow puppetmaster_t puppet_log_t:file relabel_file_perms;
-allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms };
+manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
+allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;
-allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppet_var_run_t:file manage_file_perms;
+setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
-allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms;
+manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
kernel_read_network_state(puppetmaster_t)
@@ -289,23 +357,24 @@ corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
corenet_all_recvfrom_netlabel(puppetmaster_t)
-corenet_all_recvfrom_unlabeled(puppetmaster_t)
corenet_tcp_sendrecv_generic_if(puppetmaster_t)
corenet_tcp_sendrecv_generic_node(puppetmaster_t)
corenet_tcp_bind_generic_node(puppetmaster_t)
-
-corenet_sendrecv_puppet_server_packets(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t)
-corenet_tcp_sendrecv_puppet_port(puppetmaster_t)
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+corenet_tcp_connect_ntop_port(puppetmaster_t)
+
+# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
+corenet_udp_bind_generic_node(puppetmaster_t)
+corenet_udp_bind_generic_port(puppetmaster_t)
dev_read_rand(puppetmaster_t)
dev_read_urand(puppetmaster_t)
dev_search_sysfs(puppetmaster_t)
-domain_obj_id_change_exemption(puppetmaster_t)
domain_read_all_domains_state(puppetmaster_t)
+domain_obj_id_change_exemption(puppetmaster_t)
-files_read_usr_files(puppetmaster_t)
selinux_validate_context(puppetmaster_t)
@@ -314,26 +383,31 @@ auth_use_nsswitch(puppetmaster_t)
logging_send_syslog_msg(puppetmaster_t)
miscfiles_read_generic_certs(puppetmaster_t)
-miscfiles_read_localization(puppetmaster_t)
seutil_read_file_contexts(puppetmaster_t)
sysnet_run_ifconfig(puppetmaster_t, system_r)
+mta_send_mail(puppetmaster_t)
+
optional_policy(`
- hostname_exec(puppetmaster_t)
+ tunable_policy(`puppetmaster_use_db',`
+ mysql_stream_connect(puppetmaster_t)
+ ')
')
optional_policy(`
- mta_send_mail(puppetmaster_t)
+ tunable_policy(`puppetmaster_use_db',`
+ postgresql_stream_connect(puppetmaster_t)
+ ')
')
optional_policy(`
- mysql_stream_connect(puppetmaster_t)
+ systemd_dbus_chat_timedated(puppetmaster_t)
')
optional_policy(`
- postgresql_stream_connect(puppetmaster_t)
+ hostname_exec(puppetmaster_t)
')
optional_policy(`
@@ -342,3 +416,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
+
+optional_policy(`
+ usermanage_access_check_groupadd(puppetmaster_t)
+ usermanage_access_check_passwd(puppetmaster_t)
+ usermanage_access_check_useradd(puppetmaster_t)
+')
diff --git a/pwauth.fc b/pwauth.fc
index 7e7b444..e2f8687 100644
--- a/pwauth.fc
+++ b/pwauth.fc
@@ -1,3 +1,3 @@
-/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0)
+/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0)
-/var/run/pwauth\.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)
+/var/run/pwauth.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)
diff --git a/pwauth.if b/pwauth.if
index 1148dce..86d25ea 100644
--- a/pwauth.if
+++ b/pwauth.if
@@ -1,72 +1,74 @@
-## External plugin for mod_authnz_external authenticator.
+
+## policy for pwauth
########################################
##
-## Role access for pwauth.
+## Transition to pwauth.
##
-##
-##
-## Role allowed access.
-##
-##
##
-##
-## User domain for the role.
-##
+##
+## Domain allowed to transition.
+##
##
#
-interface(`pwauth_role',`
+interface(`pwauth_domtrans',`
gen_require(`
- type pwauth_t;
+ type pwauth_t, pwauth_exec_t;
')
- pwauth_run($2, $1)
-
- ps_process_pattern($2, pwauth_t)
- allow $2 pwauth_t:process { ptrace signal_perms };
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pwauth_exec_t, pwauth_t)
')
########################################
##
-## Execute pwauth in the pwauth domain.
+## Execute pwauth in the pwauth domain, and
+## allow the specified role the pwauth domain.
##
##
##
-## Domain allowed to transition.
+## Domain allowed to transition
+##
+##
+##
+##
+## The role to be allowed the pwauth domain.
##
##
#
-interface(`pwauth_domtrans',`
+interface(`pwauth_run',`
gen_require(`
- type pwauth_t, pwauth_exec_t;
+ type pwauth_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, pwauth_exec_t, pwauth_t)
+ pwauth_domtrans($1)
+ role $2 types pwauth_t;
')
########################################
##
-## Execute pwauth in the pwauth
-## domain, and allow the specified
-## role the pwauth domain.
+## Role access for pwauth
##
-##
+##
##
-## Domain allowed to transition.
+## Role allowed access
##
##
-##
+##
##
-## Role allowed access.
+## User domain for the role
##
##
#
-interface(`pwauth_run',`
+interface(`pwauth_role',`
gen_require(`
- attribute_role pwauth_roles;
+ type pwauth_t;
')
- pwauth_domtrans($1)
- roleattribute $2 pwauth_roles;
+ role $1 types pwauth_t;
+
+ pwauth_domtrans($2)
+
+ ps_process_pattern($2, pwauth_t)
+ allow $2 pwauth_t:process signal;
')
diff --git a/pwauth.te b/pwauth.te
index 3078e34..215df88 100644
--- a/pwauth.te
+++ b/pwauth.te
@@ -5,26 +5,23 @@ policy_module(pwauth, 1.0.0)
# Declarations
#
-attribute_role pwauth_roles;
-roleattribute system_r pwauth_roles;
-
type pwauth_t;
type pwauth_exec_t;
application_domain(pwauth_t, pwauth_exec_t)
-role pwauth_roles types pwauth_t;
+role system_r types pwauth_t;
type pwauth_var_run_t;
files_pid_file(pwauth_var_run_t)
########################################
#
-# Local policy
+# pwauth local policy
#
-
allow pwauth_t self:capability setuid;
allow pwauth_t self:process setrlimit;
+
allow pwauth_t self:fifo_file manage_fifo_file_perms;
-allow pwauth_t self:unix_stream_socket { accept listen };
+allow pwauth_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
@@ -33,10 +30,10 @@ domain_use_interactive_fds(pwauth_t)
auth_domtrans_chkpwd(pwauth_t)
auth_use_nsswitch(pwauth_t)
+auth_read_shadow(pwauth_t)
+auth_rw_lastlog(pwauth_t)
init_read_utmp(pwauth_t)
logging_send_syslog_msg(pwauth_t)
logging_send_audit_msgs(pwauth_t)
-
-miscfiles_read_localization(pwauth_t)
diff --git a/pxe.te b/pxe.te
index 06bec9b..1b32632 100644
--- a/pxe.te
+++ b/pxe.te
@@ -50,15 +50,12 @@ dev_read_sysfs(pxe_t)
domain_use_interactive_fds(pxe_t)
-files_read_etc_files(pxe_t)
fs_getattr_all_fs(pxe_t)
fs_search_auto_mountpoints(pxe_t)
logging_send_syslog_msg(pxe_t)
-miscfiles_read_localization(pxe_t)
-
userdom_dontaudit_use_unpriv_user_fds(pxe_t)
userdom_dontaudit_search_user_home_dirs(pxe_t)
diff --git a/pyicqt.fc b/pyicqt.fc
deleted file mode 100644
index 0c143e3..0000000
--- a/pyicqt.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0)
-
-/etc/rc\.d/init\.d/pyicq-t -- gen_context(system_u:object_r:pyicqt_initrc_exec_t,s0)
-
-/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
-
-/var/log/pyicq-t\.log.* -- gen_context(system_u:object_r:pyicqt_log_t,s0)
-
-/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
-
-/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0)
diff --git a/pyicqt.if b/pyicqt.if
deleted file mode 100644
index 0ccea82..0000000
--- a/pyicqt.if
+++ /dev/null
@@ -1,45 +0,0 @@
-## ICQ transport for XMPP server.
-
-########################################
-##
-## All of the rules required to
-## administrate an pyicqt environment.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-#
-interface(`pyicqt_admin',`
- gen_require(`
- type pyicqt_t, pyicqt_log_t, pyicqt_spool_t;
- type pyicqt_var_run_t, pyicqt_initrc_exec_t, pyicqt_conf_t;
- ')
-
- allow $1 pyicqt_t:process { ptrace signal_perms };
- ps_process_pattern($1, pyicqt_t)
-
- init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pyicqt_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, pyicqt_conf_t)
-
- logging_search_logs($1)
- admin_pattern($1, pyicqt_log_t)
-
- files_search_spool($1)
- admin_pattern($1, pyicqt_spool_t)
-
- files_search_pids($1)
- admin_pattern($1, pyicqt_var_run_t)
-')
diff --git a/pyicqt.te b/pyicqt.te
deleted file mode 100644
index f2863de..0000000
--- a/pyicqt.te
+++ /dev/null
@@ -1,92 +0,0 @@
-policy_module(pyicqt, 1.1.0)
-
-########################################
-#
-# Declarations
-#
-
-type pyicqt_t;
-type pyicqt_exec_t;
-init_daemon_domain(pyicqt_t, pyicqt_exec_t)
-
-type pyicqt_initrc_exec_t;
-init_script_file(pyicqt_initrc_exec_t)
-
-type pyicqt_conf_t;
-files_config_file(pyicqt_conf_t)
-
-type pyicqt_log_t;
-logging_log_file(pyicqt_log_t)
-
-type pyicqt_spool_t;
-files_type(pyicqt_spool_t)
-
-type pyicqt_var_run_t;
-files_pid_file(pyicqt_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow pyicqt_t self:process signal_perms;
-allow pyicqt_t self:fifo_file rw_fifo_file_perms;
-allow pyicqt_t self:tcp_socket { accept listen };
-
-read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)
-
-allow pyicqt_t pyicqt_log_t:file append_file_perms;
-allow pyicqt_t pyicqt_log_t:file create_file_perms;
-allow pyicqt_t pyicqt_log_t:file setattr_file_perms;
-logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
-
-manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
-manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
-files_spool_filetrans(pyicqt_t, pyicqt_spool_t, dir)
-
-manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
-files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
-
-kernel_read_system_state(pyicqt_t)
-
-corecmd_exec_bin(pyicqt_t)
-
-corenet_all_recvfrom_unlabeled(pyicqt_t)
-corenet_all_recvfrom_netlabel(pyicqt_t)
-corenet_tcp_sendrecv_generic_if(pyicqt_t)
-corenet_tcp_sendrecv_generic_node(pyicqt_t)
-corenet_tcp_bind_generic_node(pyicqt_t)
-
-# corenet_sendrecv_jabber_router_server_packets(pyicqt_t)
-# corenet_tcp_bind_jabber_router_port(pyicqt_t)
-# corenet_sendrecv_jabber_router_client_packets(pyicqt_t)
-# corenet_tcp_connect_jabber_router_port(pyicqt_t)
-# corenet_tcp_sendrecv_jabber_router_port(pyicqt_t)
-
-dev_read_sysfs(pyicqt_t)
-dev_read_urand(pyicqt_t)
-
-files_read_usr_files(pyicqt_t)
-
-fs_getattr_all_fs(pyicqt_t)
-
-auth_use_nsswitch(pyicqt_t)
-
-libs_read_lib_files(pyicqt_t)
-
-logging_send_syslog_msg(pyicqt_t)
-
-miscfiles_read_localization(pyicqt_t)
-
-optional_policy(`
- jabber_manage_lib_files(pyicqt_t)
-')
-
-optional_policy(`
- mysql_stream_connect(pyicqt_t)
- mysql_tcp_connect(pyicqt_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(pyicqt_t)
-')
diff --git a/pyzor.fc b/pyzor.fc
index af13139..a927c5a 100644
--- a/pyzor.fc
+++ b/pyzor.fc
@@ -1,12 +1,13 @@
-HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
-
-/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
-
+/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
-/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
-/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
-/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
+/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
+/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
+/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
/var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0)
diff --git a/pyzor.if b/pyzor.if
index 593c03d..2c411af 100644
--- a/pyzor.if
+++ b/pyzor.if
@@ -2,7 +2,7 @@
########################################
##
-## Role access for pyzor.
+## Role access for pyzor
##
##
##
@@ -14,31 +14,30 @@
## User domain for the role
##
##
+##
#
interface(`pyzor_role',`
gen_require(`
- attribute_role pyzor_roles;
- type pyzor_t, pyzor_exec_t, pyzor_home_t;
- type pyzor_tmp_t;
+ type pyzor_t, pyzor_exec_t;
+ type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;
')
- roleattribute $1 pyzor_roles;
+ role $1 types pyzor_t;
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, pyzor_exec_t, pyzor_t)
- allow $2 pyzor_t:process { ptrace signal_perms };
+ # allow ps to show pyzor and allow the user to kill it
ps_process_pattern($2, pyzor_t)
-
- allow $2 { pyzor_home_t pyzor_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { pyzor_home_t pyzor_tmp_t }:file { manage_file_perms relabel_file_perms };
- allow $2 pyzor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- userdom_user_home_dir_filetrans($2, pyzor_home_t, dir, ".pyzor")
+ allow $2 pyzor_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 pyzor_t:process ptrace;
+ ')
')
########################################
##
-## Send generic signals to pyzor.
+## Send generic signals to pyzor
##
##
##
@@ -69,6 +68,7 @@ interface(`pyzor_domtrans',`
type pyzor_exec_t, pyzor_t;
')
+ files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, pyzor_exec_t, pyzor_t)
')
@@ -88,14 +88,15 @@ interface(`pyzor_exec',`
type pyzor_exec_t;
')
+ files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
')
########################################
##
-## All of the rules required to
-## administrate an pyzor environment.
+## All of the rules required to administrate
+## an pyzor environment
##
##
##
@@ -104,33 +105,37 @@ interface(`pyzor_exec',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the pyzor domain.
##
##
##
#
interface(`pyzor_admin',`
gen_require(`
- type pyzord_t, pyzord_initrc_exec_t, pyzord_log_t;
- type pyzor_var_lib_t, pyzor_etc_t;
+ type pyzord_t, pyzor_tmp_t, pyzord_log_t;
+ type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
')
- allow $1 pyzord_t:process { ptrace signal_perms };
+ allow $1 pyzord_t:process signal_perms;
ps_process_pattern($1, pyzord_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pyzord_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pyzord_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
- admin_pattern($1, pyzor_etc_t)
+ files_list_tmp($1)
+ admin_pattern($1, pyzor_tmp_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, pyzord_log_t)
- files_search_var_lib($1)
- admin_pattern($1, pyzor_var_lib_t)
+ files_list_etc($1)
+ admin_pattern($1, pyzor_etc_t)
- pyzor_role($2, $1)
+ files_list_var_lib($1)
+ admin_pattern($1, pyzor_var_lib_t)
')
diff --git a/pyzor.te b/pyzor.te
index 2439d13..d7bd6e9 100644
--- a/pyzor.te
+++ b/pyzor.te
@@ -5,57 +5,78 @@ policy_module(pyzor, 2.3.0)
# Declarations
#
-attribute_role pyzor_roles;
-roleattribute system_r pyzor_roles;
-
-type pyzor_t;
-type pyzor_exec_t;
-typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
-typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
-userdom_user_application_domain(pyzor_t, pyzor_exec_t)
-role pyzor_roles types pyzor_t;
-
-type pyzor_etc_t;
-files_type(pyzor_etc_t)
-
-type pyzor_home_t;
-typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
-typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
-userdom_user_home_content(pyzor_home_t)
-
-type pyzor_tmp_t;
-typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
-typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
-userdom_user_tmp_file(pyzor_tmp_t)
-
-type pyzor_var_lib_t;
-typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
-typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
-files_type(pyzor_var_lib_t)
-ubac_constrained(pyzor_var_lib_t)
-
-type pyzord_t;
-type pyzord_exec_t;
-init_daemon_domain(pyzord_t, pyzord_exec_t)
-
-type pyzord_initrc_exec_t;
-init_script_file(pyzord_initrc_exec_t)
-
-type pyzord_log_t;
-logging_log_file(pyzord_log_t)
+ifdef(`distro_redhat',`
+ gen_require(`
+ type spamc_t, spamc_exec_t, spamd_t;
+ type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t;
+ type spamd_log_t, spamd_var_lib_t, spamd_etc_t;
+ type spamc_tmp_t, spamc_home_t;
+ ')
+
+ typealias spamc_t alias pyzor_t;
+ typealias spamc_exec_t alias pyzor_exec_t;
+ typealias spamd_t alias pyzord_t;
+ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
+ typealias spamd_exec_t alias pyzord_exec_t;
+ typealias spamc_tmp_t alias pyzor_tmp_t;
+ typealias spamd_log_t alias pyzor_log_t;
+ typealias spamd_log_t alias pyzord_log_t;
+ typealias spamd_var_lib_t alias pyzor_var_lib_t;
+ typealias spamd_etc_t alias pyzor_etc_t;
+ typealias spamc_home_t alias pyzor_home_t;
+ typealias spamc_home_t alias user_pyzor_home_t;
+',`
+ type pyzor_t;
+ type pyzor_exec_t;
+ typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
+ typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
+ application_domain(pyzor_t, pyzor_exec_t)
+ ubac_constrained(pyzor_t)
+ role system_r types pyzor_t;
+
+ type pyzor_etc_t;
+ files_config_file(pyzor_etc_t)
+
+ type pyzor_home_t;
+ typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
+ typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
+ userdom_user_home_content(pyzor_home_t)
+
+ type pyzor_tmp_t;
+ typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
+ typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
+ files_tmp_file(pyzor_tmp_t)
+ ubac_constrained(pyzor_tmp_t)
+
+ type pyzor_var_lib_t;
+ typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
+ typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
+ files_type(pyzor_var_lib_t)
+ ubac_constrained(pyzor_var_lib_t)
+
+ type pyzord_t;
+ type pyzord_exec_t;
+ init_daemon_domain(pyzord_t, pyzord_exec_t)
+
+ type pyzord_log_t;
+ logging_log_file(pyzord_log_t)
+')
########################################
#
-# Local policy
+# Pyzor client local policy
#
+allow pyzor_t self:udp_socket create_socket_perms;
+
manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
-userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, dir, ".pyzor")
+userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file })
allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t)
+files_search_var_lib(pyzor_t)
manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
@@ -67,41 +88,28 @@ kernel_read_system_state(pyzor_t)
corecmd_list_bin(pyzor_t)
corecmd_getattr_bin_files(pyzor_t)
-corenet_all_recvfrom_unlabeled(pyzor_t)
-corenet_all_recvfrom_netlabel(pyzor_t)
corenet_tcp_sendrecv_generic_if(pyzor_t)
+corenet_udp_sendrecv_generic_if(pyzor_t)
corenet_tcp_sendrecv_generic_node(pyzor_t)
-
-corenet_sendrecv_http_client_packets(pyzor_t)
+corenet_udp_sendrecv_generic_node(pyzor_t)
+corenet_tcp_sendrecv_all_ports(pyzor_t)
+corenet_udp_sendrecv_all_ports(pyzor_t)
corenet_tcp_connect_http_port(pyzor_t)
-corenet_tcp_sendrecv_http_port(pyzor_t)
dev_read_urand(pyzor_t)
-fs_getattr_all_fs(pyzor_t)
-fs_search_auto_mountpoints(pyzor_t)
+fs_getattr_xattr_fs(pyzor_t)
+
auth_use_nsswitch(pyzor_t)
-miscfiles_read_localization(pyzor_t)
mta_read_queue(pyzor_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(pyzor_t)
- fs_manage_nfs_files(pyzor_t)
- fs_manage_nfs_symlinks(pyzor_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(pyzor_t)
- fs_manage_cifs_files(pyzor_t)
- fs_manage_cifs_symlinks(pyzor_t)
-')
+userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
- amavis_manage_lib_files(pyzor_t)
- amavis_manage_spool_files(pyzor_t)
+ antivirus_manage_db(pyzor_t)
')
optional_policy(`
@@ -111,25 +119,24 @@ optional_policy(`
########################################
#
-# Daemon local policy
+# Pyzor server local policy
#
-allow pyzord_t pyzor_var_lib_t:dir setattr_dir_perms;
+allow pyzord_t self:udp_socket create_socket_perms;
+
manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t)
+allow pyzord_t pyzor_var_lib_t:dir setattr;
files_var_lib_filetrans(pyzord_t, pyzor_var_lib_t, { file dir })
+read_files_pattern(pyzord_t, pyzor_etc_t, pyzor_etc_t)
allow pyzord_t pyzor_etc_t:dir list_dir_perms;
-allow pyzord_t pyzor_etc_t:file read_file_perms;
-allow pyzord_t pyzor_etc_t:lnk_file read_lnk_file_perms;
+can_exec(pyzord_t, pyzor_exec_t)
+
+manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
allow pyzord_t pyzord_log_t:dir setattr_dir_perms;
-append_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
-create_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
-setattr_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir })
-can_exec(pyzord_t, pyzor_exec_t)
-
kernel_read_kernel_sysctls(pyzord_t)
kernel_read_system_state(pyzord_t)
@@ -137,24 +144,25 @@ dev_read_urand(pyzord_t)
corecmd_exec_bin(pyzord_t)
-corenet_all_recvfrom_unlabeled(pyzord_t)
corenet_all_recvfrom_netlabel(pyzord_t)
corenet_udp_sendrecv_generic_if(pyzord_t)
corenet_udp_sendrecv_generic_node(pyzord_t)
+corenet_udp_sendrecv_all_ports(pyzord_t)
corenet_udp_bind_generic_node(pyzord_t)
-
-corenet_sendrecv_pyzor_server_packets(pyzord_t)
corenet_udp_bind_pyzor_port(pyzord_t)
-corenet_udp_sendrecv_pyzor_port(pyzord_t)
+corenet_sendrecv_pyzor_server_packets(pyzord_t)
-auth_use_nsswitch(pyzord_t)
-logging_send_syslog_msg(pyzord_t)
+auth_use_nsswitch(pyzord_t)
locallogin_dontaudit_use_fds(pyzord_t)
-miscfiles_read_localization(pyzord_t)
+# Do not audit attempts to access /root.
userdom_dontaudit_search_user_home_dirs(pyzord_t)
mta_manage_spool(pyzord_t)
+
+optional_policy(`
+ logging_send_syslog_msg(pyzord_t)
+')
diff --git a/qemu.fc b/qemu.fc
index 86ea53c..a2dcf7b 100644
--- a/qemu.fc
+++ b/qemu.fc
@@ -1,4 +1,4 @@
-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/qemu.if b/qemu.if
index eaf56b8..580f9ee 100644
--- a/qemu.if
+++ b/qemu.if
@@ -1,19 +1,21 @@
-## QEMU machine emulator and virtualizer.
+## QEMU machine emulator and virtualizer
-#######################################
+########################################
##
-## The template to define a qemu domain.
+## Creates types and rules for a basic
+## qemu process domain.
##
-##
+##
##
-## Domain prefix to be used.
+## Prefix for the domain.
##
##
#
template(`qemu_domain_template',`
+
##############################
#
- # Declarations
+ # Local Policy
#
type $1_t;
@@ -24,7 +26,7 @@ template(`qemu_domain_template',`
##############################
#
- # Policy
+ # Local Policy
#
allow $1_t self:capability { dac_read_search dac_override };
@@ -41,7 +43,6 @@ template(`qemu_domain_template',`
kernel_read_system_state($1_t)
- corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_generic_node($1_t)
@@ -70,11 +71,10 @@ template(`qemu_domain_template',`
term_getattr_pty_fs($1_t)
term_use_generic_ptys($1_t)
- miscfiles_read_localization($1_t)
sysnet_read_config($1_t)
- userdom_use_user_terminals($1_t)
+ userdom_use_inherited_user_terminals($1_t)
userdom_attach_admin_tun_iface($1_t)
optional_policy(`
@@ -98,38 +98,12 @@ template(`qemu_domain_template',`
########################################
##
-## Role access for qemu.
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-##
-## User domain for the role.
-##
-##
-#
-template(`qemu_role',`
- gen_require(`
- type qemu_t;
- ')
-
- qemu_run($2, $1)
-
- allow $2 qemu_t:process { ptrace signal_perms };
- ps_process_pattern($2, qemu_t)
-')
-
-########################################
-##
## Execute a domain transition to run qemu.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`qemu_domtrans',`
@@ -137,18 +111,17 @@ interface(`qemu_domtrans',`
type qemu_t, qemu_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, qemu_exec_t, qemu_t)
')
########################################
##
-## Execute a qemu in the caller domain.
+## Execute a qemu in the callers domain
##
##
-##
+##
## Domain allowed access.
-##
+##
##
#
interface(`qemu_exec',`
@@ -156,15 +129,12 @@ interface(`qemu_exec',`
type qemu_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, qemu_exec_t)
')
########################################
##
-## Execute qemu in the qemu domain,
-## and allow the specified role the
-## qemu domain.
+## Execute qemu in the qemu domain.
##
##
##
@@ -173,23 +143,25 @@ interface(`qemu_exec',`
##
##
##
-## Role allowed access.
+## The role to allow the qemu domain.
##
##
##
#
interface(`qemu_run',`
gen_require(`
- attribute_role qemu_roles;
+ type qemu_t;
')
qemu_domtrans($1)
- roleattribute $2 qemu_roles;
+ role $2 types qemu_t;
+ allow qemu_t $1:process signull;
+ allow $1 qemu_t:process signull;
')
########################################
##
-## Read qemu process state files.
+## Allow the domain to read state files in /proc.
##
##
##
@@ -202,15 +174,12 @@ interface(`qemu_read_state',`
type qemu_t;
')
- kernel_search_proc($1)
- allow $1 qemu_t:dir list_dir_perms;
- allow $1 qemu_t:file read_file_perms;
- allow $1 qemu_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, qemu_t, qemu_t)
')
########################################
##
-## Set qemu scheduler.
+## Set the schedule on qemu.
##
##
##
@@ -228,7 +197,7 @@ interface(`qemu_setsched',`
########################################
##
-## Send generic signals to qemu.
+## Send a signal to qemu.
##
##
##
@@ -246,7 +215,7 @@ interface(`qemu_signal',`
########################################
##
-## Send kill signals to qemu.
+## Send a sigill to qemu
##
##
##
@@ -264,48 +233,68 @@ interface(`qemu_kill',`
########################################
##
-## Execute a domain transition to
-## run qemu unconfined.
+## Execute qemu_exec_t
+## in the specified domain but do not
+## do it automatically. This is an explicit
+## transition, requiring the caller to use setexeccon().
##
+##
+##
+## Execute qemu_exec_t
+## in the specified domain. This allows
+## the specified domain to qemu programs
+## on these filesystems in the specified
+## domain.
+##
+##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the new process.
##
##
#
-interface(`qemu_domtrans_unconfined',`
+interface(`qemu_spec_domtrans',`
gen_require(`
- type unconfined_qemu_t, qemu_exec_t;
+ type qemu_exec_t;
')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
+
+ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
+ domain_transition_pattern($1, qemu_exec_t, $2)
+ domain_entry_file($2,qemu_exec_t)
+ can_exec($1,qemu_exec_t)
+
+ allow $2 $1:fd use;
+ allow $2 $1:fifo_file rw_fifo_file_perms;
+ allow $2 $1:process sigchld;
')
########################################
##
-## Create, read, write, and delete
-## qemu temporary directories.
+## Execute qemu unconfined programs in the role.
##
-##
+##
##
-## Domain allowed access.
+## The role to allow the qemu unconfined domain.
##
##
#
-interface(`qemu_manage_tmp_dirs',`
+interface(`qemu_unconfined_role',`
gen_require(`
- type qemu_tmp_t;
+ type unconfined_qemu_t;
+ type qemu_t;
')
-
- files_search_tmp($1)
- manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
+ role $1 types unconfined_qemu_t;
+ role $1 types qemu_t;
')
########################################
##
-## Create, read, write, and delete
-## qemu temporary files.
+## Manage qemu temporary dirs.
##
##
##
@@ -313,58 +302,41 @@ interface(`qemu_manage_tmp_dirs',`
##
##
#
-interface(`qemu_manage_tmp_files',`
+interface(`qemu_manage_tmp_dirs',`
gen_require(`
type qemu_tmp_t;
')
- files_search_tmp($1)
- manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
########################################
##
-## Execute qemu in a specified domain.
+## Manage qemu temporary files.
##
-##
-##
-## Execute qemu in a specified domain.
-##
-##
-## No interprocess communication (signals, pipes,
-## etc.) is provided by this interface since
-## the domains are not owned by this module.
-##
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-##
+##
##
-## Domain to transition to.
+## Domain allowed access.
##
##
#
-interface(`qemu_spec_domtrans',`
+interface(`qemu_manage_tmp_files',`
gen_require(`
- type qemu_exec_t;
+ type qemu_tmp_t;
')
- corecmd_search_bin($1)
- domain_auto_trans($1, qemu_exec_t, $2)
+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
-######################################
+########################################
##
-## Make qemu executable files an
-## entrypoint for the specified domain.
+## Make qemu_exec_t an entrypoint for
+## the specified domain.
##
##
-##
-## The domain for which qemu_exec_t is an entrypoint.
-##
+##
+## The domain for which qemu_exec_t is an entrypoint.
+##
##
#
interface(`qemu_entry_type',`
diff --git a/qemu.te b/qemu.te
index 4f90743..8c1e989 100644
--- a/qemu.te
+++ b/qemu.te
@@ -6,28 +6,58 @@ policy_module(qemu, 1.8.0)
#
##
-##
-## Determine whether qemu has full
-## access to the network.
-##
+##
+## Allow qemu to connect fully to the network
+##
##
gen_tunable(qemu_full_network, false)
-attribute_role qemu_roles;
-roleattribute system_r qemu_roles;
+##
+##
+## Allow qemu to use cifs/Samba file systems
+##
+##
+gen_tunable(qemu_use_cifs, true)
+
+##
+##
+## Allow qemu to use serial/parallel communication ports
+##
+##
+gen_tunable(qemu_use_comm, false)
-type qemu_exec_t;
-application_executable_file(qemu_exec_t)
+##
+##
+## Allow qemu to use nfs file systems
+##
+##
+gen_tunable(qemu_use_nfs, true)
+
+##
+##
+## Allow qemu to use usb devices
+##
+##
+gen_tunable(qemu_use_usb, true)
virt_domain_template(qemu)
-role qemu_roles types qemu_t;
+role system_r types qemu_t;
########################################
#
-# Local policy
+# qemu local policy
#
+storage_raw_write_removable_device(qemu_t)
+storage_raw_read_removable_device(qemu_t)
+
+userdom_search_user_home_content(qemu_t)
+userdom_read_user_tmpfs_files(qemu_t)
+userdom_stream_connect(qemu_t)
+
tunable_policy(`qemu_full_network',`
+ allow qemu_t self:udp_socket create_socket_perms;
+
corenet_udp_sendrecv_generic_if(qemu_t)
corenet_udp_sendrecv_generic_node(qemu_t)
corenet_udp_sendrecv_all_ports(qemu_t)
@@ -37,21 +67,57 @@ tunable_policy(`qemu_full_network',`
corenet_tcp_connect_all_ports(qemu_t)
')
+tunable_policy(`qemu_use_cifs',`
+ fs_manage_cifs_dirs(qemu_t)
+ fs_manage_cifs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_comm',`
+ term_use_unallocated_ttys(qemu_t)
+ dev_rw_printer(qemu_t)
+')
+
+tunable_policy(`qemu_use_nfs',`
+ fs_manage_nfs_dirs(qemu_t)
+ fs_manage_nfs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_usb',`
+ dev_rw_usbfs(qemu_t)
+ fs_manage_dos_dirs(qemu_t)
+ fs_manage_dos_files(qemu_t)
+')
+
optional_policy(`
- xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
+ dbus_read_lib_files(qemu_t)
')
-########################################
-#
-# Unconfined local policy
-#
+optional_policy(`
+ pulseaudio_manage_home_files(qemu_t)
+ pulseaudio_stream_connect(qemu_t)
+')
+
+optional_policy(`
+ tunable_policy(`qemu_use_cifs',`
+ samba_domtrans_smbd(qemu_t)
+ ')
+')
optional_policy(`
- type unconfined_qemu_t;
- typealias unconfined_qemu_t alias qemu_unconfined_t;
- application_type(unconfined_qemu_t)
- unconfined_domain(unconfined_qemu_t)
+ virt_domtrans_bridgehelper(qemu_t)
+')
+
+optional_policy(`
+ virt_manage_home_files(qemu_t)
+ virt_manage_images(qemu_t)
+ virt_append_log(qemu_t)
+')
- allow unconfined_qemu_t self:process { execstack execmem };
- allow unconfined_qemu_t qemu_exec_t:file execmod;
+optional_policy(`
+ xen_rw_image_files(qemu_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(qemu_t)
+ xserver_stream_connect(qemu_t)
')
diff --git a/qmail.fc b/qmail.fc
index e53fe5a..edee505 100644
--- a/qmail.fc
+++ b/qmail.fc
@@ -1,22 +1,6 @@
-/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
-
-/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
-
-/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
-/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
-/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
-/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
-/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
-/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
-/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
-/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
-/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
-/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
-/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
-/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
-
-/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
-/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
+
+/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
+/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
/var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
/var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
@@ -29,9 +13,36 @@
/var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
/var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
/var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
-/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
-/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+/var/qmail/owners(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+
+ifdef(`distro_debian', `
+/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+#/usr/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
+
+/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+
+/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
-/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+')
-/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
diff --git a/qmail.if b/qmail.if
index e4f0000..05e219e 100644
--- a/qmail.if
+++ b/qmail.if
@@ -1,12 +1,12 @@
-## Qmail Mail Server.
+## Qmail Mail Server
########################################
##
-## Template for qmail parent/sub-domain pairs.
+## Template for qmail parent/sub-domain pairs
##
##
##
-## The prefix of the child domain.
+## The prefix of the child domain
##
##
##
@@ -16,35 +16,39 @@
##
#
template(`qmail_child_domain_template',`
- gen_require(`
- attribute qmail_child_domain;
- ')
-
- ########################################
- #
- # Declarations
- #
-
- type $1_t, qmail_child_domain;
- type $1_exec_t;
+ type $1_t;
domain_type($1_t)
+ type $1_exec_t;
domain_entry_file($1_t, $1_exec_t)
-
+ domain_auto_trans($2, $1_exec_t, $1_t)
role system_r types $1_t;
- ########################################
- #
- # Policy
- #
+ allow $1_t self:process signal_perms;
+
+ allow $1_t $2:fd use;
+ allow $1_t $2:fifo_file rw_file_perms;
+ allow $1_t $2:process sigchld;
+
+ allow $1_t qmail_etc_t:dir list_dir_perms;
+ allow $1_t qmail_etc_t:file read_file_perms;
+ allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
+
+ allow $1_t qmail_start_t:fd use;
+
+ kernel_list_proc($2)
+ kernel_read_proc_symlinks($2)
- domtrans_pattern($2, $1_exec_t, $1_t)
+ corecmd_search_bin($1_t)
+
+ files_search_var($1_t)
+
+ fs_getattr_xattr_fs($1_t)
- kernel_read_system_state($2)
')
########################################
##
-## Transition to qmail_inject_t.
+## Transition to qmail_inject_t
##
##
##
@@ -57,11 +61,11 @@ interface(`qmail_domtrans_inject',`
type qmail_inject_t, qmail_inject_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
ifdef(`distro_debian',`
files_search_usr($1)
- corecmd_search_bin($1)
',`
files_search_var($1)
')
@@ -69,7 +73,7 @@ interface(`qmail_domtrans_inject',`
########################################
##
-## Transition to qmail_queue_t.
+## Transition to qmail_queue_t
##
##
##
@@ -82,11 +86,11 @@ interface(`qmail_domtrans_queue',`
type qmail_queue_t, qmail_queue_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
ifdef(`distro_debian',`
files_search_usr($1)
- corecmd_search_bin($1)
',`
files_search_var($1)
')
@@ -108,20 +112,21 @@ interface(`qmail_read_config',`
type qmail_etc_t;
')
- files_search_var($1)
allow $1 qmail_etc_t:dir list_dir_perms;
allow $1 qmail_etc_t:file read_file_perms;
allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
+ files_search_var($1)
ifdef(`distro_debian',`
+ # handle /etc/qmail
files_search_etc($1)
')
')
########################################
##
-## Define the specified domain as a
-## qmail-smtp service.
+## Define the specified domain as a qmail-smtp service.
+## Needed by antivirus/antispam filters.
##
##
##
@@ -141,3 +146,59 @@ interface(`qmail_smtpd_service_domain',`
domtrans_pattern(qmail_smtpd_t, $2, $1)
')
+
+########################################
+##
+## Create, read, write, and delete qmail
+## spool directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qmail_manage_spool_dirs',`
+ gen_require(`
+ type qmail_spool_t;
+ ')
+
+ manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t)
+')
+
+########################################
+##
+## Create, read, write, and delete qmail
+## spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qmail_manage_spool_files',`
+ gen_require(`
+ type qmail_spool_t;
+ ')
+
+ manage_files_pattern($1, qmail_spool_t, qmail_spool_t)
+')
+
+########################################
+##
+## Read and write to qmail spool pipes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`qmail_rw_spool_pipes',`
+ gen_require(`
+ type qmail_spool_t;
+ ')
+
+ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
+')
diff --git a/qmail.te b/qmail.te
index 8742944..53a2fe5 100644
--- a/qmail.te
+++ b/qmail.te
@@ -5,7 +5,7 @@ policy_module(qmail, 1.6.1)
# Declarations
#
-attribute qmail_child_domain;
+attribute qmail_user_domains;
type qmail_alias_home_t;
files_type(qmail_alias_home_t)
@@ -18,7 +18,7 @@ files_config_file(qmail_etc_t)
type qmail_exec_t;
files_type(qmail_exec_t)
-type qmail_inject_t;
+type qmail_inject_t, qmail_user_domains;
type qmail_inject_exec_t;
domain_type(qmail_inject_t)
domain_entry_file(qmail_inject_t, qmail_inject_exec_t)
@@ -32,21 +32,25 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t)
mta_mailserver_delivery(qmail_lspawn_t)
qmail_child_domain_template(qmail_queue, qmail_inject_t)
+typeattribute qmail_queue_t qmail_user_domains;
mta_mailserver_user_agent(qmail_queue_t)
qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
mta_mailserver_sender(qmail_remote_t)
qmail_child_domain_template(qmail_rspawn, qmail_start_t)
+
qmail_child_domain_template(qmail_send, qmail_start_t)
+
qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+
qmail_child_domain_template(qmail_splogger, qmail_start_t)
type qmail_keytab_t;
files_type(qmail_keytab_t)
type qmail_spool_t;
-files_type(qmail_spool_t)
+files_spool_file(qmail_spool_t)
type qmail_start_t;
type qmail_start_exec_t;
@@ -58,28 +62,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
########################################
#
-# Common qmail child domain local policy
-#
-
-allow qmail_child_domain self:process signal_perms;
-
-allow qmail_child_domain qmail_etc_t:dir list_dir_perms;
-allow qmail_child_domain qmail_etc_t:file read_file_perms;
-allow qmail_child_domain qmail_etc_t:lnk_file read_lnk_file_perms;
-
-allow qmail_child_domain qmail_start_t:fd use;
-
-corecmd_search_bin(qmail_child_domain)
-
-files_search_var(qmail_child_domain)
-
-fs_getattr_xattr_fs(qmail_child_domain)
-
-miscfiles_read_localization(qmail_child_domain)
-
-########################################
-#
-# Clean local policy
+# qmail-clean local policy
+# this component cleans up the queue directory
#
read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
@@ -87,11 +71,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
########################################
#
-# Inject local policy
+# qmail-inject local policy
+# this component preprocesses mail from stdin and invokes qmail-queue
#
-allow qmail_inject_t self:fifo_file write_fifo_file_perms;
allow qmail_inject_t self:process signal_perms;
+allow qmail_inject_t self:fifo_file write_fifo_file_perms;
allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
@@ -99,18 +84,18 @@ corecmd_search_bin(qmail_inject_t)
files_search_var(qmail_inject_t)
-miscfiles_read_localization(qmail_inject_t)
qmail_read_config(qmail_inject_t)
########################################
#
-# Local local policy
+# qmail-local local policy
+# this component delivers a mail message
#
-allow qmail_local_t self:fifo_file write_fifo_file_perms;
allow qmail_local_t self:process signal_perms;
-allow qmail_local_t self:unix_stream_socket { accept listen };
+allow qmail_local_t self:fifo_file write_file_perms;
+allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
@@ -137,12 +122,17 @@ mta_append_spool(qmail_local_t)
qmail_domtrans_queue(qmail_local_t)
optional_policy(`
+ uucp_domtrans(qmail_local_t)
+')
+
+optional_policy(`
spamassassin_domtrans_client(qmail_local_t)
')
########################################
#
-# Lspawn local policy
+# qmail-lspawn local policy
+# this component schedules local deliveries
#
allow qmail_lspawn_t self:capability { setuid setgid };
@@ -156,21 +146,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
-files_read_etc_files(qmail_lspawn_t)
+corecmd_search_bin(qmail_lspawn_t)
+
files_search_pids(qmail_lspawn_t)
files_search_tmp(qmail_lspawn_t)
########################################
#
-# Queue local policy
+# qmail-queue local policy
+# this component places a mail in a delivery queue, later to be processed by qmail-send
#
allow qmail_queue_t qmail_lspawn_t:fd use;
allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
+allow qmail_queue_t qmail_smtpd_t:process sigchld;
allow qmail_queue_t qmail_smtpd_t:fd use;
allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
-allow qmail_queue_t qmail_smtpd_t:process sigchld;
manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
@@ -186,28 +178,34 @@ optional_policy(`
########################################
#
-# Remote local policy
+# qmail-remote local policy
+# this component sends mail via SMTP
#
+allow qmail_remote_t self:tcp_socket create_socket_perms;
+allow qmail_remote_t self:udp_socket create_socket_perms;
+
rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t)
-corenet_all_recvfrom_unlabeled(qmail_remote_t)
corenet_all_recvfrom_netlabel(qmail_remote_t)
corenet_tcp_sendrecv_generic_if(qmail_remote_t)
+corenet_udp_sendrecv_generic_if(qmail_remote_t)
corenet_tcp_sendrecv_generic_node(qmail_remote_t)
-
-corenet_sendrecv_smtp_client_packets(qmail_remote_t)
-corenet_tcp_connect_smtp_port(qmail_remote_t)
+corenet_udp_sendrecv_generic_node(qmail_remote_t)
corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
+corenet_udp_sendrecv_dns_port(qmail_remote_t)
+corenet_tcp_connect_smtp_port(qmail_remote_t)
+corenet_sendrecv_smtp_client_packets(qmail_remote_t)
dev_read_rand(qmail_remote_t)
dev_read_urand(qmail_remote_t)
-sysnet_dns_name_resolve(qmail_remote_t)
+sysnet_read_config(qmail_remote_t)
########################################
#
-# Rspawn local policy
+# qmail-rspawn local policy
+# this component scedules remote deliveries
#
allow qmail_rspawn_t self:process signal_perms;
@@ -217,9 +215,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
+corecmd_search_bin(qmail_rspawn_t)
+
########################################
#
-# Send local policy
+# qmail-send local policy
+# this component delivers mail messages from the queue
#
allow qmail_send_t self:process signal_perms;
@@ -237,7 +238,8 @@ optional_policy(`
########################################
#
-# Smtpd local policy
+# qmail-smtpd local policy
+# this component receives mails via SMTP
#
allow qmail_smtpd_t self:process signal_perms;
@@ -268,26 +270,26 @@ optional_policy(`
########################################
#
-# Splogger local policy
+# splogger local policy
+# this component creates entries in syslog
#
allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
-files_read_etc_files(qmail_splogger_t)
init_dontaudit_use_script_fds(qmail_splogger_t)
-miscfiles_read_localization(qmail_splogger_t)
########################################
#
-# Start local policy
+# qmail-start local policy
+# this component starts up the mail delivery component
#
allow qmail_start_t self:capability { setgid setuid };
dontaudit qmail_start_t self:capability sys_tty_config;
-allow qmail_start_t self:fifo_file rw_fifo_file_perms;
allow qmail_start_t self:process signal_perms;
+allow qmail_start_t self:fifo_file rw_fifo_file_perms;
can_exec(qmail_start_t, qmail_start_exec_t)
@@ -304,7 +306,8 @@ optional_policy(`
########################################
#
-# Tcp-env local policy
+# tcp-env local policy
+# this component sets up TCP-related environment variables
#
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
diff --git a/qpid.if b/qpid.if
index fe2adf8..f7e9c70 100644
--- a/qpid.if
+++ b/qpid.if
@@ -1,4 +1,4 @@
-## Apache QPID AMQP messaging server.
+## policy for qpidd
########################################
##
@@ -15,13 +15,12 @@ interface(`qpidd_domtrans',`
type qpidd_t, qpidd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, qpidd_exec_t, qpidd_t)
')
-#####################################
+########################################
##
-## Read and write access qpidd semaphores.
+## Execute qpidd server in the qpidd domain.
##
##
##
@@ -29,17 +28,17 @@ interface(`qpidd_domtrans',`
##
##
#
-interface(`qpidd_rw_semaphores',`
+interface(`qpidd_initrc_domtrans',`
gen_require(`
- type qpidd_t;
+ type qpidd_initrc_exec_t;
')
- allow $1 qpidd_t:sem rw_sem_perms;
+ init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
')
########################################
##
-## Read and write qpidd shared memory.
+## Read qpidd PID files.
##
##
##
@@ -47,36 +46,39 @@ interface(`qpidd_rw_semaphores',`
##
##
#
-interface(`qpidd_rw_shm',`
+interface(`qpidd_read_pid_files',`
gen_require(`
- type qpidd_t;
+ type qpidd_var_run_t;
')
- allow $1 qpidd_t:shm rw_shm_perms;
+ files_search_pids($1)
+ allow $1 qpidd_var_run_t:file read_file_perms;
')
########################################
##
-## Execute qpidd init script in
-## the initrc domain.
+## Manage qpidd var_run files.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
-interface(`qpidd_initrc_domtrans',`
+interface(`qpidd_manage_var_run',`
gen_require(`
- type qpidd_initrc_exec_t;
+ type qpidd_var_run_t;
')
- init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
+ files_search_pids($1)
+ manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+ manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+ manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
')
########################################
##
-## Read qpidd pid files.
+## Search qpidd lib directories.
##
##
##
@@ -84,18 +86,18 @@ interface(`qpidd_initrc_domtrans',`
##
##
#
-interface(`qpidd_read_pid_files',`
+interface(`qpidd_search_lib',`
gen_require(`
- type qpidd_var_run_t;
+ type qpidd_var_lib_t;
')
- files_search_pids($1)
- allow $1 qpidd_var_run_t:file read_file_perms;
+ allow $1 qpidd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
##
-## Search qpidd lib directories.
+## Read qpidd lib files.
##
##
##
@@ -103,18 +105,19 @@ interface(`qpidd_read_pid_files',`
##
##
#
-interface(`qpidd_search_lib',`
+interface(`qpidd_read_lib_files',`
gen_require(`
type qpidd_var_lib_t;
')
files_search_var_lib($1)
- allow $1 qpidd_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
########################################
##
-## Read qpidd lib files.
+## Create, read, write, and delete
+## qpidd lib files.
##
##
##
@@ -122,19 +125,18 @@ interface(`qpidd_search_lib',`
##
##
#
-interface(`qpidd_read_lib_files',`
+interface(`qpidd_manage_lib_files',`
gen_require(`
type qpidd_var_lib_t;
')
files_search_var_lib($1)
- read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
########################################
##
-## Create, read, write, and delete
-## qpidd lib files.
+## Manage qpidd var_lib files.
##
##
##
@@ -142,49 +144,94 @@ interface(`qpidd_read_lib_files',`
##
##
#
-interface(`qpidd_manage_lib_files',`
+interface(`qpidd_manage_var_lib',`
gen_require(`
type qpidd_var_lib_t;
')
files_search_var_lib($1)
+ manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+ manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
-########################################
+#####################################
##
-## All of the rules required to
-## administrate an qpidd environment.
+## Allow read and write access to qpidd semaphores.
##
##
##
## Domain allowed access.
##
##
+#
+interface(`qpidd_rw_semaphores',`
+ gen_require(`
+ type qpidd_t;
+ ')
+
+ allow $1 qpidd_t:sem rw_sem_perms;
+')
+
+#######################################
+##
+## Read and write to qpidd shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qpidd_rw_shm',`
+ gen_require(`
+ type qpidd_t;
+ type qpidd_tmpfs_t;
+ ')
+
+ allow $1 qpidd_t:shm rw_shm_perms;
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)
+')
+
+#######################################
+##
+## All of the rules required to
+## administrate an qpidd environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
##
-##
-## Role allowed access.
-##
+##
+## Role allowed access.
+##
##
##
#
interface(`qpidd_admin',`
- gen_require(`
- type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
- type qpidd_var_run_t;
- ')
+ gen_require(`
+ type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
+ type qpidd_var_run_t;
+ ')
- allow $1 qpidd_t:process { ptrace signal_perms };
- ps_process_pattern($1, qpidd_t)
+ allow $1 qpidd_t:process { signal_perms };
+ ps_process_pattern($1, qpidd_t)
- qpidd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 qpidd_initrc_exec_t system_r;
- allow $2 system_r;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 qpidd_t:process ptrace;
+ ')
- files_search_var_lib($1)
- admin_pattern($1, qpidd_var_lib_t)
+ qpidd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 qpidd_initrc_exec_t system_r;
+ allow $2 system_r;
- files_search_pids($1)
- admin_pattern($1, qpidd_var_run_t)
+ files_search_var_lib($1)
+ admin_pattern($1, qpidd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, qpidd_var_run_t)
')
diff --git a/qpid.te b/qpid.te
index 83eb09e..b48c931 100644
--- a/qpid.te
+++ b/qpid.te
@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
type qpidd_initrc_exec_t;
init_script_file(qpidd_initrc_exec_t)
+type qpidd_tmp_t;
+files_tmp_file(qpidd_tmp_t)
+
type qpidd_tmpfs_t;
files_tmpfs_file(qpidd_tmpfs_t)
@@ -33,41 +36,52 @@ allow qpidd_t self:shm create_shm_perms;
allow qpidd_t self:tcp_socket { accept listen };
allow qpidd_t self:unix_stream_socket { accept listen };
+manage_dirs_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
+manage_files_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
+files_tmp_filetrans(qpidd_t, qpidd_tmp_t, { dir file })
+
manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
-manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
-manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
-manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
-manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
kernel_read_system_state(qpidd_t)
-corenet_all_recvfrom_unlabeled(qpidd_t)
corenet_all_recvfrom_netlabel(qpidd_t)
+corenet_tcp_bind_generic_node(qpidd_t)
corenet_tcp_sendrecv_generic_if(qpidd_t)
corenet_tcp_sendrecv_generic_node(qpidd_t)
-corenet_tcp_bind_generic_node(qpidd_t)
corenet_sendrecv_amqp_server_packets(qpidd_t)
corenet_tcp_bind_amqp_port(qpidd_t)
corenet_tcp_sendrecv_amqp_port(qpidd_t)
+corenet_tcp_bind_matahari_port(qpidd_t)
+corenet_tcp_connect_matahari_port(qpidd_t)
+
dev_read_sysfs(qpidd_t)
dev_read_urand(qpidd_t)
+dev_read_rand(qpidd_t)
-files_read_etc_files(qpidd_t)
+# needed by ssl
+files_list_tmp(qpidd_t)
logging_send_syslog_msg(qpidd_t)
-miscfiles_read_localization(qpidd_t)
-
sysnet_dns_name_resolve(qpidd_t)
optional_policy(`
- corosync_stream_connect(qpidd_t)
+ kerberos_use(qpidd_t)
')
+
+optional_policy(`
+ rhcs_stream_connect_cluster(qpidd_t)
+')
+
diff --git a/quantum.fc b/quantum.fc
index 70ab68b..32dec67 100644
--- a/quantum.fc
+++ b/quantum.fc
@@ -1,10 +1,28 @@
-/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/neutron.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
-/usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0)
-/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
+/usr/bin/neutron-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-lbaas-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-rootwrap -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-server -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-server -- gen_context(system_u:object_r:neutron_exec_t,s0)
-/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
+/usr/lib/systemd/system/neutron.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0)
+/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0)
-/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0)
+/var/lib/neutron(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0)
+/var/lib/quantum(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0)
+
+/var/log/neutron(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
+/var/log/quantum(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
diff --git a/quantum.if b/quantum.if
index afc0068..3105104 100644
--- a/quantum.if
+++ b/quantum.if
@@ -2,41 +2,293 @@
########################################
##
-## All of the rules required to
-## administrate an quantum environment.
+## Transition to neutron.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`neutron_domtrans',`
+ gen_require(`
+ type neutron_t, neutron_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, neutron_exec_t, neutron_t)
+')
+
+########################################
+##
+## Allow read/write neutron pipes
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`neutron_rw_inherited_pipes',`
+ gen_require(`
+ type neutron_t;
+ ')
+
+ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Send sigchld to neutron.
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
+##
+##
+#
+#
+interface(`neutron_sigchld',`
+ gen_require(`
+ type neutron_t;
+ ')
+
+ allow $1 neutron_t:process sigchld;
+')
+
+########################################
+##
+## Read neutron's log files.
+##
+##
+##
+## Domain allowed access.
##
##
##
#
-interface(`quantum_admin',`
+interface(`neutron_read_log',`
+ gen_require(`
+ type neutron_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+##
+## Append to neutron log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_append_log',`
+ gen_require(`
+ type neutron_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+##
+## Manage neutron log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_manage_log',`
+ gen_require(`
+ type neutron_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, neutron_log_t, neutron_log_t)
+ manage_files_pattern($1, neutron_log_t, neutron_log_t)
+ manage_lnk_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+##
+## Search neutron lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_search_lib',`
+ gen_require(`
+ type neutron_var_lib_t;
+ ')
+
+ allow $1 neutron_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read neutron lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_read_lib_files',`
gen_require(`
- type quantum_t, quantum_initrc_exec_t, quantum_log_t;
- type quantum_var_lib_t, quantum_tmp_t;
+ type neutron_var_lib_t;
')
- allow $1 quantum_t:process { ptrace signal_perms };
- ps_process_pattern($1, quantum_t)
+ files_search_var_lib($1)
+ read_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+##
+## Manage neutron lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_manage_lib_files',`
+ gen_require(`
+ type neutron_var_lib_t;
+ ')
- init_labeled_script_domtrans($1, quantum_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quantum_initrc_exec_t system_r;
- allow $2 system_r;
+ files_search_var_lib($1)
+ manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+##
+## Manage neutron lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_manage_lib_dirs',`
+ gen_require(`
+ type neutron_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+##
+## Read and write neutron fifo files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_rw_fifo_file',`
+ gen_require(`
+ type neutron_t;
+ ')
+
+ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+#####################################
+##
+## Connect to neutron over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_stream_connect',`
+ gen_require(`
+ type neutron_t;
+ type neutron_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, neutron_var_lib_t, neutron_var_lib_t, neutron_t )
+')
+
+########################################
+##
+## Execute neutron server in the neutron domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`neutron_systemctl',`
+ gen_require(`
+ type neutron_t;
+ type neutron_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 neutron_unit_file_t:file read_file_perms;
+ allow $1 neutron_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, neutron_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an neutron environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`neutron_admin',`
+ gen_require(`
+ type neutron_t;
+ type neutron_log_t;
+ type neutron_var_lib_t;
+ type neutron_unit_file_t;
+ ')
+
+ allow $1 neutron_t:process { ptrace signal_perms };
+ ps_process_pattern($1, neutron_t)
logging_search_logs($1)
- admin_pattern($1, quantum_log_t)
+ admin_pattern($1, neutron_log_t)
files_search_var_lib($1)
- admin_pattern($1, quantum_var_lib_t)
+ admin_pattern($1, neutron_var_lib_t)
- files_search_tmp($1)
- admin_pattern($1, quantum_tmp_t)
+ neutron_systemctl($1)
+ admin_pattern($1, neutron_unit_file_t)
+ allow $1 neutron_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/quantum.te b/quantum.te
index 8644d8b..b744b5d 100644
--- a/quantum.te
+++ b/quantum.te
@@ -5,92 +5,105 @@ policy_module(quantum, 1.1.0)
# Declarations
#
-type quantum_t;
-type quantum_exec_t;
-init_daemon_domain(quantum_t, quantum_exec_t)
+type neutron_t alias quantum_t;
+type neutron_exec_t alias quantum_exec_t;
+init_daemon_domain(neutron_t, neutron_exec_t)
-type quantum_initrc_exec_t;
-init_script_file(quantum_initrc_exec_t)
+type neutron_initrc_exec_t alias quantum_initrc_exec_t;
+init_script_file(neutron_initrc_exec_t)
-type quantum_log_t;
-logging_log_file(quantum_log_t)
+type neutron_log_t alias quantum_log_t;
+logging_log_file(neutron_log_t)
-type quantum_tmp_t;
-files_tmp_file(quantum_tmp_t)
+type neutron_tmp_t alias quantum_tmp_t;
+files_tmp_file(neutron_tmp_t)
-type quantum_var_lib_t;
-files_type(quantum_var_lib_t)
+type neutron_var_lib_t alias quantum_var_lib_t;
+files_type(neutron_var_lib_t)
+
+type neutron_unit_file_t alias quantum_unit_file_t;
+systemd_unit_file(neutron_unit_file_t)
########################################
#
# Local policy
#
-allow quantum_t self:capability { setgid setuid sys_resource };
-allow quantum_t self:process { setsched setrlimit };
-allow quantum_t self:fifo_file rw_fifo_file_perms;
-allow quantum_t self:key manage_key_perms;
-allow quantum_t self:tcp_socket { accept listen };
-allow quantum_t self:unix_stream_socket { accept listen };
+allow neutron_t self:capability { setgid setuid sys_resource };
+allow neutron_t self:process { setsched setrlimit };
+allow neutron_t self:fifo_file rw_fifo_file_perms;
+allow neutron_t self:key manage_key_perms;
+allow neutron_t self:tcp_socket { accept listen };
+allow neutron_t self:unix_stream_socket { accept listen };
-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-logging_log_filetrans(quantum_t, quantum_log_t, dir)
+manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
+append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+logging_log_filetrans(neutron_t, neutron_log_t, dir)
-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
-can_exec(quantum_t, quantum_tmp_t)
+can_exec(neutron_t, neutron_tmp_t)
-kernel_read_kernel_sysctls(quantum_t)
-kernel_read_system_state(quantum_t)
+kernel_read_kernel_sysctls(neutron_t)
+kernel_read_system_state(neutron_t)
-corecmd_exec_shell(quantum_t)
-corecmd_exec_bin(quantum_t)
+corecmd_exec_shell(neutron_t)
+corecmd_exec_bin(neutron_t)
-corenet_all_recvfrom_unlabeled(quantum_t)
-corenet_all_recvfrom_netlabel(quantum_t)
-corenet_tcp_sendrecv_generic_if(quantum_t)
-corenet_tcp_sendrecv_generic_node(quantum_t)
-corenet_tcp_sendrecv_all_ports(quantum_t)
-corenet_tcp_bind_generic_node(quantum_t)
+corenet_all_recvfrom_unlabeled(neutron_t)
+corenet_all_recvfrom_netlabel(neutron_t)
+corenet_tcp_sendrecv_generic_if(neutron_t)
+corenet_tcp_sendrecv_generic_node(neutron_t)
+corenet_tcp_sendrecv_all_ports(neutron_t)
+corenet_tcp_bind_generic_node(neutron_t)
-dev_list_sysfs(quantum_t)
-dev_read_urand(quantum_t)
+corenet_tcp_bind_neutron_port(neutron_t)
+corenet_tcp_connect_keystone_port(neutron_t)
+corenet_tcp_connect_amqp_port(neutron_t)
+corenet_tcp_connect_mysqld_port(neutron_t)
-files_read_usr_files(quantum_t)
+dev_list_sysfs(neutron_t)
+dev_read_urand(neutron_t)
-auth_use_nsswitch(quantum_t)
+auth_use_nsswitch(neutron_t)
-libs_exec_ldconfig(quantum_t)
+libs_exec_ldconfig(neutron_t)
-logging_send_audit_msgs(quantum_t)
-logging_send_syslog_msg(quantum_t)
+logging_send_audit_msgs(neutron_t)
+logging_send_syslog_msg(neutron_t)
-miscfiles_read_localization(quantum_t)
+sysnet_exec_ifconfig(neutron_t)
-sysnet_domtrans_ifconfig(quantum_t)
+optional_policy(`
+ brctl_domtrans(neutron_t)
+')
optional_policy(`
- brctl_domtrans(quantum_t)
+ mysql_stream_connect(neutron_t)
+ mysql_read_config(neutron_t)
+
+ mysql_tcp_connect(neutron_t)
')
optional_policy(`
- mysql_stream_connect(quantum_t)
- mysql_read_config(quantum_t)
+ postgresql_stream_connect(neutron_t)
+ postgresql_unpriv_client(neutron_t)
- mysql_tcp_connect(quantum_t)
+ postgresql_tcp_connect(neutron_t)
')
optional_policy(`
- postgresql_stream_connect(quantum_t)
- postgresql_unpriv_client(quantum_t)
+ openvswitch_domtrans(neutron_t)
+ openvswitch_stream_connect(neutron_t)
+')
- postgresql_tcp_connect(quantum_t)
+optional_policy(`
+ sudo_exec(neutron_t)
')
diff --git a/quota.fc b/quota.fc
index cadabe3..0ee2489 100644
--- a/quota.fc
+++ b/quota.fc
@@ -1,6 +1,5 @@
HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-
-HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
@@ -8,24 +7,23 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/etc/rc\.d/init\.d/quota_nld -- gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0)
-
-/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
-/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
-/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
-/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
+/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
+ifdef(`distro_redhat',`
+/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+',`
+/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+')
-/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
+/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
-/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/stickshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/openshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/var/spool/imap/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/var/spool/(client)?mqueue/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/var/spool/mqueue\.in/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/var/spool/mail/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
diff --git a/quota.if b/quota.if
index da64218..3fb8575 100644
--- a/quota.if
+++ b/quota.if
@@ -1,4 +1,4 @@
-## File system quota management.
+## File system quota management
########################################
##
@@ -21,9 +21,8 @@ interface(`quota_domtrans',`
########################################
##
-## Execute quota management tools in
-## the quota domain, and allow the
-## specified role the quota domain.
+## Execute quota management tools in the quota domain, and
+## allow the specified role the quota domain.
##
##
##
@@ -39,90 +38,54 @@ interface(`quota_domtrans',`
#
interface(`quota_run',`
gen_require(`
- attribute_role quota_roles;
+ type quota_t;
')
quota_domtrans($1)
- roleattribute $2 quota_roles;
+ role $2 types quota_t;
')
#######################################
##
-## Execute quota nld in the quota nld domain.
+## Alow to read of filesystem quota data files.
##
##
-##
-## Domain allowed to transition.
-##
+##
+## Domain to not audit.
+##
##
#
-interface(`quota_domtrans_nld',`
- gen_require(`
- type quota_nld_t, quota_nld_exec_t;
- ')
+interface(`quota_read_db',`
+ gen_require(`
+ type quota_db_t;
+ ')
- corecmd_search_bin($1)
- domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
+ allow $1 quota_db_t:file read_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## quota db files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`quota_manage_db_files',`
- gen_require(`
- type quota_db_t;
- ')
-
- allow $1 quota_db_t:file manage_file_perms;
-')
-
-########################################
-##
-## Create specified objects in specified
-## directories with a type transition to
-## the quota db file type.
+## Do not audit attempts to get the attributes
+## of filesystem quota data files.
##
##
##
-## Domain allowed access.
-##
-##
-##
-##
-## Directory to transition on.
-##
-##
-##
-##
-## The object class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
+## Domain to not audit.
##
##
#
-interface(`quota_spec_filetrans_db',`
+interface(`quota_dontaudit_getattr_db',`
gen_require(`
type quota_db_t;
')
- filetrans_pattern($1, $2, quota_db_t, $3, $4)
+ dontaudit $1 quota_db_t:file getattr_file_perms;
')
########################################
##
-## Do not audit attempts to get attributes
-## of filesystem quota data files.
+## Create, read, write, and delete quota
+## db files.
##
##
##
@@ -130,18 +93,18 @@ interface(`quota_spec_filetrans_db',`
##
##
#
-interface(`quota_dontaudit_getattr_db',`
+interface(`quota_manage_db',`
gen_require(`
type quota_db_t;
')
- dontaudit $1 quota_db_t:file getattr_file_perms;
+ allow $1 quota_db_t:file manage_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## quota flag files.
+## Create, read, write, and delete quota
+## flag files.
##
##
##
@@ -160,37 +123,56 @@ interface(`quota_manage_flags',`
########################################
##
-## All of the rules required to
-## administrate an quota environment.
+## Transition to quota named content
##
##
##
-## Domain allowed access.
-##
-##
-##
-##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
-interface(`quota_admin',`
+interface(`quota_filetrans_named_content',`
gen_require(`
- type quota_nld_t, quota_t, quota_db_t;
- type quota_nld_initrc_exec_t, quota_flag_t, quota_nld_var_run_t;
+ type quota_db_t;
')
- allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { quota_nld_t quota_t })
-
- init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quota_nld_initrc_exec_t system_r;
- allow $2 system_r;
+ files_root_filetrans($1, quota_db_t, file, "aquota.user")
+ files_root_filetrans($1, quota_db_t, file, "aquota.group")
+ files_boot_filetrans($1, quota_db_t, file, "aquota.user")
+ files_boot_filetrans($1, quota_db_t, file, "aquota.group")
+ files_etc_filetrans($1, quota_db_t, file, "aquota.user")
+ files_etc_filetrans($1, quota_db_t, file, "aquota.group")
+ files_tmp_filetrans($1, quota_db_t, file, "aquota.user")
+ files_tmp_filetrans($1, quota_db_t, file, "aquota.group")
+ files_home_filetrans($1, quota_db_t, file, "aquota.user")
+ files_home_filetrans($1, quota_db_t, file, "aquota.group")
+ files_usr_filetrans($1, quota_db_t, file, "aquota.user")
+ files_usr_filetrans($1, quota_db_t, file, "aquota.group")
+ files_var_filetrans($1, quota_db_t, file, "aquota.user")
+ files_var_filetrans($1, quota_db_t, file, "aquota.group")
+ files_spool_filetrans($1, quota_db_t, file, "aquota.user")
+ files_spool_filetrans($1, quota_db_t, file, "aquota.group")
+ mta_spool_filetrans($1, quota_db_t, file, "aquota.user")
+ mta_spool_filetrans($1, quota_db_t, file, "aquota.group")
+ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.user")
+ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.group")
+')
- files_list_all($1)
- admin_pattern($1, { quota_db_t quota_flag quota_nld_var_run_t })
+#######################################
+##
+## Transition to quota_nld.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`quota_domtrans_nld',`
+ gen_require(`
+ type quota_nld_t, quota_nld_exec_t;
+ ')
- quota_run($1, $2)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
')
diff --git a/quota.te b/quota.te
index f47c8e8..a0251fe 100644
--- a/quota.te
+++ b/quota.te
@@ -5,12 +5,10 @@ policy_module(quota, 1.6.0)
# Declarations
#
-attribute_role quota_roles;
-
type quota_t;
type quota_exec_t;
-init_system_domain(quota_t, quota_exec_t)
-role quota_roles types quota_t;
+application_domain(quota_t, quota_exec_t)
+#init_system_domain(quota_t, quota_exec_t)
type quota_db_t;
files_type(quota_db_t)
@@ -22,9 +20,6 @@ type quota_nld_t;
type quota_nld_exec_t;
init_daemon_domain(quota_nld_t, quota_nld_exec_t)
-type quota_nld_initrc_exec_t;
-init_script_file(quota_nld_initrc_exec_t)
-
type quota_nld_var_run_t;
files_pid_file(quota_nld_var_run_t)
@@ -37,6 +32,7 @@ allow quota_t self:capability { sys_admin dac_override };
dontaudit quota_t self:capability sys_tty_config;
allow quota_t self:process signal_perms;
+# for /quota.*
allow quota_t quota_db_t:file { manage_file_perms quotaon };
files_root_filetrans(quota_t, quota_db_t, file)
files_boot_filetrans(quota_t, quota_db_t, file)
@@ -48,7 +44,6 @@ files_var_filetrans(quota_t, quota_db_t, file)
files_spool_filetrans(quota_t, quota_db_t, file)
userdom_user_home_dir_filetrans(quota_t, quota_db_t, file)
-kernel_request_load_module(quota_t)
kernel_list_proc(quota_t)
kernel_read_proc_symlinks(quota_t)
kernel_read_kernel_sysctls(quota_t)
@@ -58,14 +53,6 @@ dev_read_sysfs(quota_t)
dev_getattr_all_blk_files(quota_t)
dev_getattr_all_chr_files(quota_t)
-files_list_all(quota_t)
-files_read_all_files(quota_t)
-files_read_all_symlinks(quota_t)
-files_getattr_all_pipes(quota_t)
-files_getattr_all_sockets(quota_t)
-files_getattr_all_file_type_fs(quota_t)
-files_read_etc_runtime_files(quota_t)
-
fs_get_xattr_fs_quotas(quota_t)
fs_set_xattr_fs_quotas(quota_t)
fs_getattr_xattr_fs(quota_t)
@@ -80,17 +67,28 @@ term_dontaudit_use_console(quota_t)
domain_use_interactive_fds(quota_t)
+files_list_all(quota_t)
+files_read_all_files(quota_t)
+files_read_all_symlinks(quota_t)
+files_getattr_all_pipes(quota_t)
+files_getattr_all_sockets(quota_t)
+files_getattr_all_file_type_fs(quota_t)
+# Read /etc/mtab.
+files_read_etc_runtime_files(quota_t)
+
init_use_fds(quota_t)
init_use_script_ptys(quota_t)
logging_send_syslog_msg(quota_t)
-userdom_use_user_terminals(quota_t)
+mta_spool_filetrans(quota_t, quota_db_t, file)
+mta_spool_filetrans_queue(quota_t, quota_db_t, file)
+
+userdom_use_inherited_user_terminals(quota_t)
userdom_dontaudit_use_unpriv_user_fds(quota_t)
optional_policy(`
- mta_queue_filetrans(quota_t, quota_db_t, file)
- mta_spool_filetrans(quota_t, quota_db_t, file)
+ openshift_lib_filetrans(quota_t, quota_db_t, file)
')
optional_policy(`
@@ -103,12 +101,12 @@ optional_policy(`
#######################################
#
-# Nld local policy
+# Local policy
#
allow quota_nld_t self:fifo_file rw_fifo_file_perms;
allow quota_nld_t self:netlink_socket create_socket_perms;
-allow quota_nld_t self:unix_stream_socket { accept listen };
+allow quota_nld_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
@@ -121,11 +119,9 @@ init_read_utmp(quota_nld_t)
logging_send_syslog_msg(quota_nld_t)
-miscfiles_read_localization(quota_nld_t)
-
userdom_use_user_terminals(quota_nld_t)
optional_policy(`
- dbus_system_bus_client(quota_nld_t)
- dbus_connect_system_bus(quota_nld_t)
+ dbus_system_bus_client(quota_nld_t)
+ dbus_connect_system_bus(quota_nld_t)
')
diff --git a/rabbitmq.fc b/rabbitmq.fc
index c5ad6de..a48c318 100644
--- a/rabbitmq.fc
+++ b/rabbitmq.fc
@@ -4,7 +4,11 @@
/usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
+/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
+
+/var/lock/ejabberdctl(/.*)? gen_context(system_u:object_r:rabbitmq_var_lock_t,s0)
/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
+/var/log/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
/var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
diff --git a/rabbitmq.if b/rabbitmq.if
index 2c3d338..cf3e5ad 100644
--- a/rabbitmq.if
+++ b/rabbitmq.if
@@ -10,13 +10,13 @@
##
##
#
-interface(`rabbitmq_domtrans',`
+interface(`rabbitmq_domtrans_beam',`
gen_require(`
- type rabbitmq_t, rabbitmq_exec_t;
+ type rabbitmq_beam_t, rabbitmq_beam_exec_t;
')
corecmd_search_bin($1)
- domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
+ domtrans_pattern($1, rabbitmq_beam_exec_t, rabbitmq_beam_t)
')
########################################
diff --git a/rabbitmq.te b/rabbitmq.te
index dc3b0ed..750df0e 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
type rabbitmq_var_lib_t;
files_type(rabbitmq_var_lib_t)
+type rabbitmq_var_lock_t;
+files_lock_file(rabbitmq_var_lock_t)
+
type rabbitmq_var_log_t;
logging_log_file(rabbitmq_var_log_t)
@@ -30,6 +33,8 @@ files_pid_file(rabbitmq_var_run_t)
# Beam local policy
#
+allow rabbitmq_beam_t self:capability setuid;
+
allow rabbitmq_beam_t self:process { setsched signal signull };
allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_beam_t self:tcp_socket { accept listen };
@@ -38,13 +43,17 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+
+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
+files_lock_filetrans(rabbitmq_beam_t, rabbitmq_var_lock_t, file)
manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+ps_process_pattern(rabbitmq_beam_t, rabbitmq_epmd_t)
+
can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
@@ -55,11 +64,14 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
corecmd_exec_bin(rabbitmq_beam_t)
corecmd_exec_shell(rabbitmq_beam_t)
+corenet_tcp_bind_generic_node(rabbitmq_beam_t)
+corenet_udp_bind_generic_node(rabbitmq_beam_t)
corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
corenet_tcp_bind_generic_node(rabbitmq_beam_t)
+corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
@@ -69,37 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
-corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t)
corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
-corenet_tcp_sendrecv_couchdb_port(rabbitmq_beam_t)
-dev_read_sysfs(rabbitmq_beam_t)
-dev_read_urand(rabbitmq_beam_t)
+corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
+corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
+
+domain_read_all_domains_state(rabbitmq_beam_t)
+
+files_getattr_all_mountpoints(rabbitmq_beam_t)
fs_getattr_all_fs(rabbitmq_beam_t)
+fs_getattr_all_dirs(rabbitmq_beam_t)
+fs_getattr_cgroup(rabbitmq_beam_t)
fs_search_cgroup_dirs(rabbitmq_beam_t)
-files_read_etc_files(rabbitmq_beam_t)
+corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
+
+dev_read_sysfs(rabbitmq_beam_t)
+dev_read_urand(rabbitmq_beam_t)
storage_getattr_fixed_disk_dev(rabbitmq_beam_t)
-miscfiles_read_localization(rabbitmq_beam_t)
+auth_read_passwd(rabbitmq_beam_t)
+auth_use_pam(rabbitmq_beam_t)
sysnet_dns_name_resolve(rabbitmq_beam_t)
- optional_policy(`
- couchdb_manage_lib_files(rabbitmq_beam_t)
- couchdb_read_conf_files(rabbitmq_beam_t)
- couchdb_read_log_files(rabbitmq_beam_t)
- couchdb_read_pid_files(rabbitmq_beam_t)
- ')
+logging_send_syslog_msg(rabbitmq_beam_t)
+
+optional_policy(`
+ couchdb_manage_lib_files(rabbitmq_beam_t)
+ couchdb_read_conf_files(rabbitmq_beam_t)
+ couchdb_read_log_files(rabbitmq_beam_t)
+ couchdb_search_pid_dirs(rabbitmq_beam_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(rabbitmq_beam_t)
+')
########################################
#
# Epmd local policy
#
-
allow rabbitmq_epmd_t self:process signal;
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
@@ -117,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
-files_read_etc_files(rabbitmq_epmd_t)
-
logging_send_syslog_msg(rabbitmq_epmd_t)
-miscfiles_read_localization(rabbitmq_epmd_t)
diff --git a/radius.fc b/radius.fc
index d447e85..008ee02 100644
--- a/radius.fc
+++ b/radius.fc
@@ -9,6 +9,8 @@
/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/usr/lib/systemd/system/radiusd.* -- gen_context(system_u:object_r:radiusd_unit_file_t,s0)
+
/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
diff --git a/radius.if b/radius.if
index 4460582..60cf556 100644
--- a/radius.if
+++ b/radius.if
@@ -14,6 +14,29 @@ interface(`radius_use',`
refpolicywarn(`$0($*) has been deprecated.')
')
+#######################################
+##
+## Execute radiusd server in the radiusd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`radiusd_systemctl',`
+ gen_require(`
+ type radiusd_unit_file_t;
+ type radiusd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 radiusd_unit_file_t:file read_file_perms;
+ allow $1 radiusd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, radiusd_t)
+')
+
########################################
##
## All of the rules required to
@@ -35,11 +58,14 @@ interface(`radius_admin',`
gen_require(`
type radiusd_t, radiusd_etc_t, radiusd_log_t;
type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
- type radiusd_initrc_exec_t;
+ type radiusd_initrc_exec_t, radiusd_unit_file_t;
')
- allow $1 radiusd_t:process { ptrace signal_perms };
+ allow $1 radiusd_t:process signal_perms;
ps_process_pattern($1, radiusd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 radiusd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -57,4 +83,9 @@ interface(`radius_admin',`
files_list_pids($1)
admin_pattern($1, radiusd_var_run_t)
+
+ admin_pattern($1, radiusd_unit_file_t)
+ bind_systemctl($1)
+ allow $1 radiusd_unit_file_t:service all_service_perms;
+
')
diff --git a/radius.te b/radius.te
index 403a4fe..0ae6dc6 100644
--- a/radius.te
+++ b/radius.te
@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
type radiusd_var_run_t;
files_pid_file(radiusd_var_run_t)
+type radiusd_unit_file_t;
+systemd_unit_file(radiusd_unit_file_t)
+
########################################
#
# Local policy
@@ -60,11 +63,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
+files_dontaudit_list_tmp(radiusd_t)
kernel_read_kernel_sysctls(radiusd_t)
kernel_read_system_state(radiusd_t)
-corenet_all_recvfrom_unlabeled(radiusd_t)
corenet_all_recvfrom_netlabel(radiusd_t)
corenet_tcp_sendrecv_generic_if(radiusd_t)
corenet_udp_sendrecv_generic_if(radiusd_t)
@@ -74,6 +77,8 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
corenet_udp_sendrecv_all_ports(radiusd_t)
corenet_udp_bind_generic_node(radiusd_t)
+corenet_tcp_connect_postgresql_port(radiusd_t)
+
corenet_sendrecv_radacct_server_packets(radiusd_t)
corenet_udp_bind_radacct_port(radiusd_t)
@@ -97,7 +102,6 @@ domain_use_interactive_fds(radiusd_t)
fs_getattr_all_fs(radiusd_t)
fs_search_auto_mountpoints(radiusd_t)
-files_read_usr_files(radiusd_t)
files_read_etc_runtime_files(radiusd_t)
files_dontaudit_list_tmp(radiusd_t)
@@ -109,7 +113,6 @@ libs_exec_lib_files(radiusd_t)
logging_send_syslog_msg(radiusd_t)
-miscfiles_read_localization(radiusd_t)
miscfiles_read_generic_certs(radiusd_t)
sysnet_use_ldap(radiusd_t)
@@ -122,6 +125,11 @@ optional_policy(`
')
optional_policy(`
+ kerberos_tmp_filetrans_host_rcache(radiusd_t, "host_0")
+ kerberos_manage_host_rcache(radiusd_t)
+')
+
+optional_policy(`
logrotate_exec(radiusd_t)
')
diff --git a/radvd.if b/radvd.if
index ac7058d..48739ac 100644
--- a/radvd.if
+++ b/radvd.if
@@ -1,5 +1,24 @@
## IPv6 router advertisement daemon.
+######################################
+##
+## Read radvd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`radvd_read_pid_files',`
+ gen_require(`
+ type radvd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, radvd_var_run_t, radvd_var_run_t)
+')
+
########################################
##
## All of the rules required to
@@ -23,8 +42,11 @@ interface(`radvd_admin',`
type radvd_var_run_t;
')
- allow $1 radvd_t:process { ptrace signal_perms };
+ allow $1 radvd_t:process signal_perms;
ps_process_pattern($1, radvd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 radvd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, radvd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/radvd.te b/radvd.te
index 6d162e4..889c0ed 100644
--- a/radvd.te
+++ b/radvd.te
@@ -65,8 +65,6 @@ auth_use_nsswitch(radvd_t)
logging_send_syslog_msg(radvd_t)
-miscfiles_read_localization(radvd_t)
-
userdom_dontaudit_use_unpriv_user_fds(radvd_t)
userdom_dontaudit_search_user_home_dirs(radvd_t)
diff --git a/raid.fc b/raid.fc
index 5806046..d83ec27 100644
--- a/raid.fc
+++ b/raid.fc
@@ -3,6 +3,11 @@
/etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
+/etc/mdadm\.conf -- gen_context(system_u:object_r:mdadm_conf_t,s0)
+
+/usr/lib/systemd/system/mdmon@.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
+/usr/lib/systemd/system/mdmonitor.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
+
/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
@@ -16,6 +21,7 @@
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/sbin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
diff --git a/raid.if b/raid.if
index 951db7f..c0cabe8 100644
--- a/raid.if
+++ b/raid.if
@@ -1,9 +1,8 @@
-## RAID array management tools.
+## RAID array management tools
########################################
##
-## Execute software raid tools in
-## the mdadm domain.
+## Execute software raid tools in the mdadm domain.
##
##
##
@@ -22,34 +21,56 @@ interface(`raid_domtrans_mdadm',`
######################################
##
-## Execute mdadm in the mdadm
-## domain, and allow the specified
-## role the mdadm domain.
+## Execute a domain transition to mdadm_t for the
+## specified role, allowing it to use the mdadm_t
+## domain
##
##
##
-## Role allowed access.
+## Role allowed to access mdadm_t domain
##
##
##
##
-## Domain allowed to transition.
+## Domain allowed to transition to mdadm_t
##
##
#
interface(`raid_run_mdadm',`
gen_require(`
- attribute_role mdadm_roles;
+ type mdadm_t;
')
+ role $1 types mdadm_t;
raid_domtrans_mdadm($2)
- roleattribute $1 mdadm_roles;
+')
+
+######################################
+##
+## Execute mdadm server in the mdadm domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mdadm_systemctl',`
+ gen_require(`
+ type mdadm_t;
+ type mdadm_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 mdadm_unit_file_t:file read_file_perms;
+ allow $1 mdadm_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, mdadm_t)
')
########################################
##
-## Create, read, write, and delete
-## mdadm pid files.
+## read the mdadm pid files.
##
##
##
@@ -57,47 +78,112 @@ interface(`raid_run_mdadm',`
##
##
#
-interface(`raid_manage_mdadm_pid',`
+interface(`raid_read_mdadm_pid',`
gen_require(`
type mdadm_var_run_t;
')
- files_search_pids($1)
- allow $1 mdadm_var_run_t:file manage_file_perms;
+ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)
')
########################################
##
-## All of the rules required to
-## administrate an mdadm environment.
+## Create, read, write, and delete the mdadm pid files.
##
+##
+##
+## Create, read, write, and delete the mdadm pid files.
+##
+##
+## Added for use in the init module.
+##
+##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`raid_manage_mdadm_pid',`
+ gen_require(`
+ type mdadm_var_run_t;
+ ')
+
+ # FIXME: maybe should have a type_transition. not
+ # clear what this is doing, from the original
+ # mdadm policy
+ allow $1 mdadm_var_run_t:file manage_file_perms;
+')
+
+#######################################
+##
+## Check access to the mdadm executable.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`raid_access_check_mdadm',`
+ gen_require(`
+ type mdadm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
+')
+
+########################################
+##
+## Read mdadm config files.
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
-interface(`raid_admin_mdadm',`
+interface(`raid_read_conf_files',`
gen_require(`
- type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t;
+ type mdadm_conf_t;
')
- allow $1 mdadm_t:process { ptrace signal_perms };
- ps_process_pattern($1, mdadm_t)
+ read_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
+')
+
+########################################
+##
+## Manage mdadm config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`raid_manage_conf_files',`
+ gen_require(`
+ type mdadm_conf_t;
+ ')
- init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mdadm_initrc_exec_t system_r;
- allow $2 system_r;
+ manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
+')
- files_search_pids($1)
- admin_pattern($1, mdadm_var_run_t)
+########################################
+##
+## Transition to mdadm named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`raid_filetrans_named_content',`
+ gen_require(`
+ type mdadm_conf_t;
+ ')
- raid_run_mdadm($2, $1)
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
')
diff --git a/raid.te b/raid.te
index c99753f..5e27523 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t)
+type mdadm_conf_t;
+files_config_file(mdadm_conf_t)
+
+type mdadm_unit_file_t;
+systemd_unit_file(mdadm_unit_file_t)
+
+type mdadm_tmp_t;
+files_tmpfs_file(mdadm_tmp_t)
+
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
dev_associate(mdadm_var_run_t)
@@ -25,23 +34,34 @@ dev_associate(mdadm_var_run_t)
#
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
-dontaudit mdadm_t self:capability sys_tty_config;
-allow mdadm_t self:process { getsched setsched signal_perms };
+dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace };
+allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mdadm_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_files_pattern(mdadm_t, mdadm_conf_t, mdadm_conf_t)
+files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf")
+
+manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
+manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
+files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file)
manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
-dev_filetrans(mdadm_t, mdadm_var_run_t, file)
-files_pid_filetrans(mdadm_t, mdadm_var_run_t, { dir file })
+files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
+dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
+
+can_exec(mdadm_t, mdadm_exec_t)
kernel_getattr_core_if(mdadm_t)
kernel_read_system_state(mdadm_t)
kernel_read_kernel_sysctls(mdadm_t)
kernel_request_load_module(mdadm_t)
kernel_rw_software_raid_state(mdadm_t)
+kernel_setsched(mdadm_t)
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
@@ -49,20 +69,29 @@ corecmd_exec_shell(mdadm_t)
dev_rw_sysfs(mdadm_t)
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
+dev_read_crash(mdadm_t)
+dev_read_framebuffer(mdadm_t)
dev_read_realtime_clock(mdadm_t)
dev_read_raw_memory(mdadm_t)
-
+dev_read_kvm(mdadm_t)
+dev_read_mei(mdadm_t)
+dev_read_nvram(mdadm_t)
+dev_read_generic_files(mdadm_t)
+dev_read_generic_usb_dev(mdadm_t)
+dev_read_urand(mdadm_t)
+
+domain_read_all_domains_state(mdadm_t)
domain_use_interactive_fds(mdadm_t)
-files_read_etc_files(mdadm_t)
files_read_etc_runtime_files(mdadm_t)
-files_dontaudit_getattr_all_files(mdadm_t)
+files_dontaudit_getattr_tmpfs_files(mdadm_t)
fs_getattr_all_fs(mdadm_t)
fs_list_auto_mountpoints(mdadm_t)
fs_list_hugetlbfs(mdadm_t)
fs_rw_cgroup_files(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
+fs_manage_cgroup_files(mdadm_t)
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
@@ -71,15 +100,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
+storage_raw_read_removable_device(mdadm_t)
term_dontaudit_list_ptys(mdadm_t)
term_dontaudit_use_unallocated_ttys(mdadm_t)
+auth_use_nsswitch(mdadm_t)
+
init_dontaudit_getattr_initctl(mdadm_t)
+logging_dontaudit_getattr_all_logs(mdadm_t)
logging_send_syslog_msg(mdadm_t)
-miscfiles_read_localization(mdadm_t)
+systemd_exec_systemctl(mdadm_t)
+systemd_start_systemd_services(mdadm_t)
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
@@ -94,13 +128,30 @@ optional_policy(`
')
optional_policy(`
+ kdump_manage_kdumpctl_tmp_files(mdadm_t)
+ kdump_rw_lock(mdadm_t)
+')
+
+optional_policy(`
mta_send_mail(mdadm_t)
')
optional_policy(`
+ mdadm_systemctl(mdadm_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(mdadm_t)
')
optional_policy(`
udev_read_db(mdadm_t)
')
+
+optional_policy(`
+ virt_read_blk_images(mdadm_t)
+')
+
+optional_policy(`
+ xserver_dontaudit_search_log(mdadm_t)
+')
diff --git a/rasdaemon.fc b/rasdaemon.fc
new file mode 100644
index 0000000..8e31dd0
--- /dev/null
+++ b/rasdaemon.fc
@@ -0,0 +1,9 @@
+/usr/lib/systemd/system/ras-mc-ctl.* -- gen_context(system_u:object_r:rasdaemon_unit_file_t,s0)
+
+/usr/lib/systemd/system/rasdaemon.* -- gen_context(system_u:object_r:rasdaemon_unit_file_t,s0)
+
+/usr/sbin/rasdaemon -- gen_context(system_u:object_r:rasdaemon_exec_t,s0)
+
+/usr/sbin/ras-mc-ctl -- gen_context(system_u:object_r:rasdaemon_exec_t,s0)
+
+/var/lib/rasdaemon(/.*)? gen_context(system_u:object_r:rasdaemon_var_lib_t,s0)
diff --git a/rasdaemon.if b/rasdaemon.if
new file mode 100644
index 0000000..a073efd
--- /dev/null
+++ b/rasdaemon.if
@@ -0,0 +1,156 @@
+
+## The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing
+
+########################################
+##
+## Execute TEMPLATE in the rasdaemon domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rasdaemon_domtrans',`
+ gen_require(`
+ type rasdaemon_t, rasdaemon_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rasdaemon_exec_t, rasdaemon_t)
+')
+
+########################################
+##
+## Search rasdaemon lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rasdaemon_search_lib',`
+ gen_require(`
+ type rasdaemon_var_lib_t;
+ ')
+
+ allow $1 rasdaemon_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read rasdaemon lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rasdaemon_read_lib_files',`
+ gen_require(`
+ type rasdaemon_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+')
+
+########################################
+##
+## Manage rasdaemon lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rasdaemon_manage_lib_files',`
+ gen_require(`
+ type rasdaemon_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+')
+
+########################################
+##
+## Manage rasdaemon lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rasdaemon_manage_lib_dirs',`
+ gen_require(`
+ type rasdaemon_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+')
+
+########################################
+##
+## Execute rasdaemon server in the rasdaemon domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rasdaemon_systemctl',`
+ gen_require(`
+ type rasdaemon_t;
+ type rasdaemon_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 rasdaemon_unit_file_t:file read_file_perms;
+ allow $1 rasdaemon_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, rasdaemon_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an rasdaemon environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`rasdaemon_admin',`
+ gen_require(`
+ type rasdaemon_t;
+ type rasdaemon_var_lib_t;
+ type rasdaemon_unit_file_t;
+ ')
+
+ allow $1 rasdaemon_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rasdaemon_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, rasdaemon_var_lib_t)
+
+ rasdaemon_systemctl($1)
+ admin_pattern($1, rasdaemon_unit_file_t)
+ allow $1 rasdaemon_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/rasdaemon.te b/rasdaemon.te
new file mode 100644
index 0000000..8651ca4
--- /dev/null
+++ b/rasdaemon.te
@@ -0,0 +1,35 @@
+policy_module(rasdaemon, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rasdaemon_t;
+type rasdaemon_exec_t;
+init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
+
+type rasdaemon_var_lib_t;
+files_type(rasdaemon_var_lib_t)
+
+type rasdaemon_unit_file_t;
+systemd_unit_file(rasdaemon_unit_file_t)
+
+########################################
+#
+# rasdaemon local policy
+#
+allow rasdaemon_t self:fifo_file rw_fifo_file_perms;
+allow rasdaemon_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+manage_files_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+files_var_lib_filetrans(rasdaemon_t, rasdaemon_var_lib_t, { dir file })
+
+kernel_read_system_state(rasdaemon_t)
+kernel_manage_debugfs(rasdaemon_t)
+
+dev_read_sysfs(rasdaemon_t)
+
+logging_send_syslog_msg(rasdaemon_t)
+
diff --git a/razor.fc b/razor.fc
index 6723f4d..6e26673 100644
--- a/razor.fc
+++ b/razor.fc
@@ -1,9 +1,9 @@
-HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
+#/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
+#HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
-/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
+#/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
-/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
+#/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
-/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
-
-/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0)
+#/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
+#/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0)
diff --git a/razor.if b/razor.if
index 1e4b523..fee3b7c 100644
--- a/razor.if
+++ b/razor.if
@@ -1,72 +1,147 @@
## A distributed, collaborative, spam detection and filtering network.
+##
+##
+## A distributed, collaborative, spam detection and filtering network.
+##
+##
+## This policy will work with either the ATrpms provided config
+## file in /etc/razor, or with the default of dumping everything into
+## $HOME/.razor.
+##
+##
#######################################
##
-## The template to define a razor domain.
+## Template to create types and rules common to
+## all razor domains.
##
-##
+##
##
-## Domain prefix to be used.
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
##
##
#
template(`razor_common_domain_template',`
gen_require(`
- attribute razor_domain;
- type razor_exec_t;
+ type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
')
- ########################################
- #
- # Declarations
- #
-
- type $1_t, razor_domain;
+ type $1_t;
domain_type($1_t)
domain_entry_file($1_t, razor_exec_t)
- ########################################
- #
- # Declarations
- #
-
- auth_use_nsswitch($1_t)
+ allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_t self:fd use;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:unix_dgram_socket sendto;
+ allow $1_t self:unix_stream_socket connectto;
+ allow $1_t self:shm create_shm_perms;
+ allow $1_t self:sem create_sem_perms;
+ allow $1_t self:msgq create_msgq_perms;
+ allow $1_t self:msg { send receive };
+ allow $1_t self:tcp_socket create_socket_perms;
+
+ # Read system config file
+ allow $1_t razor_etc_t:dir list_dir_perms;
+ allow $1_t razor_etc_t:file read_file_perms;
+ allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
+
+ manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
+ manage_files_pattern($1_t, razor_log_t, razor_log_t)
+ manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t)
+ logging_log_filetrans($1_t, razor_log_t, file)
+
+ manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+ manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+ manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+ files_search_var_lib($1_t)
+
+ # Razor is one executable and several symlinks
+ allow $1_t razor_exec_t:file read_file_perms;
+ allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
+
+ kernel_read_system_state($1_t)
+ kernel_read_network_state($1_t)
+ kernel_read_software_raid_state($1_t)
+ kernel_getattr_core_if($1_t)
+ kernel_getattr_message_if($1_t)
+ kernel_read_kernel_sysctls($1_t)
+
+ corecmd_exec_bin($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_generic_if($1_t)
+ corenet_raw_sendrecv_generic_if($1_t)
+ corenet_tcp_sendrecv_generic_node($1_t)
+ corenet_raw_sendrecv_generic_node($1_t)
+ corenet_tcp_sendrecv_razor_port($1_t)
+
+ # mktemp and other randoms
+ dev_read_rand($1_t)
+ dev_read_urand($1_t)
+
+ files_search_pids($1_t)
+ # Allow access to various files in the /etc/directory including mtab
+ # and nsswitch
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+
+ fs_search_auto_mountpoints($1_t)
+
+ libs_read_lib_files($1_t)
+
+
+ sysnet_read_config($1_t)
+ sysnet_dns_name_resolve($1_t)
+
+ optional_policy(`
+ nis_use_ypbind($1_t)
+ ')
')
########################################
##
-## Role access for razor.
+## Role access for razor
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
+##
#
interface(`razor_role',`
gen_require(`
- attribute_role razor_roles;
type razor_t, razor_exec_t, razor_home_t;
- type razor_tmp_t;
')
- roleattribute $1 razor_roles;
+ role $1 types razor_t;
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, razor_exec_t, razor_t)
+ # allow ps to show razor and allow the user to kill it
ps_process_pattern($2, razor_t)
- allow $2 razor_t:process signal;
-
- allow $2 { razor_home_t razor_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { razor_home_t razor_tmp_t }:file { manage_file_perms relabel_file_perms };
- allow $2 razor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 razor_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 razor_t:process ptrace;
+ ')
- userdom_user_home_dir_filetrans($2, razor_home_t, dir, ".razor")
+ manage_dirs_pattern($2, razor_home_t, razor_home_t)
+ manage_files_pattern($2, razor_home_t, razor_home_t)
+ manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
+ relabel_dirs_pattern($2, razor_home_t, razor_home_t)
+ relabel_files_pattern($2, razor_home_t, razor_home_t)
+ relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
')
########################################
@@ -81,17 +156,16 @@ interface(`razor_role',`
#
interface(`razor_domtrans',`
gen_require(`
- type system_razor_t, razor_exec_t;
+ type razor_t, razor_exec_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, razor_exec_t, system_razor_t)
+ domtrans_pattern($1, razor_exec_t, razor_t)
')
########################################
##
-## Create, read, write, and delete
-## razor home content.
+## Create, read, write, and delete razor files
+## in a user home subdirectory.
##
##
##
@@ -99,20 +173,19 @@ interface(`razor_domtrans',`
##
##
#
-interface(`razor_manage_home_content',`
+interface(`razor_manage_user_home_files',`
gen_require(`
type razor_home_t;
')
userdom_search_user_home_dirs($1)
- allow $1 razor_home_t:dir manage_dir_perms;
- allow $1 razor_home_t:file manage_file_perms;
- allow $1 razor_home_t:lnk_file manage_lnk_file_perms;
+ manage_files_pattern($1, razor_home_t, razor_home_t)
+ read_lnk_files_pattern($1, razor_home_t, razor_home_t)
')
########################################
##
-## Read razor lib files.
+## read razor lib files.
##
##
##
diff --git a/razor.te b/razor.te
index 68455f9..38f6968 100644
--- a/razor.te
+++ b/razor.te
@@ -5,135 +5,124 @@ policy_module(razor, 2.4.0)
# Declarations
#
-attribute razor_domain;
+ifdef(`distro_redhat',`
+ gen_require(`
+ type spamc_t, spamc_exec_t, spamd_log_t;
+ type spamd_spool_t, spamd_var_lib_t, spamd_etc_t;
+ type spamc_home_t, spamc_tmp_t;
+ ')
+
+ typealias spamc_t alias razor_t;
+ typealias spamc_exec_t alias razor_exec_t;
+ typealias spamd_log_t alias razor_log_t;
+ typealias spamd_var_lib_t alias razor_var_lib_t;
+ typealias spamd_etc_t alias razor_etc_t;
+ typealias spamc_home_t alias razor_home_t;
+ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+',`
+ type razor_exec_t;
+ corecmd_executable_file(razor_exec_t)
+
+ type razor_etc_t;
+ files_config_file(razor_etc_t)
+
+ type razor_home_t;
+ typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+ typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+ userdom_user_home_content(razor_home_t)
+
+ type razor_log_t;
+ logging_log_file(razor_log_t)
+
+ type razor_tmp_t;
+ typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+ typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+ files_tmp_file(razor_tmp_t)
+ ubac_constrained(razor_tmp_t)
+
+ type razor_var_lib_t;
+ files_type(razor_var_lib_t)
+
+ # these are here due to ordering issues:
+ razor_common_domain_template(razor)
+ typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
+ typealias razor_t alias { auditadm_razor_t secadm_razor_t };
+ ubac_constrained(razor_t)
+
+ razor_common_domain_template(system_razor)
+ role system_r types system_razor_t;
+
+ ########################################
+ #
+ # System razor local policy
+ #
+
+ # this version of razor is invoked typically
+ # via the system spam filter
+
+ allow system_razor_t self:tcp_socket create_socket_perms;
+
+ manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ files_search_etc(system_razor_t)
+
+ allow system_razor_t razor_log_t:file manage_file_perms;
+ logging_log_filetrans(system_razor_t, razor_log_t, file)
+
+ manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+ files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
+
+ corenet_all_recvfrom_netlabel(system_razor_t)
+ corenet_tcp_sendrecv_generic_if(system_razor_t)
+ corenet_raw_sendrecv_generic_if(system_razor_t)
+ corenet_tcp_sendrecv_generic_node(system_razor_t)
+ corenet_raw_sendrecv_generic_node(system_razor_t)
+ corenet_tcp_sendrecv_razor_port(system_razor_t)
+ corenet_tcp_connect_razor_port(system_razor_t)
+ corenet_sendrecv_razor_client_packets(system_razor_t)
+
+ auth_use_nsswitch(system_razor_t)
+
+ # cjp: this shouldn't be needed
+ userdom_use_unpriv_users_fds(system_razor_t)
+
+ optional_policy(`
+ logging_send_syslog_msg(system_razor_t)
+ ')
+
+ ########################################
+ #
+ # User razor local policy
+ #
+
+ # Allow razor to be run by hand. Needed by any action other than
+ # invocation from a spam filter.
+
+ allow razor_t self:unix_stream_socket create_stream_socket_perms;
+
+ manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
+ manage_files_pattern(razor_t, razor_home_t, razor_home_t)
+ manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
+ userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
+
+ manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+ manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+ files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+
+ auth_use_nsswitch(razor_t)
-attribute_role razor_roles;
+ logging_send_syslog_msg(razor_t)
-type razor_exec_t;
-corecmd_executable_file(razor_exec_t)
+ userdom_search_user_home_dirs(razor_t)
+ userdom_use_inherited_user_terminals(razor_t)
-type razor_etc_t;
-files_config_file(razor_etc_t)
+ userdom_home_manager(razor_t)
-type razor_home_t;
-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-userdom_user_home_content(razor_home_t)
-
-type razor_log_t;
-logging_log_file(razor_log_t)
-
-type razor_tmp_t;
-typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
-typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-userdom_user_tmp_file(razor_tmp_t)
-
-type razor_var_lib_t;
-files_type(razor_var_lib_t)
-
-razor_common_domain_template(razor)
-typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
-typealias razor_t alias { auditadm_razor_t secadm_razor_t };
-userdom_user_application_type(razor_t)
-role razor_roles types razor_t;
-
-razor_common_domain_template(system_razor)
-role system_r types system_razor_t;
-
-########################################
-#
-# Common razor domain local policy
-#
-
-allow razor_domain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow razor_domain self:fd use;
-allow razor_domain self:fifo_file rw_fifo_file_perms;
-allow razor_domain self:unix_dgram_socket sendto;
-allow razor_domain self:unix_stream_socket { accept connectto listen };
-
-allow razor_domain razor_etc_t:dir list_dir_perms;
-allow razor_domain razor_etc_t:file read_file_perms;
-allow razor_domain razor_etc_t:lnk_file read_lnk_file_perms;
-
-allow razor_domain razor_exec_t:file read_file_perms;
-allow razor_domain razor_exec_t:lnk_file read_lnk_file_perms;
-
-kernel_read_system_state(razor_domain)
-kernel_read_network_state(razor_domain)
-kernel_read_software_raid_state(razor_domain)
-kernel_getattr_core_if(razor_domain)
-kernel_getattr_message_if(razor_domain)
-kernel_read_kernel_sysctls(razor_domain)
-
-corecmd_exec_bin(razor_domain)
-
-corenet_all_recvfrom_unlabeled(razor_domain)
-corenet_all_recvfrom_netlabel(razor_domain)
-corenet_tcp_sendrecv_generic_if(razor_domain)
-corenet_tcp_sendrecv_generic_node(razor_domain)
-
-corenet_tcp_sendrecv_razor_port(razor_domain)
-corenet_tcp_connect_razor_port(razor_domain)
-corenet_sendrecv_razor_client_packets(razor_domain)
-
-dev_read_rand(razor_domain)
-dev_read_urand(razor_domain)
-
-files_read_etc_runtime_files(razor_domain)
-
-libs_read_lib_files(razor_domain)
-
-miscfiles_read_localization(razor_domain)
-
-########################################
-#
-# System local policy
-#
-
-manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-
-manage_dirs_pattern(system_razor_t, razor_log_t, razor_log_t)
-append_files_pattern(system_razor_t, razor_log_t, razor_log_t)
-create_files_pattern(system_razor_t, razor_log_t, razor_log_t)
-setattr_files_pattern(system_razor_t, razor_log_t, razor_log_t)
-manage_lnk_files_pattern(system_razor_t, razor_log_t, razor_log_t)
-logging_log_filetrans(system_razor_t, razor_log_t, file)
-
-manage_dirs_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-manage_lnk_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
-
-########################################
-#
-# Session local policy
-#
-
-manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
-manage_files_pattern(razor_t, razor_home_t, razor_home_t)
-manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
-userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir, ".razor")
-
-manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
-
-fs_getattr_all_fs(razor_t)
-fs_search_auto_mountpoints(razor_t)
-
-userdom_use_unpriv_users_fds(razor_t)
-userdom_use_user_terminals(razor_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(razor_t)
- fs_manage_nfs_files(razor_t)
- fs_manage_nfs_symlinks(razor_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(razor_t)
- fs_manage_cifs_files(razor_t)
- fs_manage_cifs_symlinks(razor_t)
+ optional_policy(`
+ milter_manage_spamass_state(razor_t)
+ ')
')
diff --git a/rdisc.fc b/rdisc.fc
index e9765c0..ea21331 100644
--- a/rdisc.fc
+++ b/rdisc.fc
@@ -1,3 +1,3 @@
-/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
+/usr/lib/systemd/system/rdisc.* -- gen_context(system_u:object_r:rdisc_unit_file_t,s0)
/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/rdisc.if b/rdisc.if
index 170ef52..7dd9193 100644
--- a/rdisc.if
+++ b/rdisc.if
@@ -18,3 +18,57 @@ interface(`rdisc_exec',`
corecmd_search_bin($1)
can_exec($1, rdisc_exec_t)
')
+
+########################################
+##
+## Execute rdisc server in the rdisc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rdisc_systemctl',`
+ gen_require(`
+ type rdisc_t;
+ type rdisc_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 rdisc_unit_file_t:file read_file_perms;
+ allow $1 rdisc_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, rdisc_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an rdisc environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`rdisc_admin',`
+ gen_require(`
+ type rdisc_t;
+ type rdisc_unit_file_t;
+ ')
+
+ allow $1 rdisc_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rdisc_t)
+
+ rdisc_systemctl($1)
+ admin_pattern($1, rdisc_unit_file_t)
+ allow $1 rdisc_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/rdisc.te b/rdisc.te
index 9196c1d..b775931 100644
--- a/rdisc.te
+++ b/rdisc.te
@@ -9,6 +9,9 @@ type rdisc_t;
type rdisc_exec_t;
init_daemon_domain(rdisc_t, rdisc_exec_t)
+type rdisc_unit_file_t;
+systemd_unit_file(rdisc_unit_file_t)
+
########################################
#
# Local policy
@@ -25,7 +28,6 @@ kernel_list_proc(rdisc_t)
kernel_read_proc_symlinks(rdisc_t)
kernel_read_kernel_sysctls(rdisc_t)
-corenet_all_recvfrom_unlabeled(rdisc_t)
corenet_all_recvfrom_netlabel(rdisc_t)
corenet_udp_sendrecv_generic_if(rdisc_t)
corenet_raw_sendrecv_generic_if(rdisc_t)
@@ -39,12 +41,9 @@ fs_search_auto_mountpoints(rdisc_t)
domain_use_interactive_fds(rdisc_t)
-files_read_etc_files(rdisc_t)
logging_send_syslog_msg(rdisc_t)
-miscfiles_read_localization(rdisc_t)
-
sysnet_read_config(rdisc_t)
userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
diff --git a/readahead.fc b/readahead.fc
index f01b32f..46279e8 100644
--- a/readahead.fc
+++ b/readahead.fc
@@ -1,7 +1,11 @@
-/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
+/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/usr/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
+/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
/var/run/readahead.* gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/readahead.if b/readahead.if
index 661bb88..06f69c4 100644
--- a/readahead.if
+++ b/readahead.if
@@ -19,3 +19,27 @@ interface(`readahead_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, readahead_exec_t, readahead_t)
')
+
+########################################
+##
+## Manage readahead var_run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`readahead_manage_pid_files',`
+ gen_require(`
+ type readahead_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, readahead_var_run_t, readahead_var_run_t)
+ manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t)
+ dev_filetrans($1, readahead_var_run_t, { dir file })
+ init_pid_filetrans($1, readahead_var_run_t, { dir file })
+ files_search_pids($1)
+ init_search_pid_dirs($1)
+')
+
diff --git a/readahead.te b/readahead.te
index c0b02c9..af81d71 100644
--- a/readahead.te
+++ b/readahead.te
@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
type readahead_var_run_t;
files_pid_file(readahead_var_run_t)
+dev_associate(readahead_var_run_t)
init_daemon_run_dir(readahead_var_run_t, "readahead")
########################################
@@ -31,13 +32,18 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
+dev_filetrans(readahead_t, readahead_var_run_t, { dir file })
files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
kernel_read_all_sysctls(readahead_t)
kernel_read_system_state(readahead_t)
kernel_dontaudit_getattr_core_if(readahead_t)
+kernel_list_all_proc(readahead_t)
-dev_read_sysfs(readahead_t)
+dev_rw_sysfs(readahead_t)
+dev_read_kmsg(readahead_t)
+dev_read_urand(readahead_t)
+dev_write_kmsg(readahead_t)
dev_getattr_generic_chr_files(readahead_t)
dev_getattr_generic_blk_files(readahead_t)
dev_getattr_all_chr_files(readahead_t)
@@ -51,12 +57,22 @@ domain_use_interactive_fds(readahead_t)
domain_read_all_domains_state(readahead_t)
files_create_boot_flag(readahead_t)
+files_delete_root_files(readahead_t)
files_getattr_all_pipes(readahead_t)
files_list_non_security(readahead_t)
files_read_non_security_files(readahead_t)
files_search_var_lib(readahead_t)
files_dontaudit_getattr_all_sockets(readahead_t)
files_dontaudit_getattr_non_security_blk_files(readahead_t)
+files_dontaudit_all_access_check(readahead_t)
+files_dontaudit_read_security_files(readahead_t)
+files_dontaudit_read_all_sockets(readahead_t)
+
+ifdef(`hide_broken_symptoms', `
+ files_dontaudit_write_all_files(readahead_t)
+ dev_dontaudit_write_all_chr_files(readahead_t)
+ dev_dontaudit_write_all_blk_files(readahead_t)
+')
fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
@@ -66,13 +82,12 @@ fs_read_cgroup_files(readahead_t)
fs_read_tmpfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
+fs_dontaudit_read_tmpfs_blk_dev(readahead_t)
fs_dontaudit_search_ramfs(readahead_t)
fs_dontaudit_read_ramfs_pipes(readahead_t)
fs_dontaudit_read_ramfs_files(readahead_t)
fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
-mcs_file_read_all(readahead_t)
-
mls_file_read_all_levels(readahead_t)
storage_raw_read_fixed_disk(readahead_t)
@@ -84,13 +99,15 @@ auth_dontaudit_read_shadow(readahead_t)
init_use_fds(readahead_t)
init_use_script_ptys(readahead_t)
init_getattr_initctl(readahead_t)
+# needs to write to /run/systemd/notify
+init_write_pid_socket(readahead_t)
+init_create_pid_dirs(readahead_t)
+init_pid_filetrans(readahead_t, readahead_var_run_t, dir, "readahead")
logging_send_syslog_msg(readahead_t)
logging_set_audit_parameters(readahead_t)
logging_dontaudit_search_audit_config(readahead_t)
-miscfiles_read_localization(readahead_t)
-
userdom_dontaudit_use_unpriv_user_fds(readahead_t)
userdom_dontaudit_search_user_home_dirs(readahead_t)
diff --git a/realmd.fc b/realmd.fc
index 04babe3..3b92679 100644
--- a/realmd.fc
+++ b/realmd.fc
@@ -1 +1,5 @@
-/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
+/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
+
+/var/cache/realmd(/.*)? gen_context(system_u:object_r:realmd_var_cache_t,s0)
+
+/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0)
diff --git a/realmd.if b/realmd.if
index bff31df..3b2a829 100644
--- a/realmd.if
+++ b/realmd.if
@@ -1,8 +1,9 @@
-## Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA.
+
+## dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA
########################################
##
-## Execute realmd in the realmd domain.
+## Execute realmd in the realmd_t domain.
##
##
##
@@ -39,3 +40,101 @@ interface(`realmd_dbus_chat',`
allow $1 realmd_t:dbus send_msg;
allow realmd_t $1:dbus send_msg;
')
+
+########################################
+##
+## Search realmd cache directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`realmd_search_cache',`
+ gen_require(`
+ type realmd_var_cache_t;
+ ')
+
+ allow $1 realmd_var_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+##
+## Read realmd cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`realmd_read_cache_files',`
+ gen_require(`
+ type realmd_var_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## realmd cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`realmd_manage_cache_files',`
+ gen_require(`
+ type realmd_var_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
+')
+
+########################################
+##
+## Manage realmd cache dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`realmd_manage_cache_dirs',`
+ gen_require(`
+ type realmd_var_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
+')
+
+
+########################################
+##
+## Read realmd tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`realmd_read_tmp_files',`
+ gen_require(`
+ type realmd_tmp_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, realmd_tmp_t, realmd_tmp_t)
+')
+
diff --git a/realmd.te b/realmd.te
index 5bc878b..5736203 100644
--- a/realmd.te
+++ b/realmd.te
@@ -7,47 +7,89 @@ policy_module(realmd, 1.1.0)
type realmd_t;
type realmd_exec_t;
-init_system_domain(realmd_t, realmd_exec_t)
+init_daemon_domain(realmd_t, realmd_exec_t)
+application_domain(realmd_t, realmd_exec_t)
+role system_r types realmd_t;
+
+type realmd_tmp_t;
+files_tmp_file(realmd_tmp_t)
+
+type realmd_var_cache_t;
+files_type(realmd_var_cache_t)
+
+type realmd_var_lib_t;
+files_type(realmd_var_lib_t)
########################################
#
-# Local policy
+# realmd local policy
#
-allow realmd_t self:capability sys_nice;
+allow realmd_t self:capability { sys_nice };
+allow realmd_t self:capability2 block_suspend;
allow realmd_t self:process setsched;
+allow realmd_t self:key manage_key_perms;
+
+manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
+manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
+files_tmp_filetrans(realmd_t, realmd_tmp_t, { dir file })
+
+manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+
+manage_dirs_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t)
+manage_files_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t)
+files_var_lib_filetrans(realmd_t, realmd_var_lib_t, dir)
kernel_read_system_state(realmd_t)
+kernel_read_network_state(realmd_t)
corecmd_exec_bin(realmd_t)
corecmd_exec_shell(realmd_t)
-corenet_all_recvfrom_unlabeled(realmd_t)
-corenet_all_recvfrom_netlabel(realmd_t)
-corenet_tcp_sendrecv_generic_if(realmd_t)
-corenet_tcp_sendrecv_generic_node(realmd_t)
-
-corenet_sendrecv_http_client_packets(realmd_t)
corenet_tcp_connect_http_port(realmd_t)
-corenet_tcp_sendrecv_http_port(realmd_t)
+corenet_tcp_connect_ldap_port(realmd_t)
+corenet_tcp_connect_smbd_port(realmd_t)
domain_use_interactive_fds(realmd_t)
dev_read_rand(realmd_t)
dev_read_urand(realmd_t)
-fs_getattr_all_fs(realmd_t)
+files_manage_etc_files(realmd_t)
-files_read_usr_files(realmd_t)
+fs_getattr_all_fs(realmd_t)
auth_use_nsswitch(realmd_t)
+init_filetrans_named_content(realmd_t)
+
+logging_manage_generic_logs(realmd_t)
logging_send_syslog_msg(realmd_t)
+miscfiles_manage_generic_cert_files(realmd_t)
+
+seutil_domtrans_setfiles(realmd_t)
+seutil_read_file_contexts(realmd_t)
+
+sysnet_dns_name_resolve(realmd_t)
+systemd_exec_systemctl(realmd_t)
+
+#userdom_admin_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
+#userdom_user_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
+
+optional_policy(`
+ authconfig_domtrans(realmd_t)
+')
+
optional_policy(`
dbus_system_domain(realmd_t, realmd_exec_t)
optional_policy(`
+ certmonger_dbus_chat(realmd_t)
+ ')
+
+ optional_policy(`
networkmanager_dbus_chat(realmd_t)
')
@@ -63,21 +105,40 @@ optional_policy(`
optional_policy(`
kerberos_use(realmd_t)
kerberos_rw_keytab(realmd_t)
+ kerberos_rw_config(realmd_t)
+ kerberos_filetrans_named_content(realmd_t)
+')
+
+optional_policy(`
+ ntp_domtrans_ntpdate(realmd_t)
+')
+
+optional_policy(`
+ ssh_domtrans(realmd_t)
+ ssh_systemctl(realmd_t)
')
optional_policy(`
nis_exec_ypbind(realmd_t)
- nis_initrc_domtrans(realmd_t)
+ nis_systemctl_ypbind(realmd_t)
')
optional_policy(`
- gnome_read_generic_home_content(realmd_t)
+ gnome_read_config(realmd_t)
+ gnome_read_generic_cache_files(realmd_t)
+ gnome_write_generic_cache_files(realmd_t)
+ gnome_manage_cache_home_dir(realmd_t)
+
')
optional_policy(`
samba_domtrans_net(realmd_t)
samba_manage_config(realmd_t)
- samba_getattr_winbind_exec(realmd_t)
+ samba_getattr_winbind(realmd_t)
+')
+
+optional_policy(`
+ rpm_dbus_chat(realmd_t)
')
optional_policy(`
@@ -86,5 +147,27 @@ optional_policy(`
sssd_manage_lib_files(realmd_t)
sssd_manage_public_files(realmd_t)
sssd_read_pid_files(realmd_t)
- sssd_initrc_domtrans(realmd_t)
+ sssd_systemctl(realmd_t)
+')
+
+optional_policy(`
+ xserver_read_state_xdm(realmd_t)
+')
+
+optional_policy(`
+ unconfined_domain(realmd_t)
+')
+
+#####################################
+#
+# realmd consolehelper local policy
+#
+
+optional_policy(`
+ userhelper_console_role_template(realmd, system_r, realmd_t)
+ authconfig_manage_lib_files(realmd_consolehelper_t)
+
+ oddjob_systemctl(realmd_consolehelper_t)
+
+ unconfined_domain_noaudit(realmd_consolehelper_t)
')
diff --git a/redis.fc b/redis.fc
index e240ac9..638d6b4 100644
--- a/redis.fc
+++ b/redis.fc
@@ -1,9 +1,11 @@
/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
-/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
-/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
+/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
-/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
+/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
-/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
+/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
+
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
diff --git a/redis.if b/redis.if
index 16c8ecb..9fc0cb9 100644
--- a/redis.if
+++ b/redis.if
@@ -1,9 +1,224 @@
-## Advanced key-value store.
+## Advanced key-value store
########################################
##
-## All of the rules required to
-## administrate an redis environment.
+## Execute redis server in the redis domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`redis_domtrans',`
+ gen_require(`
+ type redis_t, redis_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, redis_exec_t, redis_t)
+')
+
+########################################
+##
+## Execute redis server in the redis domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_initrc_domtrans',`
+ gen_require(`
+ type redis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, redis_initrc_exec_t)
+')
+
+########################################
+##
+## Read redis's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_read_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+##
+## Append to redis log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_append_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+##
+## Manage redis log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_manage_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, redis_log_t, redis_log_t)
+ manage_files_pattern($1, redis_log_t, redis_log_t)
+ manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+##
+## Search redis lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_search_lib',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ allow $1 redis_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read redis lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_read_lib_files',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+##
+## Manage redis lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_manage_lib_files',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+##
+## Manage redis lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_manage_lib_dirs',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+##
+## Read redis PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_read_pid_files',`
+ gen_require(`
+ type redis_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, redis_var_run_t, redis_var_run_t)
+')
+
+########################################
+##
+## Execute redis server in the redis domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`redis_systemctl',`
+ gen_require(`
+ type redis_t;
+ type redis_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 redis_unit_file_t:file read_file_perms;
+ allow $1 redis_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, redis_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an redis environment
##
##
##
@@ -20,7 +235,7 @@
interface(`redis_admin',`
gen_require(`
type redis_t, redis_initrc_exec_t, redis_var_lib_t;
- type redis_log_t, redis_var_run_t;
+ type redis_log_t, redis_var_run_t, redis_unit_file_t;
')
allow $1 redis_t:process { ptrace signal_perms };
@@ -32,11 +247,20 @@ interface(`redis_admin',`
allow $2 system_r;
logging_search_logs($1)
- admin_pattern($!, redis_log_t)
+ admin_pattern($1, redis_log_t)
files_search_var_lib($1)
admin_pattern($1, redis_var_lib_t)
files_search_pids($1)
admin_pattern($1, redis_var_run_t)
+
+ redis_systemctl($1)
+ admin_pattern($1, redis_unit_file_t)
+ allow $1 redis_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/redis.te b/redis.te
index 25cd417..178198b 100644
--- a/redis.te
+++ b/redis.te
@@ -21,6 +21,9 @@ files_type(redis_var_lib_t)
type redis_var_run_t;
files_pid_file(redis_var_run_t)
+type redis_unit_file_t;
+systemd_unit_file(redis_unit_file_t)
+
########################################
#
# Local policy
@@ -60,6 +63,4 @@ dev_read_urand(redis_t)
logging_send_syslog_msg(redis_t)
-miscfiles_read_localization(redis_t)
-
sysnet_dns_name_resolve(redis_t)
diff --git a/remotelogin.fc b/remotelogin.fc
index 327baf0..d8691bd 100644
--- a/remotelogin.fc
+++ b/remotelogin.fc
@@ -1 +1,2 @@
+
# Remote login currently has no file contexts.
diff --git a/remotelogin.if b/remotelogin.if
index a9ce68e..31be971 100644
--- a/remotelogin.if
+++ b/remotelogin.if
@@ -1,4 +1,4 @@
-## Rshd, rlogind, and telnetd.
+## Policy for rshd, rlogind, and telnetd.
########################################
##
@@ -15,13 +15,12 @@ interface(`remotelogin_domtrans',`
type remote_login_t;
')
- corecmd_search_bin($1)
auth_domtrans_login_program($1, remote_login_t)
')
########################################
##
-## Send generic signals to remote login.
+## allow Domain to signal remote login domain.
##
##
##
@@ -36,44 +35,3 @@ interface(`remotelogin_signal',`
allow $1 remote_login_t:process signal;
')
-
-########################################
-##
-## Create, read, write, and delete
-## remote login temporary content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`remotelogin_manage_tmp_content',`
- gen_require(`
- type remote_login_tmp_t;
- ')
-
- files_search_tmp($1)
- allow $1 remote_login_tmp_t:dir manage_dir_perms;
- allow $1 remote_login_tmp_t:file manage_file_perms;
-')
-
-########################################
-##
-## Relabel remote login temporary content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`remotelogin_relabel_tmp_content',`
- gen_require(`
- type remote_login_tmp_t;
- ')
-
- files_search_tmp($1)
- allow $1 remote_login_tmp_t:dir relabel_dir_perms;
- allow $1 remote_login_tmp_t:file relabel_file_perms;
-')
diff --git a/remotelogin.te b/remotelogin.te
index ae30871..43fd6e8 100644
--- a/remotelogin.te
+++ b/remotelogin.te
@@ -10,12 +10,9 @@ domain_interactive_fd(remote_login_t)
auth_login_pgm_domain(remote_login_t)
auth_login_entry_type(remote_login_t)
-type remote_login_tmp_t;
-files_tmp_file(remote_login_tmp_t)
-
########################################
#
-# Local policy
+# Remote login remote policy
#
allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
@@ -23,68 +20,79 @@ allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrl
allow remote_login_t self:process { setrlimit setexec };
allow remote_login_t self:fd use;
allow remote_login_t self:fifo_file rw_fifo_file_perms;
+allow remote_login_t self:sock_file read_sock_file_perms;
+allow remote_login_t self:unix_dgram_socket create_socket_perms;
+allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
allow remote_login_t self:unix_dgram_socket sendto;
-allow remote_login_t self:unix_stream_socket { accept connectto listen };
-
-manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
-manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
+allow remote_login_t self:unix_stream_socket connectto;
+allow remote_login_t self:shm create_shm_perms;
+allow remote_login_t self:sem create_sem_perms;
+allow remote_login_t self:msgq create_msgq_perms;
+allow remote_login_t self:msg { send receive };
+allow remote_login_t self:key write;
kernel_read_system_state(remote_login_t)
kernel_read_kernel_sysctls(remote_login_t)
dev_getattr_mouse_dev(remote_login_t)
dev_setattr_mouse_dev(remote_login_t)
+dev_dontaudit_search_sysfs(remote_login_t)
fs_getattr_xattr_fs(remote_login_t)
+fs_search_auto_mountpoints(remote_login_t)
term_relabel_all_ptys(remote_login_t)
term_use_all_ptys(remote_login_t)
term_setattr_all_ptys(remote_login_t)
-auth_manage_pam_console_data(remote_login_t)
-auth_domtrans_pam_console(remote_login_t)
auth_rw_login_records(remote_login_t)
auth_rw_faillog(remote_login_t)
+auth_manage_pam_console_data(remote_login_t)
+auth_domtrans_pam_console(remote_login_t)
corecmd_list_bin(remote_login_t)
corecmd_read_bin_symlinks(remote_login_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_files(remote_login_t)
+corecmd_read_bin_pipes(remote_login_t)
+corecmd_read_bin_sockets(remote_login_t)
domain_read_all_entry_files(remote_login_t)
files_read_etc_runtime_files(remote_login_t)
files_list_home(remote_login_t)
-files_read_usr_files(remote_login_t)
files_list_world_readable(remote_login_t)
files_read_world_readable_files(remote_login_t)
files_read_world_readable_symlinks(remote_login_t)
files_read_world_readable_pipes(remote_login_t)
files_read_world_readable_sockets(remote_login_t)
files_list_mnt(remote_login_t)
+# for when /var/mail is a sym-link
files_read_var_symlinks(remote_login_t)
-miscfiles_read_localization(remote_login_t)
+auth_use_nsswitch(remote_login_t)
+
userdom_use_unpriv_users_fds(remote_login_t)
userdom_search_user_home_content(remote_login_t)
+# Only permit unprivileged user domains to be entered via rlogin,
+# since very weak authentication is used.
userdom_signal_unpriv_users(remote_login_t)
userdom_spec_domtrans_unpriv_users(remote_login_t)
+userdom_use_user_ptys(remote_login_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(remote_login_t)
- fs_read_nfs_symlinks(remote_login_t)
-')
+userdom_manage_user_tmp_dirs(remote_login_t)
+userdom_manage_user_tmp_files(remote_login_t)
+userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(remote_login_t)
- fs_read_cifs_symlinks(remote_login_t)
-')
+userdom_home_reader(remote_login_t)
optional_policy(`
alsa_domtrans(remote_login_t)
')
optional_policy(`
+ # Search for mail spool file.
mta_getattr_spool(remote_login_t)
')
diff --git a/resmgr.te b/resmgr.te
index f6eb358..e4fc73d 100644
--- a/resmgr.te
+++ b/resmgr.te
@@ -42,7 +42,6 @@ dev_getattr_scanner_dev(resmgrd_t)
domain_use_interactive_fds(resmgrd_t)
-files_read_etc_files(resmgrd_t)
fs_search_auto_mountpoints(resmgrd_t)
@@ -54,8 +53,6 @@ storage_write_scsi_generic(resmgrd_t)
logging_send_syslog_msg(resmgrd_t)
-miscfiles_read_localization(resmgrd_t)
-
userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
optional_policy(`
diff --git a/rgmanager.fc b/rgmanager.fc
index 5421af0..91e69b8 100644
--- a/rgmanager.fc
+++ b/rgmanager.fc
@@ -1,12 +1,22 @@
-/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
-/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/cpglockd -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
+/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
-/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
-/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+
+/var/run/cpglockd\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/rgmanager.if b/rgmanager.if
index 1c2f9aa..a4133dc 100644
--- a/rgmanager.if
+++ b/rgmanager.if
@@ -1,13 +1,13 @@
-## Resource Group Manager.
+## rgmanager - Resource Group Manager
#######################################
##
## Execute a domain transition to run rgmanager.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`rgmanager_domtrans',`
@@ -21,8 +21,7 @@ interface(`rgmanager_domtrans',`
########################################
##
-## Connect to rgmanager with a unix
-## domain stream socket.
+## Connect to rgmanager over a unix stream socket.
##
##
##
@@ -39,10 +38,28 @@ interface(`rgmanager_stream_connect',`
stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
')
+########################################
+##
+## Manage rgmanager pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rgmanager_manage_pid_files',`
+ gen_require(`
+ type rgmanager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t)
+')
+
######################################
##
-## Create, read, write, and delete
-## rgmanager tmp files.
+## Allow manage rgmanager tmp files.
##
##
##
@@ -61,8 +78,7 @@ interface(`rgmanager_manage_tmp_files',`
######################################
##
-## Create, read, write, and delete
-## rgmanager tmpfs files.
+## Allow manage rgmanager tmpfs files.
##
##
##
@@ -79,10 +95,28 @@ interface(`rgmanager_manage_tmpfs_files',`
manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
')
+#######################################
+##
+## Allow read and write access to rgmanager semaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rgmanager_rw_semaphores',`
+ gen_require(`
+ type rgmanager_t;
+ ')
+
+ allow $1 rgmanager_t:sem rw_sem_perms;
+')
+
######################################
##
-## All of the rules required to
-## administrate an rgmanager environment.
+## All of the rules required to administrate
+## an rgmanager environment
##
##
##
@@ -91,7 +125,7 @@ interface(`rgmanager_manage_tmpfs_files',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the rgmanager domain.
##
##
##
@@ -102,8 +136,11 @@ interface(`rgmanager_admin',`
type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
')
- allow $1 rgmanager_t:process { ptrace signal_perms };
+ allow $1 rgmanager_t:process signal_perms;
ps_process_pattern($1, rgmanager_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rgmanager_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
domain_system_change_exemption($1)
@@ -121,3 +158,66 @@ interface(`rgmanager_admin',`
files_list_pids($1)
admin_pattern($1, rgmanager_var_run_t)
')
+
+
+######################################
+##
+## Allow the specified domain to manage rgmanager's lib/run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rgmanager_manage_files',`
+ gen_require(`
+ type rgmanager_var_lib_t;
+ type rgmanager_var_run_t;
+ ')
+
+ files_list_var_lib($1)
+ admin_pattern($1, rgmanager_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, rgmanager_var_run_t)
+')
+
+######################################
+##
+## Allow the specified domain to execute rgmanager's lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rgmanager_execute_lib',`
+ gen_require(`
+ type rgmanager_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
+ can_exec($1, rgmanager_var_lib_t)
+')
+
+######################################
+##
+## Allow the specified domain to search rgmanager's lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rgmanager_search_lib',`
+ gen_require(`
+ type rgmanager_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
+')
diff --git a/rgmanager.te b/rgmanager.te
index c8a1e16..2d409bf 100644
--- a/rgmanager.te
+++ b/rgmanager.te
@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.3.0)
#
##
-##
-## Determine whether rgmanager can
-## connect to the network using TCP.
-##
+##
+## Allow rgmanager domain to connect to the network using TCP.
+##
##
gen_tunable(rgmanager_can_network_connect, false)
@@ -26,6 +25,9 @@ files_tmp_file(rgmanager_tmp_t)
type rgmanager_tmpfs_t;
files_tmpfs_file(rgmanager_tmpfs_t)
+type rgmanager_var_lib_t;
+files_type(rgmanager_var_lib_t)
+
type rgmanager_var_log_t;
logging_log_file(rgmanager_var_log_t)
@@ -34,14 +36,16 @@ files_pid_file(rgmanager_var_run_t)
########################################
#
-# Local policy
+# rgmanager local policy
#
allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
allow rgmanager_t self:process { setsched signal };
+
allow rgmanager_t self:fifo_file rw_fifo_file_perms;
-allow rgmanager_t self:unix_stream_socket { accept listen };
-allow rgmanager_t self:tcp_socket { accept listen };
+allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
+allow rgmanager_t self:unix_dgram_socket create_socket_perms;
+allow rgmanager_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
@@ -51,77 +55,93 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
-allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file)
+# var/lib files
+# # needed by hearbeat
+can_exec(rgmanager_t, rgmanager_var_lib_t)
+manage_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
+manage_dirs_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
+manage_sock_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
+manage_fifo_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
+files_var_lib_filetrans(rgmanager_t,rgmanager_var_lib_t, { file dir fifo_file sock_file })
+
+
+manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
+logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
+manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
-files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
+files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir })
+kernel_kill(rgmanager_t)
kernel_read_kernel_sysctls(rgmanager_t)
+kernel_read_rpc_sysctls(rgmanager_t)
kernel_read_system_state(rgmanager_t)
kernel_rw_rpc_sysctls(rgmanager_t)
kernel_search_debugfs(rgmanager_t)
kernel_search_network_state(rgmanager_t)
-corenet_all_recvfrom_unlabeled(rgmanager_t)
-corenet_all_recvfrom_netlabel(rgmanager_t)
-corenet_tcp_sendrecv_generic_if(rgmanager_t)
-corenet_tcp_sendrecv_generic_node(rgmanager_t)
-
corecmd_exec_bin(rgmanager_t)
corecmd_exec_shell(rgmanager_t)
+# need to write to /dev/misc/dlm-control
dev_rw_dlm_control(rgmanager_t)
dev_setattr_dlm_control(rgmanager_t)
dev_search_sysfs(rgmanager_t)
domain_read_all_domains_state(rgmanager_t)
domain_getattr_all_domains(rgmanager_t)
-domain_dontaudit_ptrace_all_domains(rgmanager_t)
-files_list_all(rgmanager_t)
+files_create_var_run_dirs(rgmanager_t)
files_getattr_all_symlinks(rgmanager_t)
+files_list_all(rgmanager_t)
files_manage_mnt_dirs(rgmanager_t)
+files_manage_mnt_files(rgmanager_t)
+files_manage_mnt_symlinks(rgmanager_t)
+files_manage_isid_type_files(rgmanager_t)
files_manage_isid_type_dirs(rgmanager_t)
-files_read_non_security_files(rgmanager_t)
+fs_getattr_xattr_fs(rgmanager_t)
fs_getattr_all_fs(rgmanager_t)
storage_raw_read_fixed_disk(rgmanager_t)
+storage_getattr_fixed_disk_dev(rgmanager_t)
term_getattr_pty_fs(rgmanager_t)
+# needed by resources scripts
+files_read_non_security_files(rgmanager_t)
auth_dontaudit_getattr_shadow(rgmanager_t)
auth_use_nsswitch(rgmanager_t)
init_domtrans_script(rgmanager_t)
+init_initrc_domain(rgmanager_t)
logging_send_syslog_msg(rgmanager_t)
-miscfiles_read_localization(rgmanager_t)
+userdom_kill_all_users(rgmanager_t)
tunable_policy(`rgmanager_can_network_connect',`
- corenet_sendrecv_all_client_packets(rgmanager_t)
corenet_tcp_connect_all_ports(rgmanager_t)
- corenet_tcp_sendrecv_all_ports(rgmanager_t)
')
+# rgmanager can run resource scripts
optional_policy(`
aisexec_stream_connect(rgmanager_t)
+ corosync_stream_connect(rgmanager_t)
')
optional_policy(`
- consoletype_exec(rgmanager_t)
+ apache_domtrans(rgmanager_t)
+ apache_signal(rgmanager_t)
')
optional_policy(`
- corosync_stream_connect(rgmanager_t)
+ consoletype_exec(rgmanager_t)
')
optional_policy(`
- apache_domtrans(rgmanager_t)
- apache_signal(rgmanager_t)
+ dbus_system_bus_client(rgmanager_t)
')
optional_policy(`
@@ -130,7 +150,6 @@ optional_policy(`
optional_policy(`
rhcs_stream_connect_groupd(rgmanager_t)
- rhcs_stream_connect_gfs_controld(rgmanager_t)
')
optional_policy(`
@@ -140,6 +159,7 @@ optional_policy(`
optional_policy(`
ccs_manage_config(rgmanager_t)
ccs_stream_connect(rgmanager_t)
+ rhcs_stream_connect_gfs_controld(rgmanager_t)
')
optional_policy(`
@@ -147,6 +167,12 @@ optional_policy(`
')
optional_policy(`
+ ldap_initrc_domtrans(rgmanager_t)
+ ldap_systemctl(rgmanager_t)
+ ldap_domtrans(rgmanager_t)
+')
+
+optional_policy(`
mount_domtrans(rgmanager_t)
')
@@ -174,12 +200,18 @@ optional_policy(`
')
optional_policy(`
+ rpc_initrc_domtrans_nfsd(rgmanager_t)
+ rpc_initrc_domtrans_rpcd(rgmanager_t)
+ rpc_systemctl_nfsd(rgmanager_t)
+ rpc_systemctl_rpcd(rgmanager_t)
+
rpc_domtrans_nfsd(rgmanager_t)
rpc_domtrans_rpcd(rgmanager_t)
rpc_manage_nfs_state_data(rgmanager_t)
')
optional_policy(`
+ samba_initrc_domtrans(rgmanager_t)
samba_domtrans_smbd(rgmanager_t)
samba_domtrans_nmbd(rgmanager_t)
samba_manage_var_files(rgmanager_t)
@@ -201,5 +233,9 @@ optional_policy(`
')
optional_policy(`
+ unconfined_domain(rgmanager_t)
+')
+
+optional_policy(`
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
index 47de2d6..98a4280 100644
--- a/rhcs.fc
+++ b/rhcs.fc
@@ -1,31 +1,85 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_sanlockd -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0)
+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
-/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
-/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
-/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
-/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
-/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+/usr/lib/systemd/system/haproxy.* -- gen_context(system_u:object_r:haproxy_unit_file_t,s0)
-/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
-/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/haproxy(/.*)? gen_context(system_u:object_r:haproxy_var_lib_t,s0)
+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
-/var/log/cluster/.*\.*log <>
+/var/log/cluster/.*\.*log <>
/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
-/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
+/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
-/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
-/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
-/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
-/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/fence.* gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+/var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+
+# cluster administrative domains file spec
+/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+/usr/lib/systemd/system/pcsd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+
+/usr/sbin/aisexec -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/cpglockd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/ldirectord -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/pacemakerd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/corosync(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/openais(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/pengine(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+
+/var/run/aisexec.* gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/cman_.* -s gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/cpglockd\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/corosync\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/crm(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/rsctmp(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
+
+/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
index c8bdea2..2e4d698 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
-## Red Hat Cluster Suite.
+## RHCS - Red Hat Cluster Suite
#######################################
##
-## The template to define a rhcs domain.
+## Creates types and rules for a basic
+## rhcs init daemon domain.
##
-##
+##
##
-## Domain prefix to be used.
+## Prefix for the domain.
##
##
#
template(`rhcs_domain_template',`
gen_require(`
- attribute cluster_domain, cluster_pid, cluster_tmpfs;
- attribute cluster_log;
+ attribute cluster_domain, cluster_tmpfs, cluster_pid, cluster_log;
')
##############################
@@ -43,33 +43,27 @@ template(`rhcs_domain_template',`
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
- manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
- append_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
- create_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
- setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
- manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
+ files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file })
- optional_policy(`
- dbus_system_bus_client($1_t)
- ')
+ auth_use_nsswitch($1_t)
+
+ logging_send_syslog_msg($1_t)
')
######################################
##
-## Execute a domain transition to
-## run dlm_controld.
+## Execute a domain transition to run dlm_controld.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`rhcs_domtrans_dlm_controld',`
@@ -83,27 +77,8 @@ interface(`rhcs_domtrans_dlm_controld',`
#####################################
##
-## Get attributes of fenced
-## executable files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`rhcs_getattr_fenced_exec_files',`
- gen_require(`
- type fenced_exec_t;
- ')
-
- allow $1 fenced_exec_t:file getattr_file_perms;
-')
-
-#####################################
-##
-## Connect to dlm_controld with a
-## unix domain stream socket.
+## Connect to dlm_controld over a unix domain
+## stream socket.
##
##
##
@@ -122,7 +97,7 @@ interface(`rhcs_stream_connect_dlm_controld',`
#####################################
##
-## Read and write dlm_controld semaphores.
+## Allow read and write access to dlm_controld semaphores.
##
##
##
@@ -160,9 +135,27 @@ interface(`rhcs_domtrans_fenced',`
domtrans_pattern($1, fenced_exec_t, fenced_t)
')
+#####################################
+##
+## Allow a domain to getattr on fenced executable.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rhcs_getattr_fenced',`
+ gen_require(`
+ type fenced_t, fenced_exec_t;
+ ')
+
+ allow $1 fenced_exec_t:file getattr;
+')
+
######################################
##
-## Read and write fenced semaphores.
+## Allow read and write access to fenced semaphores.
##
##
##
@@ -181,10 +174,9 @@ interface(`rhcs_rw_fenced_semaphores',`
manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
')
-####################################
+######################################
##
-## Connect to all cluster domains
-## with a unix domain stream socket.
+## Read fenced PID files.
##
##
##
@@ -192,19 +184,18 @@ interface(`rhcs_rw_fenced_semaphores',`
##
##
#
-interface(`rhcs_stream_connect_cluster',`
+interface(`rhcs_read_fenced_pid_files',`
gen_require(`
- attribute cluster_domain, cluster_pid;
+ type fenced_var_run_t;
')
files_search_pids($1)
- stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
+ read_files_pattern($1, fenced_var_run_t, fenced_var_run_t)
')
######################################
##
-## Connect to fenced with an unix
-## domain stream socket.
+## Connect to fenced over a unix domain stream socket.
##
##
##
@@ -223,8 +214,7 @@ interface(`rhcs_stream_connect_fenced',`
#####################################
##
-## Execute a domain transition
-## to run gfs_controld.
+## Execute a domain transition to run gfs_controld.
##
##
##
@@ -243,7 +233,7 @@ interface(`rhcs_domtrans_gfs_controld',`
####################################
##
-## Read and write gfs_controld semaphores.
+## Allow read and write access to gfs_controld semaphores.
##
##
##
@@ -264,7 +254,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',`
########################################
##
-## Read and write gfs_controld_t shared memory.
+## Read and write to gfs_controld_t shared memory.
##
##
##
@@ -285,8 +275,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
#####################################
##
-## Connect to gfs_controld_t with
-## a unix domain stream socket.
+## Connect to gfs_controld_t over a unix domain stream socket.
##
##
##
@@ -324,8 +313,8 @@ interface(`rhcs_domtrans_groupd',`
#####################################
##
-## Connect to groupd with a unix
-## domain stream socket.
+## Connect to groupd over a unix domain
+## stream socket.
##
##
##
@@ -342,10 +331,51 @@ interface(`rhcs_stream_connect_groupd',`
stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
')
+#####################################
+##
+## Allow read and write access to groupd semaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_rw_groupd_semaphores',`
+ gen_require(`
+ type groupd_t, groupd_tmpfs_t;
+ ')
+
+ allow $1 groupd_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
+########################################
+##
+## Read and write to group shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_rw_groupd_shm',`
+ gen_require(`
+ type groupd_t, groupd_tmpfs_t;
+ ')
+
+ allow $1 groupd_t:shm { rw_shm_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
########################################
##
-## Read and write all cluster domains
-## shared memory.
+## Read and write to group shared memory.
##
##
##
@@ -366,8 +396,7 @@ interface(`rhcs_rw_cluster_shm',`
####################################
##
-## Read and write all cluster
-## domains semaphores.
+## Read and write access to cluster domains semaphores.
##
##
##
@@ -383,9 +412,10 @@ interface(`rhcs_rw_cluster_semaphores',`
allow $1 cluster_domain:sem { rw_sem_perms destroy };
')
-#####################################
+####################################
##
-## Read and write groupd semaphores.
+## Connect to cluster domains over a unix domain
+## stream socket.
##
##
##
@@ -393,36 +423,39 @@ interface(`rhcs_rw_cluster_semaphores',`
##
##
#
-interface(`rhcs_rw_groupd_semaphores',`
+interface(`rhcs_stream_connect_cluster',`
gen_require(`
- type groupd_t, groupd_tmpfs_t;
+ attribute cluster_domain, cluster_pid;
')
- allow $1 groupd_t:sem { rw_sem_perms destroy };
-
- fs_search_tmpfs($1)
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+ files_search_pids($1)
+ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
')
-########################################
+#####################################
##
-## Read and write groupd shared memory.
+## Connect to cluster domains over a unix domain
+## stream socket.
##
##
##
## Domain allowed access.
##
##
+##
+##
+## Domain allowed access.
+##
+##
#
-interface(`rhcs_rw_groupd_shm',`
+interface(`rhcs_stream_connect_cluster_to',`
gen_require(`
- type groupd_t, groupd_tmpfs_t;
+ attribute cluster_domain;
+ attribute cluster_pid;
')
- allow $1 groupd_t:shm { rw_shm_perms destroy };
-
- fs_search_tmpfs($1)
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+ files_search_pids($1)
+ stream_connect_pattern($1, cluster_pid, cluster_pid, $2)
')
######################################
@@ -446,52 +479,360 @@ interface(`rhcs_domtrans_qdiskd',`
########################################
##
-## All of the rules required to
-## administrate an rhcs environment.
+## Allow domain to read qdiskd tmpfs files
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`rhcs_read_qdiskd_tmpfs_files',`
+ gen_require(`
+ type qdiskd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 qdiskd_tmpfs_t:file read_file_perms;
+')
+
+######################################
+##
+## Allow domain to read cluster lib files
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
-interface(`rhcs_admin',`
+interface(`rhcs_read_cluster_lib_files',`
gen_require(`
- attribute cluster_domain, cluster_pid, cluster_tmpfs;
- attribute cluster_log;
- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t;
- type fenced_tmp_t, qdiskd_var_lib_t;
+ type cluster_var_lib_t;
')
- allow $1 cluster_domain:process { ptrace signal_perms };
- ps_process_pattern($1, cluster_domain)
+ files_search_var_lib($1)
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
+
+#####################################
+##
+## Allow domain to manage cluster lib files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_manage_cluster_lib_files',`
+ gen_require(`
+ type cluster_var_lib_t;
+ ')
- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
- allow $2 system_r;
+ files_search_var_lib($1)
+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
- files_search_pids($1)
- admin_pattern($1, cluster_pid)
+####################################
+##
+## Allow domain to relabel cluster lib files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_relabel_cluster_lib_files',`
+ gen_require(`
+ type cluster_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
- files_search_locks($1)
- admin_pattern($1, fenced_lock_t)
+######################################
+##
+## Execute a domain transition to run cluster administrative domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rhcs_domtrans_cluster',`
+ gen_require(`
+ type cluster_t, cluster_exec_t;
+ ')
- files_search_tmp($1)
- admin_pattern($1, fenced_tmp_t)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cluster_exec_t, cluster_t)
+')
- files_search_var_lib($1)
- admin_pattern($1, qdiskd_var_lib_t)
+#######################################
+##
+## Execute cluster init scripts in
+## the init script domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rhcs_initrc_domtrans_cluster',`
+ gen_require(`
+ type cluster_initrc_exec_t;
+ ')
- fs_search_tmpfs($1)
- admin_pattern($1, cluster_tmpfs)
+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
+')
+
+#####################################
+##
+## Execute cluster in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_exec_cluster',`
+ gen_require(`
+ type cluster_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, cluster_exec_t)
+')
+
+######################################
+##
+## Read cluster log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_read_log_cluster',`
+ gen_require(`
+ type cluster_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, cluster_var_log_t, cluster_var_log_t)
+ read_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
+')
+
+######################################
+##
+## Setattr cluster log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_setattr_log_cluster',`
+ gen_require(`
+ type cluster_var_log_t;
+ ')
+
+ setattr_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
+')
+
+#####################################
+##
+## Allow the specified domain to read/write inherited cluster's tmpf files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_rw_inherited_cluster_tmp_files',`
+ gen_require(`
+ type cluster_tmp_t;
+ ')
+
+ allow $1 cluster_tmp_t:file rw_inherited_file_perms;
+')
+
+#####################################
+##
+## Allow manage cluster tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_manage_cluster_tmp_files',`
+ gen_require(`
+ type cluster_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, cluster_tmp_t, cluster_tmp_t)
+')
+
+#####################################
+##
+## Allow the specified domain to read/write cluster's tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_rw_cluster_tmpfs',`
+ gen_require(`
+ type cluster_tmpfs_t;
+ ')
+
+ rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
+')
+
+#####################################
+##
+## Allow manage cluster tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_manage_cluster_tmpfs_files',`
+ gen_require(`
+ type cluster_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
+')
+
+#####################################
+##
+## Allow read cluster pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_read_cluster_pid_files',`
+ gen_require(`
+ type cluster_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
+')
+
+
+#####################################
+##
+## Allow manage cluster pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_manage_cluster_pid_files',`
+ gen_require(`
+ type cluster_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
+')
+
+#######################################
+##
+## Execute cluster server in the cluster domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rhcs_systemctl_cluster',`
+ gen_require(`
+ type cluster_t;
+ type cluster_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 cluster_unit_file_t:file read_file_perms;
+ allow $1 cluster_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, cluster_t)
+')
+
+#####################################
+##
+## All of the rules required to administrate
+## an cluster environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the rgmanager domain.
+##
+##
+##
+#
+interface(`rhcs_admin_cluster',`
+ gen_require(`
+ type cluster_t, cluster_initrc_exec_t, cluster_tmp_t;
+ type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t;
+ type cluster_unit_file_t;
+ ')
+
+ allow $1 cluster_t:process signal_perms;
+ ps_process_pattern($1, cluster_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cluster_t:process ptrace;
+ ')
+
+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cluster_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, cluster_tmp_t)
+
+ admin_pattern($1, cluster_tmpfs_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, cluster_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, cluster_var_run_t)
- logging_search_logs($1)
- admin_pattern($1, cluster_log)
+ rhcs_systemctl_cluster($1)
+ admin_pattern($1, cluster_unit_file_t)
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
index 6cf79c4..65c88c9 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
##
gen_tunable(fenced_can_ssh, false)
+##
+##
+## Allow cluster administrative domains to connect to the network using TCP.
+##
+##
+gen_tunable(cluster_can_network_connect, false)
+
+##
+##
+## Allow cluster administrative domains to manage all files on a system.
+##
+##
+gen_tunable(cluster_manage_all_files, false)
+
+##
+##
+## Allow cluster administrative cluster domains memcheck-amd64- to use executable memory
+##
+##
+gen_tunable(cluster_use_execmem, false)
+
attribute cluster_domain;
attribute cluster_log;
attribute cluster_pid;
@@ -44,34 +65,283 @@ type foghorn_initrc_exec_t;
init_script_file(foghorn_initrc_exec_t)
rhcs_domain_template(gfs_controld)
+rhcs_domain_template(haproxy)
+
+type haproxy_var_lib_t;
+files_type(haproxy_var_lib_t)
+
+type haproxy_unit_file_t;
+systemd_unit_file(haproxy_unit_file_t)
+
rhcs_domain_template(groupd)
rhcs_domain_template(qdiskd)
type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t)
+# cluster_t is a new domain for administrative generic cluster services
+# (rgmanager, corosync, hearbeat, cman, pacemaker)
+rhcs_domain_template(cluster)
+
+typealias cluster_t alias { aisexec_t corosync_t pacemaker_t rgmanager_t };
+typealias cluster_exec_t alias { aisexec_exec_t corosync_exec_t pacemaker_exec_t rgmanager_exec_t };
+typealias cluster_tmpfs_t alias { aisexec_tmpfs_t corosync_tmpfs_t pacemaker_tmpfs_t rgmanager_tmpfs_t };
+typealias cluster_var_log_t alias { aisexec_var_log_t corosync_var_log_t rgmanager_var_log_t };
+typealias cluster_var_run_t alias { aisexec_var_run_t corosync_var_run_t pacemaker_var_run_t rgmanager_var_run_t };
+
+type cluster_initrc_exec_t;
+typealias cluster_initrc_exec_t alias { aisexec_initrc_exec_t corosync_initrc_exec_t pacemaker_initrc_exec_t rgmanager_initrc_exec_t };
+init_script_file(cluster_initrc_exec_t)
+
+type cluster_tmp_t;
+typealias cluster_tmp_t alias { aisexec_tmp_t corosync_tmp_t pacemaker_tmp_t rgmanager_tmp_t };
+files_tmp_file(cluster_tmp_t)
+
+type cluster_var_lib_t;
+typealias cluster_var_lib_t alias { aisexec_var_lib_t corosync_var_lib_t pacemaker_var_lib_t rgmanager_var_lib_t };
+files_type(cluster_var_lib_t)
+
+type cluster_unit_file_t;
+typealias cluster_unit_file_t alias { corosync_unit_file_t pacemaker_unit_file_t };
+systemd_unit_file(cluster_unit_file_t)
+
#####################################
#
# Common cluster domains local policy
#
allow cluster_domain self:capability sys_nice;
-allow cluster_domain self:process setsched;
+allow cluster_domain self:process { signal setsched };
allow cluster_domain self:sem create_sem_perms;
allow cluster_domain self:fifo_file rw_fifo_file_perms;
allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
allow cluster_domain self:unix_dgram_socket create_socket_perms;
-logging_send_syslog_msg(cluster_domain)
+manage_dirs_pattern(cluster_domain, cluster_log, cluster_log)
+manage_files_pattern(cluster_domain, cluster_log, cluster_log)
+manage_sock_files_pattern(cluster_domain, cluster_log, cluster_log)
-miscfiles_read_localization(cluster_domain)
+tunable_policy(`cluster_use_execmem',`
+ allow cluster_domain self:process execmem;
+')
optional_policy(`
ccs_stream_connect(cluster_domain)
')
optional_policy(`
- corosync_stream_connect(cluster_domain)
+ dbus_system_bus_client(cluster_domain)
+')
+
+#####################################
+#
+# cluster domain local policy
+#
+
+allow cluster_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner };
+# for hearbeat
+allow cluster_t self:capability { net_raw chown };
+allow cluster_t self:capability2 block_suspend;
+allow cluster_t self:process { setpgid setrlimit setsched signull };
+
+allow cluster_t self:tcp_socket create_stream_socket_perms;
+allow cluster_t self:shm create_shm_perms;
+
+manage_dirs_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t)
+manage_files_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t)
+files_tmp_filetrans(cluster_t, cluster_tmp_t, { file dir })
+
+can_exec(cluster_t, cluster_var_lib_t)
+manage_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
+manage_dirs_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
+manage_sock_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
+manage_fifo_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
+files_var_lib_filetrans(cluster_t,cluster_var_lib_t, { file dir fifo_file sock_file })
+
+can_exec(cluster_t, cluster_exec_t)
+
+kernel_kill(cluster_t)
+kernel_read_all_sysctls(cluster_t)
+kernel_read_system_state(cluster_t)
+kernel_rw_rpc_sysctls(cluster_t)
+kernel_search_debugfs(cluster_t)
+kernel_search_network_state(cluster_t)
+
+corecmd_exec_bin(cluster_t)
+corecmd_exec_shell(cluster_t)
+
+corenet_all_recvfrom_unlabeled(cluster_t)
+corenet_all_recvfrom_netlabel(cluster_t)
+corenet_udp_sendrecv_generic_if(cluster_t)
+corenet_udp_sendrecv_generic_node(cluster_t)
+corenet_udp_bind_generic_node(cluster_t)
+
+corenet_sendrecv_netsupport_server_packets(cluster_t)
+corenet_udp_bind_netsupport_port(cluster_t)
+corenet_udp_sendrecv_netsupport_port(cluster_t)
+
+corenet_sendrecv_cluster_server_packets(cluster_t)
+corenet_udp_bind_cluster_port(cluster_t)
+corenet_udp_sendrecv_cluster_port(cluster_t)
+
+# need to write to /dev/misc/dlm-contro
+dev_rw_dlm_control(cluster_t)
+dev_setattr_dlm_control(cluster_t)
+dev_read_sysfs(cluster_t)
+dev_read_rand(cluster_t)
+dev_read_urand(cluster_t)
+
+domain_read_all_domains_state(cluster_t)
+
+fs_getattr_xattr_fs(cluster_t)
+fs_getattr_all_fs(cluster_t)
+
+storage_raw_read_fixed_disk(cluster_t)
+
+term_getattr_pty_fs(cluster_t)
+
+files_manage_mounttab(cluster_t)
+# needed by resources scripts
+files_read_non_security_files(cluster_t)
+auth_dontaudit_getattr_shadow(cluster_t)
+
+init_domtrans_script(cluster_t)
+init_initrc_domain(cluster_t)
+init_read_script_state(cluster_t)
+init_rw_script_tmp_files(cluster_t)
+init_manage_script_status_files(cluster_t)
+
+userdom_read_user_tmp_files(cluster_t)
+userdom_delete_user_tmpfs_files(cluster_t)
+userdom_rw_user_tmpfs_files(cluster_t)
+userdom_kill_all_users(cluster_t)
+
+tunable_policy(`cluster_can_network_connect',`
+ corenet_tcp_connect_all_ports(cluster_t)
+')
+
+# we need to have dirs created with var_run_t in /run/cluster
+files_create_var_run_dirs(cluster_t)
+
+tunable_policy(`cluster_manage_all_files',`
+ files_getattr_all_symlinks(cluster_t)
+ files_list_all(cluster_t)
+ files_manage_mnt_dirs(cluster_t)
+ files_manage_mnt_files(cluster_t)
+ files_manage_mnt_symlinks(cluster_t)
+ files_manage_isid_type_files(cluster_t)
+ files_manage_isid_type_dirs(cluster_t)
+ fs_manage_tmpfs_files(cluster_t)
+')
+
+optional_policy(`
+ ccs_read_config(cluster_t)
+')
+
+optional_policy(`
+ cmirrord_rw_shm(cluster_t)
+')
+
+optional_policy(`
+ consoletype_exec(cluster_t)
+')
+
+optional_policy(`
+ lvm_domtrans(cluster_t)
+ lvm_rw_clvmd_tmpfs_files(cluster_t)
+ lvm_delete_clvmd_tmpfs_files(cluster_t)
+')
+
+optional_policy(`
+ fstools_domtrans(cluster_t)
+')
+
+
+optional_policy(`
+ hostname_exec(cluster_t)
+')
+
+optional_policy(`
+ ccs_manage_config(cluster_t)
+ ccs_stream_connect(cluster_t)
+')
+
+optional_policy(`
+ ldap_systemctl(cluster_t)
+')
+
+optional_policy(`
+ mount_domtrans(cluster_t)
+')
+
+optional_policy(`
+ mysql_domtrans_mysql_safe(cluster_t)
+ mysql_stream_connect(cluster_t)
+')
+
+optional_policy(`
+ netutils_domtrans(cluster_t)
+ netutils_domtrans_ping(cluster_t)
+')
+
+optional_policy(`
+ postgresql_signal(cluster_t)
+')
+
+optional_policy(`
+ rhcs_getattr_fenced(cluster_t)
+ rhcs_rw_cluster_shm(cluster_t)
+ rhcs_rw_cluster_semaphores(cluster_t)
+ rhcs_stream_connect_cluster(cluster_t)
+ rhcs_relabel_cluster_lib_files(cluster_t)
+')
+
+optional_policy(`
+ rdisc_exec(cluster_t)
+')
+
+optional_policy(`
+ ricci_dontaudit_rw_modcluster_pipes(cluster_t)
+')
+
+optional_policy(`
+ rpc_systemctl_nfsd(cluster_t)
+ rpc_systemctl_rpcd(cluster_t)
+
+ rpc_domtrans_nfsd(cluster_t)
+ rpc_domtrans_rpcd(cluster_t)
+ rpc_manage_nfs_state_data(cluster_t)
+')
+
+optional_policy(`
+ samba_manage_var_files(cluster_t)
+ samba_rw_config(cluster_t)
+ samba_signal_smbd(cluster_t)
+ samba_signal_nmbd(cluster_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(cluster_t)
+')
+
+optional_policy(`
+ udev_read_db(cluster_t)
+')
+
+optional_policy(`
+ virt_stream_connect(cluster_t)
+')
+
+optional_policy(`
+ unconfined_domain(cluster_t)
+')
+
+optional_policy(`
+ wdmd_rw_tmpfs(cluster_t)
+')
+
+optional_policy(`
+ xen_domtrans_xm(cluster_t)
')
#####################################
@@ -79,9 +349,11 @@ optional_policy(`
# dlm_controld local policy
#
-allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
+allow dlm_controld_t self:capability { dac_override net_admin sys_admin sys_resource };
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir)
+
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -98,16 +370,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
+logging_send_syslog_msg(dlm_controld_t)
+
+optional_policy(`
+ corosync_rw_tmpfs(dlm_controld_t)
+')
+
+optional_policy(`
+ rhcs_stream_connect_cluster(dlm_controld_t)
+')
+
#######################################
#
# fenced local policy
#
allow fenced_t self:capability { sys_rawio sys_resource };
-allow fenced_t self:process { getsched signal_perms };
-allow fenced_t self:tcp_socket { accept listen };
+allow fenced_t self:process { getsched setpgid signal_perms };
+
+allow fenced_t self:tcp_socket create_stream_socket_perms;
+allow fenced_t self:udp_socket create_socket_perms;
allow fenced_t self:unix_stream_socket connectto;
+can_exec(fenced_t, fenced_exec_t)
+
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)
@@ -118,9 +404,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
-can_exec(fenced_t, fenced_exec_t)
-
kernel_read_system_state(fenced_t)
+kernel_read_network_state(fenced_t)
corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)
@@ -148,9 +433,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
-
-files_read_usr_files(fenced_t)
-files_read_usr_symlinks(fenced_t)
+dev_read_rand(fenced_t)
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
@@ -160,7 +443,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
-auth_use_nsswitch(fenced_t)
+logging_send_syslog_msg(fenced_t)
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
@@ -182,7 +465,8 @@ optional_policy(`
')
optional_policy(`
- corosync_exec(fenced_t)
+ rhcs_exec_cluster(fenced_t)
+ rhcs_rw_cluster_tmpfs(fenced_t)
')
optional_policy(`
@@ -190,12 +474,12 @@ optional_policy(`
')
optional_policy(`
- gnome_read_generic_home_content(fenced_t)
+ lvm_domtrans(fenced_t)
+ lvm_read_config(fenced_t)
')
optional_policy(`
- lvm_domtrans(fenced_t)
- lvm_read_config(fenced_t)
+ sanlock_domtrans(fenced_t)
')
optional_policy(`
@@ -203,6 +487,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
+optional_policy(`
+ virt_domtrans(fenced_t)
+ virt_read_config(fenced_t)
+ virt_read_pid_files(fenced_t)
+ virt_stream_connect(fenced_t)
+')
+
#######################################
#
# foghorn local policy
@@ -221,16 +512,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
corenet_tcp_connect_agentx_port(foghorn_t)
corenet_tcp_sendrecv_agentx_port(foghorn_t)
+corenet_tcp_connect_snmp_port(foghorn_t)
+
dev_read_urand(foghorn_t)
-files_read_usr_files(foghorn_t)
+logging_send_syslog_msg(foghorn_t)
optional_policy(`
dbus_connect_system_bus(foghorn_t)
')
optional_policy(`
- snmp_read_snmp_var_lib_files(foghorn_t)
+ snmp_manage_var_lib_files(foghorn_t)
snmp_stream_connect(foghorn_t)
')
@@ -257,6 +550,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
+logging_send_syslog_msg(gfs_controld_t)
+
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
@@ -275,10 +570,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
-files_read_etc_files(groupd_t)
-
init_rw_script_tmp_files(groupd_t)
+logging_send_syslog_msg(groupd_t)
+
+########################################
+#
+# haproxy local policy
+#
+
+# bug in haproxy and process vs pid owner
+allow haproxy_t self:capability dac_override;
+
+allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource };
+allow haproxy_t self:process { fork setrlimit signal_perms };
+allow haproxy_t self:fifo_file rw_fifo_file_perms;
+allow haproxy_t self:unix_stream_socket create_stream_socket_perms;
+allow haproxy_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+manage_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+manage_lnk_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file })
+
+corenet_tcp_connect_commplex_link_port(haproxy_t)
+corenet_tcp_connect_commplex_main_port(haproxy_t)
+corenet_tcp_bind_commplex_main_port(haproxy_t)
+
+corenet_tcp_connect_fmpro_internal_port(haproxy_t)
+corenet_tcp_connect_rtp_media_port(haproxy_t)
+
+sysnet_dns_name_resolve(haproxy_t)
+
######################################
#
# qdiskd local policy
@@ -321,6 +645,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
+logging_send_syslog_msg(qdiskd_t)
+
optional_policy(`
netutils_domtrans_ping(qdiskd_t)
')
diff --git a/rhev.fc b/rhev.fc
new file mode 100644
index 0000000..4b66adf
--- /dev/null
+++ b/rhev.fc
@@ -0,0 +1,13 @@
+/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+
+/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+/usr/share/ovirt-guest-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+
+/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
+
+/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
+/var/run/ovirt-guest-agent\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
+
+/var/log/rhev-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0)
+/var/log/ovirt-guest-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0)
diff --git a/rhev.if b/rhev.if
new file mode 100644
index 0000000..bf11e25
--- /dev/null
+++ b/rhev.if
@@ -0,0 +1,76 @@
+## rhev polic module contains policies for rhev apps
+
+#####################################
+##
+## Execute rhev-agentd in the rhev_agentd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhev_domtrans_agentd',`
+ gen_require(`
+ type rhev_agentd_t, rhev_agentd_exec_t;
+ ')
+
+ domtrans_pattern($1, rhev_agentd_exec_t, rhev_agentd_t)
+')
+
+####################################
+##
+## Read rhev-agentd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhev_read_pid_files_agentd',`
+ gen_require(`
+ type rhev_agentd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+')
+
+#####################################
+##
+## Connect to rhev_agentd over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhev_stream_connect_agentd',`
+ gen_require(`
+ type rhev_agentd_var_run_t, rhev_agentd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t, rhev_agentd_t)
+')
+
+######################################
+##
+## Send sigchld to rhev-agentd
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`rhev_sigchld_agentd',`
+ gen_require(`
+ type rhev_agentd_t;
+ ')
+
+ allow $1 rhev_agentd_t:process sigchld;
+')
diff --git a/rhev.te b/rhev.te
new file mode 100644
index 0000000..26f7884
--- /dev/null
+++ b/rhev.te
@@ -0,0 +1,116 @@
+policy_module(rhev,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhev_agentd_t;
+type rhev_agentd_exec_t;
+init_daemon_domain(rhev_agentd_t, rhev_agentd_exec_t)
+
+type rhev_agentd_unit_file_t;
+systemd_unit_file(rhev_agentd_unit_file_t)
+
+type rhev_agentd_var_run_t;
+files_pid_file(rhev_agentd_var_run_t)
+
+type rhev_agentd_tmp_t;
+files_tmp_file(rhev_agentd_tmp_t)
+
+type rhev_agentd_log_t;
+logging_log_file(rhev_agentd_log_t)
+
+########################################
+#
+# rhev_agentd_t local policy
+#
+
+allow rhev_agentd_t self:capability { setuid setgid sys_nice };
+allow rhev_agentd_t self:process setsched;
+
+allow rhev_agentd_t self:fifo_file rw_fifo_file_perms;
+allow rhev_agentd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+manage_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+manage_sock_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+files_pid_filetrans(rhev_agentd_t, rhev_agentd_var_run_t, { dir file sock_file })
+
+manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
+logging_log_filetrans(rhev_agentd_t, rhev_agentd_log_t, { dir file })
+
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
+manage_files_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
+files_tmp_filetrans(rhev_agentd_t, rhev_agentd_tmp_t, { file dir })
+can_exec(rhev_agentd_t, rhev_agentd_tmp_t)
+
+kernel_read_system_state(rhev_agentd_t)
+kernel_read_kernel_sysctls(rhev_agentd_t)
+
+corecmd_exec_bin(rhev_agentd_t)
+corecmd_exec_shell(rhev_agentd_t)
+
+dev_read_urand(rhev_agentd_t)
+
+term_use_virtio_console(rhev_agentd_t)
+
+fs_getattr_all_fs(rhev_agentd_t)
+
+files_getattr_all_mountpoints(rhev_agentd_t)
+files_search_all_mountpoints(rhev_agentd_t)
+
+auth_use_nsswitch(rhev_agentd_t)
+
+init_read_utmp(rhev_agentd_t)
+
+libs_exec_ldconfig(rhev_agentd_t)
+logging_send_syslog_msg(rhev_agentd_t)
+
+optional_policy(`
+ rpm_read_db(rhev_agentd_t)
+ rpm_dontaudit_manage_db(rhev_agentd_t)
+')
+
+optional_policy(`
+ ssh_signull(rhev_agentd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(rhev_agentd_t)
+ dbus_connect_system_bus(rhev_agentd_t)
+ dbus_session_bus_client(rhev_agentd_t)
+')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(rhev_agentd_t)
+ xserver_stream_connect(rhev_agentd_t)
+')
+
+######################################
+#
+# rhev_agentd_t consolehelper local policy
+#
+
+optional_policy(`
+ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
+
+ allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file rw_inherited_file_perms;
+ allow rhev_agentd_consolehelper_t rhev_agentd_tmp_t:file rw_inherited_file_perms;
+
+ can_exec(rhev_agentd_consolehelper_t, rhev_agentd_exec_t)
+ kernel_read_system_state(rhev_agentd_consolehelper_t)
+
+ term_use_virtio_console(rhev_agentd_consolehelper_t)
+
+ corenet_tcp_connect_xserver_port(rhev_agentd_consolehelper_t)
+
+ optional_policy(`
+ dbus_session_bus_client(rhev_agentd_consolehelper_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_chat(rhev_agentd_consolehelper_t)
+ ')
+')
diff --git a/rhgb.if b/rhgb.if
index 1a134a7..793a29f 100644
--- a/rhgb.if
+++ b/rhgb.if
@@ -1,4 +1,4 @@
-## Red Hat Graphical Boot.
+## Red Hat Graphical Boot
########################################
##
@@ -18,7 +18,7 @@ interface(`rhgb_stub',`
########################################
##
-## Inherit and use rhgb file descriptors.
+## Use a rhgb file descriptor.
##
##
##
@@ -54,7 +54,7 @@ interface(`rhgb_getpgid',`
########################################
##
-## Send generic signals to rhgb.
+## Send a signal to rhgb.
##
##
##
@@ -72,8 +72,7 @@ interface(`rhgb_signal',`
########################################
##
-## Read and write inherited rhgb unix
-## domain stream sockets.
+## Read and write to unix stream sockets.
##
##
##
@@ -110,8 +109,7 @@ interface(`rhgb_dontaudit_rw_stream_sockets',`
########################################
##
-## Connected to rhgb with a unix
-## domain stream socket.
+## Connected to rhgb unix stream socket.
##
##
##
@@ -121,11 +119,10 @@ interface(`rhgb_dontaudit_rw_stream_sockets',`
#
interface(`rhgb_stream_connect',`
gen_require(`
- type rhgb_t, rhgb_tmpfs_t;
+ type rhgb_t;
')
- fs_search_tmpfs($1)
- stream_connect_pattern($1, rhgb_tmpfs_t, rhgb_tmpfs_t, rhgb_t)
+ allow $1 rhgb_t:unix_stream_socket connectto;
')
########################################
@@ -148,7 +145,7 @@ interface(`rhgb_rw_shm',`
########################################
##
-## Read and write rhgb pty devices.
+## Read from and write to the rhgb devpts.
##
##
##
@@ -161,14 +158,12 @@ interface(`rhgb_use_ptys',`
type rhgb_devpts_t;
')
- dev_list_all_dev_nodes($1)
allow $1 rhgb_devpts_t:chr_file rw_term_perms;
')
########################################
##
-## Do not audit attempts to read and
-## write rhgb pty devices.
+## dontaudit Read from and write to the rhgb devpts.
##
##
##
@@ -186,7 +181,7 @@ interface(`rhgb_dontaudit_use_ptys',`
########################################
##
-## Read and write to rhgb tmpfs files.
+## Read and write to rhgb temporary file system.
##
##
##
@@ -199,7 +194,6 @@ interface(`rhgb_rw_tmpfs_files',`
type rhgb_tmpfs_t;
')
-
fs_search_tmpfs($1)
allow $1 rhgb_tmpfs_t:file rw_file_perms;
')
diff --git a/rhgb.te b/rhgb.te
index 3f32e4b..f97ea42 100644
--- a/rhgb.te
+++ b/rhgb.te
@@ -43,7 +43,6 @@ kernel_read_system_state(rhgb_t)
corecmd_exec_bin(rhgb_t)
corecmd_exec_shell(rhgb_t)
-corenet_all_recvfrom_unlabeled(rhgb_t)
corenet_all_recvfrom_netlabel(rhgb_t)
corenet_tcp_sendrecv_generic_if(rhgb_t)
corenet_tcp_sendrecv_generic_node(rhgb_t)
@@ -57,11 +56,9 @@ dev_read_urand(rhgb_t)
domain_use_interactive_fds(rhgb_t)
-files_read_etc_files(rhgb_t)
files_read_var_files(rhgb_t)
files_read_etc_runtime_files(rhgb_t)
files_search_tmp(rhgb_t)
-files_read_usr_files(rhgb_t)
files_mounton_mnt(rhgb_t)
files_dontaudit_rw_root_dir(rhgb_t)
files_dontaudit_read_default_files(rhgb_t)
@@ -89,7 +86,6 @@ libs_read_lib_files(rhgb_t)
logging_send_syslog_msg(rhgb_t)
-miscfiles_read_localization(rhgb_t)
miscfiles_read_fonts(rhgb_t)
miscfiles_dontaudit_write_fonts(rhgb_t)
diff --git a/rhnsd.fc b/rhnsd.fc
new file mode 100644
index 0000000..1936028
--- /dev/null
+++ b/rhnsd.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/rhnsd -- gen_context(system_u:object_r:rhnsd_initrc_exec_t,s0)
+
+/usr/sbin/rhnsd -- gen_context(system_u:object_r:rhnsd_exec_t,s0)
+
+/var/run/rhnsd\.pid -- gen_context(system_u:object_r:rhnsd_var_run_t,s0)
diff --git a/rhnsd.if b/rhnsd.if
new file mode 100644
index 0000000..88087b7
--- /dev/null
+++ b/rhnsd.if
@@ -0,0 +1,74 @@
+## policy for rhnsd
+
+########################################
+##
+## Transition to rhnsd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rhnsd_domtrans',`
+ gen_require(`
+ type rhnsd_t, rhnsd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rhnsd_exec_t, rhnsd_t)
+')
+
+########################################
+##
+## Execute rhnsd server in the rhnsd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhnsd_initrc_domtrans',`
+ gen_require(`
+ type rhnsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, rhnsd_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an rhnsd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`rhnsd_admin',`
+ gen_require(`
+ type rhnsd_t;
+ type rhnsd_initrc_exec_t;
+ ')
+
+ allow $1 rhnsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rhnsd_t)
+
+ rhnsd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 rhnsd_initrc_exec_t system_r;
+ allow $2 system_r;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/rhnsd.te b/rhnsd.te
new file mode 100644
index 0000000..0e965c3
--- /dev/null
+++ b/rhnsd.te
@@ -0,0 +1,40 @@
+policy_module(rhnsd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhnsd_t;
+type rhnsd_exec_t;
+init_daemon_domain(rhnsd_t, rhnsd_exec_t)
+
+type rhnsd_var_run_t;
+files_pid_file(rhnsd_var_run_t)
+
+type rhnsd_initrc_exec_t;
+init_script_file(rhnsd_initrc_exec_t)
+
+########################################
+#
+# rhnsd local policy
+#
+
+allow rhnsd_t self:capability { kill };
+allow rhnsd_t self:process { fork signal };
+allow rhnsd_t self:fifo_file rw_fifo_file_perms;
+allow rhnsd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
+manage_files_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
+files_pid_filetrans(rhnsd_t, rhnsd_var_run_t, { dir file })
+
+corecmd_exec_bin(rhnsd_t)
+
+
+logging_send_syslog_msg(rhnsd_t)
+
+optional_policy(`
+ # execute rhn_check
+ rpm_domtrans(rhnsd_t)
+')
diff --git a/rhsmcertd.if b/rhsmcertd.if
index 6dbc905..78746ef 100644
--- a/rhsmcertd.if
+++ b/rhsmcertd.if
@@ -1,8 +1,8 @@
-## Subscription Management Certificate Daemon.
+## Subscription Management Certificate Daemon policy
########################################
##
-## Execute rhsmcertd in the rhsmcertd domain.
+## Transition to rhsmcertd.
##
##
##
@@ -21,12 +21,11 @@ interface(`rhsmcertd_domtrans',`
########################################
##
-## Execute rhsmcertd init scripts
-## in the initrc domain.
+## Execute rhsmcertd server in the rhsmcertd domain.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
@@ -40,7 +39,7 @@ interface(`rhsmcertd_initrc_domtrans',`
########################################
##
-## Read rhsmcertd log files.
+## Read rhsmcertd's log files.
##
##
##
@@ -60,7 +59,7 @@ interface(`rhsmcertd_read_log',`
########################################
##
-## Append rhsmcertd log files.
+## Append to rhsmcertd log files.
##
##
##
@@ -79,8 +78,7 @@ interface(`rhsmcertd_append_log',`
########################################
##
-## Create, read, write, and delete
-## rhsmcertd log files.
+## Manage rhsmcertd log files
##
##
##
@@ -114,8 +112,8 @@ interface(`rhsmcertd_search_lib',`
type rhsmcertd_var_lib_t;
')
- files_search_var_lib($1)
allow $1 rhsmcertd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
@@ -139,8 +137,7 @@ interface(`rhsmcertd_read_lib_files',`
########################################
##
-## Create, read, write, and delete
-## rhsmcertd lib files.
+## Manage rhsmcertd lib files.
##
##
##
@@ -159,8 +156,7 @@ interface(`rhsmcertd_manage_lib_files',`
########################################
##
-## Create, read, write, and delete
-## rhsmcertd lib directories.
+## Manage rhsmcertd lib directories.
##
##
##
@@ -179,7 +175,7 @@ interface(`rhsmcertd_manage_lib_dirs',`
########################################
##
-## Read rhsmcertd pid files.
+## Read rhsmcertd PID files.
##
##
##
@@ -196,10 +192,9 @@ interface(`rhsmcertd_read_pid_files',`
allow $1 rhsmcertd_var_run_t:file read_file_perms;
')
-####################################
+########################################
##
-## Connect to rhsmcertd with a
-## unix domain stream socket.
+## Read/wirte inherited lock files.
##
##
##
@@ -207,6 +202,26 @@ interface(`rhsmcertd_read_pid_files',`
##
##
#
+interface(`rhsmcertd_rw_inherited_lock_files',`
+ gen_require(`
+ type rhsmcertd_lock_t;
+ ')
+
+ files_search_locks($1)
+ allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms;
+')
+
+####################################
+##
+## Connect to rhsmcertd over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
interface(`rhsmcertd_stream_connect',`
gen_require(`
type rhsmcertd_t, rhsmcertd_var_run_t;
@@ -239,30 +254,29 @@ interface(`rhsmcertd_dbus_chat',`
######################################
##
-## Do not audit attempts to send
-## and receive messages from
-## rhsmcertd over dbus.
+## Dontaudit Send and receive messages from
+## rhsmcertd over dbus.
##
##
-##
-## Domain to not audit.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`rhsmcertd_dontaudit_dbus_chat',`
- gen_require(`
- type rhsmcertd_t;
- class dbus send_msg;
- ')
+ gen_require(`
+ type rhsmcertd_t;
+ class dbus send_msg;
+ ')
- dontaudit $1 rhsmcertd_t:dbus send_msg;
- dontaudit rhsmcertd_t $1:dbus send_msg;
+ dontaudit $1 rhsmcertd_t:dbus send_msg;
+ dontaudit rhsmcertd_t $1:dbus send_msg;
')
########################################
##
-## All of the rules required to
-## administrate an rhsmcertd environment.
+## All of the rules required to administrate
+## an rhsmcertd environment
##
##
##
@@ -270,35 +284,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
##
##
##
-##
-## Role allowed access.
-##
+##
+## Role allowed access.
+##
##
##
#
+
interface(`rhsmcertd_admin',`
gen_require(`
type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t;
- type rhsmcertd_var_lib_t, rhsmcertd_var_run_t, rhsmcertd_lock_t;
+ type rhsmcertd_var_lib_t, rhsmcertd_lock_t, rhsmcertd_var_run_t;
')
- allow $1 rhsmcertd_t:process { ptrace signal_perms };
+ allow $1 rhsmcertd_t:process signal_perms;
ps_process_pattern($1, rhsmcertd_t)
- rhsmcertd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 rhsmcertd_initrc_exec_t system_r;
- allow $2 system_r;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rhsmcertd_t:process ptrace;
+ ')
- logging_search_logs($1)
- admin_pattern($1, rhsmcertd_log_t)
+ rhsmcertd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 rhsmcertd_initrc_exec_t system_r;
+ allow $2 system_r;
- files_search_var_lib($1)
- admin_pattern($1, rhsmcertd_var_lib_t)
+ logging_search_logs($1)
+ admin_pattern($1, rhsmcertd_log_t)
- files_search_pids($1)
- admin_pattern($1, rhsmcertd_var_run_t)
+ files_search_var_lib($1)
+ admin_pattern($1, rhsmcertd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, rhsmcertd_var_run_t)
+
+ files_search_locks($1)
+ admin_pattern($1, rhsmcertd_lock_t)
- files_search_locks($1)
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
index d32e1a2..73051fc 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
#
allow rhsmcertd_t self:capability sys_nice;
-allow rhsmcertd_t self:process { signal setsched };
+allow rhsmcertd_t self:process { signal_perms setsched };
+
allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
-append_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
-create_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
-setattr_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
@@ -52,23 +51,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
kernel_read_system_state(rhsmcertd_t)
+corenet_tcp_connect_http_port(rhsmcertd_t)
+
corecmd_exec_bin(rhsmcertd_t)
+corecmd_exec_shell(rhsmcertd_t)
dev_read_sysfs(rhsmcertd_t)
dev_read_rand(rhsmcertd_t)
dev_read_urand(rhsmcertd_t)
+dev_read_raw_memory(rhsmcertd_t)
files_list_tmp(rhsmcertd_t)
-files_read_etc_files(rhsmcertd_t)
-files_read_usr_files(rhsmcertd_t)
+files_manage_generic_locks(rhsmcertd_t)
+files_manage_system_conf_files(rhsmcertd_t)
+
+auth_read_passwd(rhsmcertd_t)
init_read_state(rhsmcertd_t)
-miscfiles_read_localization(rhsmcertd_t)
-miscfiles_read_generic_certs(rhsmcertd_t)
+logging_send_syslog_msg(rhsmcertd_t)
+
+miscfiles_manage_cert_files(rhsmcertd_t)
+miscfiles_manage_cert_dirs(rhsmcertd_t)
sysnet_dns_name_resolve(rhsmcertd_t)
optional_policy(`
+ dmidecode_domtrans(rhsmcertd_t)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(rhsmcertd_t)
+')
+
+optional_policy(`
rpm_read_db(rhsmcertd_t)
')
diff --git a/ricci.if b/ricci.if
index 2ab3ed1..23d579c 100644
--- a/ricci.if
+++ b/ricci.if
@@ -1,13 +1,13 @@
-## Ricci cluster management agent.
+## Ricci cluster management agent
########################################
##
## Execute a domain transition to run ricci.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`ricci_domtrans',`
@@ -15,19 +15,35 @@ interface(`ricci_domtrans',`
type ricci_t, ricci_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, ricci_exec_t, ricci_t)
')
-########################################
+#######################################
##
-## Execute a domain transition to
-## run ricci modcluster.
+## Execute ricci server in the ricci domain.
##
##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ricci_initrc_domtrans',`
+ gen_require(`
+ type ricci_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ricci_initrc_exec_t)
+')
+
+########################################
##
-## Domain allowed to transition.
+## Execute a domain transition to run ricci_modcluster.
##
+##
+##
+## Domain allowed to transition.
+##
##
#
interface(`ricci_domtrans_modcluster',`
@@ -35,14 +51,13 @@ interface(`ricci_domtrans_modcluster',`
type ricci_modcluster_t, ricci_modcluster_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t)
')
########################################
##
## Do not audit attempts to use
-## ricci modcluster file descriptors.
+## ricci_modcluster file descriptors.
##
##
##
@@ -61,7 +76,7 @@ interface(`ricci_dontaudit_use_modcluster_fds',`
########################################
##
## Do not audit attempts to read write
-## ricci modcluster unamed pipes.
+## ricci_modcluster unamed pipes.
##
##
##
@@ -74,13 +89,12 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
type ricci_modcluster_t;
')
- dontaudit $1 ricci_modcluster_t:fifo_file { read write };
+ dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
##
-## Connect to ricci_modclusterd with
-## a unix domain stream socket.
+## Connect to ricci_modclusterd over a unix stream socket.
##
##
##
@@ -99,8 +113,26 @@ interface(`ricci_stream_connect_modclusterd',`
########################################
##
-## Execute a domain transition to
-## run ricci modlog.
+## Read and write to ricci_modcluserd temporary file system.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ricci_rw_modclusterd_tmpfs_files',`
+ gen_require(`
+ type ricci_modclusterd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 ricci_modclusterd_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+##
+## Execute a domain transition to run ricci_modlog.
##
##
##
@@ -113,14 +145,12 @@ interface(`ricci_domtrans_modlog',`
type ricci_modlog_t, ricci_modlog_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t)
')
########################################
##
-## Execute a domain transition to
-## run ricci modrpm.
+## Execute a domain transition to run ricci_modrpm.
##
##
##
@@ -133,14 +163,12 @@ interface(`ricci_domtrans_modrpm',`
type ricci_modrpm_t, ricci_modrpm_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t)
')
########################################
##
-## Execute a domain transition to
-## run ricci modservice.
+## Execute a domain transition to run ricci_modservice.
##
##
##
@@ -153,14 +181,12 @@ interface(`ricci_domtrans_modservice',`
type ricci_modservice_t, ricci_modservice_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t)
')
########################################
##
-## Execute a domain transition to
-## run ricci modstorage.
+## Execute a domain transition to run ricci_modstorage.
##
##
##
@@ -173,14 +199,33 @@ interface(`ricci_domtrans_modstorage',`
type ricci_modstorage_t, ricci_modstorage_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
')
+####################################
+##
+## Allow the specified domain to manage ricci's lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ricci_manage_lib_files',`
+ gen_require(`
+ type ricci_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
+ manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
+')
+
########################################
##
-## All of the rules required to
-## administrate an ricci environment.
+## All of the rules required to administrate
+## an ricci environment
##
##
##
@@ -200,10 +245,13 @@ interface(`ricci_admin',`
type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
')
- allow $1 ricci_t:process { ptrace signal_perms };
+ allow $1 ricci_t:process signal_perms;
ps_process_pattern($1, ricci_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ricci_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, ricci_initrc_exec_t)
+ ricci_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 ricci_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/ricci.te b/ricci.te
index 0ba2569..64a0237 100644
--- a/ricci.te
+++ b/ricci.te
@@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t)
corecmd_exec_bin(ricci_t)
-corenet_all_recvfrom_unlabeled(ricci_t)
corenet_all_recvfrom_netlabel(ricci_t)
corenet_tcp_sendrecv_generic_if(ricci_t)
corenet_tcp_sendrecv_generic_node(ricci_t)
@@ -136,7 +135,6 @@ dev_read_urand(ricci_t)
domain_read_all_domains_state(ricci_t)
-files_read_etc_files(ricci_t)
files_read_etc_runtime_files(ricci_t)
files_create_boot_flag(ricci_t)
@@ -149,7 +147,7 @@ locallogin_dontaudit_use_fds(ricci_t)
logging_send_syslog_msg(ricci_t)
-miscfiles_read_localization(ricci_t)
+systemd_start_power_services(ricci_t)
sysnet_dns_name_resolve(ricci_t)
@@ -235,13 +233,8 @@ init_domtrans_script(ricci_modcluster_t)
logging_send_syslog_msg(ricci_modcluster_t)
-miscfiles_read_localization(ricci_modcluster_t)
-
-ricci_stream_connect_modclusterd(ricci_modcluster_t)
-
optional_policy(`
- aisexec_stream_connect(ricci_modcluster_t)
- corosync_stream_connect(ricci_modcluster_t)
+ ricci_stream_connect_modclusterd(ricci_modcluster_t)
')
optional_policy(`
@@ -271,7 +264,7 @@ optional_policy(`
')
optional_policy(`
- rgmanager_stream_connect(ricci_modcluster_t)
+ rhcs_stream_connect_cluster(ricci_modcluster_t)
')
########################################
@@ -336,23 +329,16 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
logging_send_syslog_msg(ricci_modclusterd_t)
-miscfiles_read_localization(ricci_modclusterd_t)
-
sysnet_domtrans_ifconfig(ricci_modclusterd_t)
optional_policy(`
- aisexec_stream_connect(ricci_modclusterd_t)
- corosync_stream_connect(ricci_modclusterd_t)
-')
-
-optional_policy(`
ccs_domtrans(ricci_modclusterd_t)
ccs_stream_connect(ricci_modclusterd_t)
ccs_read_config(ricci_modclusterd_t)
')
optional_policy(`
- rgmanager_stream_connect(ricci_modclusterd_t)
+ rhcs_stream_connect_cluster(ricci_modclusterd_t)
')
optional_policy(`
@@ -374,12 +360,10 @@ corecmd_exec_bin(ricci_modlog_t)
domain_read_all_domains_state(ricci_modlog_t)
-files_read_etc_files(ricci_modlog_t)
files_search_usr(ricci_modlog_t)
logging_read_generic_logs(ricci_modlog_t)
-miscfiles_read_localization(ricci_modlog_t)
optional_policy(`
nscd_dontaudit_search_pid(ricci_modlog_t)
@@ -401,9 +385,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
corecmd_exec_bin(ricci_modrpm_t)
files_search_usr(ricci_modrpm_t)
-files_read_etc_files(ricci_modrpm_t)
-miscfiles_read_localization(ricci_modrpm_t)
+logging_send_syslog_msg(ricci_modrpm_t)
optional_policy(`
oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
@@ -428,14 +411,13 @@ kernel_read_system_state(ricci_modservice_t)
corecmd_exec_bin(ricci_modservice_t)
corecmd_exec_shell(ricci_modservice_t)
-files_read_etc_files(ricci_modservice_t)
files_read_etc_runtime_files(ricci_modservice_t)
files_search_usr(ricci_modservice_t)
files_manage_etc_symlinks(ricci_modservice_t)
init_domtrans_script(ricci_modservice_t)
-miscfiles_read_localization(ricci_modservice_t)
+logging_send_syslog_msg(ricci_modservice_t)
optional_policy(`
ccs_read_config(ricci_modservice_t)
@@ -460,7 +442,6 @@ optional_policy(`
allow ricci_modstorage_t self:capability { mknod sys_nice };
allow ricci_modstorage_t self:process { setsched signal };
-dontaudit ricci_modstorage_t self:process ptrace;
allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
kernel_read_kernel_sysctls(ricci_modstorage_t)
@@ -480,21 +461,21 @@ domain_read_all_domains_state(ricci_modstorage_t)
files_manage_etc_files(ricci_modstorage_t)
files_read_etc_runtime_files(ricci_modstorage_t)
-files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
+files_create_default_dir(ricci_modstorage_t)
+files_root_filetrans_default(ricci_modstorage_t, dir)
+files_mounton_default(ricci_modstorage_t)
+files_manage_default_dirs(ricci_modstorage_t)
+files_manage_default_files(ricci_modstorage_t)
+
storage_raw_read_fixed_disk(ricci_modstorage_t)
term_dontaudit_use_console(ricci_modstorage_t)
-logging_send_syslog_msg(ricci_modstorage_t)
-
-miscfiles_read_localization(ricci_modstorage_t)
+auth_use_nsswitch(ricci_modstorage_t)
-optional_policy(`
- aisexec_stream_connect(ricci_modstorage_t)
- corosync_stream_connect(ricci_modstorage_t)
-')
+logging_send_syslog_msg(ricci_modstorage_t)
optional_policy(`
ccs_stream_connect(ricci_modstorage_t)
diff --git a/rlogin.fc b/rlogin.fc
index f111877..e361ee9 100644
--- a/rlogin.fc
+++ b/rlogin.fc
@@ -1,5 +1,7 @@
-HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
-HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
+/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
diff --git a/rlogin.if b/rlogin.if
index 050479d..0e1b364 100644
--- a/rlogin.if
+++ b/rlogin.if
@@ -29,7 +29,7 @@ interface(`rlogin_domtrans',`
##
##
#
-template(`rlogin_read_home_content',`
+interface(`rlogin_read_home_content',`
gen_require(`
type rlogind_home_t;
')
diff --git a/rlogin.te b/rlogin.te
index ee27948..2a5413a 100644
--- a/rlogin.te
+++ b/rlogin.te
@@ -34,7 +34,9 @@ files_pid_file(rlogind_var_run_t)
allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_fifo_file_perms;
-allow rlogind_t self:tcp_socket { accept listen };
+allow rlogind_t self:tcp_socket connected_stream_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(rlogind_t, rlogind_devpts_t)
@@ -45,7 +47,6 @@ allow rlogind_t rlogind_keytab_t:file read_file_perms;
manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
-files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file })
manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
@@ -56,7 +57,6 @@ kernel_read_kernel_sysctls(rlogind_t)
kernel_read_system_state(rlogind_t)
kernel_read_network_state(rlogind_t)
-corenet_all_recvfrom_unlabeled(rlogind_t)
corenet_all_recvfrom_netlabel(rlogind_t)
corenet_tcp_sendrecv_generic_if(rlogind_t)
corenet_tcp_sendrecv_generic_node(rlogind_t)
@@ -73,6 +73,7 @@ fs_getattr_all_fs(rlogind_t)
fs_search_auto_mountpoints(rlogind_t)
auth_domtrans_chk_passwd(rlogind_t)
+auth_signal_chk_passwd(rlogind_t)
auth_rw_login_records(rlogind_t)
auth_use_nsswitch(rlogind_t)
@@ -83,29 +84,23 @@ init_rw_utmp(rlogind_t)
logging_send_syslog_msg(rlogind_t)
-miscfiles_read_localization(rlogind_t)
-
seutil_read_config(rlogind_t)
userdom_search_user_home_dirs(rlogind_t)
userdom_setattr_user_ptys(rlogind_t)
+# cjp: this is egregious
+userdom_read_user_home_content_files(rlogind_t)
+userdom_search_admin_dir(rlogind_t)
+userdom_manage_user_tmp_files(rlogind_t)
+userdom_tmp_filetrans_user_tmp(rlogind_t, file)
userdom_use_user_terminals(rlogind_t)
+userdom_home_reader(rlogind_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs(rlogind_t)
- fs_read_nfs_files(rlogind_t)
- fs_read_nfs_symlinks(rlogind_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs(rlogind_t)
- fs_read_cifs_files(rlogind_t)
- fs_read_cifs_symlinks(rlogind_t)
-')
+rlogin_read_home_content(rlogind_t)
optional_policy(`
kerberos_read_keytab(rlogind_t)
- kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
kerberos_manage_host_rcache(rlogind_t)
kerberos_use(rlogind_t)
')
diff --git a/rngd.fc b/rngd.fc
index fa19aa8..90eb481 100644
--- a/rngd.fc
+++ b/rngd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0)
+
/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
/var/run/rngd\.pid -- gen_context(system_u:object_r:rngd_var_run_t,s0)
diff --git a/rngd.if b/rngd.if
index 13f788f..e01572a 100644
--- a/rngd.if
+++ b/rngd.if
@@ -2,6 +2,28 @@
########################################
##
+## Execute rngd in the rngd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rng_systemctl_rngd',`
+ gen_require(`
+ type rngd_t, rngd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 rngd_unit_file_t:file read_file_perms;
+ allow $1 rngd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, rngd_t)
+')
+
+########################################
+##
## All of the rules required to
## administrate an rng environment.
##
@@ -17,14 +39,18 @@
##
##
#
-interface(`rngd_admin',`
+interface(`rng_admin',`
gen_require(`
- type rngd_t, rngd_initrc_exec_t, rngd_var_run_t;
+ type rngd_t, rngd_initrc_exec_t, rngd_var_run_t, rngd_unit_file_t;
')
- allow $1 rngd_t:process { ptrace signal_perms };
+ allow $1 rngd_t:process signal_perms;
ps_process_pattern($1, rngd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rngd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, rngd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rngd_initrc_exec_t system_r;
@@ -32,4 +58,8 @@ interface(`rngd_admin',`
files_search_pids($1)
admin_pattern($1, rngd_var_run_t)
+
+ rng_systemctl_rngd($1)
+ admin_pattern($1, rngd_unit_file_t)
+ allow $1 rngd_unit_file_t:service all_service_perms;
')
diff --git a/rngd.te b/rngd.te
index a7b7717..861aa31 100644
--- a/rngd.te
+++ b/rngd.te
@@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t)
type rngd_initrc_exec_t;
init_script_file(rngd_initrc_exec_t)
+type rngd_unit_file_t;
+systemd_unit_file(rngd_unit_file_t)
+
type rngd_var_run_t;
files_pid_file(rngd_var_run_t)
@@ -35,8 +38,5 @@ dev_read_urand(rngd_t)
dev_rw_tpm(rngd_t)
dev_write_rand(rngd_t)
-files_read_etc_files(rngd_t)
-
logging_send_syslog_msg(rngd_t)
-miscfiles_read_localization(rngd_t)
diff --git a/roundup.if b/roundup.if
index 975bb6a..ce4f5ea 100644
--- a/roundup.if
+++ b/roundup.if
@@ -23,8 +23,11 @@ interface(`roundup_admin',`
type roundup_initrc_exec_t;
')
- allow $1 roundup_t:process { ptrace signal_perms };
+ allow $1 roundup_t:process signal_perms;
ps_process_pattern($1, roundup_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 roundup_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, roundup_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/roundup.te b/roundup.te
index ccb5991..189ac01 100644
--- a/roundup.te
+++ b/roundup.te
@@ -41,7 +41,6 @@ kernel_read_proc_symlinks(roundup_t)
corecmd_exec_bin(roundup_t)
-corenet_all_recvfrom_unlabeled(roundup_t)
corenet_all_recvfrom_netlabel(roundup_t)
corenet_tcp_sendrecv_generic_if(roundup_t)
corenet_tcp_sendrecv_generic_node(roundup_t)
@@ -60,16 +59,11 @@ dev_read_urand(roundup_t)
domain_use_interactive_fds(roundup_t)
-files_read_etc_files(roundup_t)
-files_read_usr_files(roundup_t)
-
fs_getattr_all_fs(roundup_t)
fs_search_auto_mountpoints(roundup_t)
logging_send_syslog_msg(roundup_t)
-miscfiles_read_localization(roundup_t)
-
sysnet_dns_name_resolve(roundup_t)
userdom_dontaudit_use_unpriv_user_fds(roundup_t)
diff --git a/rpc.fc b/rpc.fc
index a6fb30c..b0c22f7 100644
--- a/rpc.fc
+++ b/rpc.fc
@@ -1,12 +1,23 @@
-/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
+#
+# /etc
+#
+/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
+/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
-/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
-/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+#
+# /sbin
+#
+/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+#
+# /usr
+#
/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
@@ -16,7 +27,11 @@
/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
-/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
+#
+# /var
+#
+/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
-/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+
diff --git a/rpc.if b/rpc.if
index 0bf13c2..d59aef7 100644
--- a/rpc.if
+++ b/rpc.if
@@ -1,4 +1,4 @@
-## Remote Procedure Call Daemon.
+## Remote Procedure Call Daemon for managment of network based process communication
########################################
##
@@ -20,15 +20,21 @@ interface(`rpc_stub',`
##
## The template to define a rpc domain.
##
-##
+##
+##
+## This template creates a domain to be used for
+## a new rpc daemon.
+##
+##
+##
##
-## Domain prefix to be used.
+## The type of daemon to be used.
##
##
#
template(`rpc_domain_template',`
gen_require(`
- attribute rpc_domain;
+ attribute rpc_domain;
')
########################################
@@ -42,12 +48,19 @@ template(`rpc_domain_template',`
domain_use_interactive_fds($1_t)
- ########################################
+ ####################################
#
- # Policy
+ # Local Policy
#
+ kernel_read_system_state($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+
auth_use_nsswitch($1_t)
+
+ logging_send_syslog_msg($1_t)
')
########################################
@@ -66,8 +79,8 @@ interface(`rpc_udp_send',`
########################################
##
-## Do not audit attempts to get
-## attributes of export files.
+## Do not audit attempts to get the attributes
+## of the NFS export file.
##
##
##
@@ -80,12 +93,12 @@ interface(`rpc_dontaudit_getattr_exports',`
type exports_t;
')
- dontaudit $1 exports_t:file getattr;
+ dontaudit $1 exports_t:file getattr_file_perms;
')
########################################
##
-## Read export files.
+## Allow read access to exports.
##
##
##
@@ -103,7 +116,7 @@ interface(`rpc_read_exports',`
########################################
##
-## Write export files.
+## Allow write access to exports.
##
##
##
@@ -116,12 +129,12 @@ interface(`rpc_write_exports',`
type exports_t;
')
- allow $1 exports_t:file write;
+ allow $1 exports_t:file write_file_perms;
')
########################################
##
-## Execute nfsd in the nfsd domain.
+## Execute domain in nfsd domain.
##
##
##
@@ -134,14 +147,12 @@ interface(`rpc_domtrans_nfsd',`
type nfsd_t, nfsd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, nfsd_exec_t, nfsd_t)
')
#######################################
##
-## Execute nfsd init scripts in
-## the initrc domain.
+## Execute domain in nfsd domain.
##
##
##
@@ -159,7 +170,7 @@ interface(`rpc_initrc_domtrans_nfsd',`
########################################
##
-## Execute rpcd in the rpcd domain.
+## Execute nfsd server in the nfsd domain.
##
##
##
@@ -167,120 +178,126 @@ interface(`rpc_initrc_domtrans_nfsd',`
##
##
#
-interface(`rpc_domtrans_rpcd',`
+interface(`rpc_systemctl_nfsd',`
gen_require(`
- type rpcd_t, rpcd_exec_t;
+ type nfsd_unit_file_t;
+ type nfsd_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+ systemd_exec_systemctl($1)
+ allow $1 nfsd_unit_file_t:file read_file_perms;
+ allow $1 nfsd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, nfsd_t)
')
-#######################################
+########################################
##
-## Execute rpcd init scripts in
-## the initrc domain.
+## Send kill signals to rpcd.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
-interface(`rpc_initrc_domtrans_rpcd',`
+interface(`rpc_kill_rpcd',`
gen_require(`
- type rpcd_initrc_exec_t;
+ type rpcd_t;
')
- init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
+ allow $1 rpcd_t:process sigkill;
')
########################################
##
-## Read nfs exported content.
+## Execute domain in rpcd domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
-##
#
-interface(`rpc_read_nfs_content',`
+interface(`rpc_domtrans_rpcd',`
gen_require(`
- type nfsd_ro_t, nfsd_rw_t;
+ type rpcd_t, rpcd_exec_t;
')
- allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
- allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
- allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
+ domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+ allow rpcd_t $1:process signal;
')
########################################
##
-## Create, read, write, and delete
-## nfs exported read write content.
+## Execute rpcd in the rcpd domain, and
+## allow the specified role the rpcd domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
+##
+##
+## Role allowed access.
+##
+##
##
#
-interface(`rpc_manage_nfs_rw_content',`
+interface(`rpc_run_rpcd',`
gen_require(`
- type nfsd_rw_t;
+ type rpcd_t;
')
- manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t)
- manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
- manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
+ rpc_domtrans_rpcd($1)
+ role $2 types rpcd_t;
')
-########################################
+#######################################
##
-## Create, read, write, and delete
-## nfs exported read only content.
+## Execute domain in rpcd domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
-##
#
-interface(`rpc_manage_nfs_ro_content',`
+interface(`rpc_initrc_domtrans_rpcd',`
gen_require(`
- type nfsd_ro_t;
+ type rpcd_initrc_exec_t;
')
- manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t)
- manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
- manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
+ init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
')
########################################
##
-## Read and write to nfsd tcp sockets.
+## Execute rpcd server in the rpcd domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
-interface(`rpc_tcp_rw_nfs_sockets',`
+interface(`rpc_systemctl_rpcd',`
gen_require(`
- type nfsd_t;
+ type rpcd_unit_file_t;
+ type rpcd_t;
')
- allow $1 nfsd_t:tcp_socket rw_socket_perms;
+ systemd_exec_systemctl($1)
+ allow $1 rpcd_unit_file_t:file read_file_perms;
+ allow $1 rpcd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, rpcd_t)
')
########################################
##
-## Read and write to nfsd udp sockets.
+## Allow domain to read and write to an NFS UDP socket.
##
##
##
@@ -312,7 +329,7 @@ interface(`rpc_udp_send_nfs',`
########################################
##
-## Search nfs lib directories.
+## Search NFS state data in /var/lib/nfs.
##
##
##
@@ -326,12 +343,12 @@ interface(`rpc_search_nfs_state_data',`
')
files_search_var_lib($1)
- allow $1 var_lib_nfs_t:dir search;
+ allow $1 var_lib_nfs_t:dir search_dir_perms;
')
########################################
##
-## Read nfs lib files.
+## List NFS state data in /var/lib/nfs.
##
##
##
@@ -339,19 +356,18 @@ interface(`rpc_search_nfs_state_data',`
##
##
#
-interface(`rpc_read_nfs_state_data',`
+interface(`rpc_list_nfs_state_data',`
gen_require(`
type var_lib_nfs_t;
')
files_search_var_lib($1)
- read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ allow $1 var_lib_nfs_t:dir list_dir_perms;
')
########################################
##
-## Create, read, write, and delete
-## nfs lib files.
+## Read NFS state data in /var/lib/nfs.
##
##
##
@@ -359,34 +375,54 @@ interface(`rpc_read_nfs_state_data',`
##
##
#
-interface(`rpc_manage_nfs_state_data',`
+interface(`rpc_read_nfs_state_data',`
gen_require(`
type var_lib_nfs_t;
')
files_search_var_lib($1)
- manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
')
########################################
##
-## All of the rules required to
-## administrate an rpc environment.
+## Manage NFS state data in /var/lib/nfs.
##
##
##
## Domain allowed access.
##
##
+#
+interface(`rpc_manage_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
+')
+
+#######################################
+##
+## All of the rules required to
+## administrate an rpc environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
##
-##
-## Role allowed access.
-##
+##
+## Role allowed access.
+##
##
##
#
interface(`rpc_admin',`
- gen_require(`
+ gen_require(`
attribute rpc_domain;
type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
diff --git a/rpc.te b/rpc.te
index 2da9fca..b96da60 100644
--- a/rpc.te
+++ b/rpc.te
@@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1)
#
##
-##
-## Determine whether gssd can read
-## generic user temporary content.
-##
+##
+## Allow gssd to list tmp directories and read the kerberos credential cache.
+##
##
-gen_tunable(allow_gssd_read_tmp, false)
+gen_tunable(gssd_read_tmp, true)
##
-##
-## Determine whether nfs can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-##
+##
+## Allow nfs servers to modify public files
+## used for public file transfer services. Files/Directories must be
+## labeled public_content_rw_t.
+##
##
-gen_tunable(allow_nfsd_anon_write, false)
+gen_tunable(nfsd_anon_write, false)
attribute rpc_domain;
@@ -39,21 +37,23 @@ files_tmp_file(gssd_tmp_t)
type rpcd_var_run_t;
files_pid_file(rpcd_var_run_t)
+# rpcd_t is the domain of rpc daemons.
+# rpc_exec_t is the type of rpc daemon programs.
rpc_domain_template(rpcd)
type rpcd_initrc_exec_t;
init_script_file(rpcd_initrc_exec_t)
+type rpcd_unit_file_t;
+systemd_unit_file(rpcd_unit_file_t)
+
rpc_domain_template(nfsd)
type nfsd_initrc_exec_t;
init_script_file(nfsd_initrc_exec_t)
-type nfsd_rw_t;
-files_type(nfsd_rw_t)
-
-type nfsd_ro_t;
-files_type(nfsd_ro_t)
+type nfsd_unit_file_t;
+systemd_unit_file(nfsd_unit_file_t)
type var_lib_nfs_t;
files_mountpoint(var_lib_nfs_t)
@@ -71,7 +71,6 @@ allow rpc_domain self:tcp_socket { accept listen };
manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
-kernel_read_system_state(rpc_domain)
kernel_read_kernel_sysctls(rpc_domain)
kernel_rw_rpc_sysctls(rpc_domain)
@@ -79,8 +78,6 @@ dev_read_sysfs(rpc_domain)
dev_read_urand(rpc_domain)
dev_read_rand(rpc_domain)
-corenet_all_recvfrom_unlabeled(rpc_domain)
-corenet_all_recvfrom_netlabel(rpc_domain)
corenet_tcp_sendrecv_generic_if(rpc_domain)
corenet_udp_sendrecv_generic_if(rpc_domain)
corenet_tcp_sendrecv_generic_node(rpc_domain)
@@ -108,41 +105,42 @@ files_read_etc_runtime_files(rpc_domain)
files_read_usr_files(rpc_domain)
files_list_home(rpc_domain)
-logging_send_syslog_msg(rpc_domain)
-
-miscfiles_read_localization(rpc_domain)
-
userdom_dontaudit_use_unpriv_user_fds(rpc_domain)
optional_policy(`
- rpcbind_stream_connect(rpc_domain)
+ rpcbind_stream_connect(rpc_domain)
')
optional_policy(`
- seutil_sigchld_newrole(rpc_domain)
+ seutil_sigchld_newrole(rpc_domain)
')
optional_policy(`
- udev_read_db(rpc_domain)
+ udev_read_db(rpc_domain)
')
########################################
#
-# Local policy
+# RPC local policy
#
allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
allow rpcd_t self:capability2 block_suspend;
+
allow rpcd_t self:process { getcap setcap };
allow rpcd_t self:fifo_file rw_fifo_file_perms;
+allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms;
manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
+# rpc.statd executes sm-notify
can_exec(rpcd_t, rpcd_exec_t)
+kernel_read_system_state(rpcd_t)
kernel_read_network_state(rpcd_t)
+# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
@@ -163,13 +161,14 @@ fs_getattr_all_fs(rpcd_t)
storage_getattr_fixed_disk_dev(rpcd_t)
+init_read_utmp(rpcd_t)
+
selinux_dontaudit_read_fs(rpcd_t)
miscfiles_read_generic_certs(rpcd_t)
-seutil_dontaudit_search_config(rpcd_t)
-
-userdom_signal_all_users(rpcd_t)
+userdom_signal_unpriv_users(rpcd_t)
+userdom_read_user_home_content_files(rpcd_t)
ifdef(`distro_debian',`
term_dontaudit_use_unallocated_ttys(rpcd_t)
@@ -181,19 +180,23 @@ optional_policy(`
')
optional_policy(`
- nis_read_ypserv_config(rpcd_t)
+ domain_unconfined_signal(rpcd_t)
')
optional_policy(`
- quota_manage_db_files(rpcd_t)
+ quota_manage_db(rpcd_t)
')
optional_policy(`
- rgmanager_manage_tmp_files(rpcd_t)
+ nis_read_ypserv_config(rpcd_t)
')
optional_policy(`
- unconfined_signal(rpcd_t)
+ quota_read_db(rpcd_t)
+')
+
+optional_policy(`
+ rhcs_manage_cluster_tmp_files(rpcd_t)
')
########################################
@@ -202,41 +205,56 @@ optional_policy(`
#
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+dontaudit nfsd_t self:capability sys_rawio;
allow nfsd_t exports_t:file read_file_perms;
-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+# for /proc/fs/nfs/exports - should we have a new type?
+kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
kernel_dontaudit_getattr_core_if(nfsd_t)
kernel_setsched(nfsd_t)
kernel_request_load_module(nfsd_t)
-# kernel_mounton_proc(nfsd_t)
+kernel_mounton_proc(nfsd_t)
+
+corecmd_exec_shell(nfsd_t)
-corenet_sendrecv_nfs_server_packets(nfsd_t)
+corenet_tcp_bind_all_rpc_ports(nfsd_t)
+corenet_udp_bind_all_rpc_ports(nfsd_t)
corenet_tcp_bind_nfs_port(nfsd_t)
corenet_udp_bind_nfs_port(nfsd_t)
-
-corecmd_exec_shell(nfsd_t)
+corenet_udp_bind_mountd_port(nfsd_t)
+corenet_tcp_bind_mountd_port(nfsd_t)
dev_dontaudit_getattr_all_blk_files(nfsd_t)
dev_dontaudit_getattr_all_chr_files(nfsd_t)
dev_rw_lvm_control(nfsd_t)
+# does not really need this, but it is easier to just allow it
+files_search_pids(nfsd_t)
+# for exportfs and rpc.mountd
files_getattr_tmp_dirs(nfsd_t)
+# cjp: this should really have its own type
files_manage_mounttab(nfsd_t)
+files_read_etc_runtime_files(nfsd_t)
+fs_mounton_nfsd_fs(nfsd_t)
fs_mount_nfsd_fs(nfsd_t)
fs_getattr_all_fs(nfsd_t)
fs_getattr_all_dirs(nfsd_t)
-fs_rw_nfsd_fs(nfsd_t)
-# fs_manage_nfsd_fs(nfsd_t)
+fs_manage_nfsd_fs(nfsd_t)
storage_dontaudit_read_fixed_disk(nfsd_t)
storage_raw_read_removable_device(nfsd_t)
+# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
-tunable_policy(`allow_nfsd_anon_write',`
+userdom_filetrans_home_content(nfsd_t)
+userdom_list_user_tmp(nfsd_t)
+
+# Write access to public_content_t and public_content_rw_t
+tunable_policy(`nfsd_anon_write',`
miscfiles_manage_public_files(nfsd_t)
')
@@ -245,7 +263,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
- files_manage_non_auth_files(nfsd_t)
')
tunable_policy(`nfs_export_all_ro',`
@@ -257,12 +274,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
- files_list_non_auth_dirs(nfsd_t)
- files_read_non_auth_files(nfsd_t)
+ files_read_non_security_files(nfsd_t)
')
optional_policy(`
mount_exec(nfsd_t)
+ mount_manage_pid_files(nfsd_t)
')
########################################
@@ -280,6 +297,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+kernel_read_system_state(gssd_t)
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
@@ -288,25 +306,29 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
-fs_list_inotifyfs(gssd_t)
fs_list_rpc(gssd_t)
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
-fs_read_nfs_files(gssd_t)
+fs_read_nfsd_files(gssd_t)
+fs_list_inotifyfs(gssd_t)
files_list_tmp(gssd_t)
+files_read_usr_symlinks(gssd_t)
files_dontaudit_write_var_dirs(gssd_t)
+auth_use_nsswitch(gssd_t)
auth_manage_cache(gssd_t)
miscfiles_read_generic_certs(gssd_t)
userdom_signal_all_users(gssd_t)
-tunable_policy(`allow_gssd_read_tmp',`
+tunable_policy(`gssd_read_tmp',`
userdom_list_user_tmp(gssd_t)
userdom_read_user_tmp_files(gssd_t)
userdom_read_user_tmp_symlinks(gssd_t)
+ userdom_manage_user_tmp_files(gssd_t)
+ files_read_generic_tmp_files(gssd_t)
')
optional_policy(`
@@ -314,9 +336,12 @@ optional_policy(`
')
optional_policy(`
+ gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
kerberos_manage_host_rcache(gssd_t)
kerberos_read_keytab(gssd_t)
- kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")
kerberos_use(gssd_t)
')
diff --git a/rpcbind.if b/rpcbind.if
index 3b5e9ee..ff1163f 100644
--- a/rpcbind.if
+++ b/rpcbind.if
@@ -1,4 +1,4 @@
-## Universal Addresses to RPC Program Number Mapper.
+## Universal Addresses to RPC Program Number Mapper
########################################
##
@@ -15,14 +15,12 @@ interface(`rpcbind_domtrans',`
type rpcbind_t, rpcbind_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, rpcbind_exec_t, rpcbind_t)
')
########################################
##
-## Connect to rpcbindd with a
-## unix domain stream socket.
+## Connect to rpcbindd over an unix stream socket.
##
##
##
@@ -41,7 +39,7 @@ interface(`rpcbind_stream_connect',`
########################################
##
-## Read rpcbind pid files.
+## Read rpcbind PID files.
##
##
##
@@ -73,8 +71,8 @@ interface(`rpcbind_search_lib',`
type rpcbind_var_lib_t;
')
- files_search_var_lib($1)
allow $1 rpcbind_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
@@ -92,8 +90,8 @@ interface(`rpcbind_read_lib_files',`
type rpcbind_var_lib_t;
')
- files_search_var_lib($1)
read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
+ files_search_var_lib($1)
')
########################################
@@ -112,13 +110,13 @@ interface(`rpcbind_manage_lib_files',`
type rpcbind_var_lib_t;
')
- files_search_var_lib($1)
manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
+ files_search_var_lib($1)
')
########################################
##
-## Send null signals to rpcbind.
+## Send a null signal to rpcbind.
##
##
##
@@ -136,8 +134,44 @@ interface(`rpcbind_signull',`
########################################
##
-## All of the rules required to
-## administrate an rpcbind environment.
+## Transition to rpcbind named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rpcbind_filetrans_named_content',`
+ gen_require(`
+ type rpcbind_var_run_t;
+ ')
+
+ files_pid_filetrans($1, rpcbind_var_run_t, sock_file, "rpcbind.sock")
+')
+
+########################################
+##
+## Relabel from rpcbind sock file.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rpcbind_relabel_sock_file',`
+ gen_require(`
+ type rpcbind_var_run_t;
+ ')
+
+ allow $1 rpcbind_var_run_t:sock_file relabel_sock_file_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an rpcbind environment
##
##
##
@@ -146,7 +180,7 @@ interface(`rpcbind_signull',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the rpcbind domain.
##
##
##
@@ -157,17 +191,20 @@ interface(`rpcbind_admin',`
type rpcbind_initrc_exec_t;
')
- allow $1 rpcbind_t:process { ptrace signal_perms };
+ allow $1 rpcbind_t:process signal_perms;
ps_process_pattern($1, rpcbind_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rpcbind_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+ init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rpcbind_initrc_exec_t system_r;
allow $2 system_r;
- files_search_pids($1)
- admin_pattern($1, rpcbind_var_run_t)
-
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, rpcbind_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, rpcbind_var_run_t)
')
diff --git a/rpcbind.te b/rpcbind.te
index 54de77c..cb05fbf 100644
--- a/rpcbind.te
+++ b/rpcbind.te
@@ -42,7 +42,6 @@ kernel_read_system_state(rpcbind_t)
kernel_read_network_state(rpcbind_t)
kernel_request_load_module(rpcbind_t)
-corenet_all_recvfrom_unlabeled(rpcbind_t)
corenet_all_recvfrom_netlabel(rpcbind_t)
corenet_tcp_sendrecv_generic_if(rpcbind_t)
corenet_udp_sendrecv_generic_if(rpcbind_t)
@@ -68,7 +67,11 @@ auth_use_nsswitch(rpcbind_t)
logging_send_syslog_msg(rpcbind_t)
-miscfiles_read_localization(rpcbind_t)
+sysnet_dns_name_resolve(rpcbind_t)
+
+optional_policy(`
+ nis_use_ypbind(rpcbind_t)
+')
ifdef(`distro_debian',`
term_dontaudit_use_unallocated_ttys(rpcbind_t)
diff --git a/rpm.fc b/rpm.fc
index ebe91fc..576ca21 100644
--- a/rpm.fc
+++ b/rpm.fc
@@ -1,61 +1,74 @@
-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
-
-/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/anaconda-yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
-/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
-ifdef(`distro_redhat',`
-/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/aptitude -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/yum-cron -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+ifdef(`distro_redhat', `
+/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/package-cleanup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/rhnreg_ks -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
-/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/dnf(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+/var/log/up2date.* -- gen_context(system_u:object_r:rpm_log_t,s0)
-/var/lock/bcfg2\.run -- gen_context(system_u:object_r:rpm_lock_t,s0)
-/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
-/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
+/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
-/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
-/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
+# SuSE
+ifdef(`distro_suse', `
+/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
+')
ifdef(`enable_mls',`
-/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
diff --git a/rpm.if b/rpm.if
index ef3b225..064712b 100644
--- a/rpm.if
+++ b/rpm.if
@@ -1,8 +1,8 @@
-## Redhat package manager.
+## Policy for the RPM package manager.
########################################
##
-## Execute rpm in the rpm domain.
+## Execute rpm programs in the rpm domain.
##
##
##
@@ -13,16 +13,18 @@
interface(`rpm_domtrans',`
gen_require(`
type rpm_t, rpm_exec_t;
+ attribute rpm_transition_domain;
')
corecmd_search_bin($1)
domtrans_pattern($1, rpm_exec_t, rpm_t)
+ typeattribute $1 rpm_transition_domain;
+ rpm_debuginfo_domtrans($1)
')
########################################
##
-## Execute debuginfo install
-## in the rpm domain.
+## Execute debuginfo_install programs in the rpm domain.
##
##
##
@@ -41,7 +43,7 @@ interface(`rpm_debuginfo_domtrans',`
########################################
##
-## Execute rpm scripts in the rpm script domain.
+## Execute rpm_script programs in the rpm_script domain.
##
##
##
@@ -54,18 +56,16 @@ interface(`rpm_domtrans_script',`
type rpm_script_t;
')
+ # transition to rpm script:
corecmd_shell_domtrans($1, rpm_script_t)
-
allow rpm_script_t $1:fd use;
- allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
+ allow rpm_script_t $1:fifo_file rw_file_perms;
allow rpm_script_t $1:process sigchld;
')
########################################
##
-## Execute rpm in the rpm domain,
-## and allow the specified roles the
-## rpm domain.
+## Execute RPM programs in the RPM domain.
##
##
##
@@ -74,23 +74,28 @@ interface(`rpm_domtrans_script',`
##
##
##
-## Role allowed access.
+## The role to allow the RPM domain.
##
##
##
#
interface(`rpm_run',`
gen_require(`
- attribute_role rpm_roles;
+ type rpm_t, rpm_script_t;
+ attribute_role rpm_script_roles;
')
rpm_domtrans($1)
- roleattribute $2 rpm_roles;
+ roleattribute $2 rpm_script_roles;
+
+ domain_system_change_exemption($1)
+ role_transition $2 rpm_exec_t system_r;
+ allow $2 system_r;
')
########################################
##
-## Execute the rpm in the caller domain.
+## Execute the rpm client in the caller domain.
##
##
##
@@ -109,7 +114,7 @@ interface(`rpm_exec',`
########################################
##
-## Send null signals to rpm.
+## Send a null signal to rpm.
##
##
##
@@ -127,7 +132,7 @@ interface(`rpm_signull',`
########################################
##
-## Inherit and use file descriptors from rpm.
+## Inherit and use file descriptors from RPM.
##
##
##
@@ -145,7 +150,7 @@ interface(`rpm_use_fds',`
########################################
##
-## Read rpm unnamed pipes.
+## Read from an unnamed RPM pipe.
##
##
##
@@ -163,7 +168,7 @@ interface(`rpm_read_pipes',`
########################################
##
-## Read and write rpm unnamed pipes.
+## Read and write an unnamed RPM pipe.
##
##
##
@@ -181,6 +186,60 @@ interface(`rpm_rw_pipes',`
########################################
##
+## Read and write an unnamed RPM script pipe.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rpm_rw_script_inherited_pipes',`
+ gen_require(`
+ type rpm_script_tmp_t;
+ ')
+
+ allow $1 rpm_script_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`rpm_dontaudit_leaks',`
+ gen_require(`
+ type rpm_t, rpm_var_cache_t;
+ type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
+ type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
+ ')
+
+ dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 rpm_t:tcp_socket { read write };
+ dontaudit $1 rpm_t:unix_dgram_socket { read write };
+ dontaudit $1 rpm_t:shm rw_shm_perms;
+
+ dontaudit $1 rpm_script_t:fd use;
+ dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
+
+ dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;
+
+ dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+ dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_var_lib_t:dir getattr;
+ dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
## Send and receive messages from
## rpm over dbus.
##
@@ -224,7 +283,7 @@ interface(`rpm_dontaudit_dbus_chat',`
########################################
##
## Send and receive messages from
-## rpm script over dbus.
+## rpm_script over dbus.
##
##
##
@@ -244,7 +303,7 @@ interface(`rpm_script_dbus_chat',`
########################################
##
-## Search rpm log directories.
+## Search RPM log directory.
##
##
##
@@ -263,7 +322,8 @@ interface(`rpm_search_log',`
#####################################
##
-## Append rpm log files.
+## Allow the specified domain to append
+## to rpm log files.
##
##
##
@@ -276,14 +336,30 @@ interface(`rpm_append_log',`
type rpm_log_t;
')
- logging_search_logs($1)
- append_files_pattern($1, rpm_log_t, rpm_log_t)
+ allow $1 rpm_log_t:file append_inherited_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## rpm log files.
+## Create, read, write, and delete the RPM log.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rpm_read_log',`
+ gen_require(`
+ type rpm_log_t;
+ ')
+
+ read_files_pattern($1, rpm_log_t, rpm_log_t)
+')
+
+########################################
+##
+## Create, read, write, and delete the RPM log.
##
##
##
@@ -302,7 +378,25 @@ interface(`rpm_manage_log',`
########################################
##
-## Inherit and use rpm script file descriptors.
+## Create rpm logs with an correct label.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rpm_named_filetrans_log_files',`
+ gen_require(`
+ type rpm_log_t;
+ ')
+ logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
+ logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
+')
+
+########################################
+##
+## Inherit and use file descriptors from RPM scripts.
##
##
##
@@ -320,8 +414,8 @@ interface(`rpm_use_script_fds',`
########################################
##
-## Create, read, write, and delete
-## rpm script temporary files.
+## Create, read, write, and delete RPM
+## script temporary files.
##
##
##
@@ -335,12 +429,15 @@ interface(`rpm_manage_script_tmp_files',`
')
files_search_tmp($1)
+ manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+ manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
')
#####################################
##
-## Append rpm temporary files.
+## Allow the specified domain to append
+## to rpm tmp files.
##
##
##
@@ -353,14 +450,13 @@ interface(`rpm_append_tmp_files',`
type rpm_tmp_t;
')
- files_search_tmp($1)
- append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+ allow $1 rpm_tmp_t:file append_inherited_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## rpm temporary files.
+## Create, read, write, and delete RPM
+## temporary files.
##
##
##
@@ -374,12 +470,14 @@ interface(`rpm_manage_tmp_files',`
')
files_search_tmp($1)
+ manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+ manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
')
########################################
##
-## Read rpm script temporary files.
+## Read RPM script temporary files.
##
##
##
@@ -399,7 +497,7 @@ interface(`rpm_read_script_tmp_files',`
########################################
##
-## Read rpm cache content.
+## Read the RPM cache.
##
##
##
@@ -420,8 +518,7 @@ interface(`rpm_read_cache',`
########################################
##
-## Create, read, write, and delete
-## rpm cache content.
+## Create, read, write, and delete the RPM package database.
##
##
##
@@ -442,7 +539,7 @@ interface(`rpm_manage_cache',`
########################################
##
-## Read rpm lib content.
+## Read the RPM package database.
##
##
##
@@ -459,11 +556,12 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ rpm_read_cache($1)
')
########################################
##
-## Delete rpm lib files.
+## Delete the RPM package database.
##
##
##
@@ -482,8 +580,7 @@ interface(`rpm_delete_db',`
########################################
##
-## Create, read, write, and delete
-## rpm lib files.
+## Create, read, write, and delete the RPM package database.
##
##
##
@@ -503,8 +600,28 @@ interface(`rpm_manage_db',`
########################################
##
+## Do not audit attempts to create, read,the RPM package database.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`rpm_dontaudit_read_db',`
+ gen_require(`
+ type rpm_var_lib_t;
+ ')
+
+ dontaudit $1 rpm_var_lib_t:dir list_dir_perms;
+ dontaudit $1 rpm_var_lib_t:file read_file_perms;
+ dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+##
## Do not audit attempts to create, read,
-## write, and delete rpm lib content.
+## write, and delete the RPM package database.
##
##
##
@@ -517,7 +634,7 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t;
')
- dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 rpm_var_lib_t:dir manage_dir_perms;
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -543,8 +660,7 @@ interface(`rpm_read_pid_files',`
#####################################
##
-## Create, read, write, and delete
-## rpm pid files.
+## Create, read, write, and delete rpm pid files.
##
##
##
@@ -563,8 +679,7 @@ interface(`rpm_manage_pid_files',`
######################################
##
-## Create files in pid directories
-## with the rpm pid file type.
+## Create files in /var/run with the rpm pid file type.
##
##
##
@@ -573,66 +688,104 @@ interface(`rpm_manage_pid_files',`
##
#
interface(`rpm_pid_filetrans',`
- refpolicywarn(`$0($*) has been deprecated, rpm_pid_filetrans_rpm_pid() instead.')
- rpm_pid_filetrans_rpm_pid($1, file)
+ gen_require(`
+ type rpm_var_run_t;
+ ')
+
+ files_pid_filetrans($1, rpm_var_run_t, file)
')
########################################
##
-## Create specified objects in pid directories
-## with the rpm pid file type.
+## Send a null signal to rpm.
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Class of the object being created.
-##
-##
-##
+#
+interface(`rpm_inherited_fifo',`
+ gen_require(`
+ attribute rpm_transition_domain;
+ ')
+
+ allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+')
+
+
+########################################
+##
+## Make rpm_exec_t an entry point for
+## the specified domain.
+##
+##
##
-## The name of the object being created.
+## Domain allowed access.
##
##
-#
-interface(`rpm_pid_filetrans_rpm_pid',`
+#
+interface(`rpm_entry_type',`
gen_require(`
- type rpm_var_run_t;
+ type rpm_exec_t;
')
- files_pid_filetrans($1, rpm_var_run_t, $3, $4)
+ domain_entry_file($1, rpm_exec_t)
')
########################################
##
-## All of the rules required to
-## administrate an rpm environment.
+## Allow application to transition to rpm_script domain.
##
##
##
## Domain allowed access.
##
##
+#
+interface(`rpm_transition_script',`
+ gen_require(`
+ type rpm_script_t;
+ attribute rpm_transition_domain;
+ ')
+
+ typeattribute $1 rpm_transition_domain;
+ allow $1 rpm_script_t:process transition;
+
+ allow $1 rpm_script_t:fd use;
+ allow rpm_script_t $1:fd use;
+ allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
+ allow rpm_script_t $1:process sigchld;
+')
+
+#######################################
+##
+## All of the rules required to
+## administrate an rpm environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
##
-##
-## Role allowed access.
-##
+##
+## Role allowed access.
+##
##
##
#
interface(`rpm_admin',`
- gen_require(`
- type rpm_t, rpm_script_t, rpm_initrc_exec_t;
- type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
- type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
- type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
- ')
+ gen_require(`
+ type rpm_t, rpm_script_t, rpm_initrc_exec_t;
+ type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
+
+ type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
+ type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
+ ')
- allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { rpm_t rpm_script_t })
+ allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { rpm_t rpm_script_t })
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rpm.te b/rpm.te
index 6fc360e..dfa0f04 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
policy_module(rpm, 1.16.0)
+attribute rpm_transition_domain;
+attribute_role rpm_script_roles;
+roleattribute system_r rpm_script_roles;
+
########################################
#
# Declarations
#
-
-attribute_role rpm_roles;
-
-type debuginfo_exec_t;
-domain_entry_file(rpm_t, debuginfo_exec_t)
-
type rpm_t;
type rpm_exec_t;
init_system_domain(rpm_t, rpm_exec_t)
@@ -17,10 +15,10 @@ domain_obj_id_change_exemption(rpm_t)
domain_role_change_exemption(rpm_t)
domain_system_change_exemption(rpm_t)
domain_interactive_fd(rpm_t)
-role rpm_roles types rpm_t;
+role rpm_script_roles types rpm_t;
-type rpm_initrc_exec_t;
-init_script_file(rpm_initrc_exec_t)
+type debuginfo_exec_t;
+domain_entry_file(rpm_t, debuginfo_exec_t)
type rpm_file_t;
files_type(rpm_file_t)
@@ -31,9 +29,6 @@ files_tmp_file(rpm_tmp_t)
type rpm_tmpfs_t;
files_tmpfs_file(rpm_tmpfs_t)
-type rpm_lock_t;
-files_lock_file(rpm_lock_t)
-
type rpm_log_t;
logging_log_file(rpm_log_t)
@@ -56,8 +51,7 @@ corecmd_bin_entry_type(rpm_script_t)
domain_type(rpm_script_t)
domain_entry_file(rpm_t, rpm_script_exec_t)
domain_interactive_fd(rpm_script_t)
-role rpm_roles types rpm_script_t;
-role system_r types rpm_script_t;
+role rpm_script_roles types rpm_script_t;
type rpm_script_tmp_t;
files_tmp_file(rpm_script_tmp_t)
@@ -70,28 +64,34 @@ files_tmpfs_file(rpm_script_tmpfs_t)
# rpm Local policy
#
+allow rpm_t self:capability2 block_suspend;
allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms;
+allow rpm_t self:unix_dgram_socket create_socket_perms;
+allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_t self:unix_dgram_socket sendto;
-allow rpm_t self:unix_stream_socket { accept connectto listen };
-allow rpm_t self:udp_socket connect;
-allow rpm_t self:tcp_socket { accept listen };
+allow rpm_t self:unix_stream_socket connectto;
+allow rpm_t self:udp_socket { connect };
+allow rpm_t self:udp_socket create_socket_perms;
+allow rpm_t self:tcp_socket create_stream_socket_perms;
allow rpm_t self:shm create_shm_perms;
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
-allow rpm_t self:file rw_file_perms;
+allow rpm_t self:dir search;
+allow rpm_t self:file rw_file_perms;;
allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t, rpm_log_t, file)
manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
+can_exec(rpm_t, rpm_tmp_t)
manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
@@ -99,23 +99,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_t, rpm_tmpfs_t)
manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
-manage_files_pattern(rpm_t, rpm_lock_t, rpm_lock_t)
-files_lock_filetrans(rpm_t, rpm_lock_t, file)
-
-manage_dirs_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
+# Access /var/lib/rpm files
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
-files_var_lib_filetrans(rpm_t, rpm_var_lib_t, { dir file })
+files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
-files_pid_filetrans(rpm_t, rpm_var_run_t, { dir file })
-
-can_exec(rpm_t, { rpm_tmp_t rpm_tmpfs_t })
+files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir })
kernel_read_crypto_sysctls(rpm_t)
kernel_read_network_state(rpm_t)
@@ -126,41 +122,34 @@ kernel_rw_irq_sysctls(rpm_t)
corecmd_exec_all_executables(rpm_t)
-corenet_all_recvfrom_unlabeled(rpm_t)
corenet_all_recvfrom_netlabel(rpm_t)
corenet_tcp_sendrecv_generic_if(rpm_t)
+corenet_raw_sendrecv_generic_if(rpm_t)
+corenet_udp_sendrecv_generic_if(rpm_t)
corenet_tcp_sendrecv_generic_node(rpm_t)
+corenet_raw_sendrecv_generic_node(rpm_t)
+corenet_udp_sendrecv_generic_node(rpm_t)
corenet_tcp_sendrecv_all_ports(rpm_t)
-
-corenet_sendrecv_all_client_packets(rpm_t)
+corenet_udp_sendrecv_all_ports(rpm_t)
corenet_tcp_connect_all_ports(rpm_t)
+corenet_sendrecv_all_client_packets(rpm_t)
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
dev_read_raw_memory(rpm_t)
-
dev_manage_all_dev_nodes(rpm_t)
-dev_relabel_all_dev_nodes(rpm_t)
+#devices_manage_all_device_types(rpm_t)
dev_create_generic_blk_files(rpm_t)
dev_create_generic_chr_files(rpm_t)
-
-domain_read_all_domains_state(rpm_t)
-domain_getattr_all_domains(rpm_t)
-domain_use_interactive_fds(rpm_t)
-domain_dontaudit_getattr_all_pipes(rpm_t)
-domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
-domain_dontaudit_getattr_all_udp_sockets(rpm_t)
-domain_dontaudit_getattr_all_packet_sockets(rpm_t)
-domain_dontaudit_getattr_all_raw_sockets(rpm_t)
-domain_dontaudit_getattr_all_stream_sockets(rpm_t)
-domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
-domain_signull_all_domains(rpm_t)
-
-files_exec_etc_files(rpm_t)
-files_relabel_non_auth_files(rpm_t)
-files_manage_non_auth_files(rpm_t)
+dev_delete_all_blk_files(rpm_t)
+dev_delete_all_chr_files(rpm_t)
+dev_relabel_all_dev_nodes(rpm_t)
+dev_rename_generic_blk_files(rpm_t)
+dev_rename_generic_chr_files(rpm_t)
+dev_setattr_all_blk_files(rpm_t)
+dev_setattr_all_chr_files(rpm_t)
fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t)
@@ -183,29 +172,49 @@ selinux_compute_relabel_context(rpm_t)
selinux_compute_user_contexts(rpm_t)
storage_raw_write_fixed_disk(rpm_t)
+# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
term_list_ptys(rpm_t)
+files_relabel_all_files(rpm_t)
+files_manage_all_files(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
auth_use_nsswitch(rpm_t)
+# transition to rpm script:
rpm_domtrans_script(rpm_t)
+domain_read_all_domains_state(rpm_t)
+domain_getattr_all_domains(rpm_t)
+domain_use_interactive_fds(rpm_t)
+domain_dontaudit_getattr_all_pipes(rpm_t)
+domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
+domain_dontaudit_getattr_all_udp_sockets(rpm_t)
+domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+domain_dontaudit_getattr_all_raw_sockets(rpm_t)
+domain_dontaudit_getattr_all_stream_sockets(rpm_t)
+domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
+domain_signull_all_domains(rpm_t)
+
+files_exec_etc_files(rpm_t)
+
init_domtrans_script(rpm_t)
init_use_script_ptys(rpm_t)
init_signull_script(rpm_t)
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
-libs_run_ldconfig(rpm_t, rpm_roles)
logging_send_syslog_msg(rpm_t)
+miscfiles_filetrans_named_content(rpm_t)
+
+# allow compiling and loading new policy
seutil_manage_src_policy(rpm_t)
seutil_manage_bin_policy(rpm_t)
-userdom_use_user_terminals(rpm_t)
+userdom_use_inherited_user_terminals(rpm_t)
userdom_use_unpriv_users_fds(rpm_t)
optional_policy(`
@@ -224,13 +233,17 @@ optional_policy(`
networkmanager_dbus_chat(rpm_t)
')
- optional_policy(`
- unconfined_dbus_chat(rpm_t)
- ')
')
optional_policy(`
- prelink_run(rpm_t, rpm_roles)
+ prelink_domtrans(rpm_t)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(rpm_t)
+ # yum-updatesd requires this
+ unconfined_dbus_chat(rpm_t)
+ unconfined_dbus_chat(rpm_script_t)
')
########################################
@@ -239,18 +252,20 @@ optional_policy(`
#
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
+
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
+allow rpm_script_t self:unix_dgram_socket create_socket_perms;
+allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_script_t self:unix_dgram_socket sendto;
-allow rpm_script_t self:unix_stream_socket { accept connectto listen };
+allow rpm_script_t self:unix_stream_socket connectto;
allow rpm_script_t self:shm create_shm_perms;
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
-
-allow rpm_script_t rpm_t:netlink_route_socket { read write };
+allow rpm_script_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
allow rpm_script_t rpm_tmp_t:file read_file_perms;
@@ -267,8 +282,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
-can_exec(rpm_script_t, { rpm_script_tmp_t rpm_script_tmpfs_t })
+allow rpm_script_t rpm_t:netlink_route_socket { read write };
kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
@@ -277,45 +293,27 @@ kernel_read_network_state(rpm_script_t)
kernel_list_all_proc(rpm_script_t)
kernel_read_software_raid_state(rpm_script_t)
-corenet_all_recvfrom_unlabeled(rpm_script_t)
-corenet_all_recvfrom_netlabel(rpm_script_t)
-corenet_tcp_sendrecv_generic_if(rpm_script_t)
-corenet_tcp_sendrecv_generic_node(rpm_script_t)
-
-corenet_sendrecv_http_client_packets(rpm_script_t)
+# needed by rhn_check
corenet_tcp_connect_http_port(rpm_script_t)
-corenet_tcp_sendrecv_http_port(rpm_script_t)
-
-corecmd_exec_all_executables(rpm_script_t)
dev_list_sysfs(rpm_script_t)
+
+# ideally we would not need this
dev_manage_generic_blk_files(rpm_script_t)
dev_manage_generic_chr_files(rpm_script_t)
dev_manage_all_blk_files(rpm_script_t)
dev_manage_all_chr_files(rpm_script_t)
-domain_read_all_domains_state(rpm_script_t)
-domain_getattr_all_domains(rpm_script_t)
-domain_use_interactive_fds(rpm_script_t)
-domain_signal_all_domains(rpm_script_t)
-domain_signull_all_domains(rpm_script_t)
-
-files_exec_etc_files(rpm_script_t)
-files_exec_usr_files(rpm_script_t)
-files_manage_non_auth_files(rpm_script_t)
-files_relabel_non_auth_files(rpm_script_t)
-
fs_manage_nfs_files(rpm_script_t)
fs_getattr_nfs(rpm_script_t)
fs_search_all(rpm_script_t)
fs_getattr_all_fs(rpm_script_t)
+# why is this not using mount?
fs_getattr_xattr_fs(rpm_script_t)
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
fs_search_auto_mountpoints(rpm_script_t)
-mcs_killall(rpm_script_t)
-
mls_file_read_all_levels(rpm_script_t)
mls_file_write_all_levels(rpm_script_t)
@@ -331,30 +329,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
-term_use_all_terms(rpm_script_t)
+term_use_all_inherited_terms(rpm_script_t)
auth_dontaudit_getattr_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
+corecmd_exec_all_executables(rpm_script_t)
+can_exec(rpm_script_t, rpm_script_tmp_t)
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
+
+domain_read_all_domains_state(rpm_script_t)
+domain_getattr_all_domains(rpm_script_t)
+domain_use_interactive_fds(rpm_script_t)
+domain_signal_all_domains(rpm_script_t)
+domain_signull_all_domains(rpm_script_t)
+
+# ideally we would not need this
+files_manage_all_files(rpm_script_t)
+files_exec_etc_files(rpm_script_t)
+files_read_etc_runtime_files(rpm_script_t)
+files_exec_usr_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
+
init_domtrans_script(rpm_script_t)
init_telinit(rpm_script_t)
+systemd_config_all_services(rpm_script_t)
+
libs_exec_ld_so(rpm_script_t)
libs_exec_lib_files(rpm_script_t)
-libs_run_ldconfig(rpm_script_t, rpm_roles)
+libs_ldconfig_exec_entry_type(rpm_script_t)
logging_send_syslog_msg(rpm_script_t)
-miscfiles_read_localization(rpm_script_t)
-
-modutils_run_depmod(rpm_script_t, rpm_roles)
-modutils_run_insmod(rpm_script_t, rpm_roles)
+miscfiles_filetrans_named_content(rpm_script_t)
-seutil_run_loadpolicy(rpm_script_t, rpm_roles)
-seutil_run_setfiles(rpm_script_t, rpm_roles)
-seutil_run_semanage(rpm_script_t, rpm_roles)
+seutil_run_loadpolicy(rpm_script_t, rpm_script_roles)
+seutil_run_setfiles(rpm_script_t, rpm_script_roles)
+seutil_run_semanage(rpm_script_t, rpm_script_roles)
+seutil_run_setsebool(rpm_script_t, rpm_script_roles)
userdom_use_all_users_fds(rpm_script_t)
+userdom_exec_admin_home_files(rpm_script_t)
ifdef(`distro_redhat',`
optional_policy(`
@@ -363,41 +379,61 @@ ifdef(`distro_redhat',`
')
')
-tunable_policy(`allow_execmem',`
+tunable_policy(`deny_execmem',`',`
allow rpm_script_t self:process execmem;
')
optional_policy(`
- bootloader_run(rpm_script_t, rpm_roles)
+ bootloader_run(rpm_script_t, rpm_script_roles)
+')
+
+optional_policy(`
+ certmonger_dbus_chat(rpm_script_t)
+')
+
+optional_policy(`
+ cups_filetrans_named_content(rpm_script_t)
')
optional_policy(`
dbus_system_bus_client(rpm_script_t)
- optional_policy(`
- unconfined_dbus_chat(rpm_script_t)
- ')
+ optional_policy(`
+ systemd_dbus_chat_logind(rpm_script_t)
+ ')
+')
+
+optional_policy(`
+ lvm_domtrans(rpm_script_t, rpm_script_roles)
+')
+
+optional_policy(`
+ ntp_run(rpm_script_t, rpm_script_roles)
')
optional_policy(`
- lvm_run(rpm_script_t, rpm_roles)
+ modutils_run_depmod(rpm_script_t, rpm_script_roles)
+ modutils_run_insmod(rpm_script_t, rpm_script_roles)
')
optional_policy(`
- ntp_domtrans(rpm_script_t)
+ openshift_initrc_run(rpm_script_t, rpm_script_roles)
')
optional_policy(`
- tzdata_run(rpm_t, rpm_roles)
- tzdata_run(rpm_script_t, rpm_roles)
+ tzdata_domtrans(rpm_t)
+ tzdata_run(rpm_script_t, rpm_script_roles)
')
optional_policy(`
- udev_domtrans(rpm_script_t)
+ udev_run(rpm_script_t, rpm_script_roles)
')
optional_policy(`
+ unconfined_domain_noaudit(rpm_script_t)
unconfined_domtrans(rpm_script_t)
+ domain_named_filetrans(rpm_script_t)
+
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
@@ -409,6 +445,6 @@ optional_policy(`
')
optional_policy(`
- usermanage_run_groupadd(rpm_script_t, rpm_roles)
- usermanage_run_useradd(rpm_script_t, rpm_roles)
+ usermanage_run_groupadd(rpm_script_t, rpm_script_roles)
+ usermanage_run_useradd(rpm_script_t, rpm_script_roles)
')
diff --git a/rshd.fc b/rshd.fc
index 9ad0d58..6a4db03 100644
--- a/rshd.fc
+++ b/rshd.fc
@@ -1,3 +1,4 @@
+
/usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
/usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0)
diff --git a/rshd.if b/rshd.if
index 7ad29c0..2e87d76 100644
--- a/rshd.if
+++ b/rshd.if
@@ -2,7 +2,7 @@
########################################
##
-## Execute rshd in the rshd domain.
+## Domain transition to rshd.
##
##
##
@@ -15,6 +15,7 @@ interface(`rshd_domtrans',`
type rshd_exec_t, rshd_t;
')
+ files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, rshd_exec_t, rshd_t)
')
diff --git a/rshd.te b/rshd.te
index 864e089..925203c 100644
--- a/rshd.te
+++ b/rshd.te
@@ -4,11 +4,12 @@ policy_module(rshd, 1.8.1)
#
# Declarations
#
-
type rshd_t;
type rshd_exec_t;
-auth_login_pgm_domain(rshd_t)
inetd_tcp_service_domain(rshd_t, rshd_exec_t)
+domain_subj_id_change_exemption(rshd_t)
+domain_role_change_exemption(rshd_t)
+role system_r types rshd_t;
type rshd_keytab_t;
files_type(rshd_keytab_t)
@@ -17,9 +18,8 @@ files_type(rshd_keytab_t)
#
# Local policy
#
-
allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
-allow rshd_t self:process { signal_perms setsched setpgid setexec };
+allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
allow rshd_t self:fifo_file rw_fifo_file_perms;
allow rshd_t self:tcp_socket create_stream_socket_perms;
@@ -27,41 +27,56 @@ allow rshd_t rshd_keytab_t:file read_file_perms;
kernel_read_kernel_sysctls(rshd_t)
-corenet_all_recvfrom_unlabeled(rshd_t)
corenet_all_recvfrom_netlabel(rshd_t)
corenet_tcp_sendrecv_generic_if(rshd_t)
+corenet_udp_sendrecv_generic_if(rshd_t)
corenet_tcp_sendrecv_generic_node(rshd_t)
+corenet_udp_sendrecv_generic_node(rshd_t)
corenet_tcp_sendrecv_all_ports(rshd_t)
+corenet_udp_sendrecv_all_ports(rshd_t)
corenet_tcp_bind_generic_node(rshd_t)
-
-corenet_sendrecv_all_server_packets(rshd_t)
corenet_tcp_bind_rsh_port(rshd_t)
corenet_tcp_bind_all_rpc_ports(rshd_t)
corenet_tcp_connect_all_ports(rshd_t)
corenet_tcp_connect_all_rpc_ports(rshd_t)
+corenet_sendrecv_rsh_server_packets(rshd_t)
+
+dev_read_urand(rshd_t)
+
+domain_interactive_fd(rshd_t)
+
+selinux_get_fs_mount(rshd_t)
+selinux_validate_context(rshd_t)
+selinux_compute_access_vector(rshd_t)
+selinux_compute_create_context(rshd_t)
+selinux_compute_relabel_context(rshd_t)
+selinux_compute_user_contexts(rshd_t)
corecmd_read_bin_symlinks(rshd_t)
files_list_home(rshd_t)
+files_search_tmp(rshd_t)
+
+auth_login_pgm_domain(rshd_t)
+auth_write_login_records(rshd_t)
+init_rw_utmp(rshd_t)
+
+logging_send_syslog_msg(rshd_t)
logging_search_logs(rshd_t)
-miscfiles_read_localization(rshd_t)
+seutil_read_config(rshd_t)
+seutil_read_default_contexts(rshd_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(rshd_t)
- fs_read_nfs_symlinks(rshd_t)
-')
+userdom_search_user_home_content(rshd_t)
+userdom_manage_tmp_role(system_r, rshd_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(rshd_t)
- fs_read_cifs_symlinks(rshd_t)
-')
+userdom_home_reader(rshd_t)
optional_policy(`
kerberos_manage_host_rcache(rshd_t)
kerberos_read_keytab(rshd_t)
- kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(rshd_t, "host_0")
kerberos_use(rshd_t)
')
diff --git a/rssh.te b/rssh.te
index 5c5465f..6005932 100644
--- a/rssh.te
+++ b/rssh.te
@@ -60,18 +60,14 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
kernel_read_system_state(rssh_t)
kernel_read_kernel_sysctls(rssh_t)
-files_read_etc_files(rssh_t)
files_read_etc_runtime_files(rssh_t)
files_list_home(rssh_t)
-files_read_usr_files(rssh_t)
files_list_var(rssh_t)
fs_search_auto_mountpoints(rssh_t)
logging_send_syslog_msg(rssh_t)
-miscfiles_read_localization(rssh_t)
-
rssh_domtrans_chroot_helper(rssh_t)
ssh_rw_tcp_sockets(rssh_t)
@@ -95,5 +91,3 @@ domain_use_interactive_fds(rssh_chroot_helper_t)
auth_use_nsswitch(rssh_chroot_helper_t)
logging_send_syslog_msg(rssh_chroot_helper_t)
-
-miscfiles_read_localization(rssh_chroot_helper_t)
diff --git a/rsync.fc b/rsync.fc
index d25301b..f3eeec7 100644
--- a/rsync.fc
+++ b/rsync.fc
@@ -1,7 +1,8 @@
/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
-/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
+/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
-/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0)
+/var/log/rsync.* gen_context(system_u:object_r:rsync_log_t,s0)
/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
+/var/run/swift_server\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
diff --git a/rsync.if b/rsync.if
index f1140ef..642e062 100644
--- a/rsync.if
+++ b/rsync.if
@@ -1,16 +1,32 @@
-## Fast incremental file transfer for synchronization.
+## Fast incremental file transfer for synchronization
+
+#######################################
+##
+## Sendmail stub interface. No access allowed.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rsync_stub',`
+ gen_require(`
+ type rsync_t;
+ ')
+')
########################################
##
-## Make rsync executable file an
-## entry point for the specified domain.
+## Make rsync an entry point for
+## the specified domain.
##
##
##
-## The domain for which rsync_exec_t is an entrypoint.
+## The domain for which init scripts are an entrypoint.
##
##
-#
+# cjp: added for portage
interface(`rsync_entry_type',`
gen_require(`
type rsync_exec_t;
@@ -43,14 +59,13 @@ interface(`rsync_entry_type',`
## Domain to transition to.
##
##
-#
+# cjp: added for portage
interface(`rsync_entry_spec_domtrans',`
gen_require(`
type rsync_exec_t;
')
- corecmd_search_bin($1)
- auto_trans($1, rsync_exec_t, $2)
+ domain_trans($1, rsync_exec_t, $2)
')
########################################
@@ -77,82 +92,56 @@ interface(`rsync_entry_spec_domtrans',`
## Domain to transition to.
##
##
-#
+# cjp: added for portage
interface(`rsync_entry_domtrans',`
gen_require(`
type rsync_exec_t;
')
- corecmd_search_bin($1)
domain_auto_trans($1, rsync_exec_t, $2)
')
########################################
##
-## Execute the rsync program in the rsync domain.
+## Execute rsync in the caller domain domain.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
+##
#
-interface(`rsync_domtrans',`
+interface(`rsync_exec',`
gen_require(`
- type rsync_t, rsync_exec_t;
+ type rsync_exec_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, rsync_exec_t, rsync_t)
+ can_exec($1, rsync_exec_t)
')
########################################
##
-## Execute rsync in the rsync domain, and
-## allow the specified role the rsync domain.
+## Read rsync config files.
##
##
-##
-## Domain allowed to transition.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-#
-interface(`rsync_run',`
- gen_require(`
- attribute_role rsync_roles;
- ')
-
- rsync_domtrans($1)
- roleattribute $2 rsync_roles;
-')
-
-########################################
##
-## Execute rsync in the caller domain.
-##
-##
-##
## Domain allowed access.
-##
+##
##
#
-interface(`rsync_exec',`
+interface(`rsync_read_config',`
gen_require(`
- type rsync_exec_t;
+ type rsync_etc_t;
')
- corecmd_search_bin($1)
- can_exec($1, rsync_exec_t)
+ read_files_pattern($1, rsync_etc_t, rsync_etc_t)
+ files_search_etc($1)
')
########################################
##
-## Read rsync config files.
+## Read rsync data files.
##
##
##
@@ -160,23 +149,23 @@ interface(`rsync_exec',`
##
##
#
-interface(`rsync_read_config',`
+interface(`rsync_read_data',`
gen_require(`
- type rsync_etc_t;
+ type rsync_data_t;
')
- files_search_etc($1)
- allow $1 rsync_etc_t:file read_file_perms;
+ read_files_pattern($1, rsync_data_t, rsync_data_t)
')
+
########################################
##
-## Write rsync config files.
+## Write to rsync config files.
##
##
-##
+##
## Domain allowed access.
-##
+##
##
#
interface(`rsync_write_config',`
@@ -184,14 +173,13 @@ interface(`rsync_write_config',`
type rsync_etc_t;
')
+ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
files_search_etc($1)
- allow $1 rsync_etc_t:file write_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## rsync config files.
+## Manage rsync config files.
##
##
##
@@ -199,18 +187,18 @@ interface(`rsync_write_config',`
##
##
#
-interface(`rsync_manage_config_files',`
+interface(`rsync_manage_config',`
gen_require(`
type rsync_etc_t;
')
- files_search_etc($1)
manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
+ files_search_etc($1)
')
########################################
##
-## Create specified objects in etc directories
+## Create objects in etc directories
## with rsync etc type.
##
##
@@ -239,43 +227,21 @@ interface(`rsync_etc_filetrans_config',`
########################################
##
-## All of the rules required to
-## administrate an rsync environment.
+## Transition to rsync named content
##
##
##
-## Domain allowed access.
-##
-##
-##
-##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
-interface(`rsync_admin',`
+interface(`rsync_filetrans_named_content',`
gen_require(`
- type rsync_t, rsync_etc_t, rsync_data_t;
- type rsync_log_t, rsync_tmp_t. rsync_var_run_t;
+ type rsync_etc_t;
+ type rsync_var_run_t;
')
- allow $1 rsync_t:process { ptrace signal_perms };
- ps_process_pattern($1, rsync_t)
-
- files_search_etc($1)
- admin_pattern($1, rsync_etc_t)
-
- admin_pattern($1, rsync_data_t)
-
- logging_search_logs($1)
- admin_pattern($1, rsync_log_t)
-
- files_search_tmp($1)
- admin_pattern($1, rsync_tmp_t)
-
- files_search_pids($1)
- admin_pattern($1, rsync_var_run_t)
-
- rsync_run($1, $2)
+ files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.cond")
+ files_pid_filetrans($1, rsync_var_run_t, file, "swift_server.lock")
+ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
')
diff --git a/rsync.te b/rsync.te
index abeb302..382a1bf 100644
--- a/rsync.te
+++ b/rsync.te
@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0)
#
##
-##
-## Determine whether rsync can use
-## cifs file systems.
-##
+##
+## Allow rsync to run as a client
+##
##
-gen_tunable(rsync_use_cifs, false)
+gen_tunable(rsync_client, false)
##
-##
-## Determine whether rsync can
-## use fuse file systems.
-##
+##
+## Allow rsync to export any files/directories read only.
+##
##
-gen_tunable(rsync_use_fusefs, false)
+gen_tunable(rsync_export_all_ro, false)
##
-##
-## Determine whether rsync can use
-## nfs file systems.
-##
+##
+## Allow rsync to modify public files
+## used for public file transfer services. Files/Directories must be
+## labeled public_content_rw_t.
+##
##
-gen_tunable(rsync_use_nfs, false)
+gen_tunable(rsync_anon_write, false)
##
##
-## Determine whether rsync can
-## run as a client
+## Allow rsync server to manage all files/directories on the system.
##
##
-gen_tunable(rsync_client, false)
+gen_tunable(rsync_full_access, false)
-##
-##
-## Determine whether rsync can
-## export all content read only.
-##
-##
-gen_tunable(rsync_export_all_ro, false)
-
-##
-##
-## Determine whether rsync can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-##
-##
-gen_tunable(allow_rsync_anon_write, false)
-
-attribute_role rsync_roles;
type rsync_t;
type rsync_exec_t;
-init_daemon_domain(rsync_t, rsync_exec_t)
-application_domain(rsync_t, rsync_exec_t)
-role rsync_roles types rsync_t;
+application_executable_file(rsync_exec_t)
+role system_r types rsync_t;
type rsync_etc_t;
files_config_file(rsync_etc_t)
-type rsync_data_t; # customizable
+type rsync_data_t;
files_type(rsync_data_t)
type rsync_log_t;
@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t)
allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
-allow rsync_t self:tcp_socket { accept listen };
+allow rsync_t self:tcp_socket create_stream_socket_perms;
+allow rsync_t self:udp_socket connected_socket_perms;
+
+# for identd
+# cjp: this should probably only be inetd_child_t rules?
+# search home and kerberos also.
+allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+#end for identd
-allow rsync_t rsync_etc_t:file read_file_perms;
+read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
allow rsync_t rsync_data_t:dir list_dir_perms;
-allow rsync_t rsync_data_t:file read_file_perms;
-allow rsync_t rsync_data_t:lnk_file read_lnk_file_perms;
+read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+allow rsync_t rsync_data_t:dir_file_class_set getattr;
+allow rsync_t rsync_data_t:socket_class_set getattr;
+allow rsync_t rsync_data_t:sock_file setattr;
-allow rsync_t rsync_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
logging_log_filetrans(rsync_t, rsync_log_t, file)
manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
-corenet_all_recvfrom_unlabeled(rsync_t)
corenet_all_recvfrom_netlabel(rsync_t)
corenet_tcp_sendrecv_generic_if(rsync_t)
+corenet_udp_sendrecv_generic_if(rsync_t)
corenet_tcp_sendrecv_generic_node(rsync_t)
+corenet_udp_sendrecv_generic_node(rsync_t)
+corenet_tcp_sendrecv_all_ports(rsync_t)
+corenet_udp_sendrecv_all_ports(rsync_t)
corenet_tcp_bind_generic_node(rsync_t)
-
-corenet_sendrecv_rsync_server_packets(rsync_t)
corenet_tcp_bind_rsync_port(rsync_t)
-corenet_tcp_sendrecv_rsync_port(rsync_t)
+corenet_sendrecv_rsync_server_packets(rsync_t)
dev_read_urand(rsync_t)
-fs_getattr_all_fs(rsync_t)
+fs_getattr_xattr_fs(rsync_t)
fs_search_auto_mountpoints(rsync_t)
files_search_home(rsync_t)
-auth_can_read_shadow_passwords(rsync_t)
auth_use_nsswitch(rsync_t)
logging_send_syslog_msg(rsync_t)
-miscfiles_read_localization(rsync_t)
miscfiles_read_public_files(rsync_t)
-tunable_policy(`allow_rsync_anon_write',`
- miscfiles_manage_public_files(rsync_t)
+userdom_home_manager(rsync_t)
+
+optional_policy(`
+ daemontools_service_domain(rsync_t, rsync_exec_t)
')
-tunable_policy(`rsync_client',`
- corenet_sendrecv_rsync_client_packets(rsync_t)
- corenet_tcp_connect_rsync_port(rsync_t)
+optional_policy(`
+ kerberos_use(rsync_t)
+')
- corenet_sendrecv_ssh_client_packets(rsync_t)
- corenet_tcp_connect_ssh_port(rsync_t)
- corenet_tcp_sendrecv_ssh_port(rsync_t)
+optional_policy(`
+ inetd_service_domain(rsync_t, rsync_exec_t)
+')
- manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
- manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
- manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+tunable_policy(`rsync_anon_write',`
+ miscfiles_manage_public_files(rsync_t)
+')
+
+tunable_policy(`rsync_full_access',`
+ allow rsync_t self:capability { dac_override dac_read_search };
+ files_manage_non_security_dirs(rsync_t)
+ files_manage_non_security_files(rsync_t)
+ #files_relabel_non_security_files(rsync_t)
')
tunable_policy(`rsync_export_all_ro',`
- fs_read_noxattr_fs_files(rsync_t)
+ files_getattr_all_pipes(rsync_t)
+ fs_read_noxattr_fs_files(rsync_t)
fs_read_nfs_files(rsync_t)
- fs_read_fusefs_files(rsync_t)
fs_read_cifs_files(rsync_t)
- files_list_non_auth_dirs(rsync_t)
- files_read_non_auth_files(rsync_t)
- files_read_non_auth_symlinks(rsync_t)
+ files_read_non_security_files(rsync_t)
auth_tunable_read_shadow(rsync_t)
')
-tunable_policy(`rsync_use_cifs',`
- fs_list_cifs(rsync_t)
- fs_read_cifs_files(rsync_t)
- fs_read_cifs_symlinks(rsync_t)
-')
-
-tunable_policy(`rsync_use_fusefs',`
- fs_search_fusefs(rsync_t)
- fs_read_fusefs_files(rsync_t)
- fs_read_fusefs_symlinks(rsync_t)
-')
-
-tunable_policy(`rsync_use_nfs',`
- fs_list_nfs(rsync_t)
- fs_read_nfs_files(rsync_t)
- fs_read_nfs_symlinks(rsync_t)
+tunable_policy(`rsync_client',`
+ corenet_tcp_connect_rsync_port(rsync_t)
+ corenet_tcp_connect_ssh_port(rsync_t)
+ manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
+ manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+ manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
')
optional_policy(`
tunable_policy(`rsync_client',`
- ssh_exec(rsync_t)
+ ssh_exec(rsync_t)
')
')
-optional_policy(`
- daemontools_service_domain(rsync_t, rsync_exec_t)
-')
-
-optional_policy(`
- kerberos_use(rsync_t)
-')
+auth_can_read_shadow_passwords(rsync_t)
optional_policy(`
- inetd_service_domain(rsync_t, rsync_exec_t)
+ swift_manage_data_files(rsync_t)
')
diff --git a/rtas.fc b/rtas.fc
new file mode 100644
index 0000000..25d96cb
--- /dev/null
+++ b/rtas.fc
@@ -0,0 +1,13 @@
+/usr/lib/systemd/system/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_unit_file_t,s0)
+
+/usr/sbin/rtas_errd -- gen_context(system_u:object_r:rtas_errd_exec_t,s0)
+
+/var/lock/subsys/rtas_errd -- gen_context(system_u:object_r:rtas_errd_var_lock_t)
+/var/lock/.*librtas -- gen_context(system_u:object_r:rtas_errd_var_lock_t)
+
+/var/log/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_log_t)
+/var/log/platform -- gen_context(system_u:object_r:rtas_errd_log_t)
+/var/log/epow_status -- gen_context(system_u:object_r:rtas_errd_log_t)
+
+/var/run/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_var_run_t,s0)
+
diff --git a/rtas.if b/rtas.if
new file mode 100644
index 0000000..0ec3302
--- /dev/null
+++ b/rtas.if
@@ -0,0 +1,162 @@
+
+## Platform diagnostics report firmware events.
+
+########################################
+##
+## Execute rtas_errd in the rtas_errd domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rtas_errd_domtrans',`
+ gen_require(`
+ type rtas_errd_t, rtas_errd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rtas_errd_exec_t, rtas_errd_t)
+')
+
+########################################
+##
+## Read rtas_errd's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`rtas_errd_read_log',`
+ gen_require(`
+ type rtas_errd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
+')
+
+########################################
+##
+## Append to rtas_errd log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rtas_errd_append_log',`
+ gen_require(`
+ type rtas_errd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
+')
+
+########################################
+##
+## Manage rtas_errd log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rtas_errd_manage_log',`
+ gen_require(`
+ type rtas_errd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
+ manage_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
+ manage_lnk_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
+')
+
+########################################
+##
+## Read rtas_errd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rtas_errd_read_pid_files',`
+ gen_require(`
+ type rtas_errd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, rtas_errd_var_run_t, rtas_errd_var_run_t)
+')
+
+########################################
+##
+## Execute rtas_errd server in the rtas_errd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rtas_errd_systemctl',`
+ gen_require(`
+ type rtas_errd_t;
+ type rtas_errd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 rtas_errd_unit_file_t:file read_file_perms;
+ allow $1 rtas_errd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, rtas_errd_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an rtas_errd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rtas_errd_admin',`
+ gen_require(`
+ type rtas_errd_t;
+ type rtas_errd_log_t, rtas_errd_var_run_t;
+ type rtas_errd_unit_file_t;
+ ')
+
+ allow $1 rtas_errd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rtas_errd_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, rtas_errd_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, rtas_errd_var_run_t)
+
+ rtas_errd_systemctl($1)
+ admin_pattern($1, rtas_errd_unit_file_t)
+ allow $1 rtas_errd_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/rtas.te b/rtas.te
new file mode 100644
index 0000000..4e6663f
--- /dev/null
+++ b/rtas.te
@@ -0,0 +1,60 @@
+policy_module(rtas, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rtas_errd_t;
+type rtas_errd_exec_t;
+init_daemon_domain(rtas_errd_t, rtas_errd_exec_t)
+
+type rtas_errd_log_t;
+logging_log_file(rtas_errd_log_t)
+
+type rtas_errd_var_run_t;
+files_pid_file(rtas_errd_var_run_t)
+
+type rtas_errd_var_lock_t;
+files_lock_file(rtas_errd_var_lock_t)
+
+type rtas_errd_unit_file_t;
+systemd_unit_file(rtas_errd_unit_file_t)
+
+########################################
+#
+# rtas_errd local policy
+#
+
+allow rtas_errd_t self:capability sys_admin;
+allow rtas_errd_t self:process fork;
+allow rtas_errd_t self:fifo_file rw_fifo_file_perms;
+allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
+manage_files_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
+manage_lnk_files_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
+logging_log_filetrans(rtas_errd_t, rtas_errd_log_t, { dir file lnk_file })
+
+manage_files_pattern(rtas_errd_t,rtas_errd_var_lock_t,rtas_errd_var_lock_t)
+manage_lnk_files_pattern(rtas_errd_t,rtas_errd_var_lock_t,rtas_errd_var_lock_t)
+files_lock_filetrans(rtas_errd_t,rtas_errd_var_lock_t, { dir file } )
+
+manage_dirs_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
+manage_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
+manage_lnk_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
+files_pid_filetrans(rtas_errd_t, rtas_errd_var_run_t, { dir file lnk_file })
+
+kernel_read_system_state(rtas_errd_t)
+
+auth_use_nsswitch(rtas_errd_t)
+
+corecmd_exec_bin(rtas_errd_t)
+
+dev_read_raw_memory(rtas_errd_t)
+dev_write_raw_memory(rtas_errd_t)
+
+files_manage_system_db_files(rtas_errd_t)
+
+logging_read_generic_logs(rtas_errd_t)
+
diff --git a/rtkit.if b/rtkit.if
index e904ec4..e0dd20e 100644
--- a/rtkit.if
+++ b/rtkit.if
@@ -15,7 +15,6 @@ interface(`rtkit_daemon_domtrans',`
type rtkit_daemon_t, rtkit_daemon_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t)
')
@@ -42,56 +41,47 @@ interface(`rtkit_daemon_dbus_chat',`
########################################
##
-## Allow rtkit to control scheduling for your process.
+## Do not audit send and receive messages from
+## rtkit_daemon over dbus.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`rtkit_scheduled',`
+interface(`rtkit_daemon_dontaudit_dbus_chat',`
gen_require(`
type rtkit_daemon_t;
+ class dbus send_msg;
')
- allow rtkit_daemon_t $1:process { getsched setsched };
-
- kernel_search_proc($1)
- ps_process_pattern(rtkit_daemon_t, $1)
-
- optional_policy(`
- rtkit_daemon_dbus_chat($1)
- ')
+ dontaudit $1 rtkit_daemon_t:dbus send_msg;
+ dontaudit rtkit_daemon_t $1:dbus send_msg;
+ dontaudit rtkit_daemon_t $1:process { getsched setsched };
')
########################################
##
-## All of the rules required to
-## administrate an rtkit environment.
+## Allow rtkit to control scheduling for your process
##
##
##
## Domain allowed access.
##
##
-##
-##
-## Role allowed access.
-##
-##
-##
#
-interface(`rtkit_admin',`
+interface(`rtkit_scheduled',`
gen_require(`
- type rtkit_daemon_t, rtkit_daemon_initrc_exec_t;
+ type rtkit_daemon_t;
')
- allow $1 rtkit_daemon_t:process { ptrace signal_perms };
- ps_process_pattern($1, rtkit_daemon_t)
+ allow rtkit_daemon_t $1:process { getsched setsched };
+
+ kernel_search_proc($1)
+ ps_process_pattern(rtkit_daemon_t, $1)
- init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rtkit_daemon_initrc_exec_t system_r;
- allow $2 system_r;
+ optional_policy(`
+ rtkit_daemon_dbus_chat($1)
+ ')
')
diff --git a/rtkit.te b/rtkit.te
index 7eea21f..7140646 100644
--- a/rtkit.te
+++ b/rtkit.te
@@ -31,8 +31,6 @@ auth_use_nsswitch(rtkit_daemon_t)
logging_send_syslog_msg(rtkit_daemon_t)
-miscfiles_read_localization(rtkit_daemon_t)
-
optional_policy(`
dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
diff --git a/rwho.if b/rwho.if
index 0360ff0..e6cb34f 100644
--- a/rwho.if
+++ b/rwho.if
@@ -139,8 +139,11 @@ interface(`rwho_admin',`
type rwho_initrc_exec_t;
')
- allow $1 rwho_t:process { ptrace signal_perms };
+ allow $1 rwho_t:process signal_perms;
ps_process_pattern($1, rwho_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rwho_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, rwho_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rwho.te b/rwho.te
index 7fb75f4..27f5e22 100644
--- a/rwho.te
+++ b/rwho.te
@@ -16,7 +16,7 @@ type rwho_log_t;
files_type(rwho_log_t)
type rwho_spool_t;
-files_type(rwho_spool_t)
+files_spool_file(rwho_spool_t)
########################################
#
@@ -38,7 +38,6 @@ files_spool_filetrans(rwho_t, rwho_spool_t, { file dir })
kernel_read_system_state(rwho_t)
-corenet_all_recvfrom_unlabeled(rwho_t)
corenet_all_recvfrom_netlabel(rwho_t)
corenet_udp_sendrecv_generic_if(rwho_t)
corenet_udp_sendrecv_generic_node(rwho_t)
@@ -50,15 +49,13 @@ corenet_udp_sendrecv_rwho_port(rwho_t)
domain_use_interactive_fds(rwho_t)
-files_read_etc_files(rwho_t)
init_read_utmp(rwho_t)
init_dontaudit_write_utmp(rwho_t)
logging_send_syslog_msg(rwho_t)
-miscfiles_read_localization(rwho_t)
-
sysnet_dns_name_resolve(rwho_t)
-# userdom_getattr_user_terminals(rwho_t)
+userdom_getattr_user_terminals(rwho_t)
+
diff --git a/samba.fc b/samba.fc
index b8b66ff..2ccac49 100644
--- a/samba.fc
+++ b/samba.fc
@@ -1,42 +1,54 @@
-/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+
+#
+# /etc
+#
+/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
-/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0)
-/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
-/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
-/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
-/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
+#
+# /usr
+#
+/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
-/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
-/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
-/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
-/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
-/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
+/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
-/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
-/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
-/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
-/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)
+/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
+/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
+/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
+/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)
-/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
-/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+#
+# /var
+#
+/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
-/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
-/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
-/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
+/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
-/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
-/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
/var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
/var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
@@ -45,7 +57,11 @@
/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
-/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
-/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+ifndef(`enable_mls',`
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/samba.if b/samba.if
index 50d07fb..bada62f 100644
--- a/samba.if
+++ b/samba.if
@@ -1,8 +1,12 @@
-## SMB and CIFS client/server programs.
+##
+## SMB and CIFS client/server programs for UNIX and
+## name Service Switch daemon for resolving names
+## from Windows NT servers.
+##
########################################
##
-## Execute nmbd in the nmbd domain.
+## Execute nmbd net in the nmbd_t domain.
##
##
##
@@ -21,7 +25,7 @@ interface(`samba_domtrans_nmbd',`
#######################################
##
-## Send generic signals to nmbd.
+## Allow domain to signal samba
##
##
##
@@ -38,8 +42,26 @@ interface(`samba_signal_nmbd',`
########################################
##
-## Connect to nmbd with a unix domain
-## stream socket.
+## Search the samba pid directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`samba_search_pid',`
+ gen_require(`
+ type smbd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 smbd_var_run_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Connect to nmbd.
##
##
##
@@ -49,17 +71,16 @@ interface(`samba_signal_nmbd',`
#
interface(`samba_stream_connect_nmbd',`
gen_require(`
- type samba_var_t, nmbd_t, nmbd_var_run_t, smbd_var_run_t;
+ type nmbd_t, nmbd_var_run_t;
')
- files_search_pids($1)
- stream_connect_pattern($1, { smbd_var_run_t samba_var_t nmbd_var_run_t }, nmbd_var_run_t, nmbd_t)
+ samba_search_pid($1)
+ stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
')
########################################
##
-## Execute samba init scripts in
-## the init script domain.
+## Execute samba server in the samba domain.
##
##
##
@@ -77,7 +98,30 @@ interface(`samba_initrc_domtrans',`
########################################
##
-## Execute samba net in the samba net domain.
+## Execute samba server in the samba domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`samba_systemctl',`
+ gen_require(`
+ type samba_unit_file_t;
+ type smbd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 samba_unit_file_t:file read_file_perms;
+ allow $1 samba_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, smbd_t)
+')
+
+########################################
+##
+## Execute samba net in the samba_net domain.
##
##
##
@@ -96,9 +140,27 @@ interface(`samba_domtrans_net',`
########################################
##
-## Execute samba net in the samba net
-## domain, and allow the specified
-## role the samba net domain.
+## Execute samba net in the samba_unconfined_net domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`samba_domtrans_unconfined_net',`
+ gen_require(`
+ type samba_unconfined_net_t, samba_net_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
+')
+
+########################################
+##
+## Execute samba net in the samba_net domain, and
+## allow the specified role the samba_net domain.
##
##
##
@@ -114,11 +176,56 @@ interface(`samba_domtrans_net',`
#
interface(`samba_run_net',`
gen_require(`
- attribute_role samba_net_roles;
+ type samba_net_t;
')
samba_domtrans_net($1)
- roleattribute $2 samba_net_roles;
+ role $2 types samba_net_t;
+')
+
+#######################################
+##
+## The role for the samba module.
+##
+##
+##
+## The role to be allowed the samba_net domain.
+##
+##
+##
+#
+interface(`samba_role_notrans',`
+ gen_require(`
+ type smbd_t;
+ ')
+
+ role $1 types smbd_t;
+')
+
+########################################
+##
+## Execute samba net in the samba_unconfined_net domain, and
+## allow the specified role the samba_unconfined_net domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The role to be allowed the samba_unconfined_net domain.
+##
+##
+##
+#
+interface(`samba_run_unconfined_net',`
+ gen_require(`
+ type samba_unconfined_net_t;
+ ')
+
+ samba_domtrans_unconfined_net($1)
+ role $2 types samba_unconfined_net_t;
')
########################################
@@ -142,9 +249,8 @@ interface(`samba_domtrans_smbmount',`
########################################
##
-## Execute smbmount in the smbmount
-## domain, and allow the specified
-## role the smbmount domain.
+## Execute smbmount interactively and do
+## a domain transition to the smbmount domain.
##
##
##
@@ -160,16 +266,17 @@ interface(`samba_domtrans_smbmount',`
#
interface(`samba_run_smbmount',`
gen_require(`
- attribute_role smbmount_roles;
+ type smbmount_t;
')
samba_domtrans_smbmount($1)
- roleattribute $2 smbmount_roles;
+ role $2 types smbmount_t;
')
########################################
##
-## Read samba configuration files.
+## Allow the specified domain to read
+## samba configuration files.
##
##
##
@@ -184,12 +291,14 @@ interface(`samba_read_config',`
')
files_search_etc($1)
+ list_dirs_pattern($1, samba_etc_t, samba_etc_t)
read_files_pattern($1, samba_etc_t, samba_etc_t)
')
########################################
##
-## Read and write samba configuration files.
+## Allow the specified domain to read
+## and write samba configuration files.
##
##
##
@@ -209,8 +318,8 @@ interface(`samba_rw_config',`
########################################
##
-## Create, read, write, and delete
-## samba configuration files.
+## Allow the specified domain to read
+## and write samba configuration files.
##
##
##
@@ -231,7 +340,7 @@ interface(`samba_manage_config',`
########################################
##
-## Read samba log files.
+## Allow the specified domain to read samba's log files.
##
##
##
@@ -252,7 +361,7 @@ interface(`samba_read_log',`
########################################
##
-## Append to samba log files.
+## Allow the specified domain to append to samba's log files.
##
##
##
@@ -273,7 +382,7 @@ interface(`samba_append_log',`
########################################
##
-## Execute samba log files in the caller domain.
+## Execute samba log in the caller domain.
##
##
##
@@ -292,7 +401,7 @@ interface(`samba_exec_log',`
########################################
##
-## Read samba secret files.
+## Allow the specified domain to read samba's secrets.
##
##
##
@@ -311,7 +420,7 @@ interface(`samba_read_secrets',`
########################################
##
-## Read samba share files.
+## Allow the specified domain to read samba's shares
##
##
##
@@ -330,7 +439,8 @@ interface(`samba_read_share_files',`
########################################
##
-## Search samba var directories.
+## Allow the specified domain to search
+## samba /var directories.
##
##
##
@@ -343,13 +453,15 @@ interface(`samba_search_var',`
type samba_var_t;
')
+ files_search_var($1)
files_search_var_lib($1)
allow $1 samba_var_t:dir search_dir_perms;
')
########################################
##
-## Read samba var files.
+## Allow the specified domain to
+## read samba /var files.
##
##
##
@@ -362,14 +474,15 @@ interface(`samba_read_var_files',`
type samba_var_t;
')
+ files_search_var($1)
files_search_var_lib($1)
read_files_pattern($1, samba_var_t, samba_var_t)
')
########################################
##
-## Do not audit attempts to write
-## samba var files.
+## Do not audit attempts to write samba
+## /var files.
##
##
##
@@ -387,7 +500,8 @@ interface(`samba_dontaudit_write_var_files',`
########################################
##
-## Read and write samba var files.
+## Allow the specified domain to
+## read and write samba /var files.
##
##
##
@@ -400,14 +514,15 @@ interface(`samba_rw_var_files',`
type samba_var_t;
')
+ files_search_var($1)
files_search_var_lib($1)
rw_files_pattern($1, samba_var_t, samba_var_t)
')
########################################
##
-## Create, read, write, and delete
-## samba var files.
+## Allow the specified domain to
+## read and write samba /var files.
##
##
##
@@ -421,33 +536,34 @@ interface(`samba_manage_var_files',`
')
files_search_var_lib($1)
+ files_search_var_lib($1)
manage_files_pattern($1, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
')
########################################
##
-## Execute smbcontrol in the smbcontrol domain.
+## Execute a domain transition to run smbcontrol.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`samba_domtrans_smbcontrol',`
gen_require(`
- type smbcontrol_t, smbcontrol_exec_t;
+ type smbcontrol_t;
+ type smbcontrol_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
')
########################################
##
-## Execute smbcontrol in the smbcontrol
-## domain, and allow the specified
-## role the smbcontrol domain.
+## Execute smbcontrol in the smbcontrol domain, and
+## allow the specified role the smbcontrol domain.
##
##
##
@@ -462,16 +578,16 @@ interface(`samba_domtrans_smbcontrol',`
#
interface(`samba_run_smbcontrol',`
gen_require(`
- attribute_role smbcontrol_roles;
+ type smbcontrol_t;
')
samba_domtrans_smbcontrol($1)
- roleattribute $2 smbcontrol_roles;
+ role $2 types smbcontrol_t;
')
########################################
##
-## Execute smbd in the smbd domain.
+## Execute smbd in the smbd_t domain.
##
##
##
@@ -490,7 +606,7 @@ interface(`samba_domtrans_smbd',`
######################################
##
-## Send generic signals to smbd.
+## Allow domain to signal samba
##
##
##
@@ -507,8 +623,7 @@ interface(`samba_signal_smbd',`
########################################
##
-## Do not audit attempts to inherit
-## and use smbd file descriptors.
+## Do not audit attempts to use file descriptors from samba.
##
##
##
@@ -526,7 +641,7 @@ interface(`samba_dontaudit_use_fds',`
########################################
##
-## Write smbmount tcp sockets.
+## Allow the specified domain to write to smbmount tcp sockets.
##
##
##
@@ -544,7 +659,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
########################################
##
-## Read and write smbmount tcp sockets.
+## Allow the specified domain to read and write to smbmount tcp sockets.
##
##
##
@@ -560,49 +675,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
allow $1 smbmount_t:tcp_socket { read write };
')
-########################################
+#######################################
##
-## Execute winbind helper in the
-## winbind helper domain.
+## Allow to getattr on winbind binary.
##
##
-##
-## Domain allowed to transition.
-##
+##
+## Domain allowed to transition.
+##
##
#
-interface(`samba_domtrans_winbind_helper',`
- gen_require(`
- type winbind_helper_t, winbind_helper_exec_t;
- ')
+interface(`samba_getattr_winbind',`
+ gen_require(`
+ type winbind_exec_t;
+ ')
- corecmd_search_bin($1)
- domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+ allow $1 winbind_exec_t:file getattr;
')
-#######################################
+########################################
##
-## Get attributes of winbind executable files.
+## Execute winbind_helper in the winbind_helper domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
-interface(`samba_getattr_winbind_exec',`
+interface(`samba_domtrans_winbind_helper',`
gen_require(`
- type winbind_exec_t;
+ type winbind_helper_t, winbind_helper_exec_t;
')
- allow $1 winbind_exec_t:file getattr_file_perms;
+ domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+ allow $1 winbind_helper_t:process signal;
')
########################################
##
-## Execute winbind helper in the winbind
-## helper domain, and allow the specified
-## role the winbind helper domain.
+## Execute winbind_helper in the winbind_helper domain, and
+## allow the specified role the winbind_helper domain.
##
##
##
@@ -618,16 +731,16 @@ interface(`samba_getattr_winbind_exec',`
#
interface(`samba_run_winbind_helper',`
gen_require(`
- attribute_role winbind_helper_roles;
+ type winbind_helper_t;
')
samba_domtrans_winbind_helper($1)
- roleattribute $2 winbind_helper_roles;
+ role $2 types winbind_helper_t;
')
########################################
##
-## Read winbind pid files.
+## Allow the specified domain to read the winbind pid files.
##
##
##
@@ -637,17 +750,16 @@ interface(`samba_run_winbind_helper',`
#
interface(`samba_read_winbind_pid',`
gen_require(`
- type winbind_var_run_t, smbd_var_run_t;
+ type winbind_var_run_t;
')
- files_search_pids($1)
- read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
+ samba_search_pid($1)
+ allow $1 winbind_var_run_t:file read_file_perms;
')
########################################
##
-## Connect to winbind with a unix
-## domain stream socket.
+## Connect to winbind.
##
##
##
@@ -657,17 +769,61 @@ interface(`samba_read_winbind_pid',`
#
interface(`samba_stream_connect_winbind',`
gen_require(`
- type samba_var_t, winbind_t, winbind_var_run_t, smbd_var_run_t;
+ type samba_var_t, winbind_t, winbind_var_run_t;
')
- files_search_pids($1)
- stream_connect_pattern($1, { smbd_var_run_t samba_var_t winbind_var_run_t }, winbind_var_run_t, winbind_t)
+ samba_search_pid($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+ stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
+ samba_read_config($1)
+
+ ifndef(`distro_redhat',`
+ gen_require(`
+ type winbind_tmp_t;
+ ')
+
+ # the default for the socket is (poorly named):
+ # /tmp/.winbindd/pipe
+ files_search_tmp($1)
+ stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
+ ')
')
########################################
##
-## All of the rules required to
-## administrate an samba environment.
+## Create a set of derived types for apache
+## web content.
+##
+##
+##
+## The prefix to be used for deriving type names.
+##
+##
+#
+template(`samba_helper_template',`
+ gen_require(`
+ type smbd_t;
+ role system_r;
+ ')
+
+ #This type is for samba helper scripts
+ type samba_$1_script_t;
+ domain_type(samba_$1_script_t)
+ role system_r types samba_$1_script_t;
+
+ # This type is used for executable scripts files
+ type samba_$1_script_exec_t;
+ corecmd_shell_entry_type(samba_$1_script_t)
+ domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
+
+ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
+ allow smbd_t samba_$1_script_exec_t:file ioctl;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an samba environment
##
##
##
@@ -676,7 +832,7 @@ interface(`samba_stream_connect_winbind',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the samba domain.
##
##
##
@@ -689,11 +845,28 @@ interface(`samba_admin',`
type samba_etc_t, samba_share_t, samba_initrc_exec_t;
type swat_var_run_t, swat_tmp_t, winbind_log_t;
type winbind_var_run_t, winbind_tmp_t;
- type smbd_keytab_t;
+ type smbd_keytab_t, samba_unit_file_t;
+ ')
+
+ allow $1 smbd_t:process signal_perms;
+ ps_process_pattern($1, smbd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 smbd_t:process ptrace;
+ allow $1 nmbd_t:process ptrace;
+ allow $1 samba_unconfined_script_t:process ptrace;
')
- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { nmbd_t smbd_t })
+ allow $1 nmbd_t:process signal_perms;
+ ps_process_pattern($1, nmbd_t)
+
+ allow $1 samba_unconfined_script_t:process signal_perms;
+ ps_process_pattern($1, samba_unconfined_script_t)
+
+ samba_run_smbcontrol($1, $2)
+ samba_run_winbind_helper($1, $2)
+ samba_run_smbmount($1, $2)
+ samba_run_net($1, $2)
init_labeled_script_domtrans($1, samba_initrc_exec_t)
domain_system_change_exemption($1)
@@ -703,23 +876,34 @@ interface(`samba_admin',`
files_list_etc($1)
admin_pattern($1, { samba_etc_t smbd_keytab_t })
+ admin_pattern($1, samba_log_t)
logging_list_logs($1)
- admin_pattern($1, { samba_log_t winbind_log_t })
- files_list_var($1)
- admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t })
+ admin_pattern($1, samba_secrets_t)
- files_list_spool($1)
- admin_pattern($1, smbd_spool_t)
+ admin_pattern($1, samba_share_t)
+
+ admin_pattern($1, samba_var_t)
+ files_list_var($1)
+ admin_pattern($1, smbd_var_run_t)
files_list_pids($1)
- admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t nmbd_var_run_t })
+ admin_pattern($1, smbd_tmp_t)
files_list_tmp($1)
- admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
- samba_run_smbcontrol($1, $2)
- samba_run_winbind_helper($1, $2)
- samba_run_smbmount($1, $2)
- samba_run_net($1, $2)
+ admin_pattern($1, swat_var_run_t)
+
+ admin_pattern($1, swat_tmp_t)
+
+ admin_pattern($1, winbind_log_t)
+
+ admin_pattern($1, winbind_tmp_t)
+
+ admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
+
+ samba_systemctl($1)
+ admin_pattern($1, samba_unit_file_t)
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
index 2b7c441..1912f75 100644
--- a/samba.te
+++ b/samba.te
@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
#
##
-##
-## Determine whether samba can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-##
+##
+## Allow samba to modify public files used for public file
+## transfer services. Files/Directories must be labeled
+## public_content_rw_t.
+##
##
-gen_tunable(allow_smbd_anon_write, false)
+gen_tunable(smbd_anon_write, false)
##
-##
-## Determine whether samba can
-## create home directories via pam.
-##
+##
+## Allow samba to create new home directories (e.g. via PAM)
+##
##
gen_tunable(samba_create_home_dirs, false)
##
-##
-## Determine whether samba can act as the
-## domain controller, add users, groups
-## and change passwords.
-##
+##
+## Allow samba to act as the domain controller, add users,
+## groups and change passwords.
+##
+##
##
gen_tunable(samba_domain_controller, false)
##
-##
-## Determine whether samba can
-## act as a portmapper.
-##
+##
+## Allow samba to act as a portmapper
+##
+##
##
gen_tunable(samba_portmapper, false)
##
-##
-## Determine whether samba can share
-## users home directories.
-##
+##
+## Allow samba to share users home directories.
+##
##
gen_tunable(samba_enable_home_dirs, false)
##
-##
-## Determine whether samba can share
-## any content read only.
-##
+##
+## Allow samba to share any file/directory read only.
+##
##
gen_tunable(samba_export_all_ro, false)
##
-##
-## Determine whether samba can share any
-## content readable and writable.
-##
+##
+## Allow samba to share any file/directory read/write.
+##
##
gen_tunable(samba_export_all_rw, false)
##
-##
-## Determine whether samba can
-## run unconfined scripts.
-##
+##
+## Allow samba to run unconfined scripts
+##
##
gen_tunable(samba_run_unconfined, false)
##
-##
-## Determine whether samba can
-## use nfs file systems.
-##
+##
+## Allow samba to export NFS volumes.
+##
##
gen_tunable(samba_share_nfs, false)
##
-##
-## Determine whether samba can
-## use fuse file systems.
-##
+##
+## Allow samba to export ntfs/fusefs volumes.
+##
##
gen_tunable(samba_share_fusefs, false)
-attribute_role samba_net_roles;
-roleattribute system_r samba_net_roles;
-
-attribute_role smbcontrol_roles;
-roleattribute system_r smbcontrol_roles;
-
-attribute_role smbmount_roles;
-roleattribute system_r smbmount_roles;
-
-attribute_role winbind_helper_roles;
-roleattribute system_r winbind_helper_roles;
-
type nmbd_t;
type nmbd_exec_t;
init_daemon_domain(nmbd_t, nmbd_exec_t)
@@ -113,13 +93,16 @@ files_config_file(samba_etc_t)
type samba_initrc_exec_t;
init_script_file(samba_initrc_exec_t)
+type samba_unit_file_t;
+systemd_unit_file(samba_unit_file_t)
+
type samba_log_t;
logging_log_file(samba_log_t)
type samba_net_t;
type samba_net_exec_t;
application_domain(samba_net_t, samba_net_exec_t)
-role samba_net_roles types samba_net_t;
+role system_r types samba_net_t;
type samba_net_tmp_t;
files_tmp_file(samba_net_tmp_t)
@@ -136,7 +119,7 @@ files_type(samba_var_t)
type smbcontrol_t;
type smbcontrol_exec_t;
application_domain(smbcontrol_t, smbcontrol_exec_t)
-role smbcontrol_roles types smbcontrol_t;
+role system_r types smbcontrol_t;
type smbd_t;
type smbd_exec_t;
@@ -152,9 +135,10 @@ type smbd_var_run_t;
files_pid_file(smbd_var_run_t)
type smbmount_t;
+domain_type(smbmount_t)
+
type smbmount_exec_t;
-application_domain(smbmount_t, smbmount_exec_t)
-role smbmount_roles types smbmount_t;
+domain_entry_file(smbmount_t, smbmount_exec_t)
type swat_t;
type swat_exec_t;
@@ -173,28 +157,29 @@ type winbind_exec_t;
init_daemon_domain(winbind_t, winbind_exec_t)
type winbind_helper_t;
+domain_type(winbind_helper_t)
+role system_r types winbind_helper_t;
+
type winbind_helper_exec_t;
-application_domain(winbind_helper_t, winbind_helper_exec_t)
-role winbind_helper_roles types winbind_helper_t;
+domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
type winbind_log_t;
logging_log_file(winbind_log_t)
-type winbind_tmp_t;
-files_tmp_file(winbind_tmp_t)
-
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
########################################
#
-# Net local policy
+# Samba net local policy
#
-
allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
allow samba_net_t self:capability2 block_suspend;
allow samba_net_t self:process { getsched setsched };
-allow samba_net_t self:unix_stream_socket { accept listen };
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
+allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
+allow samba_net_t self:udp_socket create_socket_perms;
+allow samba_net_t self:tcp_socket create_socket_perms;
allow samba_net_t samba_etc_t:file read_file_perms;
@@ -210,17 +195,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
+kernel_read_proc_symlinks(samba_net_t)
kernel_read_system_state(samba_net_t)
kernel_read_network_state(samba_net_t)
-corenet_all_recvfrom_unlabeled(samba_net_t)
corenet_all_recvfrom_netlabel(samba_net_t)
+corenet_tcp_sendrecv_generic_if(samba_net_t)
corenet_udp_sendrecv_generic_if(samba_net_t)
+corenet_raw_sendrecv_generic_if(samba_net_t)
corenet_tcp_sendrecv_generic_node(samba_net_t)
-
-corenet_sendrecv_smbd_client_packets(samba_net_t)
+corenet_udp_sendrecv_generic_node(samba_net_t)
+corenet_raw_sendrecv_generic_node(samba_net_t)
+corenet_tcp_sendrecv_all_ports(samba_net_t)
+corenet_udp_sendrecv_all_ports(samba_net_t)
+corenet_tcp_bind_generic_node(samba_net_t)
+corenet_udp_bind_generic_node(samba_net_t)
corenet_tcp_connect_smbd_port(samba_net_t)
-corenet_tcp_sendrecv_smbd_port(samba_net_t)
dev_read_urand(samba_net_t)
@@ -233,15 +223,16 @@ auth_manage_cache(samba_net_t)
logging_send_syslog_msg(samba_net_t)
-miscfiles_read_localization(samba_net_t)
-
samba_read_var_files(samba_net_t)
-userdom_use_user_terminals(samba_net_t)
+sysnet_use_ldap(samba_net_t)
+
+userdom_use_inherited_user_terminals(samba_net_t)
userdom_list_user_home_dirs(samba_net_t)
optional_policy(`
- ldap_stream_connect(samba_net_t)
+ ldap_stream_connect(samba_net_t)
+ dirsrv_stream_connect(samba_net_t)
')
optional_policy(`
@@ -249,46 +240,58 @@ optional_policy(`
')
optional_policy(`
+ realmd_manage_cache_files(samba_net_t)
+ realmd_read_tmp_files(samba_net_t)
+')
+
+optional_policy(`
kerberos_use(samba_net_t)
- kerberos_etc_filetrans_keytab(samba_net_t, file)
+ kerberos_etc_filetrans_keytab(samba_net_t)
')
########################################
#
-# Smbd Local policy
+# smbd Local policy
#
allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
dontaudit smbd_t self:capability sys_tty_config;
-allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
+allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow smbd_t self:process setrlimit;
allow smbd_t self:fd use;
allow smbd_t self:fifo_file rw_fifo_file_perms;
allow smbd_t self:msg { send receive };
allow smbd_t self:msgq create_msgq_perms;
allow smbd_t self:sem create_sem_perms;
allow smbd_t self:shm create_shm_perms;
-allow smbd_t self:tcp_socket { accept listen };
-allow smbd_t self:unix_dgram_socket sendto;
-allow smbd_t self:unix_stream_socket { accept connectto listen };
+allow smbd_t self:key manage_key_perms;
+allow smbd_t self:sock_file read_sock_file_perms;
+allow smbd_t self:tcp_socket create_stream_socket_perms;
+allow smbd_t self:udp_socket create_socket_perms;
+allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow smbd_t nmbd_t:process { signal signull };
-allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull };
+allow smbd_t nmbd_var_run_t:file rw_file_perms;
+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
-allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
+allow smbd_t samba_etc_t:file { rw_file_perms setattr };
allow smbd_t smbd_keytab_t:file read_file_perms;
manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
-append_files_pattern(smbd_t, samba_log_t, samba_log_t)
-create_files_pattern(smbd_t, samba_log_t, samba_log_t)
-setattr_files_pattern(smbd_t, samba_log_t, samba_log_t)
+manage_files_pattern(smbd_t, samba_log_t, samba_log_t)
-allow smbd_t samba_net_tmp_t:file getattr_file_perms;
+allow smbd_t samba_net_tmp_t:file getattr;
manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t)
filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
+manage_fifo_files_pattern(smbd_t, samba_share_t, samba_share_t)
+manage_sock_files_pattern(smbd_t, samba_share_t, samba_share_t)
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
allow smbd_t samba_share_t:filesystem { getattr quotaget };
@@ -298,6 +301,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
+allow smbd_t smbcontrol_t:process { signal signull };
+
manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
@@ -307,11 +312,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
-allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms;
-stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
+allow smbd_t swat_t:process signal;
-allow smbd_t nmbd_var_run_t:file read_file_perms;
-stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
+
+allow smbd_t winbind_t:process { signal signull };
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
@@ -321,43 +326,33 @@ kernel_read_kernel_sysctls(smbd_t)
kernel_read_software_raid_state(smbd_t)
kernel_read_system_state(smbd_t)
-corecmd_exec_bin(smbd_t)
corecmd_exec_shell(smbd_t)
+corecmd_exec_bin(smbd_t)
-corenet_all_recvfrom_unlabeled(smbd_t)
corenet_all_recvfrom_netlabel(smbd_t)
corenet_tcp_sendrecv_generic_if(smbd_t)
+corenet_udp_sendrecv_generic_if(smbd_t)
+corenet_raw_sendrecv_generic_if(smbd_t)
corenet_tcp_sendrecv_generic_node(smbd_t)
+corenet_udp_sendrecv_generic_node(smbd_t)
+corenet_raw_sendrecv_generic_node(smbd_t)
+corenet_tcp_sendrecv_all_ports(smbd_t)
+corenet_udp_sendrecv_all_ports(smbd_t)
corenet_tcp_bind_generic_node(smbd_t)
-
-corenet_sendrecv_smbd_client_packets(smbd_t)
-corenet_tcp_connect_smbd_port(smbd_t)
-corenet_sendrecv_smbd_server_packets(smbd_t)
+corenet_udp_bind_generic_node(smbd_t)
corenet_tcp_bind_smbd_port(smbd_t)
-corenet_tcp_sendrecv_smbd_port(smbd_t)
-
-corenet_sendrecv_ipp_client_packets(smbd_t)
corenet_tcp_connect_ipp_port(smbd_t)
-corenet_tcp_sendrecv_ipp_port(smbd_t)
+corenet_tcp_connect_smbd_port(smbd_t)
dev_read_sysfs(smbd_t)
dev_read_urand(smbd_t)
+dev_dontaudit_write_urand(smbd_t)
dev_getattr_mtrr_dev(smbd_t)
dev_dontaudit_getattr_usbfs_dirs(smbd_t)
+# For redhat bug 566984
dev_getattr_all_blk_files(smbd_t)
dev_getattr_all_chr_files(smbd_t)
-domain_use_interactive_fds(smbd_t)
-domain_dontaudit_list_all_domains_state(smbd_t)
-
-files_list_var_lib(smbd_t)
-files_read_etc_runtime_files(smbd_t)
-files_read_usr_files(smbd_t)
-files_search_spool(smbd_t)
-files_dontaudit_getattr_all_dirs(smbd_t)
-files_dontaudit_list_all_mountpoints(smbd_t)
-files_list_mnt(smbd_t)
-
fs_getattr_all_fs(smbd_t)
fs_getattr_all_dirs(smbd_t)
fs_get_xattr_fs_quotas(smbd_t)
@@ -366,44 +361,55 @@ fs_getattr_rpc_dirs(smbd_t)
fs_list_inotifyfs(smbd_t)
fs_get_all_fs_quotas(smbd_t)
-term_use_ptmx(smbd_t)
-
auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
auth_domtrans_upd_passwd(smbd_t)
auth_manage_cache(smbd_t)
auth_write_login_records(smbd_t)
+domain_use_interactive_fds(smbd_t)
+domain_dontaudit_list_all_domains_state(smbd_t)
+
+files_list_var_lib(smbd_t)
+files_read_etc_runtime_files(smbd_t)
+files_search_spool(smbd_t)
+# smbd seems to getattr all mountpoints
+files_dontaudit_getattr_all_dirs(smbd_t)
+files_dontaudit_list_all_mountpoints(smbd_t)
+# Allow samba to list mnt_t for potential mounted dirs
+files_list_mnt(smbd_t)
+
init_rw_utmp(smbd_t)
logging_search_logs(smbd_t)
logging_send_syslog_msg(smbd_t)
-miscfiles_read_localization(smbd_t)
miscfiles_read_public_files(smbd_t)
sysnet_use_ldap(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
+userdom_search_user_home_content(smbd_t)
userdom_signal_all_users(smbd_t)
-userdom_home_filetrans_user_home_dir(smbd_t)
-userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
usermanage_read_crack_db(smbd_t)
-ifdef(`hide_broken_symptoms',`
+term_use_ptmx(smbd_t)
+
+ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
+ fs_rw_inherited_tmpfs_files(smbd_t)
')
-tunable_policy(`allow_smbd_anon_write',`
+tunable_policy(`smbd_anon_write',`
miscfiles_manage_public_files(smbd_t)
-')
+')
-tunable_policy(`samba_create_home_dirs',`
- allow smbd_t self:capability chown;
- userdom_create_user_home_dirs(smbd_t)
+tunable_policy(`samba_portmapper',`
+ corenet_tcp_bind_epmap_port(smbd_t)
+ corenet_tcp_bind_all_unreserved_ports(smbd_t)
')
tunable_policy(`samba_domain_controller',`
@@ -419,20 +425,10 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
- userdom_manage_user_home_content_dirs(smbd_t)
- userdom_manage_user_home_content_files(smbd_t)
- userdom_manage_user_home_content_symlinks(smbd_t)
- userdom_manage_user_home_content_sockets(smbd_t)
- userdom_manage_user_home_content_pipes(smbd_t)
-')
-
-tunable_policy(`samba_portmapper',`
- corenet_sendrecv_all_server_packets(smbd_t)
- corenet_tcp_bind_epmap_port(smbd_t)
- corenet_tcp_bind_all_unreserved_ports(smbd_t)
- corenet_tcp_sendrecv_all_ports(smbd_t)
+ userdom_manage_user_home_content(smbd_t)
')
+# Support Samba sharing of NFS mount points
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
@@ -441,6 +437,7 @@ tunable_policy(`samba_share_nfs',`
fs_manage_nfs_named_sockets(smbd_t)
')
+# Support Samba sharing of ntfs/fusefs mount points
tunable_policy(`samba_share_fusefs',`
fs_manage_fusefs_dirs(smbd_t)
fs_manage_fusefs_files(smbd_t)
@@ -448,17 +445,6 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
-tunable_policy(`samba_export_all_ro',`
- fs_read_noxattr_fs_files(smbd_t)
- files_list_non_auth_dirs(smbd_t)
- files_read_non_auth_files(smbd_t)
-')
-
-tunable_policy(`samba_export_all_rw',`
- fs_read_noxattr_fs_files(smbd_t)
- files_manage_non_auth_files(smbd_t)
-')
-
optional_policy(`
ccs_read_config(smbd_t)
')
@@ -466,6 +452,7 @@ optional_policy(`
optional_policy(`
ctdbd_stream_connect(smbd_t)
ctdbd_manage_lib_files(smbd_t)
+ ctdbd_manage_var_files(smbd_t)
')
optional_policy(`
@@ -479,6 +466,11 @@ optional_policy(`
')
optional_policy(`
+ ldap_stream_connect(smbd_t)
+ dirsrv_stream_connect(smbd_t)
+')
+
+optional_policy(`
lpd_exec_lpr(smbd_t)
')
@@ -499,9 +491,33 @@ optional_policy(`
udev_read_db(smbd_t)
')
+tunable_policy(`samba_create_home_dirs',`
+ allow smbd_t self:capability chown;
+ userdom_create_user_home_dirs(smbd_t)
+')
+
+userdom_home_filetrans_user_home_dir(smbd_t)
+
+tunable_policy(`samba_export_all_ro',`
+ allow nmbd_t self:capability { dac_read_search dac_override };
+ fs_read_noxattr_fs_files(smbd_t)
+ files_read_non_security_files(smbd_t)
+ fs_read_noxattr_fs_files(nmbd_t)
+ files_read_non_security_files(nmbd_t)
+')
+
+tunable_policy(`samba_export_all_rw',`
+ allow nmbd_t self:capability { dac_read_search dac_override };
+ fs_manage_noxattr_fs_files(smbd_t)
+ files_manage_non_security_files(smbd_t)
+ fs_manage_noxattr_fs_files(nmbd_t)
+ files_manage_non_security_files(nmbd_t)
+')
+userdom_filetrans_home_content(nmbd_t)
+
########################################
#
-# Nmbd Local policy
+# nmbd Local policy
#
dontaudit nmbd_t self:capability sys_tty_config;
@@ -512,9 +528,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
-allow nmbd_t self:tcp_socket { accept listen };
-allow nmbd_t self:unix_dgram_socket sendto;
-allow nmbd_t self:unix_stream_socket { accept connectto listen };
+allow nmbd_t self:sock_file read_sock_file_perms;
+allow nmbd_t self:tcp_socket create_stream_socket_perms;
+allow nmbd_t self:udp_socket create_socket_perms;
+allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
@@ -526,20 +544,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
-append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
-create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
-setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
+manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+manage_dirs_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
-allow nmbd_t { swat_t smbcontrol_t }:process signal;
-
-allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+allow nmbd_t smbcontrol_t:process signal;
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
@@ -548,52 +561,41 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
-corenet_all_recvfrom_unlabeled(nmbd_t)
corenet_all_recvfrom_netlabel(nmbd_t)
corenet_tcp_sendrecv_generic_if(nmbd_t)
corenet_udp_sendrecv_generic_if(nmbd_t)
corenet_tcp_sendrecv_generic_node(nmbd_t)
corenet_udp_sendrecv_generic_node(nmbd_t)
+corenet_tcp_sendrecv_all_ports(nmbd_t)
+corenet_udp_sendrecv_all_ports(nmbd_t)
corenet_udp_bind_generic_node(nmbd_t)
-
-corenet_sendrecv_nmbd_server_packets(nmbd_t)
corenet_udp_bind_nmbd_port(nmbd_t)
-corenet_udp_sendrecv_nmbd_port(nmbd_t)
-
-corenet_sendrecv_smbd_client_packets(nmbd_t)
+corenet_sendrecv_nmbd_server_packets(nmbd_t)
+corenet_sendrecv_nmbd_client_packets(nmbd_t)
corenet_tcp_connect_smbd_port(nmbd_t)
-corenet_tcp_sendrecv_smbd_port(nmbd_t)
-dev_read_sysfs(nmbd_t)
dev_getattr_mtrr_dev(nmbd_t)
+dev_read_sysfs(nmbd_t)
+dev_read_urand(nmbd_t)
+
+fs_getattr_all_fs(nmbd_t)
+fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-files_read_usr_files(nmbd_t)
files_list_var_lib(nmbd_t)
-fs_getattr_all_fs(nmbd_t)
-fs_search_auto_mountpoints(nmbd_t)
-
auth_use_nsswitch(nmbd_t)
logging_search_logs(nmbd_t)
logging_send_syslog_msg(nmbd_t)
-miscfiles_read_localization(nmbd_t)
-
userdom_use_unpriv_users_fds(nmbd_t)
-userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
+userdom_dontaudit_search_user_home_dirs(nmbd_t)
-tunable_policy(`samba_export_all_ro',`
- fs_read_noxattr_fs_files(nmbd_t)
- files_list_non_auth_dirs(nmbd_t)
- files_read_non_auth_files(nmbd_t)
-')
-
-tunable_policy(`samba_export_all_rw',`
- fs_read_noxattr_fs_files(nmbd_t)
- files_manage_non_auth_files(nmbd_t)
+optional_policy(`
+ ctdbd_stream_connect(nmbd_t)
+ ctdbd_manage_var_files(nmbd_t)
')
optional_policy(`
@@ -606,16 +608,22 @@ optional_policy(`
########################################
#
-# Smbcontrol local policy
+# smbcontrol local policy
#
+
allow smbcontrol_t self:process signal;
-allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
+# internal communication is often done using fifo and unix sockets.
+allow smbcontrol_t self:fifo_file rw_file_perms;
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
allow smbcontrol_t self:process { signal signull };
-allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
+allow smbcontrol_t nmbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
+
+allow smbcontrol_t smbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
+allow smbcontrol_t winbind_t:process { signal signull };
manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
@@ -627,16 +635,11 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
-files_read_etc_files(smbcontrol_t)
-files_search_var_lib(smbcontrol_t)
-
term_use_console(smbcontrol_t)
-miscfiles_read_localization(smbcontrol_t)
-
sysnet_use_ldap(smbcontrol_t)
-userdom_use_user_terminals(smbcontrol_t)
+userdom_use_inherited_user_terminals(smbcontrol_t)
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
@@ -644,22 +647,23 @@ optional_policy(`
########################################
#
-# Smbmount Local policy
+# smbmount Local policy
#
-allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown };
-allow smbmount_t self:process signal_perms;
-allow smbmount_t self:tcp_socket { accept listen };
+allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary?
+allow smbmount_t self:process { fork signal_perms };
+allow smbmount_t self:tcp_socket create_stream_socket_perms;
+allow smbmount_t self:udp_socket connect;
allow smbmount_t self:unix_dgram_socket create_socket_perms;
allow smbmount_t self:unix_stream_socket create_socket_perms;
allow smbmount_t samba_etc_t:dir list_dir_perms;
allow smbmount_t samba_etc_t:file read_file_perms;
-allow smbmount_t samba_log_t:dir list_dir_perms;
-append_files_pattern(smbmount_t, samba_log_t, samba_log_t)
-create_files_pattern(smbmount_t, samba_log_t, samba_log_t)
-setattr_files_pattern(smbmount_t, samba_log_t, samba_log_t)
+can_exec(smbmount_t, smbmount_exec_t)
+
+allow smbmount_t samba_log_t:dir list_dir_perms;
+allow smbmount_t samba_log_t:file manage_file_perms;
allow smbmount_t samba_secrets_t:file manage_file_perms;
@@ -668,26 +672,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
-can_exec(smbmount_t, smbmount_exec_t)
+files_list_var_lib(smbmount_t)
kernel_read_system_state(smbmount_t)
-corenet_all_recvfrom_unlabeled(smbmount_t)
corenet_all_recvfrom_netlabel(smbmount_t)
corenet_tcp_sendrecv_generic_if(smbmount_t)
+corenet_raw_sendrecv_generic_if(smbmount_t)
+corenet_udp_sendrecv_generic_if(smbmount_t)
corenet_tcp_sendrecv_generic_node(smbmount_t)
-
-corenet_sendrecv_all_client_packets(smbmount_t)
-corenet_tcp_connect_all_ports(smbmount_t)
+corenet_raw_sendrecv_generic_node(smbmount_t)
+corenet_udp_sendrecv_generic_node(smbmount_t)
corenet_tcp_sendrecv_all_ports(smbmount_t)
-
-corecmd_list_bin(smbmount_t)
-
-files_list_mnt(smbmount_t)
-files_list_var_lib(smbmount_t)
-files_mounton_mnt(smbmount_t)
-files_manage_etc_runtime_files(smbmount_t)
-files_etc_filetrans_etc_runtime(smbmount_t, file)
+corenet_udp_sendrecv_all_ports(smbmount_t)
+corenet_tcp_bind_generic_node(smbmount_t)
+corenet_udp_bind_generic_node(smbmount_t)
+corenet_tcp_connect_all_ports(smbmount_t)
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
@@ -699,58 +699,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
-auth_use_nsswitch(smbmount_t)
+corecmd_list_bin(smbmount_t)
-miscfiles_read_localization(smbmount_t)
+files_list_mnt(smbmount_t)
+files_mounton_mnt(smbmount_t)
+files_manage_etc_runtime_files(smbmount_t)
+files_etc_filetrans_etc_runtime(smbmount_t, file)
+
+auth_use_nsswitch(smbmount_t)
-mount_use_fds(smbmount_t)
locallogin_use_fds(smbmount_t)
logging_search_logs(smbmount_t)
-userdom_use_user_terminals(smbmount_t)
+userdom_use_inherited_user_terminals(smbmount_t)
userdom_use_all_users_fds(smbmount_t)
optional_policy(`
cups_read_rw_config(smbmount_t)
')
+optional_policy(`
+ mount_use_fds(smbmount_t)
+')
+
########################################
#
-# Swat Local policy
+# SWAT Local policy
#
allow swat_t self:capability { dac_override setuid setgid sys_resource };
+allow swat_t self:capability2 block_suspend;
allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_fifo_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow swat_t self:tcp_socket { accept listen };
+allow swat_t self:tcp_socket create_stream_socket_perms;
+allow swat_t self:udp_socket create_socket_perms;
allow swat_t self:unix_stream_socket connectto;
-allow swat_t { nmbd_t smbd_t }:process { signal signull };
+samba_domtrans_smbd(swat_t)
+allow swat_t smbd_t:process { signal signull };
-allow swat_t smbd_var_run_t:file read_file_perms;
-allow swat_t smbd_var_run_t:file { lock delete_file_perms };
+samba_domtrans_nmbd(swat_t)
+allow swat_t nmbd_t:process { signal signull };
+allow nmbd_t swat_t:process signal;
+
+read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
+stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+
+allow swat_t smbd_port_t:tcp_socket name_bind;
+
+allow swat_t nmbd_port_t:udp_socket name_bind;
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(swat_t, samba_log_t, samba_log_t)
-append_files_pattern(swat_t, samba_log_t, samba_log_t)
-create_files_pattern(swat_t, samba_log_t, samba_log_t)
-setattr_files_pattern(swat_t, samba_log_t, samba_log_t)
+manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_dirs_pattern(swat_t, samba_var_t, samba_var_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
-manage_lnk_files_pattern(swat_t, samba_var_t, samba_var_t)
files_var_filetrans(swat_t, samba_var_t, dir, "samba")
allow swat_t smbd_exec_t:file mmap_file_perms ;
-allow swat_t { winbind_t smbd_t }:process { signal signull };
+allow swat_t smbd_t:process signull;
+
+allow swat_t smbd_var_run_t:file read_file_perms;
+allow swat_t smbd_var_run_t:file { lock unlink };
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
@@ -759,17 +778,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
-read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
-allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms };
-allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms };
-
-read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
-stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
-
-samba_domtrans_smbd(swat_t)
-samba_domtrans_nmbd(swat_t)
-
+allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
+allow swat_t winbind_t:process { signal signull };
+
+read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
+allow swat_t winbind_var_run_t:dir { write add_name remove_name };
+allow swat_t winbind_var_run_t:sock_file { create unlink };
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
@@ -777,36 +792,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
-corenet_all_recvfrom_unlabeled(swat_t)
corenet_all_recvfrom_netlabel(swat_t)
corenet_tcp_sendrecv_generic_if(swat_t)
corenet_udp_sendrecv_generic_if(swat_t)
+corenet_raw_sendrecv_generic_if(swat_t)
corenet_tcp_sendrecv_generic_node(swat_t)
corenet_udp_sendrecv_generic_node(swat_t)
-corenet_tcp_bind_generic_node(swat_t)
-corenet_udp_bind_generic_node(swat_t)
-
-corenet_sendrecv_nmbd_server_packets(swat_t)
-corenet_udp_bind_nmbd_port(swat_t)
-corenet_udp_sendrecv_nmbd_port(swat_t)
-
-corenet_sendrecv_smbd_client_packets(swat_t)
+corenet_raw_sendrecv_generic_node(swat_t)
+corenet_tcp_sendrecv_all_ports(swat_t)
+corenet_udp_sendrecv_all_ports(swat_t)
corenet_tcp_connect_smbd_port(swat_t)
-corenet_sendrecv_smbd_server_packets(swat_t)
-corenet_tcp_bind_smbd_port(swat_t)
-corenet_tcp_sendrecv_smbd_port(swat_t)
-
-corenet_sendrecv_ipp_client_packets(swat_t)
corenet_tcp_connect_ipp_port(swat_t)
-corenet_tcp_sendrecv_ipp_port(swat_t)
+corenet_sendrecv_smbd_client_packets(swat_t)
+corenet_sendrecv_ipp_client_packets(swat_t)
dev_read_urand(swat_t)
files_list_var_lib(swat_t)
files_search_home(swat_t)
-files_read_usr_files(swat_t)
fs_getattr_xattr_fs(swat_t)
-files_list_var_lib(swat_t)
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
@@ -818,10 +822,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
-miscfiles_read_localization(swat_t)
-
sysnet_use_ldap(swat_t)
+
+userdom_dontaudit_search_admin_dir(swat_t)
+
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
@@ -840,17 +845,20 @@ optional_policy(`
# Winbind local policy
#
-allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+allow winbind_t self:capability { kill dac_override ipc_lock setuid sys_nice };
+allow winbind_t self:capability2 block_suspend;
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
-allow winbind_t self:unix_stream_socket { accept listen };
-allow winbind_t self:tcp_socket { accept listen };
+allow winbind_t self:unix_dgram_socket create_socket_perms;
+allow winbind_t self:unix_stream_socket create_stream_socket_perms;
+allow winbind_t self:tcp_socket create_stream_socket_perms;
+allow winbind_t self:udp_socket create_socket_perms;
allow winbind_t nmbd_t:process { signal signull };
-allow winbind_t nmbd_var_run_t:file read_file_perms;
-stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)
+samba_stream_connect_nmbd(winbind_t)
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
@@ -860,9 +868,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
-append_files_pattern(winbind_t, samba_log_t, samba_log_t)
-create_files_pattern(winbind_t, samba_log_t, samba_log_t)
-setattr_files_pattern(winbind_t, samba_log_t, samba_log_t)
+manage_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
@@ -873,23 +879,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
-# This needs a file context specification
-allow winbind_t winbind_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
-manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
-manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
-manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
-files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
+userdom_manage_user_tmp_dirs(winbind_t)
+userdom_manage_user_tmp_files(winbind_t)
+userdom_tmp_filetrans_user_tmp(winbind_t, { file dir })
manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
-
-manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+# /run/samba/krb5cc_samba
manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
@@ -898,13 +902,17 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
-corenet_all_recvfrom_unlabeled(winbind_t)
corenet_all_recvfrom_netlabel(winbind_t)
corenet_tcp_sendrecv_generic_if(winbind_t)
+corenet_udp_sendrecv_generic_if(winbind_t)
+corenet_raw_sendrecv_generic_if(winbind_t)
corenet_tcp_sendrecv_generic_node(winbind_t)
+corenet_udp_sendrecv_generic_node(winbind_t)
+corenet_raw_sendrecv_generic_node(winbind_t)
corenet_tcp_sendrecv_all_ports(winbind_t)
-
-corenet_sendrecv_all_client_packets(winbind_t)
+corenet_udp_sendrecv_all_ports(winbind_t)
+corenet_tcp_bind_generic_node(winbind_t)
+corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
@@ -912,10 +920,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
-domain_use_interactive_fds(winbind_t)
-
-files_read_usr_symlinks(winbind_t)
-files_list_var_lib(winbind_t)
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
@@ -924,26 +928,39 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
+domain_use_interactive_fds(winbind_t)
+
+files_read_usr_symlinks(winbind_t)
+files_list_var_lib(winbind_t)
+
logging_send_syslog_msg(winbind_t)
-miscfiles_read_localization(winbind_t)
miscfiles_read_generic_certs(winbind_t)
+sysnet_use_ldap(winbind_t)
+
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
userdom_manage_user_home_content_files(winbind_t)
userdom_manage_user_home_content_symlinks(winbind_t)
userdom_manage_user_home_content_pipes(winbind_t)
userdom_manage_user_home_content_sockets(winbind_t)
-userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(winbind_t)
optional_policy(`
ctdbd_stream_connect(winbind_t)
ctdbd_manage_lib_files(winbind_t)
+ ctdbd_manage_var_files(winbind_t)
+')
+
+
+optional_policy(`
+ dirsrv_stream_connect(winbind_t)
')
optional_policy(`
kerberos_use(winbind_t)
+ kerberos_filetrans_named_content(winbind_t)
')
optional_policy(`
@@ -959,31 +976,29 @@ optional_policy(`
# Winbind helper local policy
#
-allow winbind_helper_t self:unix_stream_socket { accept listen };
+allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
+allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
allow winbind_helper_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
allow winbind_helper_t samba_var_t:dir search_dir_perms;
+files_list_var_lib(winbind_helper_t)
allow winbind_t smbcontrol_t:process signal;
stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
-domain_use_interactive_fds(winbind_helper_t)
-
-files_list_var_lib(winbind_helper_t)
-
term_list_ptys(winbind_helper_t)
+domain_use_interactive_fds(winbind_helper_t)
+
auth_use_nsswitch(winbind_helper_t)
logging_send_syslog_msg(winbind_helper_t)
-miscfiles_read_localization(winbind_helper_t)
-
-userdom_use_user_terminals(winbind_helper_t)
+userdom_use_inherited_user_terminals(winbind_helper_t)
optional_policy(`
apache_append_log(winbind_helper_t)
@@ -997,25 +1012,38 @@ optional_policy(`
########################################
#
-# Unconfined script local policy
+# samba_unconfined_script_t local policy
#
optional_policy(`
- type samba_unconfined_script_t;
- type samba_unconfined_script_exec_t;
- domain_type(samba_unconfined_script_t)
- domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
- corecmd_shell_entry_type(samba_unconfined_script_t)
- role system_r types samba_unconfined_script_t;
+ type samba_unconfined_net_t;
+ domain_type(samba_unconfined_net_t)
+ domain_entry_file(samba_unconfined_net_t, samba_net_exec_t)
+ role system_r types samba_unconfined_net_t;
+
+ unconfined_domain(samba_unconfined_net_t)
+
+ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
+ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
+ userdom_use_inherited_user_terminals(samba_unconfined_net_t)
+')
+
+type samba_unconfined_script_t;
+type samba_unconfined_script_exec_t;
+domain_type(samba_unconfined_script_t)
+domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
+corecmd_shell_entry_type(samba_unconfined_script_t)
+role system_r types samba_unconfined_script_t;
- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
- allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+optional_policy(`
unconfined_domain(samba_unconfined_script_t)
+')
- tunable_policy(`samba_run_unconfined',`
+tunable_policy(`samba_run_unconfined',`
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
- ',`
- can_exec(smbd_t, samba_unconfined_script_exec_t)
- ')
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
diff --git a/sambagui.te b/sambagui.te
index e18b0a2..463e207 100644
--- a/sambagui.te
+++ b/sambagui.te
@@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t)
dev_dontaudit_read_urand(sambagui_t)
-files_read_usr_files(sambagui_t)
+files_search_var_lib(sambagui_t)
auth_use_nsswitch(sambagui_t)
auth_dontaudit_read_shadow(sambagui_t)
-logging_send_syslog_msg(sambagui_t)
+init_access_check(sambagui_t)
-miscfiles_read_localization(sambagui_t)
+logging_send_syslog_msg(sambagui_t)
sysnet_use_ldap(sambagui_t)
@@ -61,6 +61,7 @@ optional_policy(`
samba_manage_var_files(sambagui_t)
samba_read_secrets(sambagui_t)
samba_initrc_domtrans(sambagui_t)
+ samba_systemctl(sambagui_t)
samba_domtrans_smbd(sambagui_t)
samba_domtrans_nmbd(sambagui_t)
')
diff --git a/samhain.if b/samhain.if
index f0236d6..78a792a 100644
--- a/samhain.if
+++ b/samhain.if
@@ -23,6 +23,8 @@ template(`samhain_service_template',`
files_read_all_files($1_t)
mls_file_write_all_levels($1_t)
+
+ logging_send_sylog_msg($1_t)
')
########################################
diff --git a/samhain.te b/samhain.te
index c41ce4b..8837e4c 100644
--- a/samhain.te
+++ b/samhain.te
@@ -88,8 +88,6 @@ auth_read_login_records(samhain_domain)
init_read_utmp(samhain_domain)
-logging_send_syslog_msg(samhain_domain)
-
########################################
#
# Client local policy
@@ -102,7 +100,7 @@ domain_use_interactive_fds(samhain_t)
seutil_sigchld_newrole(samhain_t)
-userdom_use_user_terminals(samhain_t)
+userdom_use_inherited_user_terminals(samhain_t)
########################################
#
diff --git a/sandbox.fc b/sandbox.fc
new file mode 100644
index 0000000..b7db254
--- /dev/null
+++ b/sandbox.fc
@@ -0,0 +1 @@
+# Empty
diff --git a/sandbox.if b/sandbox.if
new file mode 100644
index 0000000..577dfa7
--- /dev/null
+++ b/sandbox.if
@@ -0,0 +1,55 @@
+
+## policy for sandbox
+
+########################################
+##
+## Execute sandbox in the sandbox domain, and
+## allow the specified role the sandbox domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the sandbox domain.
+##
+##
+#
+interface(`sandbox_transition',`
+ gen_require(`
+ attribute sandbox_domain;
+ ')
+
+ allow $1 sandbox_domain:process transition;
+ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
+ role $2 types sandbox_domain;
+ allow sandbox_domain $1:process { sigchld signull };
+ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit sandbox_domain $1:process signal;
+')
+
+########################################
+##
+## Creates types and rules for a basic
+## sandbox process domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`sandbox_domain_template',`
+
+ gen_require(`
+ attribute sandbox_domain;
+ ')
+ type $1_t, sandbox_domain;
+
+ application_type($1_t)
+
+ mls_rangetrans_target($1_t)
+ mcs_constrained($1_t)
+')
diff --git a/sandbox.te b/sandbox.te
new file mode 100644
index 0000000..b12aada
--- /dev/null
+++ b/sandbox.te
@@ -0,0 +1,62 @@
+policy_module(sandbox,1.0.0)
+
+attribute sandbox_domain;
+
+########################################
+#
+# Declarations
+#
+sandbox_domain_template(sandbox)
+
+########################################
+#
+# sandbox local policy
+#
+allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
+tunable_policy(`deny_execmem',`',`
+ allow sandbox_domain self:process execmem;
+')
+
+allow sandbox_domain self:fifo_file manage_file_perms;
+allow sandbox_domain self:sem create_sem_perms;
+allow sandbox_domain self:shm create_shm_perms;
+allow sandbox_domain self:msgq create_msgq_perms;
+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
+allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+dev_rw_all_inherited_chr_files(sandbox_domain)
+dev_rw_all_inherited_blk_files(sandbox_domain)
+
+# sandbox_file_t was moved to sandboxX.te
+optional_policy(`
+ sandbox_exec_file(sandbox_domain)
+ sandbox_manage_content(sandbox_domain)
+ sandbox_dontaudit_mounton(sandbox_domain)
+ sandbox_manage_tmpfs_files(sandbox_domain)
+')
+
+gen_require(`
+ type usr_t, lib_t, locale_t, device_t;
+ type var_t, var_run_t, rpm_log_t, locale_t;
+ attribute exec_type, configfile;
+')
+
+kernel_dontaudit_read_system_state(sandbox_domain)
+
+corecmd_exec_all_executables(sandbox_domain)
+
+dev_dontaudit_getattr_all(sandbox_domain)
+
+files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
+files_entrypoint_all_files(sandbox_domain)
+
+files_read_config_files(sandbox_domain)
+files_read_var_files(sandbox_domain)
+files_dontaudit_search_all_dirs(sandbox_domain)
+
+fs_dontaudit_getattr_all_fs(sandbox_domain)
+
+userdom_use_inherited_user_terminals(sandbox_domain)
+
+mta_dontaudit_read_spool_symlinks(sandbox_domain)
diff --git a/sandboxX.fc b/sandboxX.fc
new file mode 100644
index 0000000..6caef63
--- /dev/null
+++ b/sandboxX.fc
@@ -0,0 +1,2 @@
+
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/sandboxX.if b/sandboxX.if
new file mode 100644
index 0000000..5da5bff
--- /dev/null
+++ b/sandboxX.if
@@ -0,0 +1,392 @@
+
+## policy for sandboxX
+
+########################################
+##
+## Execute sandbox in the sandbox domain, and
+## allow the specified role the sandbox domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the sandbox domain.
+##
+##
+#
+interface(`sandbox_x_transition',`
+ gen_require(`
+ type sandbox_xserver_t;
+ type sandbox_file_t;
+ attribute sandbox_x_domain;
+ attribute sandbox_tmpfs_type;
+ ')
+
+ allow $1 sandbox_x_domain:process { signal_perms transition };
+ dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
+ allow sandbox_x_domain $1:process { sigchld signull };
+ allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;
+ role $2 types sandbox_x_domain;
+ role $2 types sandbox_xserver_t;
+ allow $1 sandbox_xserver_t:process signal_perms;
+ dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
+ allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
+ dontaudit sandbox_xserver_t $1:file read;
+ allow sandbox_x_domain sandbox_x_domain:process signal;
+ # Dontaudit leaked file descriptors
+ dontaudit sandbox_x_domain $1:fifo_file { read write };
+ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
+ dontaudit sandbox_x_domain $1:process { signal sigkill };
+
+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
+ dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
+
+ can_exec($1, sandbox_file_t)
+ allow $1 sandbox_file_t:filesystem getattr;
+ manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
+ relabel_files_pattern($1, sandbox_file_t, sandbox_file_t)
+ relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
+ relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
+ relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+##
+## Creates types and rules for a basic
+## sandbox process domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`sandbox_x_domain_template',`
+ gen_require(`
+ type xserver_exec_t, sandbox_devpts_t;
+ type sandbox_xserver_t;
+ type sandbox_exec_t;
+ attribute sandbox_x_domain;
+ attribute sandbox_tmpfs_type;
+ attribute sandbox_type;
+ ')
+
+ type $1_t, sandbox_x_domain, sandbox_type;
+ application_type($1_t)
+ mcs_constrained($1_t)
+
+ kernel_read_system_state($1_t)
+ selinux_get_fs_mount($1_t)
+
+ auth_use_nsswitch($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ # window manager
+ miscfiles_setattr_fonts_cache_dirs($1_t)
+ allow $1_t self:capability setuid;
+
+ type $1_client_t, sandbox_x_domain;
+ application_type($1_client_t)
+ kernel_read_system_state($1_client_t)
+
+ mcs_constrained($1_t)
+
+ type $1_client_tmpfs_t, sandbox_tmpfs_type;
+ files_tmpfs_file($1_client_tmpfs_t)
+
+ manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
+ manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
+ fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
+ fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
+ # Pulseaudio tmpfs files with different MCS labels
+ dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
+ dontaudit $1_t $1_client_tmpfs_t:file { read write };
+ allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
+
+ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
+ allow $1_t sandbox_xserver_t:process signal_perms;
+
+ domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
+ domain_entry_file($1_client_t, sandbox_exec_t)
+
+ ps_process_pattern(sandbox_xserver_t, $1_client_t)
+ ps_process_pattern(sandbox_xserver_t, $1_t)
+ allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
+ allow sandbox_xserver_t $1_t:shm rw_shm_perms;
+ allow $1_client_t $1_t:unix_stream_socket connectto;
+ allow $1_t $1_client_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## allow domain to read,
+## write sandbox_xserver tmp files
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`sandbox_rw_xserver_tmpfs_files',`
+ gen_require(`
+ type sandbox_xserver_tmpfs_t;
+ ')
+
+ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+##
+## allow domain to read
+## sandbox tmpfs files
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`sandbox_read_tmpfs_files',`
+ gen_require(`
+ attribute sandbox_tmpfs_type;
+ ')
+
+ allow $1 sandbox_tmpfs_type:file read_file_perms;
+')
+
+########################################
+##
+## allow domain to manage
+## sandbox tmpfs files
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`sandbox_manage_tmpfs_files',`
+ gen_require(`
+ attribute sandbox_tmpfs_type;
+ ')
+
+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
+')
+
+########################################
+##
+## Delete sandbox files
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`sandbox_delete_files',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ delete_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+##
+## Manage sandbox content
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`sandbox_manage_content',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ allow $1 sandbox_file_t:filesystem getattr;
+ manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
+')
+
+########################################
+##
+## Delete sandbox symbolic links
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`sandbox_delete_lnk_files',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+##
+## Delete sandbox fifo files
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`sandbox_delete_pipes',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+##
+## Delete sandbox sock files
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`sandbox_delete_sock_files',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+##
+## Allow domain to set the attributes
+## of the sandbox directory.
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`sandbox_setattr_dirs',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ allow $1 sandbox_file_t:dir setattr;
+')
+
+########################################
+##
+## Delete sandbox directories
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`sandbox_delete_dirs',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+##
+## allow domain to list sandbox dirs
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`sandbox_list',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ allow $1 sandbox_file_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Read and write a sandbox domain pty.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sandbox_use_ptys',`
+ gen_require(`
+ type sandbox_devpts_t;
+ ')
+
+ allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+#######################################
+##
+## Allow domain to execute sandbox_file_t in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sandbox_exec_file',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ can_exec($1, sandbox_file_t)
+')
+
+######################################
+##
+## Allow domain to execute sandbox_file_t in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sandbox_dontaudit_mounton',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ dontaudit $1 sandbox_file_t:dir mounton;
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
index 0000000..710df6b
--- /dev/null
+++ b/sandboxX.te
@@ -0,0 +1,483 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
+attribute sandbox_x_domain;
+attribute sandbox_web_type;
+attribute sandbox_file_type;
+attribute sandbox_tmpfs_type;
+attribute sandbox_type;
+
+type sandbox_exec_t;
+files_type(sandbox_exec_t)
+
+type sandbox_file_t, sandbox_file_type;
+userdom_user_home_content(sandbox_file_t)
+
+typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t };
+
+########################################
+#
+# Declarations
+#
+sandbox_x_domain_template(sandbox_min)
+sandbox_x_domain_template(sandbox_x)
+sandbox_x_domain_template(sandbox_web)
+sandbox_x_domain_template(sandbox_net)
+
+type sandbox_xserver_t;
+domain_type(sandbox_xserver_t)
+xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)
+
+type sandbox_xserver_tmpfs_t;
+files_tmpfs_file(sandbox_xserver_tmpfs_t)
+
+type sandbox_devpts_t;
+term_pty(sandbox_devpts_t)
+files_type(sandbox_devpts_t)
+
+########################################
+#
+# sandbox xserver policy
+#
+allow sandbox_xserver_t self:process { signal_perms execstack };
+
+tunable_policy(`deny_execmem',`',`
+ allow sandbox_xserver_t self:process execmem;
+')
+
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
+manage_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
+allow sandbox_xserver_t sandbox_file_t:sock_file create_sock_file_perms;
+
+manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_dontaudit_request_load_module(sandbox_xserver_t)
+kernel_read_system_state(sandbox_xserver_t)
+
+corecmd_exec_bin(sandbox_xserver_t)
+corecmd_exec_shell(sandbox_xserver_t)
+
+corenet_all_recvfrom_netlabel(sandbox_xserver_t)
+corenet_tcp_sendrecv_generic_if(sandbox_xserver_t)
+corenet_udp_sendrecv_generic_if(sandbox_xserver_t)
+corenet_tcp_sendrecv_generic_node(sandbox_xserver_t)
+corenet_udp_sendrecv_generic_node(sandbox_xserver_t)
+corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_tcp_bind_generic_node(sandbox_xserver_t)
+corenet_tcp_bind_xserver_port(sandbox_xserver_t)
+corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
+corenet_sendrecv_all_client_packets(sandbox_xserver_t)
+
+dev_read_sysfs(sandbox_xserver_t)
+dev_rwx_zero(sandbox_xserver_t)
+dev_read_urand(sandbox_xserver_t)
+
+domain_use_interactive_fds(sandbox_xserver_t)
+
+files_read_config_files(sandbox_xserver_t)
+files_search_home(sandbox_xserver_t)
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
+fs_list_inotifyfs(sandbox_xserver_t)
+fs_search_auto_mountpoints(sandbox_xserver_t)
+
+miscfiles_read_fonts(sandbox_xserver_t)
+
+selinux_validate_context(sandbox_xserver_t)
+selinux_compute_access_vector(sandbox_xserver_t)
+selinux_compute_create_context(sandbox_xserver_t)
+
+auth_use_nsswitch(sandbox_xserver_t)
+
+logging_send_syslog_msg(sandbox_xserver_t)
+logging_send_audit_msgs(sandbox_xserver_t)
+
+userdom_use_inherited_user_terminals(sandbox_xserver_t)
+userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
+userdom_dontaudit_rw_user_tmp_pipes(sandbox_xserver_t)
+
+xserver_read_xkb_libs(sandbox_xserver_t)
+xserver_dontaudit_xkb_libs_access(sandbox_xserver_t)
+xserver_entry_type(sandbox_xserver_t)
+
+optional_policy(`
+ dbus_system_bus_client(sandbox_xserver_t)
+
+ optional_policy(`
+ hal_dbus_chat(sandbox_xserver_t)
+ ')
+')
+
+########################################
+#
+# sandbox_x_domain local policy
+#
+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
+tunable_policy(`deny_execmem',`',`
+ allow sandbox_x_domain self:process execmem;
+')
+
+allow sandbox_x_domain self:fifo_file manage_file_perms;
+allow sandbox_x_domain self:sem create_sem_perms;
+allow sandbox_x_domain self:shm create_shm_perms;
+allow sandbox_x_domain self:msgq create_msgq_perms;
+allow sandbox_x_domain self:netlink_selinux_socket create_socket_perms;
+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
+
+dontaudit sandbox_x_domain sandbox_x_domain:process signal;
+dontaudit sandbox_x_domain sandbox_xserver_t:process signal;
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
+
+allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr };
+term_create_pty(sandbox_x_domain,sandbox_devpts_t)
+
+can_exec(sandbox_x_domain, sandbox_file_t)
+allow sandbox_x_domain sandbox_file_t:filesystem getattr;
+manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_dirs_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+dontaudit sandbox_x_domain sandbox_file_t:dir mounton;
+
+kernel_getattr_proc(sandbox_x_domain)
+kernel_read_network_state(sandbox_x_domain)
+kernel_dontaudit_search_kernel_sysctl(sandbox_x_domain)
+
+domain_dontaudit_read_all_domains_state(sandbox_x_domain)
+
+corecmd_exec_all_executables(sandbox_x_domain)
+
+dev_read_urand(sandbox_x_domain)
+dev_dontaudit_read_rand(sandbox_x_domain)
+dev_read_sysfs(sandbox_x_domain)
+dev_dontaudit_rw_dri(sandbox_x_domain)
+
+files_search_home(sandbox_x_domain)
+files_dontaudit_list_all_mountpoints(sandbox_x_domain)
+files_entrypoint_all_files(sandbox_x_domain)
+files_read_config_files(sandbox_x_domain)
+files_read_usr_symlinks(sandbox_x_domain)
+
+fs_getattr_tmpfs(sandbox_x_domain)
+fs_getattr_xattr_fs(sandbox_x_domain)
+fs_list_inotifyfs(sandbox_x_domain)
+fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)
+# Random tmpfs_t that gets created when you run X.
+fs_rw_tmpfs_files(sandbox_x_domain)
+fs_get_xattr_fs_quotas(sandbox_x_domain)
+
+auth_dontaudit_read_login_records(sandbox_x_domain)
+auth_dontaudit_write_login_records(sandbox_x_domain)
+auth_search_pam_console_data(sandbox_x_domain)
+
+init_read_utmp(sandbox_x_domain)
+init_dontaudit_write_utmp(sandbox_x_domain)
+
+libs_dontaudit_setattr_lib_files(sandbox_x_domain)
+
+miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
+
+mta_dontaudit_read_spool_symlinks(sandbox_x_domain)
+
+selinux_validate_context(sandbox_x_domain)
+selinux_compute_access_vector(sandbox_x_domain)
+selinux_compute_create_context(sandbox_x_domain)
+selinux_compute_relabel_context(sandbox_x_domain)
+selinux_compute_user_contexts(sandbox_x_domain)
+seutil_read_default_contexts(sandbox_x_domain)
+
+term_getattr_pty_fs(sandbox_x_domain)
+term_use_ptmx(sandbox_x_domain)
+term_search_ptys(sandbox_x_domain)
+
+application_dontaudit_signal(sandbox_x_domain)
+application_dontaudit_sigkill(sandbox_x_domain)
+
+logging_dontaudit_search_logs(sandbox_x_domain)
+
+miscfiles_read_fonts(sandbox_x_domain)
+
+storage_dontaudit_rw_fuse(sandbox_x_domain)
+
+optional_policy(`
+ consolekit_dbus_chat(sandbox_x_domain)
+')
+
+optional_policy(`
+ cups_stream_connect(sandbox_x_domain)
+ cups_read_rw_config(sandbox_x_domain)
+')
+
+optional_policy(`
+ dbus_system_bus_client(sandbox_x_domain)
+')
+
+optional_policy(`
+ devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain)
+')
+
+optional_policy(`
+ gnome_read_gconf_config(sandbox_x_domain)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(sandbox_x_domain)
+')
+
+optional_policy(`
+ sssd_dontaudit_search_lib(sandbox_x_domain)
+')
+
+optional_policy(`
+ udev_read_db(sandbox_x_domain)
+')
+
+userdom_use_inherited_user_terminals(sandbox_x_domain)
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
+userdom_search_user_home_content(sandbox_x_domain)
+userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain)
+
+fs_search_auto_mountpoints(sandbox_x_domain)
+fs_read_hugetlbfs_files(sandbox_x_domain)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_auto_mountpoints(sandbox_x_domain)
+ fs_search_nfs(sandbox_xserver_t)
+ fs_read_nfs_files(sandbox_xserver_t)
+ fs_manage_nfs_dirs(sandbox_x_domain)
+ fs_manage_nfs_files(sandbox_x_domain)
+ fs_exec_nfs_files(sandbox_x_domain)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(sandbox_xserver_t)
+ fs_read_cifs_files(sandbox_xserver_t)
+ fs_manage_cifs_dirs(sandbox_x_domain)
+ fs_manage_cifs_files(sandbox_x_domain)
+ fs_exec_cifs_files(sandbox_x_domain)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_search_fusefs(sandbox_xserver_t)
+ fs_read_fusefs_files(sandbox_xserver_t)
+ fs_manage_fusefs_dirs(sandbox_x_domain)
+ fs_manage_fusefs_files(sandbox_x_domain)
+ fs_exec_fusefs_files(sandbox_x_domain)
+')
+
+files_search_home(sandbox_x_t)
+userdom_use_user_ptys(sandbox_x_t)
+
+########################################
+#
+# sandbox_x_client_t local policy
+#
+allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
+allow sandbox_x_client_t self:udp_socket create_socket_perms;
+allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
+
+dev_read_rand(sandbox_x_client_t)
+
+corenet_tcp_connect_ipp_port(sandbox_x_client_t)
+corenet_dontaudit_tcp_connect_xserver_port(sandbox_x_client_t)
+
+auth_use_nsswitch(sandbox_x_client_t)
+
+logging_send_syslog_msg(sandbox_x_client_t)
+
+optional_policy(`
+ colord_dbus_chat(sandbox_x_client_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(sandbox_x_client_t)
+')
+
+optional_policy(`
+ nsplugin_read_rw_files(sandbox_x_client_t)
+')
+
+########################################
+#
+# sandbox_web_client_t local policy
+#
+typeattribute sandbox_web_client_t sandbox_web_type;
+
+selinux_get_fs_mount(sandbox_web_client_t)
+
+auth_use_nsswitch(sandbox_web_client_t)
+
+logging_send_syslog_msg(sandbox_web_client_t)
+
+allow sandbox_web_type self:capability { setuid setgid };
+allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
+dontaudit sandbox_web_type self:process setrlimit;
+
+allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
+allow sandbox_web_type self:udp_socket create_socket_perms;
+allow sandbox_web_type self:dbus { acquire_svc send_msg };
+
+kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
+kernel_request_load_module(sandbox_web_type)
+
+dev_read_rand(sandbox_web_type)
+dev_write_sound(sandbox_web_type)
+dev_read_sound(sandbox_web_type)
+
+corenet_tcp_sendrecv_generic_if(sandbox_web_type)
+corenet_raw_sendrecv_generic_if(sandbox_web_type)
+corenet_tcp_sendrecv_generic_node(sandbox_web_type)
+corenet_raw_sendrecv_generic_node(sandbox_web_type)
+corenet_tcp_sendrecv_http_port(sandbox_web_type)
+corenet_tcp_sendrecv_http_cache_port(sandbox_web_type)
+corenet_tcp_sendrecv_squid_port(sandbox_web_type)
+corenet_tcp_sendrecv_ftp_port(sandbox_web_type)
+corenet_tcp_sendrecv_ipp_port(sandbox_web_type)
+corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type)
+corenet_tcp_connect_aol_port(sandbox_web_type)
+corenet_tcp_connect_asterisk_port(sandbox_web_type)
+corenet_tcp_connect_commplex_link_port(sandbox_web_type)
+corenet_tcp_connect_couchdb_port(sandbox_web_type)
+corenet_tcp_connect_flash_port(sandbox_web_type)
+corenet_tcp_connect_ftp_port(sandbox_web_type)
+corenet_tcp_connect_gatekeeper_port(sandbox_web_type)
+corenet_tcp_connect_generic_port(sandbox_web_type)
+corenet_tcp_connect_http_cache_port(sandbox_web_type)
+corenet_tcp_connect_http_port(sandbox_web_type)
+corenet_tcp_connect_ipp_port(sandbox_web_type)
+corenet_tcp_connect_ipsecnat_port(sandbox_web_type)
+corenet_tcp_connect_ircd_port(sandbox_web_type)
+corenet_tcp_connect_jabber_client_port(sandbox_web_type)
+corenet_tcp_connect_jboss_management_port(sandbox_web_type)
+corenet_tcp_connect_mmcc_port(sandbox_web_type)
+corenet_tcp_connect_monopd_port(sandbox_web_type)
+corenet_tcp_connect_msnp_port(sandbox_web_type)
+corenet_tcp_connect_ms_streaming_port(sandbox_web_type)
+corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
+corenet_tcp_connect_rtsp_port(sandbox_web_type)
+corenet_tcp_connect_soundd_port(sandbox_web_type)
+corenet_tcp_connect_speech_port(sandbox_web_type)
+corenet_tcp_connect_squid_port(sandbox_web_type)
+corenet_tcp_connect_tor_port(sandbox_web_type)
+corenet_tcp_connect_transproxy_port(sandbox_web_type)
+corenet_tcp_connect_vnc_port(sandbox_web_type)
+corenet_tcp_connect_whois_port(sandbox_web_type)
+corenet_sendrecv_http_client_packets(sandbox_web_type)
+corenet_sendrecv_http_cache_client_packets(sandbox_web_type)
+corenet_sendrecv_squid_client_packets(sandbox_web_type)
+corenet_sendrecv_ftp_client_packets(sandbox_web_type)
+corenet_sendrecv_ipp_client_packets(sandbox_web_type)
+corenet_sendrecv_generic_client_packets(sandbox_web_type)
+corenet_dontaudit_tcp_connect_xserver_port(sandbox_web_type)
+
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
+
+files_dontaudit_getattr_all_dirs(sandbox_web_type)
+
+fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
+fs_dontaudit_getattr_all_fs(sandbox_web_type)
+
+storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)
+
+dbus_system_bus_client(sandbox_web_type)
+dbus_read_config(sandbox_web_type)
+selinux_validate_context(sandbox_web_type)
+selinux_compute_access_vector(sandbox_web_type)
+selinux_compute_create_context(sandbox_web_type)
+selinux_compute_relabel_context(sandbox_web_type)
+selinux_compute_user_contexts(sandbox_web_type)
+seutil_read_default_contexts(sandbox_web_type)
+
+userdom_rw_user_tmpfs_files(sandbox_web_type)
+userdom_delete_user_tmpfs_files(sandbox_web_type)
+
+optional_policy(`
+ alsa_read_rw_config(sandbox_web_type)
+')
+
+optional_policy(`
+ bluetooth_dontaudit_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+ hal_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+ chrome_domtrans_sandbox(sandbox_web_type)
+')
+
+optional_policy(`
+ nsplugin_manage_rw(sandbox_web_type)
+ nsplugin_read_rw_files(sandbox_web_type)
+ nsplugin_rw_exec(sandbox_web_type)
+')
+
+optional_policy(`
+ pulseaudio_stream_connect(sandbox_web_type)
+ allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms;
+')
+
+optional_policy(`
+ rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+ # needed by pulseaudio
+ systemd_read_logind_sessions_files(sandbox_web_type)
+ systemd_login_read_pid_files(sandbox_web_type)
+')
+
+optional_policy(`
+ networkmanager_dontaudit_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+ udev_read_state(sandbox_web_type)
+')
+
+########################################
+#
+# sandbox_net_client_t local policy
+#
+typeattribute sandbox_net_client_t sandbox_web_type;
+
+corenet_tcp_sendrecv_generic_if(sandbox_net_client_t)
+corenet_udp_sendrecv_generic_if(sandbox_net_client_t)
+corenet_tcp_sendrecv_generic_node(sandbox_net_client_t)
+corenet_udp_sendrecv_generic_node(sandbox_net_client_t)
+corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_tcp_connect_all_ports(sandbox_net_client_t)
+corenet_sendrecv_all_client_packets(sandbox_net_client_t)
+
+selinux_get_fs_mount(sandbox_net_client_t)
+
+auth_use_nsswitch(sandbox_net_client_t)
+
+logging_send_syslog_msg(sandbox_net_client_t)
+
+optional_policy(`
+ mozilla_plugin_rw_tmpfs_files(sandbox_x_domain)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
+ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain)
+ mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
+')
+userdom_dontaudit_open_user_ptys(sandbox_x_domain)
diff --git a/sanlock.fc b/sanlock.fc
index 3df2a0f..9059165 100644
--- a/sanlock.fc
+++ b/sanlock.fc
@@ -1,7 +1,10 @@
+
/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
-/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
+/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
+
+/var/log/sanlock\.log.* gen_context(system_u:object_r:sanlock_log_t,s0)
-/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
+/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
-/var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0)
+/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0)
diff --git a/sanlock.if b/sanlock.if
index cd6c213..34b861a 100644
--- a/sanlock.if
+++ b/sanlock.if
@@ -1,4 +1,5 @@
-## shared storage lock manager.
+
+## policy for sanlock
########################################
##
@@ -15,18 +16,17 @@ interface(`sanlock_domtrans',`
type sanlock_t, sanlock_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, sanlock_exec_t, sanlock_t)
')
+
########################################
##
-## Execute sanlock init scripts in
-## the initrc domain.
+## Execute sanlock server in the sanlock domain.
##
##
##
-## Domain allowed to transition.
+## The type of the process performing this action.
##
##
#
@@ -40,8 +40,7 @@ interface(`sanlock_initrc_domtrans',`
######################################
##
-## Create, read, write, and delete
-## sanlock pid files.
+## Create, read, write, and delete sanlock PID files.
##
##
##
@@ -60,28 +59,50 @@ interface(`sanlock_manage_pid_files',`
########################################
##
-## Connect to sanlock with a unix
-## domain stream socket.
+## Connect to sanlock over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sanlock_stream_connect',`
+ gen_require(`
+ type sanlock_t, sanlock_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
+')
+
+########################################
+##
+## Execute virt server in the virt domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
-interface(`sanlock_stream_connect',`
+interface(`sanlock_systemctl',`
gen_require(`
- type sanlock_t, sanlock_var_run_t;
+ type sanlock_unit_file_t;
+ type sanlock_t;
')
- files_search_pids($1)
- stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
+ systemd_exec_systemctl($1)
+ allow $1 sanlock_unit_file_t:file read_file_perms;
+ allow $1 sanlock_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, sanlock_t)
')
########################################
##
-## All of the rules required to
-## administrate an sanlock environment.
+## All of the rules required to administrate
+## an sanlock environment
##
##
##
@@ -97,21 +118,23 @@ interface(`sanlock_stream_connect',`
#
interface(`sanlock_admin',`
gen_require(`
- type sanlock_t, sanlock_initrc_exec_t, sanlock_var_run_t;
- type sanlock_log_t;
+ type sanlock_t;
+ type sanlock_initrc_exec_t;
+ type sanlock_unit_file_t;
')
- allow $1 sanlock_t:process { ptrace signal_perms };
+ allow $1 sanlock_t:process signal_perms;
ps_process_pattern($1, sanlock_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 sanlock_t:process ptrace;
+ ')
sanlock_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 sanlock_initrc_exec_t system_r;
allow $2 system_r;
- files_search_pids($1)
- admin_pattern($1, sanlock_var_run_t)
-
- logging_search_logs($1)
- admin_pattern($1, sanlock_log_t)
+ virt_systemctl($1)
+ admin_pattern($1, sanlock_unit_file_t)
+ allow $1 sanlock_unit_file_t:service all_service_perms;
')
diff --git a/sanlock.te b/sanlock.te
index 0045465..7d3129e 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -6,21 +6,26 @@ policy_module(sanlock, 1.1.0)
#
##
-##
-## Determine whether sanlock can use
-## nfs file systems.
-##
+##
+## Allow sanlock to manage nfs files
+##
##
gen_tunable(sanlock_use_nfs, false)
##
-##
-## Determine whether sanlock can use
-## cifs file systems.
-##
+##
+## Allow sanlock to manage cifs files
+##
##
gen_tunable(sanlock_use_samba, false)
+##
+##
+## Allow sanlock to read/write fuse files
+##
+##
+gen_tunable(sanlock_use_fusefs, false)
+
type sanlock_t;
type sanlock_exec_t;
init_daemon_domain(sanlock_t, sanlock_exec_t)
@@ -34,6 +39,9 @@ logging_log_file(sanlock_log_t)
type sanlock_initrc_exec_t;
init_script_file(sanlock_initrc_exec_t)
+type sanlock_unit_file_t;
+systemd_unit_file(sanlock_unit_file_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
')
@@ -44,17 +52,15 @@ ifdef(`enable_mls',`
########################################
#
-# Local policy
+# sanlock local policy
#
-
allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
allow sanlock_t self:process { setrlimit setsched signull signal sigkill };
+
allow sanlock_t self:fifo_file rw_fifo_file_perms;
-allow sanlock_t self:unix_stream_socket { accept listen };
+allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
-append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
-create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
-setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
+manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
logging_log_filetrans(sanlock_t, sanlock_log_t, file)
manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
@@ -65,13 +71,15 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
kernel_read_system_state(sanlock_t)
kernel_read_kernel_sysctls(sanlock_t)
-dev_read_rand(sanlock_t)
-dev_read_urand(sanlock_t)
-
domain_use_interactive_fds(sanlock_t)
+files_read_mnt_symlinks(sanlock_t)
+
storage_raw_rw_fixed_disk(sanlock_t)
+dev_read_rand(sanlock_t)
+dev_read_urand(sanlock_t)
+
auth_use_nsswitch(sanlock_t)
init_read_utmp(sanlock_t)
@@ -79,20 +87,29 @@ init_dontaudit_write_utmp(sanlock_t)
logging_send_syslog_msg(sanlock_t)
-miscfiles_read_localization(sanlock_t)
+tunable_policy(`sanlock_use_fusefs',`
+ fs_manage_fusefs_dirs(sanlock_t)
+ fs_manage_fusefs_files(sanlock_t)
+ fs_read_fusefs_symlinks(sanlock_t)
+ fs_getattr_fusefs(sanlock_t)
+')
tunable_policy(`sanlock_use_nfs',`
- fs_manage_nfs_dirs(sanlock_t)
- fs_manage_nfs_files(sanlock_t)
- fs_manage_nfs_named_sockets(sanlock_t)
- fs_read_nfs_symlinks(sanlock_t)
+ fs_manage_nfs_dirs(sanlock_t)
+ fs_manage_nfs_files(sanlock_t)
+ fs_manage_nfs_named_sockets(sanlock_t)
+ fs_read_nfs_symlinks(sanlock_t)
')
tunable_policy(`sanlock_use_samba',`
- fs_manage_cifs_dirs(sanlock_t)
- fs_manage_cifs_files(sanlock_t)
- fs_manage_cifs_named_sockets(sanlock_t)
- fs_read_cifs_symlinks(sanlock_t)
+ fs_manage_cifs_dirs(sanlock_t)
+ fs_manage_cifs_files(sanlock_t)
+ fs_manage_cifs_named_sockets(sanlock_t)
+ fs_read_cifs_symlinks(sanlock_t)
+')
+
+optional_policy(`
+ rhcs_domtrans_fenced(sanlock_t)
')
optional_policy(`
@@ -100,7 +117,8 @@ optional_policy(`
')
optional_policy(`
- virt_kill_all_virt_domains(sanlock_t)
+ virt_kill_svirt(sanlock_t)
+ virt_kill(sanlock_t)
virt_manage_lib_files(sanlock_t)
- virt_signal_all_virt_domains(sanlock_t)
+ virt_signal_svirt(sanlock_t)
')
diff --git a/sasl.fc b/sasl.fc
index 54f41c2..7e58679 100644
--- a/sasl.fc
+++ b/sasl.fc
@@ -1,7 +1,12 @@
/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
+#
+# /usr
+#
/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
-/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
-
+#
+# /var
+#
+/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
/var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
diff --git a/sasl.if b/sasl.if
index 8c3c151..93b7227 100644
--- a/sasl.if
+++ b/sasl.if
@@ -1,4 +1,4 @@
-## SASL authentication server.
+## SASL authentication server
########################################
##
@@ -21,8 +21,8 @@ interface(`sasl_connect',`
########################################
##
-## All of the rules required to
-## administrate an sasl environment.
+## All of the rules required to administrate
+## an sasl environment
##
##
##
@@ -42,9 +42,13 @@ interface(`sasl_admin',`
type saslauthd_keytab_t;
')
- allow $1 saslauthd_t:process { ptrace signal_perms };
+ allow $1 saslauthd_t:process signal_perms;
ps_process_pattern($1, saslauthd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 saslauthd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 saslauthd_initrc_exec_t system_r;
diff --git a/sasl.te b/sasl.te
index 6c3bc20..14e8575 100644
--- a/sasl.te
+++ b/sasl.te
@@ -6,12 +6,11 @@ policy_module(sasl, 1.15.1)
#
##