##
@@ -87,14 +102,17 @@ allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
+kernel_read_crypto_sysctls(domain)
+
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
+kernel_dontaudit_search_debugfs(domain)
# create child processes in the domain
-allow domain self:process { fork sigchld };
+allow domain self:process { fork getsched sigchld };
# Use trusted objects in /dev
dev_rw_null(domain)
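Review bot: `kernel_dontaudit_search_debugfs(domain)` is added directly under the keyring comment block with no comment of its own, and as a dontaudit on the `domain` attribute it removes the AVC record for debugfs searches from every process on the system. I would add a line above it such as `# dontaudit: COMPONENT (placeholder) probes debugfs at startup; access is not required`, so that whoever later investigates a missing denial knows the suppression is deliberate. The same gap applies to `kernel_read_crypto_sysctls(domain)` and to the new `getsched` permission, which are real grants to all domains and carry no rationale in the hunk.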
@@ -103,6 +121,16 @@ term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
+# allow all domains to search through default_t directory, since users sometimes
+# place labels within these directories. (samba_share_t) for example.
+files_search_default(domain)
+
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
+
+tunable_policy(`domain_kernel_load_modules',`
+ kernel_request_load_module(domain)
+')
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
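Review bot: The `domain_kernel_load_modules` block hands `kernel_request_load_module` to the whole `domain` attribute, so with the boolean enabled every confined process can ask the kernel to autoload a module. The hunk shows no `gen_tunable` declaration or description for the boolean; if it is declared outside this view that is fine, otherwise it needs one with a default of false and a description that states the scope. I would also put a comment above the block, e.g. `# off by default: lets any domain trigger kernel module autoloading`. The global_ssp block that follows continues outside the hunk.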
@@ -113,8 +141,13 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
+ afs_rw_cache(domain)
+')
+
+optional_policy(`
libs_use_ld_so(domain)
libs_use_shared_libs(domain)
+ libs_read_lib_files(domain)
')
optional_policy(`
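Review bot: `afs_rw_cache(domain)` gives read/write on the AFS cache to every domain whenever the afs module is present, which is a wide grant for a cache that is shared between processes. The interface body is not visible here, so the exact classes are inferred from its name; if the need is only that inherited descriptors keep working, a narrower interface or a dontaudit would stop an arbitrary domain from altering cached content that other domains read. At minimum the block should carry a comment stating which denial it resolves, e.g. `# AFS clients write through the local cache from the calling domain`, with the wording confirmed by the author.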
@@ -125,6 +158,8 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
+ xserver_dontaudit_append_xdm_home_files(domain)
+ xserver_dontaudit_write_log(domain)
')
########################################
@@ -143,6 +178,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
+
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
@@ -160,3 +197,89 @@ allow unconfined_domain_type domain:key *;
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
+
+selinux_getattr_fs(domain)
+selinux_search_fs(domain)
+selinux_dontaudit_read_fs(domain)
+
+optional_policy(`
+ seutil_dontaudit_read_config(domain)
+')
+
+optional_policy(`
+ init_sigchld(domain)
+ init_signull(domain)
+')
+
+ifdef(`distro_redhat',`
+ files_search_mnt(domain)
+ optional_policy(`
+ unconfined_use_fds(domain)
+ ')
+')
+
+# these seem questionable:
+
+optional_policy(`
+ abrt_domtrans_helper(domain)
+ abrt_read_pid_files(domain)
+ abrt_read_state(domain)
+ abrt_signull(domain)
+ abrt_stream_connect(domain)
+')
+
+optional_policy(`
+ rpm_use_fds(domain)
+ rpm_read_pipes(domain)
+ rpm_search_log(domain)
+ rpm_append_tmp_files(domain)
+ rpm_dontaudit_leaks(domain)
+ rpm_read_script_tmp_files(domain)
+ rpm_inherited_fifo(domain)
+')
+
+optional_policy(`
+ sosreport_append_tmp_files(domain)
+')
+
+tunable_policy(`allow_domain_fd_use',`
+ # Allow all domains to use fds past to them
+ allow domain domain:fd use;
+')
+
+optional_policy(`
+ cron_dontaudit_write_system_job_tmp_files(domain)
+ cron_rw_pipes(domain)
+ cron_rw_system_job_pipes(domain)
+')
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit domain self:udp_socket listen;
+ allow domain domain:key { link search };
+')
+
+optional_policy(`
+ hal_dontaudit_read_pid_files(domain)
+')
+
+optional_policy(`
+ ipsec_match_default_spd(domain)
+')
+
+optional_policy(`
+ ifdef(`hide_broken_symptoms',`
+ afs_rw_udp_sockets(domain)
+ ')
+')
+
+optional_policy(`
+ ssh_rw_pipes(domain)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(domain)
+ unconfined_sigchld(domain)
+')
+
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
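Review bot: Inside the second-to-last `hide_broken_symptoms` block, `allow domain domain:key { link search };` is a grant rather than a suppression, and it gives every domain search and link on every other domain's keys, which contradicts the default stated earlier in this file ("default to no one allowed to look at it"). If the aim is only to quiet the denials, the rule would read `dontaudit domain domain:key { link search };`. The blocks under `# these seem questionable:` likewise give all domains `abrt_domtrans_helper`, the `rpm_*` pipe and tmp-file access, `cron_rw_pipes` and `ssh_rw_pipes`; each needs a comment naming the denial it fixes, or should be scoped to the domains that actually inherit those descriptors. The comment in the `allow_domain_fd_use` block should read "fds passed to them".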
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 16108f6..0f1470f 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
/poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
ifdef(`distro_suse',`
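Review bot: The new `/[^/]+` entry labels every regular file created directly under `/` on Red Hat builds as `etc_runtime_t`, not only the named boot flags listed above it. Every rule written against that type then reaches those files, for example `files_delete_boot_flag` added to files.if in this same commit, which deletes `etc_runtime_t` files in `root_t` directories. Listing the remaining flag names explicitly, as the neighbouring entries do, would be narrower; if the catch-all is intended, say so in place with `# catch-all: any regular file created in / is treated as a boot flag`. The `ifdef` block starts above the hunk.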
@@ -57,6 +58,13 @@ ifdef(`distro_suse',`
/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
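Review bot: `/etc/securetty` is given `etc_runtime_t`, the type this policy describes as files generated during initialization, although it is an access-control file listing the terminals on which root may log in. Every domain allowed to write `etc_runtime_t` can then change it, and files.te in this commit also adds that type to the `configfile` attribute. A comment naming the program that rewrites the file would justify the label, e.g. `# rewritten at boot by TOOL_NAME (placeholder); hence etc_runtime_t`; without such a writer a dedicated type would be the safer choice.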
@@ -68,7 +76,10 @@ ifdef(`distro_suse',`
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -89,7 +100,7 @@ ifdef(`distro_suse',`
# HOME_ROOT
# expanded by genhomedircon
#
-HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
+HOME_ROOT gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
HOME_ROOT/\.journal <>
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
HOME_ROOT/lost\+found/.* <>
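Review bot: Dropping the `-d` specifier from the `HOME_ROOT` entry makes it match an object of any class at that path, so a symlink or regular file placed there is also labelled `home_root_t` with the `s0-mls_systemhigh` range. The later hunk for `/var/tmp` makes the same change to a world-writable location. If this is meant to support a symlinked home root (the `lnk_file getattr` additions in files.if suggest so), record it next to the entry: `# no file-type specifier: HOME_ROOT may be a symlink`.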
@@ -153,6 +164,17 @@ HOME_ROOT/lost\+found/.* <>
/proc -d <>
/proc/.* <>
+ifdef(`distro_redhat',`
+/rhev -d gen_context(system_u:object_r:mnt_t,s0)
+/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
+/rhev/[^/]*/.* <>
+')
+
+/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+/run/.* gen_context(system_u:object_r:var_run_t,s0)
+/run/.*\.*pid <>
+/run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
+
#
# /selinux
#
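Review bot: In `/run/.*\.*pid` the `\.*` means "zero or more literal dots", so the entry matches any path under `/run` that ends in `pid`, not only `.pid` files, and all of those paths fall under the no-label marker on that line instead of the `var_run_t` default above it. If pid files are the target, the pattern would be `/run/.*\.pid`. Separately, the `/rhev -d` entry is already covered by `/rhev(/[^/]*)? -d` on the next line and can be dropped.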
@@ -166,12 +188,6 @@ HOME_ROOT/lost\+found/.* <>
/srv/.* gen_context(system_u:object_r:var_t,s0)
#
-# /sys
-#
-/sys -d <>
-/sys/.* <>
-
-#
# /tmp
#
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
@@ -211,7 +227,6 @@ HOME_ROOT/lost\+found/.* <>
ifndef(`distro_redhat',`
/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
-
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
@@ -227,6 +242,8 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <>
@@ -243,7 +260,7 @@ ifndef(`distro_redhat',`
/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
-/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/var/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/var/tmp/.* <>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <>
@@ -252,3 +269,7 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/usr/lib/debug(/.*)? <>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 958ca84..a595aa7 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
- # this is only relabelfrom since there should be no
- # device nodes with file types.
- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
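Review bot: Replacing `relabelfrom_blk_files_pattern` and `relabelfrom_chr_files_pattern` with the `relabel_*` forms adds relabelto for device nodes, and the comment removed with them gave the reason it had been withheld: there should be no device nodes carrying file types. After this change a caller of `files_relabel_all_files` can give a block or character device any `file_type` label, and any rule granting `chr_file` or `blk_file` access on that type then governs raw device access. If the need is for a relabelling tool to reset nodes found with a wrong label, keep a comment saying so, e.g. `# relabelto is needed so CALLER (placeholder) can reset device nodes found with a file type`. The interface body starts and ends outside the hunk.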
@@ -1410,6 +1408,24 @@ interface(`files_getattr_all_mountpoints',`
########################################
##
+## Set the attributes of all mount points.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_setattr_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ allow $1 mountpoint:dir setattr;
+')
+
+########################################
+##
## Search all mount points.
##
##
@@ -1446,6 +1462,60 @@ interface(`files_dontaudit_search_all_mountpoints',`
########################################
##
+## Do not audit listing of all mount points.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_dontaudit_list_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ dontaudit $1 mountpoint:dir list_dir_perms;
+')
+
+########################################
+##
+## Write all mount points.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_write_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ allow $1 mountpoint:dir write;
+')
+
+########################################
+##
+## Write all file type directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_write_all_dirs',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:dir write;
+')
+
+########################################
+##
## List the contents of the root directory.
##
##
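Review bot: `files_write_all_dirs` grants `write` on directories of every `file_type`, which presumably includes the types this policy groups under `security_file_type`. The commit already uses `non_security_file_type` in `files_dontaudit_all_non_security_leaks`; using it here, `allow $1 non_security_file_type:dir write;` with the `gen_require` changed to match, would keep the grant away from those directories. The summary should also state that only `write` is given, without `add_name` or `remove_name`, so callers do not assume it lets them create entries.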
@@ -1731,6 +1801,24 @@ interface(`files_list_boot',`
allow $1 boot_t:dir list_dir_perms;
')
+#######################################
+##
+## Dontaudit List the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_dontaudit_list_boot',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ dontaudit $1 boot_t:dir list_dir_perms;
+')
+
########################################
##
## Create directories in /boot
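Review bot: The parameter description of `files_dontaudit_list_boot` says "Domain allowed access." although the interface emits only a `dontaudit` rule; the wording used by the other dontaudit interfaces in this file is "Domain to not audit." The same copy-paste appears in `files_dontaudit_setattr_etc_runtime_files`, `files_dontaudit_list_mnt` and `files_dontaudit_leaks`, and in reverse in `files_rw_tmpfs_files`, whose allow rule is described as "Domain to not audit." The summary line would read better as `## Do not audit attempts to list the /boot directory.`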
@@ -1854,6 +1942,25 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
+######################################
+##
+## Read symbolic links
+## in the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_read_boot_symlinks',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ read_lnk_files_pattern($1, boot_t, boot_t)
+')
+
########################################
##
## Read and write symbolic links
@@ -2453,6 +2560,24 @@ interface(`files_delete_etc_files',`
########################################
##
+## Remove entries from the etc directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_etc_dir_entry',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir del_entry_dir_perms;
+')
+
+########################################
+##
## Execute generic files in /etc.
##
##
@@ -2583,6 +2708,31 @@ interface(`files_create_boot_flag',`
########################################
##
+## Delete a boot flag.
+##
+##
+##
+## Delete a boot flag, such as
+## /.autorelabel and /.autofsck.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_delete_boot_flag',`
+ gen_require(`
+ type root_t, etc_runtime_t;
+ ')
+
+ delete_files_pattern($1, root_t, etc_runtime_t)
+')
+
+########################################
+##
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
@@ -2623,6 +2773,24 @@ interface(`files_read_etc_runtime_files',`
########################################
##
+## Do not audit attempts to set the attributes of the etc_runtime files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_dontaudit_setattr_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ dontaudit $1 etc_runtime_t:file setattr;
+')
+
+########################################
+##
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
@@ -3104,6 +3272,7 @@ interface(`files_getattr_home_dir',`
')
allow $1 home_root_t:dir getattr;
+ allow $1 home_root_t:lnk_file getattr;
')
########################################
@@ -3124,6 +3293,7 @@ interface(`files_dontaudit_getattr_home_dir',`
')
dontaudit $1 home_root_t:dir getattr;
+ dontaudit $1 home_root_t:lnk_file getattr;
')
########################################
@@ -3287,6 +3457,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',`
dontaudit $1 lost_found_t:dir getattr;
')
+#######################################
+##
+## List the contents of /tmp/lost-found
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_list_lost_found_dirs',`
+ gen_require(`
+ type lost_found_t;
+ ')
+
+ allow $1 lost_found_t:dir list_dir_perms;
+')
+
########################################
##
## Create, read, write, and delete objects in
@@ -3365,6 +3553,43 @@ interface(`files_list_mnt',`
allow $1 mnt_t:dir list_dir_perms;
')
+######################################
+##
+## dontaudit List the contents of /mnt.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_dontaudit_list_mnt',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ dontaudit $1 mnt_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to check the
+## write access on mnt files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_dontaudit_access_check_mnt',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ dontaudit $1 mnt_t:file_class_set audit_access;
+')
+
########################################
##
## Mount a filesystem on /mnt.
@@ -3438,6 +3663,24 @@ interface(`files_read_mnt_files',`
read_files_pattern($1, mnt_t, mnt_t)
')
+######################################
+##
+## Read symbolic links in /mnt.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_read_mnt_symlinks',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ read_lnk_files_pattern($1, mnt_t, mnt_t)
+')
+
########################################
##
## Create, read, write, and delete symbolic links in /mnt.
@@ -3729,6 +3972,99 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
+#######################################
+##
+## Read manageable system configuration files in /etc
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_read_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, system_conf_t)
+ read_lnk_files_pattern($1, etc_t, system_conf_t)
+')
+
+######################################
+##
+## Manage manageable system configuration files in /etc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+')
+
+######################################
+##
+## Relabel manageable system configuration files in /etc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
+')
+
+######################################
+##
+## Relabel manageable system configuration files in /etc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelfrom_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
+')
+
+###################################
+##
+## Create files in /etc with the type used for
+## the manageable system config files.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`files_etc_filetrans_system_conf',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ filetrans_pattern($1, etc_t, system_conf_t, file)
+')
+
########################################
##
## Allow the specified type to associate
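Review bot: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` both require `type usr_t;` but use only `system_conf_t`, so the type they act on is never declared to the interface while an unrelated one is. The require line in each should be `type system_conf_t;`. The two interfaces also share the summary "Relabel manageable system configuration files in /etc."; they should read "Relabel to ..." and "Relabel from ..." respectively. In `files_manage_system_conf_files` the directory argument `{ etc_t system_conf_t }` presumably gives the caller add/remove-entry rights on `etc_t` directories as well, which deserves a comment if intended.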
@@ -3914,6 +4250,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
+## Allow shared library text relocations in tmp files.
+##
+##
+##
+## Allow shared library text relocations in tmp files.
+##
+##
+## This is added to support java policy.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_execmod_tmp',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+ allow $1 tmpfile:file execmod;
+')
+
+########################################
+##
## Manage temporary files and directories in /tmp.
##
##
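Review bot: `files_execmod_tmp` grants `execmod` on the whole `tmpfile` attribute, so a caller may execute modified mappings of any domain's temporary files, not only its own. Temporary directories are commonly writable by other processes, so this relaxes the text-relocation check broadly for a single consumer (the description names java). Scoping it would be safer: let the java policy allow `execmod` on its own tmp type, or take the type as a second parameter, `allow $1 $2:file execmod;`.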
@@ -3968,7 +4330,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
-## Set the attributes of all tmp directories.
+## Relabel a dir from the type used in /tmp.
##
##
##
@@ -3976,17 +4338,17 @@ interface(`files_rw_generic_tmp_sockets',`
##
##
#
-interface(`files_setattr_all_tmp_dirs',`
+interface(`files_relabelfrom_tmp_dirs',`
gen_require(`
- attribute tmpfile;
+ type tmp_t;
')
- allow $1 tmpfile:dir { search_dir_perms setattr };
+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## List all tmp directories.
+## Relabel a file from the type used in /tmp.
##
##
##
@@ -3994,45 +4356,123 @@ interface(`files_setattr_all_tmp_dirs',`
##
##
#
-interface(`files_list_all_tmp',`
+interface(`files_relabelfrom_tmp_files',`
gen_require(`
- attribute tmpfile;
+ type tmp_t;
')
- allow $1 tmpfile:dir list_dir_perms;
+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## Do not audit attempts to get the attributes
-## of all tmp files.
+## Relabel all tmp dirs.
##
##
##
-## Domain not to audit.
+## Domain allowed access.
##
##
+##
#
-interface(`files_dontaudit_getattr_all_tmp_files',`
+interface(`files_relabel_all_tmp_dirs',`
gen_require(`
attribute tmpfile;
+ type var_t;
')
- dontaudit $1 tmpfile:file getattr;
+ allow $1 var_t:dir search_dir_perms;
+ relabel_dirs_pattern($1, tmpfile, tmpfile)
')
########################################
##
-## Allow attempts to get the attributes
-## of all tmp files.
+## Relabel all tmp files.
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`files_getattr_all_tmp_files',`
+interface(`files_relabel_all_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ type var_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ relabel_files_pattern($1, tmpfile, tmpfile)
+')
+
+########################################
+##
+## Set the attributes of all tmp directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_setattr_all_tmp_dirs',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+ allow $1 tmpfile:dir { search_dir_perms setattr };
+')
+
+########################################
+##
+## List all tmp directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_list_all_tmp',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+ allow $1 tmpfile:dir list_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to get the attributes
+## of all tmp files.
+##
+##
+##
+## Domain not to audit.
+##
+##
+#
+interface(`files_dontaudit_getattr_all_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+ dontaudit $1 tmpfile:file getattr;
+')
+
+########################################
+##
+## Allow attempts to get the attributes
+## of all tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_getattr_all_tmp_files',`
gen_require(`
attribute tmpfile;
')
@@ -4127,6 +4567,15 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
+ delete_chr_files_pattern($1, tmpfile, tmpfile)
+ delete_blk_files_pattern($1, tmpfile, tmpfile)
+ files_delete_isid_type_dirs($1)
+ files_delete_isid_type_files($1)
+ files_delete_isid_type_symlinks($1)
+ files_delete_isid_type_fifo_files($1)
+ files_delete_isid_type_sock_files($1)
+ files_delete_isid_type_blk_files($1)
+ files_delete_isid_type_chr_files($1)
')
########################################
@@ -4736,6 +5185,24 @@ interface(`files_read_var_files',`
########################################
##
+## Append files in the /var directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_append_var_files',`
+ gen_require(`
+ type var_t;
+ ')
+
+ append_files_pattern($1, var_t, var_t)
+')
+
+########################################
+##
## Read and write files in the /var directory.
##
##
@@ -5071,6 +5538,25 @@ interface(`files_manage_mounttab',`
########################################
##
+## List generic lock directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_list_locks',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+##
## Search the locks directory (/var/lock).
##
##
@@ -5084,6 +5570,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
+ files_search_pids($1)
search_dirs_pattern($1, var_t, var_lock_t)
')
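Review bot: `files_search_pids($1)` is added to `files_search_locks` without a comment, and the reason is not evident from the interface itself; presumably the lock directory can now sit under the pid directory, since files.fc in this commit adds `/run/lock`. A comment at the call, `# /var/lock may live under /run`, would explain it. The same call is added in `files_rw_lock_dirs`, `files_getattr_generic_locks`, `files_delete_generic_locks`, `files_manage_generic_locks`, `files_read_all_locks`, `files_manage_all_locks` and `files_lock_filetrans`, but not in the new `files_create_lock_dirs` or `files_relabel_all_lock_dirs`, which still search only `var_t`. The interface starts above the hunk.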
@@ -5108,6 +5595,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
+## create a directory in the /var/lock
+## directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_create_lock_dirs',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:dir create_dir_perms;
+')
+
+########################################
+##
## Add and remove entries in the /var/lock
## directories.
##
@@ -5122,6 +5629,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
+ files_search_pids($1)
rw_dirs_pattern($1, var_t, var_lock_t)
')
@@ -5142,6 +5650,7 @@ interface(`files_getattr_generic_locks',`
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:dir list_dir_perms;
+ files_search_pids($1)
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
@@ -5156,12 +5665,13 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
- gen_require(`
+ gen_require(`
type var_t, var_lock_t;
- ')
+ ')
- allow $1 var_t:dir search_dir_perms;
- delete_files_pattern($1, var_lock_t, var_lock_t)
+ allow $1 var_t:dir search_dir_perms;
+ files_search_pids($1)
+ delete_files_pattern($1, var_lock_t, var_lock_t)
')
########################################
@@ -5181,6 +5691,7 @@ interface(`files_manage_generic_locks',`
')
allow $1 var_t:dir search_dir_perms;
+ files_search_pids($1)
manage_files_pattern($1, var_lock_t, var_lock_t)
')
@@ -5207,6 +5718,27 @@ interface(`files_delete_all_locks',`
########################################
##
+## Relabel all lock files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_relabel_all_lock_dirs',`
+ gen_require(`
+ attribute lockfile;
+ type var_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ relabel_dirs_pattern($1, lockfile, lockfile)
+')
+
+########################################
+##
## Read all lock files.
##
##
@@ -5224,6 +5756,7 @@ interface(`files_read_all_locks',`
allow $1 { var_t var_lock_t }:dir search_dir_perms;
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
+ files_search_pids($1)
read_lnk_files_pattern($1, lockfile, lockfile)
')
@@ -5244,6 +5777,7 @@ interface(`files_manage_all_locks',`
')
allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ files_search_pids($1)
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
@@ -5276,6 +5810,7 @@ interface(`files_lock_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
+ files_search_pids($1)
filetrans_pattern($1, var_lock_t, $2, $3)
')
@@ -5335,6 +5870,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
+######################################
+##
+## Add and remove entries from pid directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_rw_pid_dirs',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ allow $1 var_run_t:dir rw_dir_perms;
+')
+
+#######################################
+##
+## Create generic pid directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_create_var_run_dirs',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
########################################
##
## Do not audit attempts to search
@@ -5542,6 +6114,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
+## Relable all pid directories
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabel_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ relabel_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+##
+## Delete all pid sockets
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_unlink_all_pid_sockets',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ allow $1 pidfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+##
+## manage all pidfile directories
+## in the /var/run directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ manage_dirs_pattern($1,pidfile,pidfile)
+')
+
+
+########################################
+##
## Read all process ID files.
##
##
@@ -5559,6 +6187,44 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
+ read_lnk_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+##
+## Relable all pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabel_all_pid_files',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ relabel_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+##
+## manage all pidfiles
+## in the /var/run directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ manage_files_pattern($1,pidfile,pidfile)
')
########################################
@@ -5844,3 +6510,284 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
+
+########################################
+##
+## Create a core files in /
+##
+##
+##
+## Create a core file in /,
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_manage_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ manage_files_pattern($1, root_t, root_t)
+')
+
+########################################
+##
+## Create a default directory
+##
+##
+##
+## Create a default_t direcrory
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_create_default_dir',`
+ gen_require(`
+ type default_t;
+ ')
+
+ allow $1 default_t:dir create;
+')
+
+########################################
+##
+## Create, default_t objects with an automatic
+## type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object being created.
+##
+##
+#
+interface(`files_root_filetrans_default',`
+ gen_require(`
+ type root_t, default_t;
+ ')
+
+ filetrans_pattern($1, root_t, default_t, $2)
+')
+
+########################################
+##
+## manage generic symbolic links
+## in the /var/run directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_generic_pids_symlinks',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
+')
+
+########################################
+##
+## Do not audit attempts to getattr
+## all tmpfs files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_dontaudit_getattr_tmpfs_files',`
+ gen_require(`
+ attribute tmpfsfile;
+ ')
+
+ allow $1 tmpfsfile:file getattr;
+')
+
+########################################
+##
+## Allow read write all tmpfs files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_rw_tmpfs_files',`
+ gen_require(`
+ attribute tmpfsfile;
+ ')
+
+ allow $1 tmpfsfile:file { read write };
+')
+
+########################################
+##
+## Do not audit attempts to read security files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_dontaudit_read_security_files',`
+ gen_require(`
+ attribute security_file_type;
+ ')
+
+ dontaudit $1 security_file_type:file read_file_perms;
+')
+
+########################################
+##
+## rw any files inherited from another process
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_rw_all_inherited_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+##
+## Allow any file point to be the entrypoint of this domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_entrypoint_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+ allow $1 file_type:file entrypoint;
+')
+
+########################################
+##
+## Do not audit attempts to rw inherited file perms
+## of non security files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_dontaudit_all_non_security_leaks',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read or write
+## all leaked files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_dontaudit_leaks',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
+')
+
+########################################
+##
+## Allow domain to create_file_ass all types
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_create_as_is_all_files',`
+ gen_require(`
+ attribute file_type;
+ class kernel_service create_files_as;
+ ')
+
+ allow $1 file_type:kernel_service create_files_as;
+')
+
+########################################
+##
+## Do not audit attempts to check the
+## write access on all files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_dontaudit_all_access_check',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ dontaudit $1 file_type:file_class_set audit_access;
+')
+
+########################################
+##
+## Do not audit attempts to write to all files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_dontaudit_write_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ dontaudit $1 file_type:dir_file_class_set write;
+')
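Review bot: `files_dontaudit_getattr_tmpfs_files` is documented as "Do not audit" but its rule is `allow $1 tmpfsfile:file getattr;`, so every caller that meant to silence a denial is instead granted the access. The rule should be `dontaudit $1 tmpfsfile:file getattr;`. In the same hunk `files_rw_all_inherited_files` uses `$2` inside `{ file_type $2 }` while only one parameter appears to be documented, so either the second parameter needs a description or the `$2` should go. `files_entrypoint_all_files` lets the caller be entered from a file of any type and should say in its summary that it is meant for unconfined-style domains only, and the summary "create_file_ass" in `files_create_as_is_all_files` looks like a typo for `create_files_as`.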
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 6e01635..207d34a 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -11,6 +11,7 @@ attribute lockfile;
attribute mountpoint;
attribute pidfile;
attribute configfile;
+attribute etcfile;
# For labeling types that are to be polyinstantiated
attribute polydir;
@@ -58,12 +59,21 @@ files_type(etc_t)
typealias etc_t alias automount_etc_t;
typealias etc_t alias snmpd_etc_t;
+# system_conf_t is a new type of various
+# files in /etc/ that can be managed and
+# created by several domains.
+#
+type system_conf_t, configfile;
+files_type(system_conf_t)
+# compatibility aliases for removed type:
+typealias system_conf_t alias iptables_conf_t;
+
#
# etc_runtime_t is the type of various
# files in /etc that are automatically
# generated during initialization.
#
-type etc_runtime_t;
+type etc_runtime_t, configfile;
files_type(etc_runtime_t)
#Temporarily in policy until FC5 dissappears
typealias etc_runtime_t alias firstboot_rw_t;
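Review bot: The comment on `system_conf_t` says the type can be managed and created by several domains, and the `typealias` folds `iptables_conf_t` into it, so files that carried the firewall-specific label now share one label with everything else typed `system_conf_t`. Any domain later granted manage access to `system_conf_t` would presumably be able to rewrite firewall configuration as well. I would name the intended writers in the comment, e.g. `# system_conf_t: /etc files written by <domains>; includes former iptables_conf_t content`, and confirm that the wider writer set is acceptable.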
@@ -167,6 +177,7 @@ files_mountpoint(var_lib_t)
#
type var_lock_t;
files_lock_file(var_lock_t)
+files_mountpoint(var_lock_t)
#
# var_run_t is the type of /var/run, usually
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index 59bae6a..2e55e71 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -2,5 +2,16 @@
/dev/shm/.* <>
/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+/cgroup/.* <>
+/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/lib/udev/devices/hugepages/.* <>
+
+/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/lib/udev/devices/shm/.* <>
+
+/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup(/.*)? <>
+
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/dev/hugepages(/.*)? <>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index dfe361a..5da5ee1 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
')
search_dirs_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
########################################
##
+## Relabelto cgroup directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_relabelto_cgroup_dirs',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ relabelto_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+##
## list cgroup directories.
##
##
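Review bot: `fs_search_tmpfs($1)` is added to `fs_search_cgroup_dirs` here and to the list, delete, manage-dirs, read, write, rw and manage-files cgroup interfaces in the following hunks without a comment, so every caller of those interfaces silently gains search on tmpfs directories. If the reason is that the cgroup hierarchy sits on a tmpfs mount (my assumption), say so once above the call: `# cgroup hierarchies are mounted below a tmpfs`. The new `fs_relabelto_cgroup_dirs` also has a stray blank line inside `gen_require`. The bodies of the existing interfaces start outside their hunks.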
@@ -665,6 +685,7 @@ interface(`fs_list_cgroup_dirs', `
')
list_dirs_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
@@ -684,6 +705,7 @@ interface(`fs_delete_cgroup_dirs', `
')
delete_dirs_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
@@ -704,6 +726,7 @@ interface(`fs_manage_cgroup_dirs',`
')
manage_dirs_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
@@ -724,6 +747,7 @@ interface(`fs_read_cgroup_files',`
')
read_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
@@ -743,6 +767,7 @@ interface(`fs_write_cgroup_files', `
')
write_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
@@ -763,6 +788,7 @@ interface(`fs_rw_cgroup_files',`
')
rw_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
@@ -803,6 +829,7 @@ interface(`fs_manage_cgroup_files',`
')
manage_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
@@ -1052,6 +1079,24 @@ interface(`fs_list_noxattr_fs',`
########################################
##
+## Do not audit Read all noxattrfs directories.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fs_dontaudit_list_noxattr_fs',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ dontaudit $1 noxattrfs:dir list_dir_perms;
+')
+
+########################################
+##
## Create, read, write, and delete all noxattrfs directories.
##
##
@@ -1088,6 +1133,42 @@ interface(`fs_read_noxattr_fs_files',`
########################################
##
+## Read/Write all inherited noxattrfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_rw_inherited_noxattr_fs_files',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ allow $1 noxattrfs:file rw_inherited_file_perms;
+')
+
+########################################
+##
+## Do not audit read all noxattrfs files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fs_dontaudit_read_noxattr_fs_files',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ dontaudit $1 noxattrfs:file read_file_perms;
+')
+
+########################################
+##
## Dont audit attempts to write to noxattrfs files.
##
##
@@ -1227,6 +1308,42 @@ interface(`fs_dontaudit_append_cifs_files',`
########################################
##
+## Read inherited files on a CIFS or SMB filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_read_inherited_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:file read_inherited_file_perms;
+')
+
+########################################
+##
+## Read/Write inherited files on a CIFS or SMB filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_rw_inherited_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
## Do not audit attempts to read or
## write files on a CIFS or SMB filesystem.
##
@@ -1241,7 +1358,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
type cifs_t;
')
- dontaudit $1 cifs_t:file rw_file_perms;
+ dontaudit $1 cifs_t:file rw_inherited_file_perms;
')
########################################
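Review bot: The summary of `fs_dontaudit_rw_cifs_files` still reads "read or write files" while the rule now suppresses only `rw_inherited_file_perms`; the same holds for `fs_dontaudit_rw_nfs_files` further down. Assuming the inherited set omits `open` (its definition is not in this part of the diff), denials on freshly opened files will start to be logged, which helps detection but is a behaviour change callers should be able to read from the header. I would update the summary to `## Do not audit attempts to read or write inherited files on a CIFS or SMB filesystem.` The interface header lies outside this hunk.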
@@ -1504,6 +1621,25 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2)
')
+########################################
+##
+## Make general progams in cifs an entrypoint for
+## the specified domain.
+##
+##
+##
+## The domain for which cifs_t is an entrypoint.
+##
+##
+#
+interface(`fs_cifs_entry_type',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ domain_entry_file($1, cifs_t)
+')
+
#######################################
##
## Create, read, write, and delete dirs
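Review bot: `fs_cifs_entry_type` makes every file labelled `cifs_t` a valid entrypoint for the given domain, and `fs_nfs_entry_type` later in this file does the same for `nfs_t`. Files on such mounts typically all carry the one filesystem-wide label, so the policy can no longer tell which remote executable may enter the domain; that is decided by whoever controls the share. The header should state the trade-off, e.g. `## Any executable on the share becomes an entrypoint; use only where the file server is trusted.`, and "progams" should read "programs" in both summaries.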
@@ -1659,6 +1795,25 @@ interface(`fs_search_dos',`
########################################
##
+## list dirs
+## on a DOS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_list_dos_dirs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ list_dirs_pattern($1, dosfs_t, dosfs_t)
+')
+
+########################################
+##
## Create, read, write, and delete dirs
## on a DOS filesystem.
##
@@ -1774,6 +1929,24 @@ interface(`fs_unmount_fusefs',`
########################################
##
+## Mounton a FUSEFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_mounton_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:dir mounton;
+')
+
+########################################
+##
## Search directories
## on a FUSEFS filesystem.
##
@@ -1892,6 +2065,26 @@ interface(`fs_manage_fusefs_files',`
########################################
##
+## Execute files on a FUSEFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fs_exec_fusefs_files',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:dir list_dir_perms;
+ exec_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+########################################
+##
## Do not audit attempts to create,
## read, write, and delete files
## on a FUSEFS filesystem.
@@ -1931,7 +2124,26 @@ interface(`fs_read_fusefs_symlinks',`
########################################
##
-## Read and write hugetlbfs files.
+## Get the attributes of an hugetlbfs
+## filesystem;
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_getattr_hugetlbfs',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ allow $1 hugetlbfs_t:filesystem getattr;
+')
+
+########################################
+##
+## R/W hugetlbfs files.
##
##
##
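Review bot: The summary of the existing `fs_rw_hugetlbfs_files` is changed from "Read and write hugetlbfs files." to "R/W hugetlbfs files.", which degrades the generated interface documentation and is unrelated to the new interface. I would keep the original wording. The summary of the new `fs_getattr_hugetlbfs` ends in a semicolon and should read `## Get the attributes of a hugetlbfs filesystem.`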
@@ -1946,6 +2158,41 @@ interface(`fs_rw_hugetlbfs_files',`
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
')
+########################################
+##
+## Manage hugetlbfs dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_manage_hugetlbfs_dirs',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+')
+
+########################################
+##
+## List hugetlbfs dirs
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_list_hugetlbfs',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ allow $1 hugetlbfs_t:dir list_dir_perms;
+')
########################################
##
@@ -1999,6 +2246,7 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
+ fs_read_anon_inodefs_files($1)
')
########################################
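Review bot: `fs_list_inotifyfs` now also calls `fs_read_anon_inodefs_files($1)`, so an interface documented as listing inotifyfs directories hands every caller read access to anon_inodefs files. If the reason is that inotify descriptors are backed by anon_inodefs on current kernels (my assumption), a why-comment such as `# inotify descriptors are anon_inodefs inodes on current kernels` belongs above the call, and the summary should mention the extra access. The interface header is outside the hunk.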
@@ -2331,6 +2579,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
+ fs_search_auto_mountpoints($1)
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
@@ -2369,6 +2618,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
+ fs_search_auto_mountpoints($1)
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
@@ -2395,6 +2645,25 @@ interface(`fs_exec_nfs_files',`
########################################
##
+## Make general progams in nfs an entrypoint for
+## the specified domain.
+##
+##
+##
+## The domain for which nfs_t is an entrypoint.
+##
+##
+#
+interface(`fs_nfs_entry_type',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ domain_entry_file($1, nfs_t)
+')
+
+########################################
+##
## Append files
## on a NFS filesystem.
##
@@ -2435,6 +2704,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
##
+## Read inherited files on a NFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_read_inherited_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:file read_inherited_file_perms;
+')
+
+########################################
+##
+## Read/write inherited files on a NFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_rw_inherited_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
## Do not audit attempts to read or
## write files on a NFS filesystem.
##
@@ -2449,7 +2754,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
- dontaudit $1 nfs_t:file rw_file_perms;
+ dontaudit $1 nfs_t:file rw_inherited_file_perms;
')
########################################
@@ -2637,6 +2942,24 @@ interface(`fs_dontaudit_read_removable_files',`
########################################
##
+## Do not audit attempts to write removable storage files.
+##
+##
+##
+## Domain not to audit.
+##
+##
+#
+interface(`fs_dontaudit_write_removable_files',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ dontaudit $1 removable_t:file write_file_perms;
+')
+
+########################################
+##
## Read removable storage symbolic links.
##
##
@@ -2653,6 +2976,25 @@ interface(`fs_read_removable_symlinks',`
read_lnk_files_pattern($1, removable_t, removable_t)
')
+######################################
+##
+## Read block nodes on removable filesystems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_read_removable_blk_files',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ allow $1 removable_t:dir list_dir_perms;
+ read_blk_files_pattern($1, removable_t, removable_t)
+')
+
########################################
##
## Read and write block nodes on removable filesystems.
@@ -2779,6 +3121,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
+ fs_search_auto_mountpoints($1)
allow $1 nfs_t:dir manage_dir_perms;
')
@@ -2819,6 +3162,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
+ fs_search_auto_mountpoints($1)
manage_files_pattern($1, nfs_t, nfs_t)
')
@@ -2845,7 +3189,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
#########################################
##
## Create, read, write, and delete symbolic links
-## on a CIFS or SMB network filesystem.
+## on a NFS network filesystem.
##
##
##
@@ -2859,6 +3203,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
+ fs_search_auto_mountpoints($1)
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
@@ -3989,6 +4334,78 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
##
+## dontaudit Read and write block nodes on tmpfs filesystems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_dontaudit_read_tmpfs_blk_dev',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
+')
+
+######################################
+##
+## Allow setattr on directory on tmpfs filesystems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_setattr_tmpfs_dir',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ setattr_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+#######################################
+##
+## Create directory on tmpfs filesystems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_create_tmpfs_dir',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ create_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+##
+## Relabelfrom directory on tmpfs filesystems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_relabelfrom_tmpfs_dir',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ relabelfrom_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+##
## Relabel character nodes on tmpfs filesystems.
##
##
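Review bot: `fs_dontaudit_read_tmpfs_blk_dev` documents itself as "dontaudit Read and write block nodes" while the rule covers only `read_blk_file_perms`, and its parameter text says "Domain allowed access." although nothing is allowed. I would change the summary to `## Do not audit attempts to read block nodes on tmpfs filesystems.` and the parameter text to `## Domain to not audit.` The same parameter text is used on `fs_dontaudit_leaks` at the end of this file.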
@@ -4271,6 +4688,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
+# Mount checks write access on the dir
+ allow $1 filesystem_type:dir write;
')
########################################
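Review bot: `allow $1 filesystem_type:dir write;` gives every caller of `fs_mount_all_fs` the `write` permission on directories of all filesystem types, which is far wider than the `mount` permission the interface is named for. The comment says mount checks write access on the directory; it is worth confirming whether the check applies only to the mount point and, if so, whether a narrower target type would satisfy it. The comment is also at column 0 while the rule is indented; `# Mount checks write access on the mount point directory` at the rule's indent would match the rest of the file. The interface starts outside the hunk.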
@@ -4681,3 +5100,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
+
+########################################
+##
+## Do not audit attempts to read or write
+## all leaked filesystems files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_dontaudit_leaks',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
+ dontaudit $1 filesystem_type:lnk_file { read };
+')
+
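Review bot: `fs_dontaudit_leaks` silences `rw_inherited_file_perms` on files of every `filesystem_type`, so a caller loses the AVC records that would show it using a descriptor it should never have been handed. That is the point for parents known to leak, but the header should say so, e.g. `## Use only for descriptors leaked by a parent that cannot be fixed; the access is still denied, just no longer logged.` The `{ read }` on the `lnk_file` rule can be written as plain `read`.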
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index e49c148..4d6bbf4 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -52,6 +52,7 @@ type anon_inodefs_t;
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
+mls_trusted_object(anon_inodefs_t)
type bdev_t;
fs_type(bdev_t)
@@ -67,10 +68,11 @@ fs_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
-type cgroup_t;
+type cgroup_t alias cgroupfs_t;
fs_type(cgroup_t)
files_type(cgroup_t)
files_mountpoint(cgroup_t)
+dev_associate_sysfs(cgroup_t)
genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
type configfs_t;
@@ -100,12 +102,22 @@ type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
+dev_associate(hugetlbfs_t)
type ibmasmfs_t;
fs_type(ibmasmfs_t)
allow ibmasmfs_t self:filesystem associate;
genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
+#
+# infinibandeventfs fs
+#
+
+type infinibandeventfs_t;
+fs_type(infinibandeventfs_t)
+allow infinibandeventfs_t self:filesystem associate;
+genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)
+
type inotifyfs_t;
fs_type(inotifyfs_t)
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
@@ -148,6 +160,12 @@ fs_type(squash_t)
genfscon squash / gen_context(system_u:object_r:squash_t,s0)
files_mountpoint(squash_t)
+type sysv_t;
+fs_noxattr_type(sysv_t)
+files_mountpoint(sysv_t)
+genfscon sysv / gen_context(system_u:object_r:sysv_t,s0)
+genfscon v7 / gen_context(system_u:object_r:sysv_t,s0)
+
type vmblock_t;
fs_noxattr_type(vmblock_t)
files_mountpoint(vmblock_t)
@@ -168,6 +186,7 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
+dev_associate(tmpfs_t)
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
@@ -247,6 +266,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
+files_type(removable_t)
+dev_node(removable_t)
files_mountpoint(removable_t)
#
@@ -266,6 +287,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon 9p / gen_context(system_u:object_r:nfs_t,s0)
########################################
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 069d36c..78a81b3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -735,6 +735,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',`
########################################
##
+## Manage information from the debugging filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_manage_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ manage_files_pattern($1, debugfs_t, debugfs_t)
+ read_lnk_files_pattern($1, debugfs_t, debugfs_t)
+ list_dirs_pattern($1, debugfs_t, debugfs_t)
+')
+
+########################################
+##
## Mount a kernel VM filesystem.
##
##
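Review bot: `kernel_manage_debugfs` is summarised as "Manage information from the debugging filesystem", yet only files get manage permissions; symlinks are read-only and directories list-only. The summary should match the rules, e.g. `## Create, read, write and delete debugfs files; read symlinks and list directories.` Since debugfs exposes kernel internals, one sentence in the header on what kind of domain is expected to call this would help whoever reviews later callers.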
@@ -863,6 +883,25 @@ interface(`kernel_dontaudit_write_proc_dirs',`
########################################
##
+## Do not audit attempts to setattr
+## directories in /proc.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`kernel_dontaudit_setattr_proc_dirs',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ dontaudit $1 proc_t:dir setattr;
+')
+
+########################################
+##
## Get the attributes of files in /proc.
##
##
@@ -2033,7 +2072,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
- dontaudit $1 sysctl_type:file getattr;
+ dontaudit $1 sysctl_type:file read_file_perms;
')
########################################
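Review bot: `kernel_dontaudit_list_all_sysctls` now suppresses `read_file_perms` on `sysctl_type:file` instead of `getattr`, so an interface named for listing also hides denied reads of every sysctl file. Callers that only wanted quiet directory listings lose the audit trail for attempted sysctl reads. I would keep `getattr` here and put the read suppression in a separately named interface, or at least update the summary to say that reads are covered. The interface header is outside the hunk.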
@@ -2436,6 +2475,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
##
+## Read and write unlabeled sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_rw_unlabeled_socket',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:socket rw_socket_perms;
+')
+
+########################################
+##
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
##
@@ -2580,7 +2637,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
- allow $1 unlabeled_t:packet { send recv };
+# allow $1 unlabeled_t:packet { send recv };
')
########################################
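Review bot: The `unlabeled_t:packet` rule is commented out rather than removed, and the "temporary hack until labeling on packets is supported" comment above it now describes nothing. Callers of `kernel_sendrecv_unlabeled_association` lose send/recv on unlabeled packets, which is a tightening, so a comment should record that it is intentional. I would delete the dead rule and replace the stale comment with `# unlabeled packet send/recv is no longer granted by this interface`.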
@@ -2754,6 +2811,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
+########################################
+##
+## Read/Write Raw IP packets from an unlabeled connection.
+##
+##
+##
+## Receive Raw IP packets from an unlabeled connection.
+##
+##
+## The corenetwork interface corenet_raw_recv_unlabeled() should
+## be used instead of this one.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_rw_unlabeled_rawip_socket',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:rawip_socket rw_socket_perms;
+')
+
########################################
##
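Review bot: The header of `kernel_rw_unlabeled_rawip_socket` was copied from the receive interface: the description says "Receive Raw IP packets from an unlabeled connection" and points to `corenet_raw_recv_unlabeled()`, but the rule grants `rw_socket_perms` on `unlabeled_t:rawip_socket`. A reader relying on the documentation would underestimate what the interface grants. The description should be `## Read and write unlabeled raw IP sockets.`, and the pointer to the corenetwork interface should go unless an equivalent read/write interface exists there.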
@@ -2909,6 +2993,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
+## Relabel to unlabeled context .
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_relabelto_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir_file_class_set relabelto;
+')
+
+########################################
+##
## Unconfined access to kernel module resources.
##
##
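Review bot: The summary of `kernel_relabelto_unlabeled` ("Relabel to unlabeled context .") has a stray space before the full stop and does not say what may be relabelled, while the rule covers the whole `dir_file_class_set`. I would write `## Relabel directories and all file classes to the unlabeled type.` so the breadth is visible in the generated documentation.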
@@ -2924,3 +3026,23 @@ interface(`kernel_unconfined',`
typeattribute $1 kern_unconfined;
')
+
+########################################
+##
+## Allow the specified domain to connect to
+## the kernel with a unix socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_stream_connect',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:unix_stream_socket connectto;
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 5001b89..160976e 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
type debugfs_t;
fs_type(debugfs_t)
+files_mountpoint(debugfs_t)
+
allow debugfs_t self:filesystem associate;
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -156,6 +158,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
#
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+fs_associate(unlabeled_t)
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -254,7 +257,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
-term_use_console(kernel_t)
+term_use_all_terms(kernel_t)
+term_use_ptmx(kernel_t)
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
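Review bot: `kernel_t` moves from `term_use_console` to `term_use_all_terms` plus `term_use_ptmx` without a comment, and the next hunks add more unexplained grants (`files_manage_mounttab`, `files_manage_generic_spool_dirs`, the `mcs_*` and `mls_*` overrides, `logging_manage_generic_logs`, a user-home file transition and `xserver_xdm_manage_spool`). Each one widens what code running as `kernel_t` may touch, so each deserves a one-line reason, in the form `# <why kernel_t needs this, with bug reference>`. The context further down shows `unconfined_domain_noaudit(kernel_t)` in an optional block, so some of these may be redundant when that module is present.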
@@ -268,19 +272,28 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
+files_manage_mounttab(kernel_t)
+files_manage_generic_spool_dirs(kernel_t)
mcs_process_set_categories(kernel_t)
+mcs_file_read_all(kernel_t)
+mcs_file_write_all(kernel_t)
+mcs_socket_write_all_levels(kernel_t)
mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
+mls_file_downgrade(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
+mls_fd_share_all_levels(kernel_t)
ifdef(`distro_redhat',`
# Bugzilla 222337
fs_rw_tmpfs_chr_files(kernel_t)
')
+
optional_policy(`
hotplug_search_config(kernel_t)
')
@@ -296,6 +309,11 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
+ logging_manage_generic_logs(kernel_t)
+')
+
+optional_policy(`
+ userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
')
optional_policy(`
@@ -357,6 +375,10 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
+optional_policy(`
+ xserver_xdm_manage_spool(kernel_t)
+')
+
########################################
#
# Unlabeled process local policy
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index f52faaf..6bb6529 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -102,3 +102,49 @@ interface(`mcs_process_set_categories',`
typeattribute $1 mcssetcats;
')
+
+########################################
+##
+## Make specified process type MCS untrusted.
+##
+##
+##
+## Make specified process type MCS untrusted. This
+## prevents this process from sending signals to other processes
+## with different mcs labels
+## object.
+##
+##
+##
+##
+## The type of the process.
+##
+##
+#
+interface(`mcs_untrusted_proc',`
+ gen_require(`
+ attribute mcsuntrustedproc;
+ ')
+
+ typeattribute $1 mcsuntrustedproc;
+')
+
+########################################
+##
+## Make specified domain MCS trusted
+## for writing to sockets at any level.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mcs_socket_write_all_levels',`
+ gen_require(`
+ attribute mcsnetwrite;
+ ')
+
+ typeattribute $1 mcsnetwrite;
+')
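Review bot: The description of `mcs_untrusted_proc` ends in a dangling "object." and the interface only assigns the `mcsuntrustedproc` attribute; no constraint that uses the attribute is visible in this part of the diff. If the constraint lives in the MCS constraint file, the header should point to it so that the signal restriction it promises can be verified. `mcs_socket_write_all_levels` works the other way round (it exempts a domain), and its header would benefit from naming the constraint that `mcsnetwrite` bypasses.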
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 0e5b661..3168d72 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -10,3 +10,5 @@ attribute mcsptraceall;
attribute mcssetcats;
attribute mcswriteall;
attribute mcsreadall;
+attribute mcsuntrustedproc;
+attribute mcsnetwrite;
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 786449a..e8ebc76 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
# because of this statement, any module which
# calls this interface must be in the base module:
- genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
')
########################################
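Review bot: With the `genfscon` line commented out, `selinux_labeled_boolean` no longer labels `/booleans/$2`, yet the comment above still says callers must be in the base module "because of this statement". Dead policy behind a `#` also invites someone to re-enable it without review. I would delete the line together with the stale comment, or replace both with one comment stating where the boolean now gets its label. The interface body starts outside the hunk.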
@@ -257,6 +257,7 @@ interface(`selinux_dontaudit_read_fs',`
type security_t;
')
+ selinux_dontaudit_getattr_fs($1)
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file read_file_perms;
')
@@ -278,6 +279,7 @@ interface(`selinux_get_enforce_mode',`
type security_t;
')
+ selinux_get_fs_mount($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
')
@@ -358,6 +360,26 @@ interface(`selinux_load_policy',`
########################################
##
+## Allow caller to read the policy from the kernel.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`selinux_read_policy',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file read_file_perms;
+ allow $1 security_t:security read_policy;
+')
+
+########################################
+##
## Allow caller to set the state of Booleans to
## enable or disable conditional portions of the policy. (Deprecated)
##
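Review bot: `selinux_read_policy` does not call `selinux_get_fs_mount($1)`, although this same diff adds that call to `selinux_get_enforce_mode` for the identical `security_t` dir and file rules. If callers need the mount lookup to find selinuxfs, the new interface has the same need; add `selinux_get_fs_mount($1)` as the first line of the body or note why it is not required. The header should also mention that `read_policy` exposes the complete loaded policy to the caller.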
@@ -459,6 +481,7 @@ interface(`selinux_set_all_booleans',`
')
allow $1 security_t:dir list_dir_perms;
+ allow $1 boolean_type:dir list_dir_perms;
allow $1 boolean_type:file rw_file_perms;
if(!secure_mode_policyload) {
@@ -677,3 +700,24 @@ interface(`selinux_unconfined',`
typeattribute $1 selinux_unconfined_type;
')
+
+########################################
+##
+## Generate a file context for a boolean type
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`selinux_genbool',`
+ gen_require(`
+ attribute boolean_type;
+ ')
+
+ type $1, boolean_type;
+ fs_type($1)
+ mls_trusted_object($1)
+')
+
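Review bot: `selinux_genbool` declares a new type with `type $1, boolean_type;`, so `$1` is the name of a type to create, not a domain, but the parameter text says "Domain allowed access." and the summary speaks of generating a file context. I would use `## Declare a type for a labeled selinuxfs boolean.` as the summary and `## Type to declare for the boolean.` as the parameter text.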
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index a9b8982..57c4a6a 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -12,6 +12,7 @@
/dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/etherd/.+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -77,3 +78,6 @@ ifdef(`distro_redhat', `
/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)
+
+/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 3723150..d6d1dbe 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+ #577012
+ allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms;
typeattribute $1 fixed_disk_raw_read;
')
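Review bot: `#577012` is a bare number that tells the next reader nothing about why `storage_raw_read_fixed_disk` now reads symlinks. Presumably it is a bug-tracker id; a comment such as `# read symlinks labelled fixed_disk_device_t (bug 577012)` keeps the reference and states the reason. The interface starts outside the hunk.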
@@ -203,7 +205,10 @@ interface(`storage_create_fixed_disk_dev',`
type fixed_disk_device_t;
')
+ allow $1 self:capability mknod;
+
allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file create_chr_file_perms;
dev_add_entry_generic_dirs($1)
')
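Review bot: `storage_create_fixed_disk_dev` now also grants `self:capability mknod` and creation of character device nodes, so a caller that wanted permission to create block nodes with this label receives a capability as a side effect. The header is outside the hunk; if its summary only mentions block device creation it should be extended, e.g. `## Create block and character device nodes for fixed disks (grants the mknod capability).`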
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index 3994e57..a1923fe 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -6,6 +6,7 @@
/dev/console -c gen_context(system_u:object_r:console_device_t,s0)
/dev/cu.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/hpilo/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/i2c[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
@@ -18,6 +19,7 @@
/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
@@ -40,3 +42,5 @@ ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
')
+
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index f3acfee..eceb42d 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
########################################
##
+## Read and write the inherited console, all inherited
+## ttys and ptys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`term_use_all_inherited_terms',`
+ gen_require(`
+ attribute ttynode, ptynode;
+ type console_device_t, devpts_t, tty_device_t;
+ ')
+
+ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms;
+')
+
+########################################
+##
## Write to the console.
##
##
@@ -274,7 +295,6 @@ interface(`term_dontaudit_read_console',`
## Domain allowed access.
##
##
-##
#
interface(`term_use_console',`
gen_require(`
@@ -299,9 +319,11 @@ interface(`term_use_console',`
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
+ type tty_device_t;
')
- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
+ dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
+ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
')
########################################
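Review bot: `term_dontaudit_use_console` now also suppresses denials on `tty_device_t`, which goes beyond what the name and, presumably, the header promise. `term_dontaudit_use_unallocated_ttys` already exists in this file for exactly that type, so callers that need both can call both and keep the audit scope explicit. If the combined behaviour is kept, the summary should say `## Do not audit attempts to read or write the inherited console or unallocated ttys.`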
@@ -341,7 +363,7 @@ interface(`term_relabel_console',`
')
dev_list_all_dev_nodes($1)
- allow $1 console_device_t:chr_file { relabelfrom relabelto };
+ allow $1 console_device_t:chr_file relabel_chr_file_perms;
')
########################################
@@ -658,6 +680,25 @@ interface(`term_use_controlling_term',`
allow $1 devtty_t:chr_file { rw_term_perms lock append };
')
+#######################################
+##
+## Allow attempts to get attributes
+## on the pty multiplexor (/dev/ptmx).
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`term_getattr_ptmx',`
+ gen_require(`
+ type ptmx_t;
+ ')
+
+ allow $1 ptmx_t:chr_file getattr;
+')
+
########################################
##
## Do not audit attempts to get attributes
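Review bot: `term_getattr_ptmx` is an allow interface, but its parameter text says "Domain to not audit." and the summary "Allow attempts to get attributes" reads like an edited copy of the dontaudit variant below. I would use `## Get the attributes of the pty multiplexor (/dev/ptmx).` for the summary and `## Domain allowed access.` for the parameter.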
@@ -842,6 +883,26 @@ interface(`term_use_all_ptys',`
########################################
##
+## Read and write all inherited ptys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`term_use_all_inherited_ptys',`
+ gen_require(`
+ attribute ptynode;
+ type devpts_t;
+ ')
+
+ allow $1 ptynode:chr_file { rw_inherited_term_perms lock };
+')
+
+########################################
+##
## Do not audit attempts to read or write any ptys.
##
##
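Review bot: `term_use_all_inherited_ptys` requires `type devpts_t;` but the rule only references `ptynode`, so the require line is unused. It also adds `lock` on top of `rw_inherited_term_perms`, whereas `term_use_all_inherited_ttys` later in this diff does not; if the difference is deliberate a short comment should say why. I would drop the unused require or, if directory access to `devpts_t` was intended, add the missing rule.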
@@ -855,7 +916,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
- dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
+ dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
')
########################################
@@ -1123,7 +1184,7 @@ interface(`term_relabel_unallocated_ttys',`
')
dev_list_all_dev_nodes($1)
- allow $1 tty_device_t:chr_file { relabelfrom relabelto };
+ allow $1 tty_device_t:chr_file relabel_chr_file_perms;
')
########################################
@@ -1222,7 +1283,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
')
########################################
@@ -1238,11 +1299,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
+ type tty_device_t;
attribute ttynode;
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file getattr;
+ allow $1 tty_device_t:chr_file getattr;
')
########################################
@@ -1259,10 +1322,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
+ type tty_device_t;
')
dev_list_all_dev_nodes($1)
dontaudit $1 ttynode:chr_file getattr;
+ dontaudit $1 tty_device_t:chr_file getattr;
')
########################################
@@ -1301,7 +1366,7 @@ interface(`term_relabel_all_ttys',`
')
dev_list_all_dev_nodes($1)
- allow $1 ttynode:chr_file { relabelfrom relabelto };
+ allow $1 ttynode:chr_file relabel_chr_file_perms;
')
########################################
@@ -1340,7 +1405,27 @@ interface(`term_use_all_ttys',`
')
dev_list_all_dev_nodes($1)
- allow $1 ttynode:chr_file rw_chr_file_perms;
+ allow $1 ttynode:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Read and write all inherited ttys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`term_use_all_inherited_ttys',`
+ gen_require(`
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file rw_inherited_term_perms;
')
########################################
@@ -1359,7 +1444,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
- dontaudit $1 ttynode:chr_file rw_chr_file_perms;
+ dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
')
########################################
@@ -1475,3 +1560,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
+
+#####################################
+##
+## Read from and write to the virtio console.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`term_use_virtio_console',`
+ gen_require(`
+ type virtio_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 virtio_device_t:chr_file rw_chr_file_perms;
+')
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 361692e..0f09fb5 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
+dev_associate(devpts_t)
#
# devtty_t is the type of /dev/tty.
@@ -56,3 +57,9 @@ dev_node(tty_device_t)
#
type usbtty_device_t, serial_device;
dev_node(usbtty_device_t)
+
+#
+# virtio_device_t is the type of /dev/vport[0-9]p[0-9]
+#
+type virtio_device_t, serial_device;
+dev_node(virtio_device_t)
diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc
new file mode 100644
index 0000000..f310b9d
--- /dev/null
+++ b/policy/modules/kernel/unlabelednet.fc
@@ -0,0 +1 @@
+# No unlabelednet file contexts.
diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if
new file mode 100644
index 0000000..0ce0470
--- /dev/null
+++ b/policy/modules/kernel/unlabelednet.if
@@ -0,0 +1 @@
+## Policy for allowing confined domains to use unlabeled_t packets
diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te
new file mode 100644
index 0000000..e1ebd1a
--- /dev/null
+++ b/policy/modules/kernel/unlabelednet.te
@@ -0,0 +1,3 @@
+policy_module(unlabelednet, 1.0)
+
+corenet_enable_unlabeled_packets()
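Review bot: Nothing in this new module says what loading it does to the rest of the policy. The call `corenet_enable_unlabeled_packets()` takes no domain argument, and the summary in unlabelednet.if speaks of confined domains in general, so it presumably grants unlabeled-packet access broadly rather than to one domain (the interface body is not part of this hunk). A header comment such as `# Loading this module lets confined domains send and receive unlabeled_t packets; disable it where labeled networking is enforced.` would make that trade-off visible to whoever decides to ship or remove the module.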
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 0faef68..4264c9c 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -22,16 +22,21 @@ corecmd_exec_shell(auditadm_t)
domain_kill_all_domains(auditadm_t)
+selinux_read_policy(auditadm_t)
+
logging_send_syslog_msg(auditadm_t)
logging_read_generic_logs(auditadm_t)
logging_manage_audit_log(auditadm_t)
logging_manage_audit_config(auditadm_t)
logging_run_auditctl(auditadm_t, auditadm_r)
logging_run_auditd(auditadm_t, auditadm_r)
+logging_stream_connect_syslog(auditadm_t)
seutil_run_runinit(auditadm_t, auditadm_r)
seutil_read_bin_policy(auditadm_t)
+userdom_dontaudit_search_admin_dir(auditadm_t)
+
optional_policy(`
consoletype_exec(auditadm_t)
')
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index 1875064..e9c9277 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -37,6 +37,7 @@ files_list_var(dbadm_t)
selinux_get_enforce_mode(dbadm_t)
logging_send_syslog_msg(dbadm_t)
+logging_send_audit_msgs(dbadm_t)
userdom_dontaudit_search_user_home_dirs(dbadm_t)
@@ -58,3 +59,7 @@ optional_policy(`
optional_policy(`
postgresql_admin(dbadm_t, dbadm_r)
')
+
+optional_policy(`
+ sudo_role_template(dbadm, dbadm_r, dbadm_t)
+')
diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
index 1cb7311..1de82b2 100644
--- a/policy/modules/roles/guest.te
+++ b/policy/modules/roles/guest.te
@@ -9,9 +9,15 @@ role guest_r;
userdom_restricted_user_template(guest)
+kernel_read_system_state(guest_t)
+
########################################
#
# Local policy
#
-#gen_user(guest_u,, guest_r, s0, s0)
+optional_policy(`
+ apache_role(guest_r, guest_t)
+')
+
+gen_user(guest_u, user, guest_r, s0, s0)
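Review bot: `kernel_read_system_state(guest_t)` is added above the `Local policy` banner, next to the template call, with no comment on why a role built from `userdom_restricted_user_template` needs to read system state under /proc. I would move it below the banner with the other local rules and give the reason, e.g. `# <program> reads /proc at login` with the real consumer filled in. The same applies to the new `apache_role(guest_r, guest_t)` block, which extends what the guest role may do without a stated rationale.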
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index be4de58..cce681a 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -9,6 +9,8 @@ role secadm_r;
userdom_unpriv_user_template(secadm)
userdom_security_admin_template(secadm_t, secadm_r)
+userdom_inherit_append_admin_home_files(secadm_t)
+userdom_read_admin_home_files(secadm_t)
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2be17d2..9440b5f 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,48 @@ policy_module(staff, 2.2.0)
role staff_r;
userdom_unpriv_user_template(staff)
+fs_exec_noxattr(staff_t)
+
+# needed for sandbox
+allow staff_t self:process setexec;
########################################
#
# Local policy
#
+kernel_read_ring_buffer(staff_usertype)
+kernel_getattr_core_if(staff_usertype)
+kernel_getattr_message_if(staff_usertype)
+kernel_read_software_raid_state(staff_usertype)
+kernel_read_fs_sysctls(staff_usertype)
+
+domain_read_all_domains_state(staff_usertype)
+domain_getattr_all_domains(staff_usertype)
+domain_obj_id_change_exemption(staff_t)
+
+files_read_kernel_modules(staff_usertype)
+
+seutil_read_module_store(staff_t)
+seutil_run_newrole(staff_t, staff_r)
+
+term_use_unallocated_ttys(staff_usertype)
+
+auth_domtrans_pam_console(staff_t)
+
+init_dbus_chat(staff_t)
+init_dbus_chat_script(staff_t)
+
+miscfiles_read_hwdata(staff_usertype)
+
+ifndef(`enable_mls',`
+ selinux_read_policy(staff_t)
+')
+
+optional_policy(`
+ abrt_cache_read(staff_t)
+')
+
optional_policy(`
apache_role(staff_r, staff_t)
')
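Review bot: `allow staff_t self:process setexec;` is granted unconditionally although its comment ties it to sandbox, and the sandbox call itself (`sandbox_transition(staff_t, staff_r)`, in the next hunk of this file) sits inside an `optional_policy` block. As written, staff_t may set its own exec context even on systems where the sandbox module is not installed. Moving the rule into that optional block, directly after the `sandbox_transition` line, keeps the permission tied to the feature that needs it.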
@@ -27,25 +63,138 @@ optional_policy(`
')
optional_policy(`
+ accountsd_dbus_chat(staff_t)
+ accountsd_read_lib_files(staff_t)
+')
+
+optional_policy(`
+ colord_dbus_chat(staff_t)
+')
+
+optional_policy(`
+ gnomeclock_dbus_chat(staff_t)
+')
+
+optional_policy(`
+ firewallgui_dbus_chat(staff_t)
+')
+
+optional_policy(`
+ gnome_role(staff_r, staff_t)
+ gnome_role_gkeyringd(staff, staff_r, staff_t)
+ permissive staff_gkeyringd_t;
+')
+
+optional_policy(`
+ lpd_list_spool(staff_t)
+')
+
+optional_policy(`
+ mock_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ kerneloops_dbus_chat(staff_t)
+')
+
+optional_policy(`
+ logadm_role_change(staff_r)
+')
+
+optional_policy(`
+ mozilla_run_plugin(staff_t, staff_r)
+')
+
+optional_policy(`
+ modutils_read_module_config(staff_usertype)
+ modutils_read_module_deps(staff_usertype)
+')
+
+optional_policy(`
+ netutils_run_ping(staff_t, staff_r)
+ netutils_run_traceroute(staff_t, staff_r)
+ netutils_signal_ping(staff_t)
+ netutils_kill_ping(staff_t)
+')
+
+optional_policy(`
+ oident_manage_user_content(staff_t)
+ oident_relabel_user_content(staff_t)
+')
+
+optional_policy(`
+ mysql_exec(staff_t)
+')
+
+optional_policy(`
postgresql_role(staff_r, staff_t)
')
optional_policy(`
+ qemu_run(staff_t, staff_r)
+')
+
+optional_policy(`
+ rtkit_scheduled(staff_t)
+')
+
+optional_policy(`
+ rpm_dbus_chat(staff_usertype)
+')
+
+optional_policy(`
secadm_role_change(staff_r)
')
optional_policy(`
- ssh_role_template(staff, staff_r, staff_t)
+ sandbox_transition(staff_t, staff_r)
')
optional_policy(`
- sudo_role_template(staff, staff_r, staff_t)
+ screen_role_template(staff, staff_r, staff_t)
')
optional_policy(`
sysadm_role_change(staff_r)
userdom_dontaudit_use_user_terminals(staff_t)
')
+optional_policy(`
+ setroubleshoot_stream_connect(staff_t)
+ setroubleshoot_dbus_chat(staff_t)
+ setroubleshoot_dbus_chat_fixit(staff_t)
+')
+
+optional_policy(`
+ ssh_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+ sudo_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+ telepathy_dbus_session_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ userhelper_console_role_template(staff, staff_r, staff_usertype)
+')
+
+optional_policy(`
+ unconfined_role_change(staff_r)
+')
+
+optional_policy(`
+ virt_stream_connect(staff_t)
+')
+
+optional_policy(`
+ vnstatd_read_lib_files(staff_t)
+')
+
+optional_policy(`
+ webadm_role_change(staff_r)
+')
optional_policy(`
vlock_run(staff_t, staff_r)
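Review bot: `permissive staff_gkeyringd_t;` in the gnome block ships the keyring daemon domain for staff users unenforced: denials are logged but nothing is blocked, so the rules generated by `gnome_role_gkeyringd(staff, staff_r, staff_t)` provide no confinement for a process that handles stored secrets. If this is a bring-up aid it should say so, e.g. `# TODO: remove once staff_gkeyringd_t policy is complete` above the line, and be dropped before release. On a running system `semanage permissive -l` lists permissive domains, which is a quick check that none are left behind.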
@@ -89,10 +238,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- gnome_role(staff_r, staff_t)
- ')
-
- optional_policy(`
gpg_role(staff_r, staff_t)
')
@@ -137,10 +282,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- screen_role_template(staff, staff_r, staff_t)
- ')
-
- optional_policy(`
spamassassin_role(staff_r, staff_t)
')
@@ -172,3 +313,7 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
+
+tunable_policy(`allow_execmod',`
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 4a8d146..d721e34 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,40 @@ ifndef(`enable_mls',`
#
# Local policy
#
+kernel_read_fs_sysctls(sysadm_t)
corecmd_exec_shell(sysadm_t)
+domain_dontaudit_read_all_domains_state(sysadm_t)
+
+files_read_kernel_modules(sysadm_t)
+
mls_process_read_up(sysadm_t)
+mls_file_read_to_clearance(sysadm_t)
+mls_process_write_to_clearance(sysadm_t)
ubac_process_exempt(sysadm_t)
ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)
+application_exec(sysadm_t)
+
init_exec(sysadm_t)
+init_exec_script_files(sysadm_t)
+init_dbus_chat(sysadm_t)
+init_script_role_transition(sysadm_r)
+
+
+miscfiles_read_hwdata(sysadm_t)
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
+userdom_manage_user_tmp_dirs(sysadm_t)
+userdom_manage_user_tmp_files(sysadm_t)
+userdom_manage_user_tmp_symlinks(sysadm_t)
+userdom_manage_user_tmp_chr_files(sysadm_t)
+userdom_manage_user_tmp_blk_files(sysadm_t)
ifdef(`direct_sysadm_daemon',`
optional_policy(`
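Review bot: The five new `userdom_manage_user_tmp_*` calls sit under the existing comment `# Add/remove user home directories`, which does not describe them, and two of them (`userdom_manage_user_tmp_chr_files`, `userdom_manage_user_tmp_blk_files`) give sysadm_t management of device nodes in user temporary directories. I would give them their own comment, e.g. `# Manage user temporary content, including device nodes`, so the device-node access is visible on review. The double blank line after `init_script_role_transition(sysadm_r)` can be reduced to one.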
@@ -55,6 +75,7 @@ ifndef(`enable_mls',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r)
+ logging_stream_connect_syslog(sysadm_t)
')
tunable_policy(`allow_ptrace',`
@@ -69,7 +90,6 @@ optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
- apache_role(sysadm_r, sysadm_t)
')
optional_policy(`
@@ -98,6 +118,10 @@ optional_policy(`
')
optional_policy(`
+ certmonger_dbus_chat(sysadm_t)
+')
+
+optional_policy(`
certwatch_run(sysadm_t, sysadm_r)
')
@@ -114,7 +138,7 @@ optional_policy(`
')
optional_policy(`
- cvs_exec(sysadm_t)
+ daemonstools_run_start(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -124,6 +148,10 @@ optional_policy(`
')
optional_policy(`
+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
+')
+
+optional_policy(`
ddcprobe_run(sysadm_t, sysadm_r)
')
@@ -163,6 +191,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
+ ipsec_run_setkey(sysadm_t, sysadm_r)
+ ipsec_run_racoon(sysadm_t, sysadm_r)
+ ipsec_stream_connect_racoon(sysadm_t)
+
+ optional_policy(`
+ ipsec_mgmt_dbus_chat(sysadm_t)
+ ')
')
optional_policy(`
@@ -170,15 +205,15 @@ optional_policy(`
')
optional_policy(`
- kudzu_run(sysadm_t, sysadm_r)
+ kerberos_exec_kadmind(sysadm_t)
')
optional_policy(`
- libs_run_ldconfig(sysadm_t, sysadm_r)
+ kudzu_run(sysadm_t, sysadm_r)
')
optional_policy(`
- lockdev_role(sysadm_r, sysadm_t)
+ libs_run_ldconfig(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -198,18 +233,12 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
+ modutils_read_module_deps(sysadm_t)
')
optional_policy(`
mount_run(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
- mozilla_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- mplayer_role(sysadm_r, sysadm_t)
+ mount_run_showmount(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -225,6 +254,10 @@ optional_policy(`
')
optional_policy(`
+ ncftool_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
@@ -253,7 +286,7 @@ optional_policy(`
')
optional_policy(`
- pyzor_role(sysadm_r, sysadm_t)
+ prelink_run(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -265,20 +298,14 @@ optional_policy(`
')
optional_policy(`
- razor_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
rpc_domtrans_nfsd(sysadm_t)
')
optional_policy(`
rpm_run(sysadm_t, sysadm_r)
+ rpm_dbus_chat(sysadm_t, sysadm_r)
')
-optional_policy(`
- rssh_role(sysadm_r, sysadm_t)
-')
optional_policy(`
rsync_exec(sysadm_t)
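Review bot: `rpm_dbus_chat(sysadm_t, sysadm_r)` passes a role as a second argument, whereas the same interface is called as `rpm_dbus_chat(staff_usertype)` in staff.te in this patch, and the other `*_dbus_chat` calls here take a domain only. The interface definition is not visible in this hunk. If it takes one parameter, the extra argument has no effect and misleads a reader into thinking a role is being authorised. I would write `rpm_dbus_chat(sysadm_t)`.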
@@ -307,7 +334,7 @@ optional_policy(`
')
optional_policy(`
- spamassassin_role(sysadm_r, sysadm_t)
+ shutdown_run(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -332,10 +359,6 @@ optional_policy(`
')
optional_policy(`
- thunderbird_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
@@ -343,19 +366,15 @@ optional_policy(`
')
optional_policy(`
- tvtime_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
tzdata_domtrans(sysadm_t)
')
optional_policy(`
- uml_role(sysadm_r, sysadm_t)
+ unconfined_domtrans(sysadm_t)
')
optional_policy(`
- unconfined_domtrans(sysadm_t)
+ udev_run(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -367,17 +386,14 @@ optional_policy(`
')
optional_policy(`
- userhelper_role_template(sysadm, sysadm_r, sysadm_t)
-')
-
-optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
')
+
optional_policy(`
- vmware_role(sysadm_r, sysadm_t)
+ vpn_run(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -389,7 +405,7 @@ optional_policy(`
')
optional_policy(`
- wireshark_role(sysadm_r, sysadm_t)
+ virt_stream_connect(sysadm_t)
')
optional_policy(`
@@ -404,8 +420,15 @@ optional_policy(`
yam_run(sysadm_t, sysadm_r)
')
+optional_policy(`
+ zebra_stream_connect(sysadm_t)
+')
+
ifndef(`distro_redhat',`
optional_policy(`
+ apache_role(sysadm_r, sysadm_t)
+ ')
+ optional_policy(`
auth_role(sysadm_r, sysadm_t)
')
@@ -452,5 +475,60 @@ ifndef(`distro_redhat',`
optional_policy(`
java_role(sysadm_r, sysadm_t)
')
-')
+ optional_policy(`
+ lockdev_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ mozilla_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ mplayer_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ pyzor_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ razor_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ rssh_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ spamassassin_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ thunderbird_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ tvtime_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ uml_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ userhelper_role_template(sysadm, sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ vmware_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ wireshark_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ xserver_role(sysadm_r, sysadm_t)
+ ')
+')
diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc
new file mode 100644
index 0000000..0e8654b
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.fc
@@ -0,0 +1,8 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+
+/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
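Review bot: These entries label three remote-desktop programs (`vncserver`, `xrdp`, `xrdp-sesman`) as `unconfined_exec_t`, and the only rationale, `For the time being until someone writes a sane policy`, sits above the vncserver line with no owner or tracking reference. Judging by that comment, init scripts transition to unconfined_t through these entry points, which would leave network-reachable services without type enforcement. I would repeat the rationale for the xrdp pair and make the temporary status actionable, e.g. `# TODO(<tracker-id>): replace with confined vnc/xrdp domains`.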
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
new file mode 100644
index 0000000..8b2cdf3
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.if
@@ -0,0 +1,687 @@
+## Unconfiend user role
+
+########################################
+##
+## Change from the unconfineduser role.
+##
+##
+##
+## Change from the unconfineduser role to
+## the specified role.
+##
+##
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`unconfined_role_change_to',`
+ gen_require(`
+ role unconfined_r;
+ ')
+
+ allow unconfined_r $1;
+')
+
+########################################
+##
+## Transition to the unconfined domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_domtrans',`
+ gen_require(`
+ type unconfined_t, unconfined_exec_t;
+ ')
+
+ domtrans_pattern($1,unconfined_exec_t,unconfined_t)
+')
+
+########################################
+##
+## Execute specified programs in the unconfined domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## The role to allow the unconfined domain.
+##
+##
+#
+interface(`unconfined_run',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ unconfined_domtrans($1)
+ role $2 types unconfined_t;
+')
+
+########################################
+##
+## Transition to the unconfined domain by executing a shell.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_shell_domtrans',`
+ gen_require(`
+ attribute unconfined_login_domain;
+ ')
+ typeattribute $1 unconfined_login_domain;
+')
+
+########################################
+##
+## Allow unconfined to execute the specified program in
+## the specified domain.
+##
+##
+##
+## Allow unconfined to execute the specified program in
+## the specified domain.
+##
+##
+## This is a interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##
+##
+##
+##
+## Domain to execute in.
+##
+##
+##
+##
+## Domain entry point file.
+##
+##
+#
+interface(`unconfined_domtrans_to',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ domtrans_pattern(unconfined_t,$2,$1)
+')
+
+########################################
+##
+## Allow unconfined to execute the specified program in
+## the specified domain. Allow the specified domain the
+## unconfined role and use of unconfined user terminals.
+##
+##
+##
+## Allow unconfined to execute the specified program in
+## the specified domain. Allow the specified domain the
+## unconfined role and use of unconfined user terminals.
+##
+##
+## This is a interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##
+##
+##
+##
+## Domain to execute in.
+##
+##
+##
+##
+## Domain entry point file.
+##
+##
+#
+interface(`unconfined_run_to',`
+ gen_require(`
+ type unconfined_t;
+ role unconfined_r;
+ ')
+
+ domtrans_pattern(unconfined_t,$2,$1)
+ role unconfined_r types $1;
+ userdom_use_user_terminals($1)
+')
+
+########################################
+##
+## Inherit file descriptors from the unconfined domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_use_fds',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fd use;
+')
+
+########################################
+##
+## Send a SIGCHLD signal to the unconfined domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_sigchld',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process sigchld;
+')
+
+########################################
+##
+## Send a SIGNULL signal to the unconfined domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_signull',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process signull;
+')
+
+########################################
+##
+## Send a SIGNULL signal to the unconfined execmem domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_execmem_signull',`
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ allow $1 unconfined_execmem_t:process signull;
+')
+
+########################################
+##
+## Send a signal to the unconfined execmem domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_execmem_signal',`
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ allow $1 unconfined_execmem_t:process signal;
+')
+
+########################################
+##
+## Send generic signals to the unconfined domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_signal',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process signal;
+')
+
+########################################
+##
+## Read unconfined domain unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_read_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read unconfined domain unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_dontaudit_read_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:fifo_file read;
+')
+
+########################################
+##
+## Read and write unconfined domain unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_rw_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## unconfined domain unnamed pipes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`unconfined_dontaudit_rw_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:fifo_file rw_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## unconfined domain stream.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`unconfined_dontaudit_rw_stream',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+##
+## Connect to the unconfined domain using
+## a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_stream_connect',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Do not audit attempts to read or write
+## unconfined domain tcp sockets.
+##
+##
+##
+## Do not audit attempts to read or write
+## unconfined domain tcp sockets.
+##
+##
+## This interface was added due to a broken
+## symptom in ldconfig.
+##
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`unconfined_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:tcp_socket { read write };
+')
+
+########################################
+##
+## Do not audit attempts to read or write
+## unconfined domain packet sockets.
+##
+##
+##
+## Do not audit attempts to read or write
+## unconfined domain packet sockets.
+##
+##
+## This interface was added due to a broken
+## symptom.
+##
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`unconfined_dontaudit_rw_packet_sockets',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:packet_socket { read write };
+')
+
+########################################
+##
+## Create keys for the unconfined domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_create_keys',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:key create;
+')
+
+########################################
+##
+## Send messages to the unconfined domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_dbus_send',`
+ gen_require(`
+ type unconfined_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 unconfined_t:dbus send_msg;
+')
+
+########################################
+##
+## Send and receive messages from
+## unconfined_t over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_dbus_chat',`
+ gen_require(`
+ type unconfined_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 unconfined_t:dbus send_msg;
+ allow unconfined_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Connect to the the unconfined DBUS
+## for service (acquire_svc).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_dbus_connect',`
+ gen_require(`
+ type unconfined_t;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 unconfined_t:dbus acquire_svc;
+')
+
+########################################
+##
+## Allow ptrace of unconfined domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_ptrace',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process ptrace;
+')
+
+########################################
+##
+## Read and write to unconfined shared memory.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`unconfined_rw_shm',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:shm rw_shm_perms;
+')
+
+########################################
+##
+## Read and write to unconfined execmem shared memory.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`unconfined_execmem_rw_shm',`
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ allow $1 unconfined_execmem_t:shm rw_shm_perms;
+')
+
+########################################
+##
+## Transition to the unconfined_execmem domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_execmem_domtrans',`
+
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ execmem_domtrans($1, unconfined_execmem_t)
+')
+
+########################################
+##
+## execute the execmem applications
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_execmem_exec',`
+
+ gen_require(`
+ type execmem_exec_t;
+ ')
+
+ can_exec($1, execmem_exec_t)
+')
+
+########################################
+##
+## Allow apps to set rlimits on userdomain
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_set_rlimitnh',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process rlimitinh;
+')
+
+########################################
+##
+## Get the process group of unconfined.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_getpgid',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process getpgid;
+')
+
+########################################
+##
+## Change to the unconfined role.
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`unconfined_role_change',`
+ gen_require(`
+ role unconfined_r;
+ ')
+
+ allow $1 unconfined_r;
+')
+
+########################################
+##
+## Allow domain to attach to TUN devices created by unconfined_t users.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_attach_tun_iface',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
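Review bot: The summary of `unconfined_shell_domtrans` promises a transition to the unconfined domain by executing a shell, yet its body only adds `$1` to the `unconfined_login_domain` attribute. The access actually granted is therefore decided wherever that attribute is used, presumably in unconfineduser.te, which this hunk does not show. The description should say so, e.g. `## Add the domain to unconfined_login_domain; the transition rules are attached to that attribute.` Two smaller slips in the same file: `unconfined_dontaudit_read_pipes` describes its parameter as `Domain allowed access.` where the sibling dontaudit interfaces say `Domain to not audit.`, and `unconfined_dontaudit_rw_pipes` uses `rw_file_perms` on a `fifo_file` where `unconfined_rw_pipes` uses `rw_fifo_file_perms`.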
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
index 0000000..77c513d
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,499 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+attribute unconfined_login_domain;
+
+##
+##
+## allow unconfined users to transition to the nsplugin domains when running nspluginviewer
+##
+##
+gen_tunable(allow_unconfined_nsplugin_transition, false)
+
+##
+##
+## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
+##
+##
+gen_tunable(unconfined_mozilla_plugin_transition, false)
+
+##
+##
+## Allow vidio playing tools to tun unconfined
+##
+##
+gen_tunable(unconfined_mplayer, false)
+
+##
+##
+## Allow a user to login as an unconfined domain
+##
+##
+gen_tunable(unconfined_login, true)
+
+##
+##
+## Transition to confined qemu domains from unconfined user
+##
+##
+gen_tunable(allow_unconfined_qemu_transition, false)
+
+# usage in this module of types created by these
+# calls is not correct, however we dont currently
+# have another method to add access to these types
+userdom_base_user_template(unconfined)
+userdom_manage_home_role(unconfined_r, unconfined_t)
+userdom_manage_tmp_role(unconfined_r, unconfined_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
+userdom_unpriv_usertype(unconfined, unconfined_t)
+
+type unconfined_exec_t;
+init_system_domain(unconfined_t, unconfined_exec_t)
+role unconfined_r types unconfined_t;
+role_transition system_r unconfined_exec_t unconfined_r;
+allow system_r unconfined_r;
+
+domain_user_exemption_target(unconfined_t)
+allow system_r unconfined_r;
+allow unconfined_r system_r;
+init_script_role_transition(unconfined_r)
+role system_r types unconfined_t;
+typealias unconfined_t alias unconfined_crontab_t;
+
+type unconfined_notrans_t;
+type unconfined_notrans_exec_t;
+init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
+role unconfined_r types unconfined_notrans_t;
+
+########################################
+#
+# Local policy
+#
+
+dontaudit unconfined_t self:dir write;
+dontaudit unconfined_t self:file setattr;
+
+allow unconfined_t self:system syslog_read;
+dontaudit unconfined_t self:capability sys_module;
+
+kernel_rw_unlabeled_socket(unconfined_t)
+kernel_rw_unlabeled_rawip_socket(unconfined_t)
+
+files_create_boot_flag(unconfined_t)
+files_create_default_dir(unconfined_t)
+files_root_filetrans_default(unconfined_t, dir)
+
+mcs_killall(unconfined_t)
+mcs_ptrace_all(unconfined_t)
+mls_file_write_all_levels(unconfined_t)
+
+init_run_daemon(unconfined_t, unconfined_r)
+init_domtrans_script(unconfined_t)
+init_telinit(unconfined_t)
+
+libs_run_ldconfig(unconfined_t, unconfined_r)
+
+logging_send_syslog_msg(unconfined_t)
+logging_run_auditctl(unconfined_t, unconfined_r)
+
+optional_policy(`
+ mount_run_unconfined(unconfined_t, unconfined_r)
+ # Unconfined running as system_r
+ mount_domtrans_unconfined(unconfined_t)
+')
+
+seutil_run_setsebool(unconfined_t, unconfined_r)
+seutil_run_setfiles(unconfined_t, unconfined_r)
+seutil_run_semanage(unconfined_t, unconfined_r)
+
+unconfined_domain_noaudit(unconfined_t)
+
+userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
+
+usermanage_run_passwd(unconfined_t, unconfined_r)
+usermanage_run_chfn(unconfined_t, unconfined_r)
+
+tunable_policy(`allow_execmem',`
+ allow unconfined_t self:process execmem;
+')
+
+tunable_policy(`allow_execmem && allow_execstack',`
+ allow unconfined_t self:process execstack;
+')
+
+tunable_policy(`allow_execmod',`
+ userdom_execmod_user_home_files(unconfined_usertype)
+')
+
+tunable_policy(`unconfined_login',`
+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
+ allow unconfined_t unconfined_login_domain:fd use;
+ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
+ allow unconfined_t unconfined_login_domain:process sigchld;
+')
+
+optional_policy(`
+ gen_require(`
+ attribute unconfined_usertype;
+ ')
+
+ nsplugin_role_notrans(unconfined_r, unconfined_usertype)
+ optional_policy(`
+ tunable_policy(`allow_unconfined_nsplugin_transition',`
+ nsplugin_domtrans(unconfined_usertype)
+ nsplugin_domtrans_config(unconfined_usertype)
+ ')
+ ')
+
+ optional_policy(`
+ abrt_dbus_chat(unconfined_usertype)
+ abrt_run_helper(unconfined_usertype, unconfined_r)
+ ')
+
+ optional_policy(`
+ avahi_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ certmonger_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ devicekit_dbus_chat(unconfined_usertype)
+ devicekit_dbus_chat_disk(unconfined_usertype)
+ devicekit_dbus_chat_power(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ policykit_role(unconfined_r, unconfined_usertype)
+ ')
+
+ optional_policy(`
+ rtkit_scheduled(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ setroubleshoot_dbus_chat(unconfined_usertype)
+ setroubleshoot_dbus_chat_fixit(unconfined_t)
+ ')
+
+ optional_policy(`
+ sandbox_transition(unconfined_usertype, unconfined_r)
+ ')
+
+ optional_policy(`
+ shutdown_run(unconfined_t, unconfined_r)
+ ')
+
+ optional_policy(`
+ tzdata_run(unconfined_usertype, unconfined_r)
+ ')
+
+ optional_policy(`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ xserver_rw_session(unconfined_usertype, user_tmpfs_t)
+ xserver_run_xauth(unconfined_usertype, unconfined_r)
+ xserver_dbus_chat_xdm(unconfined_usertype)
+ ')
+')
+
+ifdef(`distro_gentoo',`
+ seutil_run_runinit(unconfined_t, unconfined_r)
+ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ accountsd_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
+ ada_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ alsa_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ apache_run_helper(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ bind_run_ndc(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ bootloader_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ cron_unconfined_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+ chrome_role(unconfined_r, unconfined_usertype)
+')
+
+optional_policy(`
+ dbus_role_template(unconfined, unconfined_r, unconfined_t)
+
+ optional_policy(`
+ unconfined_domain(unconfined_dbusd_t)
+ unconfined_execmem_domtrans(unconfined_dbusd_t)
+
+ optional_policy(`
+ xserver_rw_shm(unconfined_dbusd_t)
+ ')
+ ')
+
+ init_dbus_chat(unconfined_usertype)
+ init_dbus_chat_script(unconfined_usertype)
+
+ dbus_stub(unconfined_t)
+
+ optional_policy(`
+ bluetooth_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ cups_dbus_chat_config(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ fprintd_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ gnomeclock_dbus_chat(unconfined_usertype)
+ gnome_dbus_chat_gconfdefault(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ ipsec_mgmt_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ kerneloops_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ oddjob_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ vpn_dbus_chat(unconfined_usertype)
+ ')
+')
+
+optional_policy(`
+ firewallgui_dbus_chat(unconfined_usertype)
+')
+
+optional_policy(`
+ firstboot_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ ftp_run_ftpdctl(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ gpsd_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ java_run_unconfined(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ livecd_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ lpd_run_checkpc(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ mock_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+ modutils_run_update_mods(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ mono_role_template(unconfined, unconfined_r, unconfined_t)
+ unconfined_domain_noaudit(unconfined_mono_t)
+ role system_r types unconfined_mono_t;
+')
+
+
+optional_policy(`
+ mozilla_role_plugin(unconfined_r)
+
+ tunable_policy(`unconfined_mozilla_plugin_transition', `
+ mozilla_domtrans_plugin(unconfined_usertype)
+ ')
+')
+
+optional_policy(`
+ ncftool_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ prelink_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ portmap_run_helper(unconfined_t, unconfined_r)
+')
+
+#optional_policy(`
+# ppp_run(unconfined_t, unconfined_r)
+#')
+
+optional_policy(`
+ qemu_unconfined_role(unconfined_r)
+
+ tunable_policy(`allow_unconfined_qemu_transition',`
+ qemu_domtrans(unconfined_t)
+ ',`
+ qemu_domtrans_unconfined(unconfined_t)
+ ')
+')
+
+optional_policy(`
+ rpm_run(unconfined_t, unconfined_r)
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t)
+ rpm_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
+ optional_policy(`
+ samba_run_unconfined_net(unconfined_t, unconfined_r)
+ ')
+
+ samba_role_notrans(unconfined_r)
+# samba_run_winbind_helper(unconfined_t, unconfined_r)
+ samba_run_smbcontrol(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ sendmail_run_unconfined(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ sysnet_run_dhcpc(unconfined_t, unconfined_r)
+ sysnet_dbus_chat_dhcpc(unconfined_t)
+ sysnet_role_transition_dhcpc(unconfined_r)
+')
+
+optional_policy(`
+ telepathy_dbus_session_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+ vbetool_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ virt_transition_svirt(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ vpn_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ webalizer_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ wine_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ xserver_run(unconfined_t, unconfined_r)
+')
+
+########################################
+#
+# Unconfined Execmem Local policy
+#
+
+optional_policy(`
+ execmem_role_template(unconfined, unconfined_r, unconfined_t)
+ typealias unconfined_execmem_t alias execmem_t;
+ typealias unconfined_execmem_t alias unconfined_openoffice_t;
+ unconfined_domain_noaudit(unconfined_execmem_t)
+ allow unconfined_execmem_t unconfined_t:process transition;
+ rpm_transition_script(unconfined_execmem_t)
+ role system_r types unconfined_execmem_t;
+
+ optional_policy(`
+ init_dbus_chat_script(unconfined_execmem_t)
+ dbus_system_bus_client(unconfined_execmem_t)
+ unconfined_dbus_chat(unconfined_execmem_t)
+ unconfined_dbus_connect(unconfined_execmem_t)
+ ')
+
+ optional_policy(`
+ tunable_policy(`allow_unconfined_nsplugin_transition',`', `
+ nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)
+ ')
+ ')
+
+ optional_policy(`
+ tunable_policy(`unconfined_login',`
+ mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
+ ')
+ ')
+
+ optional_policy(`
+ openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
+ ')
+')
+
+########################################
+#
+# Unconfined notrans Local policy
+#
+
+allow unconfined_notrans_t self:process { execstack execmem };
+unconfined_domain_noaudit(unconfined_notrans_t)
+userdom_unpriv_usertype(unconfined, unconfined_notrans_t)
+domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
+# Allow SELinux aware applications to request rpm_script execution
+rpm_transition_script(unconfined_notrans_t)
+domain_ptrace_all_domains(unconfined_notrans_t)
+
+########################################
+#
+# Unconfined mount local policy
+#
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
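Review bot: In the "Unconfined Execmem Local policy" section, `mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)` is gated on `unconfined_login`, while the `unconfined_mplayer` tunable declared at the top of this file is never referenced anywhere in it. As written, toggling `unconfined_mplayer` has no effect and the mplayer transition follows the login boolean (default true); the condition on that `tunable_policy` line should presumably be `unconfined_mplayer`. Separately, `allow system_r unconfined_r;` appears twice in the declarations, and the summary for `unconfined_mplayer` reads "vidio ... to tun" where "video ... to run" is meant. The final section header says "Unconfined mount local policy" but holds only the `gen_user` line, so it should be renamed or dropped.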
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index e5bfdd4..10d03a3 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -12,15 +12,67 @@ role user_r;
userdom_unpriv_user_template(user)
+fs_exec_noxattr(user_t)
+
+tunable_policy(`allow_execmod',`
+ userdom_execmod_user_home_files(user_usertype)
+')
+
+optional_policy(`
+ abrt_cache_read(user_t)
+')
+
optional_policy(`
apache_role(user_r, user_t)
')
optional_policy(`
+ colord_dbus_chat(user_t)
+')
+
+optional_policy(`
+ gnome_role(user_r, user_t)
+')
+
+optional_policy(`
+ oident_manage_user_content(user_t)
+ oident_relabel_user_content(user_t)
+')
+
+optional_policy(`
+ mozilla_run_plugin(user_t, user_r)
+')
+
+optional_policy(`
+ netutils_run_ping_cond(user_t, user_r)
+ netutils_run_traceroute_cond(user_t, user_r)
+')
+
+optional_policy(`
+ rpm_dontaudit_dbus_chat(user_t)
+')
+
+optional_policy(`
+ rtkit_scheduled(user_t)
+')
+
+optional_policy(`
+ sandbox_transition(user_t, user_r)
+')
+
+optional_policy(`
screen_role_template(user, user_r, user_t)
')
optional_policy(`
+ setroubleshoot_dontaudit_stream_connect(user_t)
+')
+
+optional_policy(`
+ telepathy_dbus_session_role(user_r, user_t)
+')
+
+optional_policy(`
vlock_run(user_t, user_r)
')
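Review bot: `fs_exec_noxattr(user_t)` is added at the top level with no condition, whereas xguest.te in this same patch keeps the identical call for `xguest_t` inside an ifndef on `enable_mls`. Judging by the interface name, this lets the default confined login user execute files from filesystems that carry no labels, so it would be worth either applying the same `enable_mls` guard here or adding a comment stating why `user_t` needs it under every policy type.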
@@ -62,10 +114,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- gnome_role(user_r, user_t)
- ')
-
- optional_policy(`
gpg_role(user_r, user_t)
')
@@ -118,7 +166,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- spamassassin_role(user_r, user_t)
+ spamassassin_role(user_r, user_t)
')
optional_policy(`
@@ -157,3 +205,4 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
+
diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te
index 0ecc786..dbf2710 100644
--- a/policy/modules/roles/webadm.te
+++ b/policy/modules/roles/webadm.te
@@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t)
seutil_domtrans_setfiles(webadm_t)
logging_send_syslog_msg(webadm_t)
+logging_send_audit_msgs(webadm_t)
userdom_dontaudit_search_user_home_dirs(webadm_t)
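Review bot: `logging_send_audit_msgs(webadm_t)` is added without a comment naming what in the web-administrator role needs to emit audit records. A domain holding this access can presumably add user-space records to the audit trail, so the grant is worth justifying in place. A one-line comment such as `# <tool> sends audit records when run as webadm_t` (placeholder, tool name to be filled in) would make it reviewable.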
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
index e88b95f..9d37855 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
##
##
-## Allow xguest to configure Network Manager
+## Allow xguest users to configure Network Manager and connect to apache ports
##
##
gen_tunable(xguest_connect_network, true)
##
##
-## Allow xguest to use blue tooth devices
+## Allow xguest users to use blue tooth devices
##
##
gen_tunable(xguest_use_bluetooth, true)
@@ -29,12 +29,12 @@ gen_tunable(xguest_use_bluetooth, true)
role xguest_r;
userdom_restricted_xwindows_user_template(xguest)
+sysnet_dns_name_resolve(xguest_t)
########################################
#
# Local policy
#
-
ifndef(`enable_mls',`
fs_exec_noxattr(xguest_t)
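Review bot: `sysnet_dns_name_resolve(xguest_t)` sits in the declarations, outside any tunable, so the guest account keeps name-resolution access when `xguest_connect_network` is switched off. The other network grants for xguest in this patch are placed inside that tunable; moving this call into the same `tunable_policy` block would keep the boolean an effective off switch for guest network traffic. If always-on DNS is intended, a comment saying so would help. The `ifndef` block that follows continues outside the hunk.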
@@ -49,11 +49,23 @@ ifndef(`enable_mls',`
')
')
+optional_policy(`
+ # Dontaudit fusermount
+ mount_dontaudit_exec_fusermount(xguest_t)
+')
+
+allow xguest_t self:process execmem;
+kernel_dontaudit_request_load_module(xguest_t)
+
+tunable_policy(`allow_execstack',`
+ allow xguest_t self:process execstack;
+')
+
# Allow mounting of file systems
optional_policy(`
tunable_policy(`xguest_mount_media',`
kernel_read_fs_sysctls(xguest_t)
-
+ kernel_request_load_module(xguest_t)
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
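Review bot: `allow xguest_t self:process execmem;` is unconditional, while `execstack` just below it is gated on `allow_execstack` and unconfineduser.te in this patch gates `execmem` for `unconfined_t` on `allow_execmem`. That leaves the most restricted login user with writable-and-executable memory regardless of the global boolean; wrapping the rule in a `tunable_policy` on `allow_execmem` would match the rest of the patch. In the same hunk, `kernel_dontaudit_request_load_module(xguest_t)` is added at top level and `kernel_request_load_module(xguest_t)` inside `xguest_mount_media`, a pairing that deserves a short comment so it is not mistaken for an error. The `optional_policy` block continues past the hunk.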
@@ -62,10 +74,9 @@ optional_policy(`
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
+ fs_mount_fusefs(xguest_t)
auth_list_pam_console_data(xguest_t)
-
- init_read_utmp(xguest_t)
')
')
@@ -76,23 +87,98 @@ optional_policy(`
')
optional_policy(`
+ chrome_role(xguest_r, xguest_usertype)
+')
+
+optional_policy(`
hal_dbus_chat(xguest_t)
')
optional_policy(`
- java_role(xguest_r, xguest_t)
+ apache_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ gnome_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ gnomeclock_dontaudit_dbus_chat(xguest_t)
+')
+
+optional_policy(`
+ java_role_template(xguest, xguest_r, xguest_t)
+')
+
+optional_policy(`
+ mono_role_template(xguest, xguest_r, xguest_t)
')
optional_policy(`
- mozilla_role(xguest_r, xguest_t)
+ mozilla_run_plugin(xguest_t, xguest_r)
+')
+
+optional_policy(`
+ nsplugin_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ pcscd_read_pub_files(xguest_usertype)
+ pcscd_stream_connect(xguest_usertype)
')
optional_policy(`
tunable_policy(`xguest_connect_network',`
+ kernel_read_network_state(xguest_usertype)
+
networkmanager_dbus_chat(xguest_t)
- corenet_tcp_connect_pulseaudio_port(xguest_t)
- corenet_tcp_connect_ipp_port(xguest_t)
+ networkmanager_read_lib_files(xguest_t)
+ corenet_tcp_connect_pulseaudio_port(xguest_usertype)
+ corenet_all_recvfrom_unlabeled(xguest_usertype)
+ corenet_all_recvfrom_netlabel(xguest_usertype)
+ corenet_tcp_sendrecv_generic_if(xguest_usertype)
+ corenet_raw_sendrecv_generic_if(xguest_usertype)
+ corenet_tcp_sendrecv_generic_node(xguest_usertype)
+ corenet_raw_sendrecv_generic_node(xguest_usertype)
+ corenet_tcp_sendrecv_http_port(xguest_usertype)
+ corenet_tcp_sendrecv_http_cache_port(xguest_usertype)
+ corenet_tcp_sendrecv_squid_port(xguest_usertype)
+ corenet_tcp_sendrecv_ftp_port(xguest_usertype)
+ corenet_tcp_sendrecv_ipp_port(xguest_usertype)
+ corenet_tcp_connect_http_port(xguest_usertype)
+ corenet_tcp_connect_http_cache_port(xguest_usertype)
+ corenet_tcp_connect_squid_port(xguest_usertype)
+ corenet_tcp_connect_flash_port(xguest_usertype)
+ corenet_tcp_connect_ftp_port(xguest_usertype)
+ corenet_tcp_connect_ipp_port(xguest_usertype)
+ corenet_tcp_connect_generic_port(xguest_usertype)
+ corenet_tcp_connect_soundd_port(xguest_usertype)
+ corenet_sendrecv_http_client_packets(xguest_usertype)
+ corenet_sendrecv_http_cache_client_packets(xguest_usertype)
+ corenet_sendrecv_squid_client_packets(xguest_usertype)
+ corenet_sendrecv_ftp_client_packets(xguest_usertype)
+ corenet_sendrecv_ipp_client_packets(xguest_usertype)
+ corenet_sendrecv_generic_client_packets(xguest_usertype)
+ # Should not need other ports
+ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype)
+ corenet_dontaudit_tcp_bind_generic_port(xguest_usertype)
+ corenet_tcp_connect_speech_port(xguest_usertype)
+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
')
+
+ optional_policy(`
+ telepathy_dbus_session_role(xguest_r, xguest_t)
+ ')
+')
+
+optional_policy(`
+ gen_require(`
+ type mozilla_t;
+ ')
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
')
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
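Review bot: Inside `xguest_connect_network`, `corenet_tcp_connect_generic_port(xguest_usertype)` and `corenet_sendrecv_generic_client_packets(xguest_usertype)` are followed by the comment `# Should not need other ports` and a `dontaudit` for generic-port send/receive, which reads as contradictory. Presumably the generic-port interfaces cover every TCP port without a dedicated label, which is far wider than the http/ftp/ipp/squid list and than the tunable's new description ("connect to apache ports"). If that breadth is required, the comment should name the application that needs it; otherwise these two calls should be dropped. The last block also reaches into another module with `gen_require` on `mozilla_t` and a raw `allow xguest_t mozilla_t:process transition;`, where an interface exported by the mozilla module would be the conventional way to express it.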
diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
index 1bd5812..3b3ba64 100644
--- a/policy/modules/services/abrt.fc
+++ b/policy/modules/services/abrt.fc
@@ -15,6 +15,7 @@
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
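Review bot: The new `/var/run/abrtd?\.socket` entry uses the `--` file-type field, which restricts the match to regular files, so a Unix socket at that path is not matched by this line. The `/var/run/abrt(/.*)?` entry below does not cover the path either; the field should be `-s`, i.e. `/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)`. The `sock_file` class added to `files_pid_filetrans` in abrt.te labels the socket when abrt_t creates it, but a later relabel would fall back to whatever broader /var/run entry applies.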
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
index 0b827c5..9a82e8d 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
type abrt_t;
')
+ kernel_search_proc($1)
ps_process_pattern($1, abrt_t)
')
@@ -130,6 +131,10 @@ interface(`abrt_domtrans_helper',`
')
domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit abrt_helper_t $1:socket_class_set { read write };
+ ')
')
########################################
@@ -160,8 +165,44 @@ interface(`abrt_run_helper',`
########################################
##
-## Send and receive messages from
-## abrt over dbus.
+## Read abrt cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_cache_read',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
+########################################
+##
+## Append abrt cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_cache_append',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+ append_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
+########################################
+##
+## Manage abrt cache
##
##
##
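Review bot: `abrt_cache_read` and `abrt_cache_append` grant access inside `abrt_var_cache_t` but give the caller no search access to the parent directories, unlike the aiccu interfaces added later in this patch, which pair their rules with `files_search_pids($1)`. abrt.fc labels `/var/spool/abrt` with this type, so a caller that cannot already traverse `/var` and the spool directory will still be denied. Adding `files_search_var($1)` and `files_search_spool($1)` to both interfaces would make them self-contained. The `Manage abrt cache` summary at the end of the hunk documents an interface whose body is outside the hunk.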
@@ -253,6 +294,24 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
+########################################
+##
+## Read and write abrt fifo files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_rw_fifo_file',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
#####################################
##
## All of the rules required to administrate
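Review bot: The summary for `abrt_rw_fifo_file` says "Read and write abrt fifo files", but the rule uses `rw_inherited_fifo_file_perms`, which by its name covers only descriptors the caller inherited rather than ones it opens itself. The summary should say so, for example `## Read and write inherited abrt fifo files.`, so that policy authors do not expect open access from this interface.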
@@ -286,18 +345,18 @@ interface(`abrt_admin',`
role_transition $2 abrt_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, abrt_etc_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, abrt_var_log_t)
- files_search_var($1)
+ files_list_var($1)
admin_pattern($1, abrt_var_cache_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, abrt_var_run_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, abrt_tmp_t)
')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
index 30861ec..de61315 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0)
# Declarations
#
+##
+##
+## Allow ABRT to modify public files
+## used for public file transfer services.
+##
+##
+gen_tunable(abrt_anon_write, false)
+
type abrt_t;
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)
@@ -48,9 +56,9 @@ ifdef(`enable_mcs',`
# abrt local policy
#
-allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
+allow abrt_t self:capability { fowner chown kill setuid setgid sys_nice dac_override };
dontaudit abrt_t self:capability sys_rawio;
-allow abrt_t self:process { signal signull setsched getsched };
+allow abrt_t self:process { sigkill signal signull setsched getsched };
allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
@@ -59,6 +67,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
# abrt etc files
+list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
# log file
@@ -69,6 +78,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+can_exec(abrt_t, abrt_tmp_t)
# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
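Review bot: With `can_exec(abrt_t, abrt_tmp_t)` added, abrt_t can both write and execute `abrt_tmp_t` files in its own domain, and nothing in the hunk says what needs that. abrt_t holds `setuid`, `setgid` and `dac_override` elsewhere in this file, so write-then-execute on its temporary files deserves a comment naming the component, e.g. `# <component> runs helper scripts from its tmp dir` (placeholder). If only one helper is involved, a dedicated executable type with a domain transition would be tighter than executing anything labelled `abrt_tmp_t`.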
@@ -82,7 +92,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
-files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
kernel_read_ring_buffer(abrt_t)
kernel_read_system_state(abrt_t)
@@ -113,7 +123,8 @@ domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
-files_read_etc_files(abrt_t)
+files_read_config_files(abrt_t)
+files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
@@ -121,6 +132,8 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
+files_dontaudit_read_all_symlinks(abrt_t)
+files_dontaudit_getattr_all_sockets(abrt_t)
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
@@ -131,7 +144,7 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
-sysnet_read_config(abrt_t)
+sysnet_dns_name_resolve(abrt_t)
logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)
@@ -140,6 +153,15 @@ miscfiles_read_generic_certs(abrt_t)
miscfiles_read_localization(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
+
+tunable_policy(`abrt_anon_write',`
+ miscfiles_manage_public_files(abrt_t)
+')
+
+optional_policy(`
+ apache_read_modules(abrt_t)
+')
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
@@ -150,6 +172,11 @@ optional_policy(`
')
optional_policy(`
+ nsplugin_read_rw_files(abrt_t)
+ nsplugin_read_home(abrt_t)
+')
+
+optional_policy(`
policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
@@ -167,6 +194,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
+ rpm_manage_log(abrt_t)
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
@@ -178,12 +206,18 @@ optional_policy(`
')
optional_policy(`
+ sosreport_domtrans(abrt_t)
+ sosreport_read_tmp_files(abrt_t)
+ sosreport_delete_tmp_files(abrt_t)
+')
+
+optional_policy(`
sssd_stream_connect(abrt_t)
')
########################################
#
-# abrt--helper local policy
+# abrt-helper local policy
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
@@ -203,6 +237,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
domain_read_all_domains_state(abrt_helper_t)
files_read_etc_files(abrt_helper_t)
+files_dontaudit_all_non_security_leaks(abrt_helper_t)
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
@@ -216,7 +251,8 @@ miscfiles_read_localization(abrt_helper_t)
term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
-ifdef(`hide_broken_symptoms', `
+ifdef(`hide_broken_symptoms',`
+ domain_dontaudit_leaks(abrt_helper_t)
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
@@ -224,4 +260,18 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
+')
+
+ifdef(`hide_broken_symptoms',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
')
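Review bot: The second `hide_broken_symptoms` block grants real access rather than silencing denials: `allow abrt_t domain:file write;` and `allow abrt_t domain:process setrlimit;` apply to every type carrying the `domain` attribute, and `sys_resource` is added alongside. The other abrt hunks shown here use `hide_broken_symptoms` only for `dontaudit` rules, so builds that define it quietly get a broader abrt_t. These rules should sit in the main abrt_t policy with a comment stating what they are for, or be narrowed to the types actually needed. The same pattern appears in the afs.te hunk, where `kernel_rw_unlabeled_files(afs_t)` is placed under `hide_broken_symptoms`.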
diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
index c0f858d..d639ae0 100644
--- a/policy/modules/services/accountsd.if
+++ b/policy/modules/services/accountsd.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run accountsd.
##
##
-##
+##
## Domain allowed access.
-##
+##
##
#
interface(`accountsd_domtrans',`
@@ -25,7 +25,7 @@ interface(`accountsd_domtrans',`
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
@@ -138,7 +138,7 @@ interface(`accountsd_admin',`
type accountsd_t;
')
- allow $1 accountsd_t:process { ptrace signal_perms getattr };
+ allow $1 accountsd_t:process { ptrace signal_perms };
ps_process_pattern($1, accountsd_t)
accountsd_manage_lib_files($1)
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
index 1632f10..f6e570c 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
type accountsd_t;
type accountsd_exec_t;
dbus_system_domain(accountsd_t, accountsd_exec_t)
+init_daemon_domain(accountsd_t, accountsd_exec_t)
+role system_r types accountsd_t;
type accountsd_var_lib_t;
files_type(accountsd_var_lib_t)
@@ -32,6 +34,7 @@ files_read_usr_files(accountsd_t)
files_read_mnt_files(accountsd_t)
fs_list_inotifyfs(accountsd_t)
+fs_getattr_xattr_fs(accountsd_t)
fs_read_noxattr_fs_files(accountsd_t)
auth_use_nsswitch(accountsd_t)
@@ -55,3 +58,8 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(accountsd_t)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(accountsd_t)
+ xserver_manage_xdm_etc_files(accountsd_t)
+')
diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if
index 8559cdc..49c0cc8 100644
--- a/policy/modules/services/afs.if
+++ b/policy/modules/services/afs.if
@@ -97,8 +97,8 @@ interface(`afs_admin',`
type afs_t, afs_initrc_exec_t;
')
- allow $1 afs_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, afs_t, afs_t)
+ allow $1 afs_t:process { ptrace signal_perms };
+ ps_process_pattern($1, afs_t)
# Allow afs_admin to restart the afs service
afs_initrc_domtrans($1)
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
index a496fde..847609a 100644
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
@@ -107,6 +107,10 @@ miscfiles_read_localization(afs_t)
sysnet_dns_name_resolve(afs_t)
+ifdef(`hide_broken_symptoms',`
+ kernel_rw_unlabeled_files(afs_t)
+')
+
########################################
#
# AFS bossserver local policy
diff --git a/policy/modules/services/aiccu.fc b/policy/modules/services/aiccu.fc
new file mode 100644
index 0000000..069518f
--- /dev/null
+++ b/policy/modules/services/aiccu.fc
@@ -0,0 +1,6 @@
+/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0)
+/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+
+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if
new file mode 100644
index 0000000..6bf0ad6
--- /dev/null
+++ b/policy/modules/services/aiccu.if
@@ -0,0 +1,116 @@
+## Automatic IPv6 Connectivity Client Utility.
+
+########################################
+##
+## Execute a domain transition to run aiccu.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`aiccu_domtrans',`
+ gen_require(`
+ type aiccu_t, aiccu_exec_t;
+ ')
+
+ domtrans_pattern($1, aiccu_exec_t, aiccu_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+##
+## Execute aiccu server in the aiccu domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`aiccu_initrc_domtrans',`
+ gen_require(`
+ type aiccu_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, aiccu_initrc_exec_t)
+')
+
+########################################
+##
+## Read aiccu PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`aiccu_read_pid_files',`
+ gen_require(`
+ type aiccu_var_run_t;
+ ')
+
+ allow $1 aiccu_var_run_t:file read_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+##
+## Manage aiccu PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`aiccu_manage_var_run',`
+ gen_require(`
+ type aiccu_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+ manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+ manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+ files_search_pids($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an aiccu environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`aiccu_admin',`
+ gen_require(`
+ type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
+ type aiccu_var_run_t;
+ ')
+
+ allow $1 aiccu_t:process { ptrace signal_perms };
+ ps_process_pattern($1, aiccu_t)
+
+ aiccu_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 aiccu_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, aiccu_etc_t)
+ files_list_etc($1)
+
+ admin_pattern($1, aiccu_var_run_t)
+ files_list_pids($1)
+')
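Review bot: Two interface headers in this new file do not match their bodies. `aiccu_initrc_domtrans` is summarised as "Execute aiccu server in the aiccu domain", but it calls `init_labeled_script_domtrans` on `aiccu_initrc_exec_t`, so it concerns the init script rather than the daemon binary; `## Execute the aiccu init script in the init script domain.` would be accurate. `aiccu_manage_var_run` is documented as "Manage aiccu PID files" and sits next to `aiccu_read_pid_files`; naming it `aiccu_manage_pid_files` would match both that sibling and `abrt_manage_pid_files` elsewhere in this patch.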
diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te
new file mode 100644
index 0000000..dda9c93
--- /dev/null
+++ b/policy/modules/services/aiccu.te
@@ -0,0 +1,75 @@
+policy_module(aiccu, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type aiccu_t;
+type aiccu_exec_t;
+init_daemon_domain(aiccu_t, aiccu_exec_t)
+
+type aiccu_initrc_exec_t;
+init_script_file(aiccu_initrc_exec_t)
+
+type aiccu_etc_t;
+files_config_file(aiccu_etc_t)
+
+type aiccu_var_run_t;
+files_pid_file(aiccu_var_run_t)
+
+########################################
+#
+# aiccu local policy
+#
+
+allow aiccu_t self:capability { kill net_admin net_raw };
+dontaudit aiccu_t self:capability sys_tty_config;
+allow aiccu_t self:process signal;
+allow aiccu_t self:fifo_file rw_fifo_file_perms;
+allow aiccu_t self:netlink_route_socket create_netlink_socket_perms;
+allow aiccu_t self:tcp_socket create_stream_socket_perms;
+allow aiccu_t self:tun_socket create_socket_perms;
+allow aiccu_t self:udp_socket create_stream_socket_perms;
+allow aiccu_t self:unix_stream_socket create_stream_socket_perms;
+
+allow aiccu_t aiccu_etc_t:file read_file_perms;
+
+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
+
+kernel_read_system_state(aiccu_t)
+
+corecmd_exec_shell(aiccu_t)
+
+corenet_all_recvfrom_netlabel(aiccu_t)
+corenet_all_recvfrom_unlabeled(aiccu_t)
+corenet_tcp_bind_generic_node(aiccu_t)
+corenet_tcp_sendrecv_generic_if(aiccu_t)
+corenet_tcp_sendrecv_generic_node(aiccu_t)
+corenet_tcp_sendrecv_generic_port(aiccu_t)
+corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
+corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
+corenet_tcp_connect_sixxsconfig_port(aiccu_t)
+corenet_rw_tun_tap_dev(aiccu_t)
+
+domain_use_interactive_fds(aiccu_t)
+
+dev_read_rand(aiccu_t)
+dev_read_urand(aiccu_t)
+
+files_read_etc_files(aiccu_t)
+
+logging_send_syslog_msg(aiccu_t)
+
+miscfiles_read_localization(aiccu_t)
+
+optional_policy(`
+ modutils_domtrans_insmod(aiccu_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(aiccu_t)
+ sysnet_dns_name_resolve(aiccu_t)
+')
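Review bot: `allow aiccu_t self:udp_socket create_stream_socket_perms;` gives a datagram socket class the stream permission set, while the datagram rules elsewhere in this patch (for example the `unix_dgram_socket` rule in amavis.te) use `create_socket_perms`. The narrower, conventional form is `allow aiccu_t self:udp_socket create_socket_perms;`. Separately, `corecmd_exec_shell(aiccu_t)` lets a daemon that holds `net_admin` and `net_raw` run a shell in its own domain, and nothing says what needs it. A why-comment above that line, such as `# aiccu runs its tunnel setup through /bin/sh (TODO confirm)`, would let a later reviewer decide whether the grant can be dropped.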
diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if
index 838d25b..0b0db39 100644
--- a/policy/modules/services/aide.if
+++ b/policy/modules/services/aide.if
@@ -33,6 +33,7 @@ interface(`aide_domtrans',`
## The role to allow the AIDE domain.
##
##
+##
#
interface(`aide_run',`
gen_require(`
diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te
index 2509dd2..615e957 100644
--- a/policy/modules/services/aide.te
+++ b/policy/modules/services/aide.te
@@ -39,4 +39,4 @@ logging_send_syslog_msg(aide_t)
seutil_use_newrole_fds(aide_t)
-userdom_use_user_terminals(aide_t)
+userdom_use_inherited_user_terminals(aide_t)
diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if
index 0370dba..af5d229 100644
--- a/policy/modules/services/aisexec.if
+++ b/policy/modules/services/aisexec.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run aisexec.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`aisexec_domtrans',`
diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
index 97c9cae..c24bd66 100644
--- a/policy/modules/services/aisexec.te
+++ b/policy/modules/services/aisexec.te
@@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t)
# aisexec local policy
#
-allow aisexec_t self:capability { sys_nice sys_resource ipc_lock };
+allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner };
allow aisexec_t self:process { setrlimit setsched signal };
allow aisexec_t self:fifo_file rw_fifo_file_perms;
allow aisexec_t self:sem create_sem_perms;
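Review bot: The added `ipc_owner` capability has no comment saying which IPC object aisexec has to reach, and the second hunk of this file adds `userdom_rw_semaphores(aisexec_t)` and `userdom_rw_unpriv_user_shared_mem(aisexec_t)` in the same unexplained way. `ipc_owner` bypasses the ownership checks on System V IPC objects, so together with the two userdom interfaces (going by their names) the daemon can read and write user-owned semaphores and shared memory at both the DAC and the type-enforcement level. If only one side is actually required, drop the other. Otherwise add a comment above the capability line, e.g. `# clients run by users create the IPC objects aisexec attaches to (TODO confirm)`.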
@@ -81,6 +81,9 @@ logging_send_syslog_msg(aisexec_t)
miscfiles_read_localization(aisexec_t)
+userdom_rw_semaphores(aisexec_t)
+userdom_rw_unpriv_user_shared_mem(aisexec_t)
+
optional_policy(`
ccs_stream_connect(aisexec_t)
')
diff --git a/policy/modules/services/ajaxterm.fc b/policy/modules/services/ajaxterm.fc
new file mode 100644
index 0000000..aeb1888
--- /dev/null
+++ b/policy/modules/services/ajaxterm.fc
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
+
+/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0)
+
+/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if
new file mode 100644
index 0000000..0f3fc36
--- /dev/null
+++ b/policy/modules/services/ajaxterm.if
@@ -0,0 +1,86 @@
+## policy for ajaxterm
+
+########################################
+##
+## Execute a domain transition to run ajaxterm.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ajaxterm_domtrans',`
+ gen_require(`
+ type ajaxterm_t, ajaxterm_exec_t;
+ ')
+
+ domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
+')
+
+########################################
+##
+## Execute ajaxterm server in the ajaxterm domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ajaxterm_initrc_domtrans',`
+ gen_require(`
+ type ajaxterm_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
+')
+
+#######################################
+##
+## Read and write the ajaxterm pty type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ajaxterm_rw_ptys',`
+ gen_require(`
+ type ajaxterm_devpts_t;
+ ')
+
+ allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an ajaxterm environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`ajaxterm_admin',`
+ gen_require(`
+ type ajaxterm_t, ajaxterm_initrc_exec_t;
+ ')
+
+ allow $1 ajaxterm_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ajaxterm_t)
+
+ ajaxterm_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ajaxterm_initrc_exec_t system_r;
+ allow $2 system_r;
+')
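Review bot: `allow $1 ajaxterm_t:process { ptrace signal_perms };` in `ajaxterm_admin` gives the admin domain ptrace over a process that owns login ptys (ajaxterm.te declares `ajaxterm_devpts_t` with `term_login_pty`), which is more than starting, stopping and signalling the service requires. Consider `allow $1 ajaxterm_t:process signal_perms;` here and granting ptrace separately where debugging really needs it; `aiccu_admin` earlier in this patch carries the same line. The interface also never references `ajaxterm_var_run_t`, whereas `aiccu_admin` calls `admin_pattern` on its PID type, so an ajaxterm administrator presumably cannot remove a stale PID file.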
diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te
new file mode 100644
index 0000000..3d0fd88
--- /dev/null
+++ b/policy/modules/services/ajaxterm.te
@@ -0,0 +1,64 @@
+policy_module(ajaxterm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ajaxterm_t;
+type ajaxterm_exec_t;
+init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
+
+type ajaxterm_initrc_exec_t;
+init_script_file(ajaxterm_initrc_exec_t)
+
+type ajaxterm_var_run_t;
+files_pid_file(ajaxterm_var_run_t)
+
+type ajaxterm_devpts_t;
+term_login_pty(ajaxterm_devpts_t)
+
+########################################
+#
+# ajaxterm local policy
+#
+allow ajaxterm_t self:capability setuid;
+allow ajaxterm_t self:process { setpgid signal };
+allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
+allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
+allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
+
+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
+term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
+
+manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
+
+kernel_read_system_state(ajaxterm_t)
+
+corecmd_exec_bin(ajaxterm_t)
+
+corenet_tcp_bind_generic_node(ajaxterm_t)
+corenet_tcp_bind_ajaxterm_port(ajaxterm_t)
+
+dev_read_urand(ajaxterm_t)
+
+domain_use_interactive_fds(ajaxterm_t)
+
+files_read_etc_files(ajaxterm_t)
+files_read_usr_files(ajaxterm_t)
+
+miscfiles_read_localization(ajaxterm_t)
+
+sysnet_dns_name_resolve(ajaxterm_t)
+
+#######################################
+#
+# SSH component local policy
+#
+
+optional_policy(`
+ ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
+')
+
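Review bot: `allow ajaxterm_t self:capability setuid;` and `corecmd_exec_bin(ajaxterm_t)` are granted to a domain that binds a TCP port and creates login ptys, and neither line says which code path needs it. For a network-facing terminal service each of these should carry a one-line why-comment, for example `# setuid: <reason> (TODO confirm)`, so the grants can be re-checked when the service changes. The `chr_file` rule on `ajaxterm_devpts_t` also includes `relabelfrom` with no matching `relabelto` visible in this file. If the target type comes from `ssh_basic_client_template`, note that next to the rule; otherwise the permission looks unused.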
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
index ceb2142..e31d92a 100644
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
@@ -183,7 +183,7 @@ interface(`amavis_setattr_pid_files',`
type amavis_var_run_t;
')
- allow $1 amavis_var_run_t:file setattr;
+ allow $1 amavis_var_run_t:file setattr_file_perms;
files_search_pids($1)
')
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index c3a1903..19fb14a 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -47,7 +47,7 @@ files_type(amavis_spool_t)
allow amavis_t self:capability { kill chown dac_override setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
-allow amavis_t self:process { signal sigchld signull };
+allow amavis_t self:process { signal sigchld sigkill signull };
allow amavis_t self:fifo_file rw_fifo_file_perms;
allow amavis_t self:unix_stream_socket create_stream_socket_perms;
allow amavis_t self:unix_dgram_socket create_socket_perms;
@@ -76,7 +76,7 @@ files_search_spool(amavis_t)
# tmp files
manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
-allow amavis_t amavis_tmp_t:dir setattr;
+allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
# var/lib files for amavis
@@ -86,7 +86,7 @@ manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
files_search_var_lib(amavis_t)
# log files
-allow amavis_t amavis_var_log_t:dir setattr;
+allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
@@ -105,6 +105,7 @@ kernel_dontaudit_read_system_state(amavis_t)
# find perl
corecmd_exec_bin(amavis_t)
+corecmd_exec_shell(amavis_t)
corenet_all_recvfrom_unlabeled(amavis_t)
corenet_all_recvfrom_netlabel(amavis_t)
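Review bot: `corecmd_exec_shell(amavis_t)` is added under the existing `# find perl` comment, which does not explain it. amavis_t is a mail content filter and, per the context lines of the first hunk in this file, holds `dac_override`, `setuid` and `setgid`, so being able to run a shell in that domain needs its own justification. Add a comment on the line naming what is started through the shell, e.g. `# <helper> is invoked via sh -c (TODO confirm)`, or drop the grant if the denial came from a local misconfiguration.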
@@ -152,24 +153,32 @@ sysnet_use_ldap(amavis_t)
userdom_dontaudit_search_user_home_dirs(amavis_t)
-# Cron handling
-cron_use_fds(amavis_t)
-cron_use_system_job_fds(amavis_t)
-cron_rw_pipes(amavis_t)
-
-mta_read_config(amavis_t)
-
optional_policy(`
clamav_stream_connect(amavis_t)
clamav_domtrans_clamscan(amavis_t)
')
optional_policy(`
+ #Cron handling
+ cron_use_fds(amavis_t)
+ cron_use_system_job_fds(amavis_t)
+ cron_rw_pipes(amavis_t)
+')
+
+optional_policy(`
dcc_domtrans_client(amavis_t)
dcc_stream_connect_dccifd(amavis_t)
')
optional_policy(`
+ mta_read_config(amavis_t)
+')
+
+optional_policy(`
+ nslcd_stream_connect(amavis_t)
+')
+
+optional_policy(`
postfix_read_config(amavis_t)
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 9e39aa5..7ba3b11 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
@@ -24,7 +24,6 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
@@ -43,8 +42,9 @@ ifdef(`distro_suse', `
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -74,7 +74,8 @@ ifdef(`distro_suse', `
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -86,7 +87,6 @@ ifdef(`distro_suse', `
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -109,3 +109,22 @@ ifdef(`distro_debian', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
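Review bot: `/var/www/html/configuration\.php` is labelled `httpd_sys_rw_content_t` with no file-type field, which makes an application configuration file inside the document root writable by every domain allowed to write rw content. If the application only has to write it during installation, a read-only content label by default with a relabel for the install step is the safer choice. At minimum restrict the entry to regular files: `/var/www/html/configuration\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)`. The same hunk puts `/var/www/svn/hooks(/.*)?` as script-exec inside an rw-content tree, which deserves a comment on why the hooks must be executable from the web server's script domain.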
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 6480167..09c61a0 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
gen_require(`
- attribute httpdcontent;
- attribute httpd_exec_scripts;
- attribute httpd_script_exec_type;
+ attribute httpd_exec_scripts, httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
+ type httpd_sys_content_t;
')
- # allow write access to public file transfer
- # services files.
- gen_tunable(allow_httpd_$1_script_anon_write, false)
#This type is for webpages
- type httpd_$1_content_t, httpdcontent; # customizable
+ type httpd_$1_content_t; # customizable;
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
files_type(httpd_$1_content_t)
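Review bot: The content types declared by `apache_content_template` no longer join the `httpdcontent` attribute, yet other interfaces in this file still depend on it: `apache_role` and `apache_domtrans_sys_script` keep `attribute httpdcontent;` in their requires, and `apache_admin` still calls `admin_pattern($1, httpdcontent)`. Unless apache.te assigns the attribute some other way (not visible here), those rules may now match nothing for template-generated types, and the difference will not show up as a build error. Either keep the attribute on the three content types or update the remaining users in the same commit. The template body continues beyond this hunk.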
@@ -36,32 +32,32 @@ template(`apache_content_template',`
domain_type(httpd_$1_script_t)
role system_r types httpd_$1_script_t;
+ search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)
+
# This type is used for executable scripts files
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
- type httpd_$1_rw_content_t, httpdcontent; # customizable
+ type httpd_$1_rw_content_t; # customizable
typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
files_type(httpd_$1_rw_content_t)
- type httpd_$1_ra_content_t, httpdcontent; # customizable
+ type httpd_$1_ra_content_t; # customizable
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
files_type(httpd_$1_ra_content_t)
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
- domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-
allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
allow httpd_$1_script_t self:fifo_file rw_file_perms;
allow httpd_$1_script_t self:unix_stream_socket connectto;
allow httpd_$1_script_t httpd_t:fifo_file write;
# apache should set close-on-exec
- dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+ apache_dontaudit_leaks(httpd_$1_script_t)
# Allow the script process to search the cgi directory, and users directory
allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
@@ -86,7 +82,6 @@ template(`apache_content_template',`
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
@@ -95,6 +90,7 @@ template(`apache_content_template',`
dev_read_urand(httpd_$1_script_t)
corecmd_exec_all_executables(httpd_$1_script_t)
+ application_exec_all(httpd_$1_script_t)
files_exec_etc_files(httpd_$1_script_t)
files_read_etc_files(httpd_$1_script_t)
@@ -108,19 +104,6 @@ template(`apache_content_template',`
seutil_dontaudit_search_config(httpd_$1_script_t)
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_$1_script_t httpdcontent:file entrypoint;
-
- manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
- manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
- manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
- can_exec(httpd_$1_script_t, httpdcontent)
- ')
-
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
- ')
-
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -140,26 +123,36 @@ template(`apache_content_template',`
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;
')
tunable_policy(`httpd_enable_cgi',`
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
# privileged users run the script:
domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
+
# apache runs the script:
domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+ allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
+
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
allow httpd_$1_script_t self:process { setsched signal_perms };
allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
+ allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
+ dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
+
kernel_read_system_state(httpd_$1_script_t)
dev_read_urand(httpd_$1_script_t)
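Review bot: The added `dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };` repeats a rule the template already gets unconditionally from `apache_dontaudit_leaks(httpd_$1_script_t)`, which this patch defines with the same `tcp_socket` line. Keeping the suppression in one place makes it clear which denials are hidden from the audit log. Drop the line here, or remove `tcp_socket` from the interface if the suppression is meant to apply only while `httpd_enable_cgi` is on.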
@@ -172,6 +165,7 @@ template(`apache_content_template',`
libs_read_lib_files(httpd_$1_script_t)
miscfiles_read_localization(httpd_$1_script_t)
+ allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
')
optional_policy(`
@@ -182,10 +176,6 @@ template(`apache_content_template',`
optional_policy(`
postgresql_unpriv_client(httpd_$1_script_t)
-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_$1_script_t)
- ')
')
optional_policy(`
@@ -211,9 +201,8 @@ template(`apache_content_template',`
interface(`apache_role',`
gen_require(`
attribute httpdcontent;
- type httpd_user_content_t, httpd_user_htaccess_t;
- type httpd_user_script_t, httpd_user_script_exec_t;
- type httpd_user_ra_content_t, httpd_user_rw_content_t;
+ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
+ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
')
role $1 types httpd_user_script_t;
@@ -234,6 +223,13 @@ interface(`apache_role',`
relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
@@ -248,6 +244,8 @@ interface(`apache_role',`
relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ apache_exec_modules($2)
+
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
@@ -317,6 +315,25 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
+######################################
+##
+## Allow the specified domain to execute apache
+## in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_exec',`
+ gen_require(`
+ type httpd_exec_t;
+ ')
+
+ can_exec($1, httpd_exec_t)
+')
+
#######################################
##
## Send a generic signal to apache.
@@ -405,7 +422,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@@ -487,7 +504,7 @@ interface(`apache_setattr_cache_dirs',`
type httpd_cache_t;
')
- allow $1 httpd_cache_t:dir setattr;
+ allow $1 httpd_cache_t:dir setattr_dir_perms;
')
########################################
@@ -531,6 +548,25 @@ interface(`apache_rw_cache_files',`
########################################
##
## Allow the specified domain to delete
+## Apache cache dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_delete_cache_dirs',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+##
+## Allow the specified domain to delete
## Apache cache.
##
##
@@ -549,6 +585,26 @@ interface(`apache_delete_cache_files',`
########################################
##
+## Allow the specified domain to search
+## apache configuration dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_search_config',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 httpd_config_t:dir search_dir_perms;
+')
+
+########################################
+##
## Allow the specified domain to read
## apache configuration files.
##
@@ -699,7 +755,7 @@ interface(`apache_dontaudit_append_log',`
type httpd_log_t;
')
- dontaudit $1 httpd_log_t:file { getattr append };
+ dontaudit $1 httpd_log_t:file append_file_perms;
')
########################################
@@ -745,6 +801,25 @@ interface(`apache_dontaudit_search_modules',`
########################################
##
+## Allow the specified domain to read
+## the apache module directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_read_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
+')
+
+########################################
+##
## Allow the specified domain to list
## the contents of the apache modules
## directory.
@@ -761,6 +836,7 @@ interface(`apache_list_modules',`
')
allow $1 httpd_modules_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
@@ -819,6 +895,7 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
files_search_var($1)
')
@@ -846,6 +923,74 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
+######################################
+##
+## Allow the specified domain to read
+## apache system content rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_read_sys_content_rw_files',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+##
+## Allow the specified domain to manage
+## apache system content rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_manage_sys_content_rw',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+########################################
+##
+## Allow the specified domain to delete
+## apache system content rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_delete_sys_content_rw',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ files_search_tmp($1)
+ delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
########################################
##
## Execute all web scripts in the system
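Review bot: `apache_delete_sys_content_rw` calls `files_search_tmp($1)`, whereas its sibling `apache_manage_sys_content_rw` in the same hunk uses `files_search_var($1)` for the same type, and apache.fc assigns `httpd_sys_rw_content_t` to paths under /etc, /var/lib and /var/www rather than /tmp. This looks like a leftover from a tmp-file interface. `files_search_var($1)` would match where the content lives and avoids handing callers a search permission on the tmp directory that they do not need.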
@@ -862,7 +1007,11 @@ interface(`apache_manage_sys_content',`
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
- type httpd_sys_script_t;
+ type httpd_sys_script_t, httpd_sys_content_t;
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
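Review bot: The new `domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)` uses `httpd_sys_script_exec_t`, but the `gen_require` block was extended with `httpd_sys_content_t` instead, which none of the visible rules reference. The require line should read `type httpd_sys_script_t, httpd_sys_script_exec_t;`, keeping `httpd_sys_content_t` only if the rest of the interface (outside this hunk) needs it. Without the require, callers in other modules depend on the type happening to be in scope.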
@@ -921,9 +1070,10 @@ interface(`apache_domtrans_all_scripts',`
##
##
##
-## Role allowed access..
+## Role allowed access.
##
##
+##
#
interface(`apache_run_all_scripts',`
gen_require(`
@@ -950,7 +1100,7 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
- allow $1 httpd_squirrelmail_t:file read_file_perms;
+ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
')
########################################
@@ -1091,6 +1241,25 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
+######################################
+##
+## Dontaudit attempts to read and write
+## apache tmp files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_tmp_t:file { read write };
+')
+
########################################
##
## Dontaudit attempts to write
@@ -1107,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
- dontaudit $1 httpd_tmp_t:file write_file_perms;
+ dontaudit $1 httpd_tmp_t:file write;
')
########################################
@@ -1170,17 +1339,14 @@ interface(`apache_cgi_domain',`
#
interface(`apache_admin',`
gen_require(`
- attribute httpdcontent;
- attribute httpd_script_exec_type;
-
+ attribute httpdcontent, httpd_script_exec_type;
type httpd_t, httpd_config_t, httpd_log_t;
- type httpd_modules_t, httpd_lock_t;
- type httpd_var_run_t, httpd_php_tmp_t;
+ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
+ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
- type httpd_initrc_exec_t;
')
- allow $1 httpd_t:process { getattr ptrace signal_perms };
+ allow $1 httpd_t:process { ptrace signal_perms };
ps_process_pattern($1, httpd_t)
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
@@ -1191,10 +1357,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, httpd_config_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
@@ -1205,14 +1371,43 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
- kernel_search_proc($1)
- allow $1 httpd_t:dir list_dir_perms;
-
- read_lnk_files_pattern($1, httpd_t, httpd_t)
-
admin_pattern($1, httpdcontent)
admin_pattern($1, httpd_script_exec_type)
+
+ seutil_domtrans_setfiles($1)
+
+ files_list_tmp($1)
admin_pattern($1, httpd_tmp_t)
admin_pattern($1, httpd_php_tmp_t)
admin_pattern($1, httpd_suexec_tmp_t)
+
+ ifdef(`TODO',`
+ apache_set_booleans($1, $2, $3, httpd_bool_t)
+ seutil_setsebool_role_template($1, $3, $2)
+ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
+ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
+ ')
+')
+
+########################################
+##
+## dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_dontaudit_leaks',`
+ gen_require(`
+ type httpd_t;
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 httpd_t:tcp_socket { read write };
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
+ dontaudit $1 httpd_tmp_t:file { read write };
')
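Review bot: `apache_dontaudit_leaks` silences read/write denials on httpd_t's fifo files, TCP and UNIX sockets and on `httpd_tmp_t` files for every caller, and the template applies it to all script domains. An attempt by a script to use the server's own descriptors therefore leaves no AVC record. The summary should state this and name the root cause, e.g. `## Do not audit read/write on descriptors leaked by httpd (httpd should set close-on-exec); rebuild with semodule -DB to see these denials.`, which also fixes the "an leaked" typo. In the same hunk, the `ifdef` TODO block in `apache_admin` refers to `$3` and `httpd_setsebool_t`, neither of which appears in the visible `gen_require`, so it is better left out until it can compile.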
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 3136c6a..1bf05a6 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
# Declarations
#
+selinux_genbool(httpd_bool_t)
+
##
-##
-## Allow Apache to modify public files
-## used for public file transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-##
+##
+## Allow Apache to modify public files
+## used for public file transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+##
##
gen_tunable(allow_httpd_anon_write, false)
##
-##
-## Allow Apache to use mod_auth_pam
-##
+##
+## Allow Apache to use mod_auth_pam
+##
##
gen_tunable(allow_httpd_mod_auth_pam, false)
##
-##
-## Allow httpd to use built in scripting (usually php)
-##
+##
+## Allow Apache to use mod_auth_ntlm_winbind
+##
+##
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+
+##
+##
+## Allow httpd scripts and modules execmem/execstack
+##
+##
+gen_tunable(httpd_execmem, false)
+
+##
+##
+## Allow httpd daemon to change system limits
+##
+##
+gen_tunable(httpd_setrlimit, false)
+
+##
+##
+## Allow httpd to use built in scripting (usually php)
+##
##
gen_tunable(httpd_builtin_scripting, false)
##
-##
-## Allow HTTPD scripts and modules to connect to the network using TCP.
-##
+##
+## Allow HTTPD scripts and modules to connect to the network using any TCP port.
+##
##
gen_tunable(httpd_can_network_connect, false)
##
-##
-## Allow HTTPD scripts and modules to connect to databases over the network.
-##
+##
+## Allow HTTPD scripts and modules to connect to cobbler over the network.
+##
+##
+gen_tunable(httpd_can_network_connect_cobbler, false)
+
+##
+##
+## Allow HTTPD scripts and modules to connect to databases over the network.
+##
##
gen_tunable(httpd_can_network_connect_db, false)
##
-##
-## Allow httpd to act as a relay
-##
+##
+## Allow httpd to connect to memcache server
+##
+##
+gen_tunable(httpd_can_network_memcache, false)
+
+##
+##
+## Allow httpd to act as a relay
+##
##
gen_tunable(httpd_can_network_relay, false)
##
-##
-## Allow http daemon to send mail
-##
+##
+## Allow http daemon to send mail
+##
##
gen_tunable(httpd_can_sendmail, false)
##
-##
-## Allow Apache to communicate with avahi service via dbus
-##
+##
+## Allow http daemon to check spam
+##
+##
+gen_tunable(httpd_can_check_spam, false)
+
+##
+##
+## Allow Apache to communicate with avahi service via dbus
+##
##
gen_tunable(httpd_dbus_avahi, false)
##
-##
-## Allow httpd cgi support
-##
+##
+## Allow httpd to execute cgi scripts
+##
##
gen_tunable(httpd_enable_cgi, false)
##
-##
-## Allow httpd to act as a FTP server by
-## listening on the ftp port.
-##
+##
+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+##
##
gen_tunable(httpd_enable_ftp_server, false)
##
-##
-## Allow httpd to read home directories
-##
+##
+## Allow httpd to read home directories
+##
##
gen_tunable(httpd_enable_homedirs, false)
##
-##
-## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
-##
+##
+## Allow httpd to read user content
+##
+##
+gen_tunable(httpd_read_user_content, false)
+
+##
+##
+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+##
##
gen_tunable(httpd_ssi_exec, false)
##
-##
-## Unify HTTPD to communicate with the terminal.
-## Needed for entering the passphrase for certificates at
-## the terminal.
-##
+##
+## Allow Apache to execute tmp content.
+##
+##
+gen_tunable(httpd_tmp_exec, false)
+
+##
+##
+## Unify HTTPD to communicate with the terminal.
+## Needed for entering the passphrase for certificates at
+## the terminal.
+##
##
gen_tunable(httpd_tty_comm, false)
##
-##
-## Unify HTTPD handling of all content files.
-##
+##
+## Unify HTTPD handling of all content files.
+##
##
gen_tunable(httpd_unified, false)
##
-##
-## Allow httpd to access cifs file systems
-##
+##
+## Allow httpd to access cifs file systems
+##
##
gen_tunable(httpd_use_cifs, false)
##
-##
-## Allow httpd to run gpg
-##
+##
+## Allow httpd to run gpg in gpg-web domain
+##
##
gen_tunable(httpd_use_gpg, false)
##
-##
-## Allow httpd to access nfs file systems
-##
+##
+## Allow httpd to access nfs file systems
+##
##
gen_tunable(httpd_use_nfs, false)
+##
+##
+## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
+##
+##
+gen_tunable(allow_httpd_sys_script_anon_write, false)
+
attribute httpdcontent;
attribute httpd_user_content_type;
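Review bot: The description added for `allow_httpd_sys_script_anon_write` names the label `public_rw_content_t`, while the description of `allow_httpd_anon_write` at the top of the same hunk names `public_content_rw_t`. Both tunables are later wired to `miscfiles_manage_public_files`, so they presumably mean the same type and one spelling is a typo. An administrator who copies the wrong name into a labelling command will not get the access the boolean promises. I would change the new text to `Directories/Files must be labeled public_content_rw_t.`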
@@ -166,7 +231,7 @@ files_type(httpd_cache_t)
# httpd_config_t is the type given to the configuration files
type httpd_config_t;
-files_type(httpd_config_t)
+files_config_file(httpd_config_t)
type httpd_helper_t;
type httpd_helper_exec_t;
@@ -216,7 +281,17 @@ files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
-typealias httpd_sys_content_t alias ntop_http_content_t;
+
+typeattribute httpd_sys_content_t httpdcontent; # customizable
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
@@ -226,6 +301,10 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_rw_content_t httpdcontent;
+typeattribute httpd_user_ra_content_t httpdcontent;
+
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
@@ -233,6 +312,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
@@ -254,6 +334,9 @@ files_type(httpd_var_lib_t)
type httpd_var_run_t;
files_pid_file(httpd_var_run_t)
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
# File Type of squirrelmail attachments
type squirrelmail_spool_t;
files_tmp_file(squirrelmail_spool_t)
@@ -281,11 +364,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
+dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
# Allow httpd_t to put files in /var/cache/httpd etc
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
@@ -329,8 +414,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
+files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
@@ -355,6 +441,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
@@ -365,8 +452,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
+corenet_udp_bind_generic_node(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
+corenet_tcp_bind_ntop_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
# Signal self for shutdown
corenet_tcp_connect_http_port(httpd_t)
@@ -378,12 +467,12 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
+fs_read_iso9660_files(httpd_t)
+fs_read_anon_inodefs_files(httpd_t)
auth_use_nsswitch(httpd_t)
-# execute perl
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+application_exec_all(httpd_t)
domain_use_interactive_fds(httpd_t)
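Review bot: Replacing `corecmd_exec_bin(httpd_t)` and `corecmd_exec_shell(httpd_t)` with the unconditional `application_exec_all(httpd_t)` looks like a widening of what the web server may execute, and the hunk drops the only comment (`# execute perl`) that said why exec was needed. The interface body is not visible here, but going by its name it covers every application executable type rather than the generic bin and shell types. If that breadth is intended, a comment such as `# httpd and its modules run helper programs of any application type` should record it; otherwise keep the two narrower calls. The same substitution is made for `httpd_suexec_t` in the later hunk at -699,17.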
@@ -391,6 +480,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
+files_read_var_symlinks(httpd_t)
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
@@ -402,6 +492,10 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
libs_read_lib_files(httpd_t)
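Review bot: The three added rules disagree about which type script temp files carry. The `manage_dirs_pattern` and `manage_files_pattern` lines give `httpd_sys_script_t` access to `httpd_tmp_t`, but `files_tmp_filetrans` labels what the script creates as `httpd_sys_rw_content_t`. If the comment means that scripts operate on files httpd uploaded, the filetrans target should probably be `httpd_tmp_t`, or the comment should explain why script-created files become rw content. The rules are also unconditional, so every system CGI script can modify httpd's own temp files regardless of any boolean, which is worth stating in the comment. The comment has a typo, `acton` for `act on`.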
@@ -416,34 +510,73 @@ seutil_dontaudit_search_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
+tunable_policy(`httpd_setrlimit',`
+ allow httpd_t self:process setrlimit;
+ allow httpd_t self:capability sys_resource;
+')
+
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
-ifdef(`TODO', `
#
# We need optionals to be able to be within booleans to make this work
#
tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
+ auth_domtrans_chkpwd(httpd_t)
+ logging_send_audit_msgs(httpd_t)
')
+
+optional_policy(`
+ tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
+ ')
')
tunable_policy(`httpd_can_network_connect',`
corenet_tcp_connect_all_ports(httpd_t)
')
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mssql_port(httpd_t)
+ corenet_sendrecv_mssql_client_packets(httpd_t)
+ corenet_tcp_connect_oracledb_port(httpd_t)
+ corenet_sendrecv_oracledb_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_memcache',`
+ corenet_tcp_connect_memcache_port(httpd_t)
+')
+
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
corenet_tcp_connect_ftp_port(httpd_t)
corenet_tcp_connect_http_port(httpd_t)
corenet_tcp_connect_http_cache_port(httpd_t)
+ corenet_tcp_connect_squid_port(httpd_t)
corenet_tcp_connect_memcache_port(httpd_t)
corenet_sendrecv_gopher_client_packets(httpd_t)
corenet_sendrecv_ftp_client_packets(httpd_t)
corenet_sendrecv_http_client_packets(httpd_t)
corenet_sendrecv_http_cache_client_packets(httpd_t)
+ corenet_sendrecv_squid_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_execmem',`
+ allow httpd_t self:process { execmem execstack };
+ allow httpd_sys_script_t self:process { execmem execstack };
+ allow httpd_suexec_t self:process { execmem execstack };
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
+')
+
+tunable_policy(`allow_httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
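Review bot: The new `httpd_execmem` block turns on both `execmem` and `execstack` for `httpd_t`, `httpd_sys_script_t` and `httpd_suexec_t` with a single boolean. A site that needs one module to map anonymous executable memory therefore also gets an executable stack in every CGI and suexec process. Consider limiting this block to `execmem` and putting `execstack` behind its own tunable, or add a comment such as `# execstack is included for <reason>` so the pairing is a recorded decision. Separately, the comment "We need optionals to be able to be within booleans to make this work" appears stale now that the `ifdef` it explained is removed in this hunk.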
@@ -456,6 +589,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -466,15 +603,27 @@ tunable_policy(`httpd_enable_ftp_server',`
corenet_tcp_bind_ftp_port(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs',`
- userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+ can_exec(httpd_t, httpd_tmp_t)
+')
+
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
+ can_exec(httpd_sys_script_t, httpd_tmp_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(httpd_t)
fs_read_nfs_files(httpd_t)
fs_read_nfs_symlinks(httpd_t)
')
+tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ fs_manage_nfs_dirs(httpd_t)
+ fs_manage_nfs_files(httpd_t)
+ fs_manage_nfs_symlinks(httpd_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
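Review bot: The new `httpd_use_nfs` block grants `fs_manage_nfs_dirs`, `fs_manage_nfs_files` and `fs_manage_nfs_symlinks` to `httpd_t`, while the tunable's description earlier in this file still says only "Allow httpd to access nfs file systems". Going by the interface names, an administrator who enables the boolean to serve read-only content from NFS gives the server create, write and delete on NFS-labelled files. Either use the read interfaces already used in the `use_nfs_home_dirs` block (`fs_read_nfs_files`, `fs_read_nfs_symlinks`) or change the description to say the access is read/write. The `httpd_use_cifs` block added in the next hunk has the same shape.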
@@ -484,7 +633,16 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
+ corenet_tcp_connect_pop_port(httpd_t)
+ corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
+ mta_signal_system_mail(httpd_t)
+')
+
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
')
tunable_policy(`httpd_ssi_exec',`
@@ -499,9 +657,11 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
',`
userdom_dontaudit_use_user_terminals(httpd_t)
+ userdom_dontaudit_use_user_terminals(httpd_suexec_t)
')
optional_policy(`
@@ -513,7 +673,13 @@ optional_policy(`
')
optional_policy(`
- cobbler_search_lib(httpd_t)
+ cobbler_list_config(httpd_t)
+ cobbler_read_config(httpd_t)
+ cobbler_read_lib_files(httpd_t)
+
+ tunable_policy(`httpd_can_network_connect_cobbler',`
+ corenet_tcp_connect_cobbler_port(httpd_t)
+ ')
')
optional_policy(`
@@ -528,7 +694,18 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
- optional_policy(`
+optional_policy(`
+ dirsrv_manage_config(httpd_t)
+ dirsrv_manage_log(httpd_t)
+ dirsrv_manage_var_run(httpd_t)
+ dirsrv_read_share(httpd_t)
+ dirsrv_signal(httpd_t)
+ dirsrv_signull(httpd_t)
+ dirsrvadmin_manage_config(httpd_t)
+ dirsrvadmin_manage_tmp(httpd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
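Review bot: The added `dirsrv` block gives `httpd_t` manage access to the directory server's config, log and var_run content with no tunable in front of it, so the grant is active wherever the dirsrv module is present. A comment naming the consumer (presumably the directory server's admin web interface) would make the reason reviewable. Wrapping the `dirsrv_manage_*` and `dirsrvadmin_manage_*` lines in a `tunable_policy` block that defaults to false would keep a plain web server from being able to rewrite directory-server configuration. What each interface grants is inferred from its name; the definitions are not in this hunk.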
@@ -537,8 +714,13 @@ optional_policy(`
')
optional_policy(`
+ git_read_generic_system_content_files(httpd_t)
+ gitosis_read_lib_files(httpd_t)
+')
+
+optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
- gpg_domtrans(httpd_t)
+ gpg_domtrans_web(httpd_t)
')
')
@@ -556,7 +738,13 @@ optional_policy(`
')
optional_policy(`
+ mediawiki_read_tmp_files(httpd_t)
+ mediawiki_delete_tmp_files(httpd_t)
+')
+
+optional_policy(`
# Allow httpd to work with mysql
+ mysql_read_config(httpd_t)
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
@@ -567,6 +755,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
+ nagios_read_log(httpd_t)
')
optional_policy(`
@@ -577,6 +766,16 @@ optional_policy(`
')
optional_policy(`
+ passenger_domtrans(httpd_t)
+ passenger_manage_pid_content(httpd_t)
+ passenger_read_lib_files(httpd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(httpd_t)
+')
+
+optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
@@ -591,6 +790,11 @@ optional_policy(`
')
optional_policy(`
+ smokeping_read_lib_files(httpd_t)
+')
+
+optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
@@ -603,6 +807,11 @@ optional_policy(`
yam_read_content(httpd_t)
')
+optional_policy(`
+ zarafa_stream_connect_server(httpd_t)
+ zarafa_search_config(httpd_t)
+')
+
########################################
#
# Apache helper local policy
@@ -616,7 +825,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
-userdom_use_user_terminals(httpd_helper_t)
+userdom_use_inherited_user_terminals(httpd_helper_t)
+
+tunable_policy(`httpd_tty_comm',`
+ userdom_use_inherited_user_terminals(httpd_helper_t)
+')
########################################
#
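Review bot: `userdom_use_inherited_user_terminals(httpd_helper_t)` is now granted twice, once unconditionally and once inside the added `tunable_policy` block for `httpd_tty_comm`, so the boolean has no effect on the helper domain. If terminal access for the helper is meant to follow the boolean, drop the unconditional line. If it is always needed, drop the added `tunable_policy` block instead.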
@@ -654,28 +867,29 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
- corenet_tcp_connect_mysqld_port(httpd_t)
- corenet_sendrecv_mysqld_client_packets(httpd_t)
- corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
- corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_mysqld_port(httpd_suexec_t)
- corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
-
- corenet_tcp_connect_mssql_port(httpd_t)
- corenet_sendrecv_mssql_client_packets(httpd_t)
- corenet_tcp_connect_mssql_port(httpd_sys_script_t)
- corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_mssql_port(httpd_suexec_t)
- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_mssql_port(httpd_php_t)
+ corenet_sendrecv_mssql_client_packets(httpd_php_t)
+ corenet_tcp_connect_oracledb_port(httpd_php_t)
+ corenet_sendrecv_oracledb_client_packets(httpd_php_t)
')
optional_policy(`
mysql_stream_connect(httpd_php_t)
+ mysql_rw_db_sockets(httpd_php_t)
mysql_read_config(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_php_t)
+ ')
')
optional_policy(`
postgresql_stream_connect(httpd_php_t)
+ postgresql_unpriv_client(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
')
########################################
@@ -699,17 +913,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
dev_read_urand(httpd_suexec_t)
+fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
-# for shell scripts
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
@@ -740,13 +959,26 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mssql_port(httpd_suexec_t)
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_oracledb_port(httpd_suexec_t)
+ corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
+')
+
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
+
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
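Review bot: `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` is added outside any `tunable_policy`, which makes ordinary system content an entry point for the script domain even when `httpd_enable_cgi` and `httpd_unified` are off. It also makes redundant the conditional `allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;` added under `httpd_enable_cgi && httpd_unified` earlier in this file. An entry point alone does not cause a transition, but it removes one of the checks that keeps content files from running as `httpd_sys_script_t`. Unless something outside the hunk needs it, I would drop the unconditional line and rely on the conditional rule.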
@@ -769,6 +1001,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
+optional_policy(`
+ mysql_stream_connect(httpd_suexec_t)
+ mysql_rw_db_sockets(httpd_suexec_t)
+ mysql_read_config(httpd_suexec_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_suexec_t)
+ ')
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_suexec_t)
+ postgresql_unpriv_client(httpd_suexec_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_suexec_t)
+ ')
+')
+
########################################
#
# Apache system script local policy
@@ -789,12 +1040,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
+files_read_var_symlinks(httpd_sys_script_t)
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
+logging_inherit_append_all_logs(httpd_sys_script_t)
+
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
+auth_use_nsswitch(httpd_sys_script_t)
+
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
@@ -803,18 +1059,49 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
+optional_policy(`
+ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+ spamassassin_domtrans_client(httpd_t)
+ ')
+')
+
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_oracledb_port(httpd_sys_script_t)
+ corenet_sendrecv_oracledb_client_packets(httpd_sys_script_t)
+')
+
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+
+tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_manage_nfs_dirs(httpd_sys_script_t)
+ fs_manage_nfs_files(httpd_sys_script_t)
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
+ fs_exec_nfs_files(httpd_sys_script_t)
+
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_manage_nfs_dirs(httpd_suexec_t)
+ fs_manage_nfs_files(httpd_suexec_t)
+ fs_manage_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
- corenet_tcp_bind_all_nodes(httpd_sys_script_t)
- corenet_udp_bind_all_nodes(httpd_sys_script_t)
+ corenet_tcp_bind_generic_node(httpd_sys_script_t)
+ corenet_udp_bind_generic_node(httpd_sys_script_t)
corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
- corenet_udp_sendrecv_all_if(httpd_sys_script_t)
- corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
- corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
@@ -822,14 +1109,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
- userdom_read_user_home_content_files(httpd_sys_script_t)
+ userdom_search_user_home_dirs(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_sys_script_t)
+ fs_manage_cifs_files(httpd_sys_script_t)
+ fs_manage_cifs_symlinks(httpd_sys_script_t)
+ fs_manage_cifs_dirs(httpd_suexec_t)
+ fs_manage_cifs_files(httpd_suexec_t)
+ fs_manage_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -842,10 +1144,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_sys_script_t)
+ ')
')
optional_policy(`
postgresql_stream_connect(httpd_sys_script_t)
+ postgresql_unpriv_client(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_sys_script_t)
+ ')
')
########################################
@@ -891,11 +1203,21 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
')
# allow accessing files/dirs below the users home dir
tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_t)
- userdom_search_user_home_dirs(httpd_suexec_t)
- userdom_search_user_home_dirs(httpd_user_script_t)
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
+')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
+ userdom_read_user_home_content_files(httpd_user_script_t)
')
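Review bot: After this hunk `httpd_enable_homedirs` grants only search access and reading moves to the new `httpd_read_user_content`, but the description of `httpd_enable_homedirs` in the declarations still reads "Allow httpd to read home directories". Update that text, for example to `Allow httpd to search home directories`, so administrators upgrading with the old boolean set know they must also enable the new one. The search interface also differs between domains. This block uses `userdom_search_user_home_content`, while the `httpd_sys_script_t` block earlier in the file was changed to `userdom_search_user_home_dirs`; if that is deliberate it deserves a comment.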
diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
index cd07b96..a87d1dd 100644
--- a/policy/modules/services/apcupsd.fc
+++ b/policy/modules/services/apcupsd.fc
@@ -13,3 +13,4 @@
/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
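Review bot: The new entry `/var/www/cgi-bin/apcgui(/.*)?` has no file-type specifier, unlike the `--` entries above it. The directory itself and every file under it, including any data or configuration files, are therefore labelled `httpd_apcupsd_cgi_script_exec_t`. If only the CGI programs need the executable type, match them by name with `--` as the existing lines do, or add a comment saying the whole tree is executable content.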
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index d052bf0..ec55314 100644
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
@@ -87,13 +87,17 @@ miscfiles_read_localization(apcupsd_t)
sysnet_dns_name_resolve(apcupsd_t)
-userdom_use_user_ttys(apcupsd_t)
+userdom_use_inherited_user_ttys(apcupsd_t)
optional_policy(`
hostname_exec(apcupsd_t)
')
optional_policy(`
+ shutdown_domtrans(apcupsd_t)
+')
+
+optional_policy(`
mta_send_mail(apcupsd_t)
mta_system_content(apcupsd_tmp_t)
')
diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if
index 1ea99b2..49e6c74 100644
--- a/policy/modules/services/apm.if
+++ b/policy/modules/services/apm.if
@@ -52,7 +52,7 @@ interface(`apm_write_pipes',`
type apmd_t;
')
- allow $1 apmd_t:fifo_file write;
+ allow $1 apmd_t:fifo_file write_fifo_file_perms;
')
########################################
@@ -89,7 +89,7 @@ interface(`apm_append_log',`
')
logging_search_logs($1)
- allow $1 apmd_log_t:file append;
+ allow $1 apmd_log_t:file append_file_perms;
')
########################################
@@ -108,6 +108,5 @@ interface(`apm_stream_connect',`
')
files_search_pids($1)
- allow $1 apmd_var_run_t:sock_file write;
- allow $1 apmd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
')
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
index 1c8c27e..6ddb10d 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
#
# Declarations
#
+
type apmd_t;
type apmd_exec_t;
init_daemon_domain(apmd_t, apmd_exec_t)
@@ -45,7 +46,7 @@ dev_rw_apm_bios(apm_t)
fs_getattr_xattr_fs(apm_t)
-term_use_all_terms(apm_t)
+term_use_all_inherited_terms(apm_t)
domain_use_interactive_fds(apm_t)
@@ -62,6 +63,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
+allow apmd_t self:netlink_socket create_socket_perms;
allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
@@ -81,6 +83,8 @@ kernel_rw_all_sysctls(apmd_t)
kernel_read_system_state(apmd_t)
kernel_write_proc_files(apmd_t)
+dev_read_input(apmd_t)
+dev_read_mouse(apmd_t)
dev_read_realtime_clock(apmd_t)
dev_read_urand(apmd_t)
dev_rw_apm_bios(apmd_t)
@@ -127,9 +131,6 @@ logging_send_audit_msgs(apmd_t)
miscfiles_read_localization(apmd_t)
miscfiles_read_hwdata(apmd_t)
-modutils_domtrans_insmod(apmd_t)
-modutils_read_module_config(apmd_t)
-
seutil_dontaudit_read_config(apmd_t)
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
@@ -142,9 +143,8 @@ ifdef(`distro_redhat',`
can_exec(apmd_t, apmd_var_run_t)
- # ifconfig_exec_t needs to be run in its own domain for Red Hat
optional_policy(`
- sysnet_domtrans_ifconfig(apmd_t)
+ fstools_domtrans(apmd_t)
')
optional_policy(`
@@ -155,6 +155,15 @@ ifdef(`distro_redhat',`
netutils_domtrans(apmd_t)
')
+ # ifconfig_exec_t needs to be run in its own domain for Red Hat
+ optional_policy(`
+ sssd_search_lib(apmd_t)
+ ')
+
+ optional_policy(`
+ sysnet_domtrans_ifconfig(apmd_t)
+ ')
+
',`
# for ifconfig which is run all the time
kernel_dontaudit_search_sysctl(apmd_t)
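Review bot: The comment `# ifconfig_exec_t needs to be run in its own domain for Red Hat` now sits above the `sssd_search_lib(apmd_t)` block, while the `sysnet_domtrans_ifconfig(apmd_t)` block it describes follows without a comment. Move the comment down one block so it is directly above `sysnet_domtrans_ifconfig(apmd_t)`. The enclosing `ifdef` for `distro_redhat` starts outside this hunk.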
@@ -205,6 +214,11 @@ optional_policy(`
')
optional_policy(`
+ modutils_domtrans_insmod(apmd_t)
+ modutils_read_module_config(apmd_t)
+')
+
+optional_policy(`
pcmcia_domtrans_cardmgr(apmd_t)
pcmcia_domtrans_cardctl(apmd_t)
')
@@ -218,9 +232,9 @@ optional_policy(`
udev_read_state(apmd_t) #necessary?
')
-optional_policy(`
- unconfined_domain(apmd_t)
-')
+#optional_policy(`
+# unconfined_domain(apmd_t)
+#')
optional_policy(`
vbetool_domtrans(apmd_t)
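Review bot: `unconfined_domain(apmd_t)` is disabled by commenting the block out rather than deleting it, which leaves no record of why and makes it easy to re-enable by accident. Delete the three lines, or keep them with a line such as `# apmd is confined; do not re-enable without reviewing the rules above` so the intent is explicit.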
diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
index c804110..bdefbe1 100644
--- a/policy/modules/services/arpwatch.if
+++ b/policy/modules/services/arpwatch.if
@@ -137,7 +137,7 @@ interface(`arpwatch_admin',`
type arpwatch_initrc_exec_t;
')
- allow $1 arpwatch_t:process { ptrace signal_perms getattr };
+ allow $1 arpwatch_t:process { ptrace signal_perms };
ps_process_pattern($1, arpwatch_t)
arpwatch_initrc_domtrans($1)
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
index 804135f..af04567 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
@@ -47,8 +47,9 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
kernel_read_network_state(arpwatch_t)
+# meminfo
+kernel_read_system_state(arpwatch_t)
kernel_read_kernel_sysctls(arpwatch_t)
-kernel_list_proc(arpwatch_t)
kernel_read_proc_symlinks(arpwatch_t)
kernel_request_load_module(arpwatch_t)
diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if
index 8b8143e..c1a2b96 100644
--- a/policy/modules/services/asterisk.if
+++ b/policy/modules/services/asterisk.if
@@ -64,7 +64,7 @@ interface(`asterisk_admin',`
type asterisk_initrc_exec_t;
')
- allow $1 asterisk_t:process { ptrace signal_perms getattr };
+ allow $1 asterisk_t:process { ptrace signal_perms };
ps_process_pattern($1, asterisk_t)
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index b3b0176..51cb893 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -76,10 +76,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
+manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file })
kernel_read_system_state(asterisk_t)
kernel_read_kernel_sysctls(asterisk_t)
@@ -108,6 +109,8 @@ corenet_tcp_bind_generic_port(asterisk_t)
corenet_udp_bind_generic_port(asterisk_t)
corenet_dontaudit_udp_bind_all_ports(asterisk_t)
corenet_sendrecv_generic_server_packets(asterisk_t)
+corenet_tcp_connect_festival_port(asterisk_t)
+corenet_tcp_connect_pktcable_port(asterisk_t)
corenet_tcp_connect_postgresql_port(asterisk_t)
corenet_tcp_connect_snmp_port(asterisk_t)
corenet_tcp_connect_sip_port(asterisk_t)
diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
index d80a16b..a43e006 100644
--- a/policy/modules/services/automount.if
+++ b/policy/modules/services/automount.if
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
##
##
#
-#
interface(`automount_signal',`
gen_require(`
type automount_t;
@@ -68,7 +67,8 @@ interface(`automount_read_state',`
type automount_t;
')
- read_files_pattern($1, automount_t, automount_t)
+ kernel_search_proc($1)
+ ps_process_pattern($1, automount_t)
')
########################################
@@ -123,7 +123,7 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
type automount_tmp_t;
')
- dontaudit $1 automount_tmp_t:dir getattr;
+ dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
')
########################################
@@ -149,7 +149,7 @@ interface(`automount_admin',`
type automount_var_run_t, automount_initrc_exec_t;
')
- allow $1 automount_t:process { ptrace signal_perms getattr };
+ allow $1 automount_t:process { ptrace signal_perms };
ps_process_pattern($1, automount_t)
init_labeled_script_domtrans($1, automount_initrc_exec_t)
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index 39799db..d174b05 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -143,9 +143,6 @@ logging_search_logs(automount_t)
miscfiles_read_localization(automount_t)
miscfiles_read_generic_certs(automount_t)
-# Run mount in the mount_t domain.
-mount_domtrans(automount_t)
-mount_signal(automount_t)
userdom_dontaudit_use_unpriv_user_fds(automount_t)
userdom_dontaudit_search_user_home_dirs(automount_t)
@@ -155,6 +152,13 @@ optional_policy(`
')
optional_policy(`
+ # Run mount in the mount_t domain.
+ mount_domtrans(automount_t)
+ mount_domtrans_showmount(automount_t)
+ mount_signal(automount_t)
+')
+
+optional_policy(`
fstools_domtrans(automount_t)
')
diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
index 61c74bc..c6b0498 100644
--- a/policy/modules/services/avahi.if
+++ b/policy/modules/services/avahi.if
@@ -90,6 +90,7 @@ interface(`avahi_dbus_chat',`
class dbus send_msg;
')
+ allow avahi_t $1:file read;
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
')
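Review bot: `allow avahi_t $1:file read;` is an access grant unrelated to what `avahi_dbus_chat` is documented to do. Every caller of this D-Bus interface now also lets avahi_t read files labeled with the caller's own domain type (presumably its /proc entries). No comment says what avahi reads, and a bare `read` without `getattr` or `open` suggests the rule was added to quiet one specific denial. Add a comment naming the file and the reason, or move the rule into a separate interface so callers opt in explicitly. The interface header and its `gen_require` start above this hunk.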
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index a7a0e71..5352ef6 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -17,6 +17,7 @@ files_pid_file(avahi_var_lib_t)
type avahi_var_run_t;
files_pid_file(avahi_var_run_t)
+init_sock_file(avahi_var_run_t)
########################################
#
@@ -46,6 +47,7 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
kernel_read_system_state(avahi_t)
kernel_read_kernel_sysctls(avahi_t)
kernel_read_network_state(avahi_t)
+kernel_request_load_module(avahi_t)
corecmd_exec_bin(avahi_t)
corecmd_exec_shell(avahi_t)
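Review bot: `kernel_request_load_module(avahi_t)` lets a daemon that parses traffic from the local network trigger kernel module autoloading, and the hunk gives no reason for it. If it was added for a single denial, name it in a comment, e.g. `# autoloads <MODULE> (placeholder: name the module and the denial)`. If the module is normally loaded at boot, a dontaudit rule is the narrower choice.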
@@ -104,6 +106,10 @@ optional_policy(`
')
optional_policy(`
+ rpcbind_signull(avahi_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(avahi_t)
')
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 44a1e3d..7e9d2fb 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -186,7 +186,7 @@ interface(`bind_write_config',`
')
write_files_pattern($1, named_conf_t, named_conf_t)
- allow $1 named_conf_t:file setattr;
+ allow $1 named_conf_t:file setattr_file_perms;
')
########################################
@@ -266,7 +266,7 @@ interface(`bind_setattr_pid_dirs',`
type named_var_run_t;
')
- allow $1 named_var_run_t:dir setattr;
+ allow $1 named_var_run_t:dir setattr_dir_perms;
')
########################################
@@ -284,7 +284,7 @@ interface(`bind_setattr_zone_dirs',`
type named_zone_t;
')
- allow $1 named_zone_t:dir setattr;
+ allow $1 named_zone_t:dir setattr_dir_perms;
')
########################################
@@ -308,6 +308,27 @@ interface(`bind_read_zone',`
########################################
##
+## Read BIND zone files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_read_log',`
+ gen_require(`
+ type named_zone_t;
+ type named_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_zone_t:dir search_dir_perms;
+ read_files_pattern($1, named_log_t, named_log_t)
+')
+
+########################################
+##
## Manage BIND zone files.
##
##
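Review bot: The new `bind_read_log` interface carries the summary of `bind_read_zone` (`Read BIND zone files.`) and, like it, requires `named_zone_t` and grants `search_dir_perms` on the zone directory. The summary should read `## Read BIND log files.`; as written, the interface documentation lists two zone-file readers. Whether the zone-directory search is needed depends on where the log files live, which this hunk does not show. If they sit under the system log directory, `logging_search_logs($1)` would replace the `files_search_var($1)` / `named_zone_t` pair, and callers would no longer gain traversal of the zone directory.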
@@ -359,10 +380,9 @@ interface(`bind_udp_chat_named',`
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
- type named_conf_t, named_var_lib_t, named_var_run_t;
- type named_cache_t, named_zone_t;
- type dnssec_t, ndc_t;
- type named_initrc_exec_t;
+ type named_conf_t, named_var_run_t, named_cache_t;
+ type named_zone_t, named_initrc_exec_t;
+ type dnssec_t, ndc_t, named_keytab_t;
')
allow $1 named_t:process { ptrace signal_perms };
@@ -391,8 +411,7 @@ interface(`bind_admin',`
admin_pattern($1, named_zone_t)
admin_pattern($1, dnssec_t)
- files_list_var_lib($1)
- admin_pattern($1, named_var_lib_t)
+ admin_pattern($1, named_keytab_t)
files_list_pids($1)
admin_pattern($1, named_var_run_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 4deca04..256bd70 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -6,10 +6,17 @@ policy_module(bind, 1.11.0)
#
##
-##
-## Allow BIND to write the master zone files.
-## Generally this is used for dynamic DNS or zone transfers.
-##
+##
+## Allow BIND to bind apache port.
+##
+##
+gen_tunable(named_bind_http_port, false)
+
+##
+##
+## Allow BIND to write the master zone files.
+## Generally this is used for dynamic DNS or zone transfers.
+##
##
gen_tunable(named_write_master_zones, false)
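Review bot: The description `Allow BIND to bind apache port.` does not say why a name server would listen on the HTTP port, so an administrator cannot judge when enabling `named_bind_http_port` is appropriate. State the use case in the tunable text (presumably a built-in HTTP statistics listener, to be confirmed), for example `Allow named to listen on the http port (for example for a statistics channel).` The matching `tunable_policy` block is in the later hunk at `@@ -147,6 +155,10 @@`.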
@@ -27,7 +34,7 @@ init_system_domain(named_t, named_checkconf_exec_t)
# A type for configuration files of named.
type named_conf_t;
-files_type(named_conf_t)
+files_config_file(named_conf_t)
files_mountpoint(named_conf_t)
# for secondary zone files
@@ -89,9 +96,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
files_tmp_filetrans(named_t, named_tmp_t, { file dir })
+manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t)
manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
-files_pid_filetrans(named_t, named_var_run_t, { file sock_file })
+files_pid_filetrans(named_t, named_var_run_t, { file sock_file dir })
# read zone files
allow named_t named_zone_t:dir list_dir_perms;
@@ -147,6 +155,10 @@ miscfiles_read_generic_certs(named_t)
userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
+tunable_policy(`named_bind_http_port',`
+ corenet_tcp_bind_http_port(named_t)
+')
+
tunable_policy(`named_write_master_zones',`
manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
manage_files_pattern(named_t, named_zone_t, named_zone_t)
@@ -201,12 +213,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
allow ndc_t dnssec_t:file read_file_perms;
-allow ndc_t dnssec_t:lnk_file { getattr read };
+allow ndc_t dnssec_t:lnk_file read_lnk_file_perms;
stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
allow ndc_t named_conf_t:file read_file_perms;
-allow ndc_t named_conf_t:lnk_file { getattr read };
+allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
@@ -238,13 +250,13 @@ miscfiles_read_localization(ndc_t)
sysnet_read_config(ndc_t)
sysnet_dns_name_resolve(ndc_t)
-userdom_use_user_terminals(ndc_t)
+userdom_use_inherited_user_terminals(ndc_t)
term_dontaudit_use_console(ndc_t)
# for /etc/rndc.key
ifdef(`distro_redhat',`
- allow ndc_t named_conf_t:dir search;
+ allow ndc_t named_conf_t:dir search_dir_perms;
')
optional_policy(`
diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc
index 0197980..f8bce2c 100644
--- a/policy/modules/services/bitlbee.fc
+++ b/policy/modules/services/bitlbee.fc
@@ -4,3 +4,6 @@
/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
+
+/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)
+/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)
diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
index f4e7ad3..68aebc4 100644
--- a/policy/modules/services/bitlbee.te
+++ b/policy/modules/services/bitlbee.te
@@ -22,29 +22,40 @@ files_tmp_file(bitlbee_tmp_t)
type bitlbee_var_t;
files_type(bitlbee_var_t)
+type bitlbee_var_run_t;
+files_type(bitlbee_var_run_t)
+
########################################
#
# Local policy
#
-allow bitlbee_t self:capability { setgid setuid };
-allow bitlbee_t self:process signal;
+allow bitlbee_t self:capability { setgid setuid sys_nice };
+allow bitlbee_t self:process { setsched signal };
+
+allow bitlbee_t self:fifo_file rw_fifo_file_perms;
allow bitlbee_t self:udp_socket create_socket_perms;
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
-allow bitlbee_t self:fifo_file rw_fifo_file_perms;
+allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
bitlbee_read_config(bitlbee_t)
# tmp files
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
-files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
+manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
# user account information is read and edited at runtime; give the usual
# r/w access to bitlbee_var_t
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
+
kernel_read_system_state(bitlbee_t)
corenet_all_recvfrom_unlabeled(bitlbee_t)
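Review bot: `bitlbee_var_run_t` is declared with `files_type(bitlbee_var_run_t)`, but it is used as a PID-file type: by `files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })` further down and by the `/var/run/bitlbee\.pid` entry in bitlbee.fc. Other modules in this patch declare such types with `files_pid_file(...)` (see `avahi_var_run_t`), so the declaration should be `files_pid_file(bitlbee_var_run_t)`. Otherwise interfaces that act on all pid files will presumably skip this type. Separately, the new `sys_nice` capability and `setsched` permission have no comment saying what needs them.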
@@ -52,6 +63,7 @@ corenet_udp_sendrecv_generic_if(bitlbee_t)
corenet_udp_sendrecv_generic_node(bitlbee_t)
corenet_tcp_sendrecv_generic_if(bitlbee_t)
corenet_tcp_sendrecv_generic_node(bitlbee_t)
+corenet_tcp_bind_generic_node(bitlbee_t)
# Allow bitlbee to connect to jabber servers
corenet_tcp_connect_jabber_client_port(bitlbee_t)
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 3e45431..fa57a6f 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -14,6 +14,7 @@
## User domain for the role
##
##
+##
#
interface(`bluetooth_role',`
gen_require(`
@@ -27,7 +28,7 @@ interface(`bluetooth_role',`
# allow ps to show cdrecord and allow the user to kill it
ps_process_pattern($2, bluetooth_helper_t)
- allow $2 bluetooth_helper_t:process signal;
+ allow $2 bluetooth_helper_t:process { ptrace signal_perms };
manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
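Review bot: The new rule `allow $2 bluetooth_helper_t:process { ptrace signal_perms };` gives the user domain `ptrace` over the helper, which goes beyond what the comment above it asks for (show the process in ps and let the user kill it). ptrace lets the caller read and alter the helper's memory, so any access bluetooth_helper_t holds beyond the user domain becomes reachable from `$2`. If only signalling is needed, use `allow $2 bluetooth_helper_t:process signal_perms;`. The comment still names cdrecord and should refer to the bluetooth helper. `bluetooth_role` begins above this hunk.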
@@ -91,7 +92,7 @@ interface(`bluetooth_read_config',`
type bluetooth_conf_t;
')
- allow $1 bluetooth_conf_t:file { getattr read ioctl };
+ allow $1 bluetooth_conf_t:file read_file_perms;
')
########################################
@@ -117,6 +118,27 @@ interface(`bluetooth_dbus_chat',`
########################################
##
+## dontaudit Send and receive messages from
+## bluetooth over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bluetooth_dontaudit_dbus_chat',`
+ gen_require(`
+ type bluetooth_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 bluetooth_t:dbus send_msg;
+ dontaudit bluetooth_t $1:dbus send_msg;
+')
+
+########################################
+##
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
##
##
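Review bot: The parameter text for `bluetooth_dontaudit_dbus_chat` was copied from the allow variant and reads `Domain allowed access.`; for a dontaudit interface it should be `## Domain to not audit.`. The second rule, `dontaudit bluetooth_t $1:dbus send_msg;`, also suppresses audit records for denials on the daemon side. The summary should say that both directions are silenced.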
@@ -157,7 +179,7 @@ interface(`bluetooth_run_helper',`
########################################
##
-## Read bluetooth helper state files.
+## Do not audit attempts to read bluetooth helper state files.
##
##
##
@@ -170,8 +192,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
type bluetooth_helper_t;
')
- dontaudit $1 bluetooth_helper_t:dir search;
- dontaudit $1 bluetooth_helper_t:file { read getattr };
+ dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
+ dontaudit $1 bluetooth_helper_t:file read_file_perms;
')
########################################
@@ -194,9 +216,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
interface(`bluetooth_admin',`
gen_require(`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
- type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
+ type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
type bluetooth_conf_t, bluetooth_conf_rw_t;
- type bluetooth_initrc_exec_t;
')
allow $1 bluetooth_t:process { ptrace signal_perms };
@@ -217,9 +238,6 @@ interface(`bluetooth_admin',`
admin_pattern($1, bluetooth_conf_t)
admin_pattern($1, bluetooth_conf_rw_t)
- files_list_spool($1)
- admin_pattern($1, bluetooth_spool_t)
-
files_list_var_lib($1)
admin_pattern($1, bluetooth_var_lib_t)
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 215b86b..4a3569f 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.3.0)
#
# Declarations
#
+
type bluetooth_t;
type bluetooth_exec_t;
init_daemon_domain(bluetooth_t, bluetooth_exec_t)
type bluetooth_conf_t;
-files_type(bluetooth_conf_t)
+files_config_file(bluetooth_conf_t)
type bluetooth_conf_rw_t;
files_type(bluetooth_conf_rw_t)
@@ -99,6 +100,11 @@ kernel_request_load_module(bluetooth_t)
#search debugfs - redhat bug 548206
kernel_search_debugfs(bluetooth_t)
+ifdef(`hide_broken_symptoms', `
+ kernel_rw_unlabeled_socket(bluetooth_t)
+ dev_rw_generic_chr_files(bluetooth_t)
+')
+
corenet_all_recvfrom_unlabeled(bluetooth_t)
corenet_all_recvfrom_netlabel(bluetooth_t)
corenet_tcp_sendrecv_generic_if(bluetooth_t)
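Review bot: The `hide_broken_symptoms` block adds allow rules, not dontaudit rules. `kernel_rw_unlabeled_socket(bluetooth_t)` and `dev_rw_generic_chr_files(bluetooth_t)` give bluetooth_t read/write on unlabeled sockets and on any character device that still carries the generic device label. That grants real access to whichever node happens to be mislabeled instead of hiding a symptom. Prefer fixing the label of the device bluetooth needs, or use dontaudit rules if the access is not required. At minimum add a comment such as `# <device> mislabeled, see <bug id>` (placeholders to fill in).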
@@ -147,6 +153,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
optional_policy(`
+ devicekit_dbus_chat_power(bluetooth_t)
+')
+
+optional_policy(`
dbus_system_bus_client(bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc
new file mode 100644
index 0000000..c095160
--- /dev/null
+++ b/policy/modules/services/boinc.fc
@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+
+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+
+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if
new file mode 100644
index 0000000..fa9b95a
--- /dev/null
+++ b/policy/modules/services/boinc.if
@@ -0,0 +1,150 @@
+## policy for boinc
+
+########################################
+##
+## Execute a domain transition to run boinc.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`boinc_domtrans',`
+ gen_require(`
+ type boinc_t, boinc_exec_t;
+ ')
+
+ domtrans_pattern($1, boinc_exec_t, boinc_t)
+')
+
+#######################################
+##
+## Execute boinc server in the boinc domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_initrc_domtrans',`
+ gen_require(`
+ type boinc_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+')
+
+########################################
+##
+## Search boinc lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_search_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ allow $1 boinc_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read boinc lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_read_lib_files',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## boinc lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_manage_lib_files',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+##
+## Manage boinc var_lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_manage_var_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an boinc environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`boinc_admin',`
+ gen_require(`
+ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
+ ')
+
+ allow $1 boinc_t:process { ptrace signal_perms };
+ ps_process_pattern($1, boinc_t)
+
+ boinc_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 boinc_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, boinc_var_lib_t)
+')
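Review bot: `boinc_admin` covers only `boinc_t` and `boinc_var_lib_t`, but boinc.fc labels /var/lib/boinc/projects and /var/lib/boinc/slots as `boinc_project_var_lib_t`, and boinc.te runs project code in `boinc_project_t`. An administrator confined through this interface therefore cannot signal project processes or manage project files. Add those types to `gen_require` and extend the body, e.g. `ps_process_pattern($1, boinc_project_t)` and `admin_pattern($1, boinc_project_var_lib_t)`. Also, `boinc_manage_lib_files` and `boinc_manage_var_lib` overlap, and the summary of `boinc_initrc_domtrans` says `Execute boinc server in the boinc domain.` although it transitions through the init script.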
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644
index 0000000..11ad49a
--- /dev/null
+++ b/policy/modules/services/boinc.te
@@ -0,0 +1,171 @@
+policy_module(boinc, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type boinc_t;
+type boinc_exec_t;
+init_daemon_domain(boinc_t, boinc_exec_t)
+
+type boinc_initrc_exec_t;
+init_script_file(boinc_initrc_exec_t)
+
+type boinc_tmp_t;
+files_tmp_file(boinc_tmp_t)
+
+type boinc_tmpfs_t;
+files_tmpfs_file(boinc_tmpfs_t)
+
+type boinc_var_lib_t;
+files_type(boinc_var_lib_t)
+
+type boinc_project_t;
+domain_type(boinc_project_t)
+role system_r types boinc_project_t;
+
+type boinc_project_tmp_t;
+files_tmp_file(boinc_project_tmp_t)
+
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
+########################################
+#
+# boinc local policy
+#
+
+allow boinc_t self:capability { kill };
+allow boinc_t self:process { setsched sigkill };
+
+allow boinc_t self:fifo_file rw_fifo_file_perms;
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
+allow boinc_t self:tcp_socket create_stream_socket_perms;
+allow boinc_t self:sem create_sem_perms;
+allow boinc_t self:shm create_shm_perms;
+
+manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+
+manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
+fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
+
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir)
+
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+
+# needs read /proc/interrupts
+kernel_read_system_state(boinc_t)
+
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+
+corecmd_exec_bin(boinc_t)
+corecmd_exec_shell(boinc_t)
+
+corenet_all_recvfrom_unlabeled(boinc_t)
+corenet_all_recvfrom_netlabel(boinc_t)
+corenet_tcp_sendrecv_generic_if(boinc_t)
+corenet_udp_sendrecv_generic_if(boinc_t)
+corenet_tcp_sendrecv_generic_node(boinc_t)
+corenet_udp_sendrecv_generic_node(boinc_t)
+corenet_tcp_sendrecv_all_ports(boinc_t)
+corenet_udp_sendrecv_all_ports(boinc_t)
+corenet_tcp_bind_generic_node(boinc_t)
+corenet_udp_bind_generic_node(boinc_t)
+corenet_tcp_bind_boinc_port(boinc_t)
+corenet_tcp_connect_boinc_port(boinc_t)
+corenet_tcp_connect_http_port(boinc_t)
+corenet_tcp_connect_http_cache_port(boinc_t)
+
+dev_list_sysfs(boinc_t)
+dev_read_rand(boinc_t)
+dev_read_urand(boinc_t)
+dev_read_sysfs(boinc_t)
+
+domain_read_all_domains_state(boinc_t)
+
+files_dontaudit_getattr_boot_dirs(boinc_t)
+
+files_read_etc_files(boinc_t)
+files_read_usr_files(boinc_t)
+
+fs_getattr_all_fs(boinc_t)
+
+term_getattr_all_ptys(boinc_t)
+term_getattr_unallocated_ttys(boinc_t)
+
+init_read_utmp(boinc_t)
+
+miscfiles_read_localization(boinc_t)
+miscfiles_read_generic_certs(boinc_t)
+
+logging_send_syslog_msg(boinc_t)
+
+sysnet_dns_name_resolve(boinc_t)
+
+mta_send_mail(boinc_t)
+
+########################################
+#
+# boinc-projects local policy
+#
+
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill;
+
+allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { execmem execstack };
+
+allow boinc_project_t self:fifo_file rw_fifo_file_perms;
+allow boinc_project_t self:sem create_sem_perms;
+
+manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
+
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
+
+allow boinc_project_t boinc_project_var_lib_t:file execmod;
+
+allow boinc_project_t boinc_t:shm rw_shm_perms;
+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
+
+list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
+rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
+
+kernel_read_system_state(boinc_project_t)
+kernel_read_kernel_sysctls(boinc_project_t)
+kernel_search_vm_sysctl(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
+
+corecmd_exec_bin(boinc_project_t)
+corecmd_exec_shell(boinc_project_t)
+
+corenet_tcp_connect_boinc_port(boinc_project_t)
+
+dev_read_rand(boinc_project_t)
+dev_read_urand(boinc_project_t)
+dev_read_sysfs(boinc_project_t)
+dev_rw_xserver_misc(boinc_project_t)
+
+files_read_etc_files(boinc_project_t)
+files_read_etc_runtime_files(boinc_project_t)
+files_read_usr_files(boinc_project_t)
+
+miscfiles_read_fonts(boinc_project_t)
+miscfiles_read_localization(boinc_project_t)
+
+optional_policy(`
+ java_exec(boinc_project_t)
+')
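Review bot: `boinc_project_t` is the domain for downloaded project binaries, yet `rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)` lets it rewrite files that `exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)` lets the client execute without a domain transition. That weakens the separation between the two domains: content changed by project code can end up running as boinc_t, which has the broader network access and `domain_read_all_domains_state`. Unless projects must write client state (not visible here), narrow the rule to `read_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)` or give the shared files their own type. The unconditional `execmem execstack` and `execmod` grants for boinc_project_t also need a comment naming what requires them.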
diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc
new file mode 100644
index 0000000..18f37e2
--- /dev/null
+++ b/policy/modules/services/bugzilla.fc
@@ -0,0 +1,4 @@
+
+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if
new file mode 100644
index 0000000..3964548
--- /dev/null
+++ b/policy/modules/services/bugzilla.if
@@ -0,0 +1,80 @@
+## Bugzilla server
+
+########################################
+##
+## Allow the specified domain to search
+## bugzilla directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bugzilla_search_dirs',`
+ gen_require(`
+ type httpd_bugzilla_content_t;
+ ')
+
+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## bugzilla script unix domain stream sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bugzilla_dontaudit_rw_script_stream_sockets',`
+ gen_require(`
+ type httpd_bugzilla_script_t;
+ ')
+
+ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an bugzilla environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the bugzilla domain.
+##
+##
+##
+#
+interface(`bugzilla_admin',`
+ gen_require(`
+ type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+ type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, httpd_bugzilla_script_exec_t;
+ type httpd_bugzilla_htaccess_t;
+ ')
+
+ allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
+ ps_process_pattern($1, httpd_bugzilla_script_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, httpd_bugzilla_tmp_t)
+
+ files_list_var_lib(httpd_bugzilla_script_t)
+
+ apache_list_sys_content($1)
+ admin_pattern($1, httpd_bugzilla_script_exec_t)
+ admin_pattern($1, httpd_bugzilla_script_t)
+ admin_pattern($1, httpd_bugzilla_content_t)
+ admin_pattern($1, httpd_bugzilla_htaccess_t)
+ admin_pattern($1, httpd_bugzilla_rw_content_t)
+ admin_pattern($1, httpd_bugzilla_ra_content_t)
+')
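Review bot: In `bugzilla_admin`, `files_list_var_lib(httpd_bugzilla_script_t)` applies to the script domain instead of the caller, so each use of the admin interface adds a rule for the web script while the administrator domain still cannot list /var/lib. It should be `files_list_var_lib($1)`. The interface documents a role parameter but never uses `$2`, and `admin_pattern($1, httpd_bugzilla_script_t)` passes a process domain where the other calls pass file types. In `bugzilla_dontaudit_rw_script_stream_sockets` the parameter text should be `Domain to not audit.`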
diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te
new file mode 100644
index 0000000..5fa8122
--- /dev/null
+++ b/policy/modules/services/bugzilla.te
@@ -0,0 +1,57 @@
+policy_module(bugzilla, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(bugzilla)
+
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
+########################################
+#
+# bugzilla local policy
+#
+
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_generic_node(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mta_send_mail(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
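Review bot: The script domain of a web-facing application gets `corenet_tcp_connect_http_port`, `corenet_tcp_connect_smtp_port` and both database ports unconditionally, with `corenet_tcp_sendrecv_all_ports` on top. None of this is behind a boolean, so an installation that uses only a local database still permits the script to open HTTP and SMTP connections to other hosts. Consider gating the http, smtp and remote-database rules with `tunable_policy` so they are off unless the site needs them. Add a comment per rule naming the feature that uses it.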
diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc
new file mode 100644
index 0000000..24d9837
--- /dev/null
+++ b/policy/modules/services/cachefilesd.fc
@@ -0,0 +1,29 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the contexts to be assigned to various files and directories of
+# importance to the CacheFiles kernel module and userspace management daemon.
+#
+
+# cachefilesd executable will have:
+# label: system_u:object_r:cachefilesd_exec_t
+# MLS sensitivity: s0
+# MCS categories:
+
+/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
diff --git a/policy/modules/services/cachefilesd.if b/policy/modules/services/cachefilesd.if
new file mode 100644
index 0000000..3b41945
--- /dev/null
+++ b/policy/modules/services/cachefilesd.if
@@ -0,0 +1,35 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
+## policy for cachefilesd
+
+########################################
+##
+## Execute a domain transition to run cachefilesd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cachefilesd_domtrans',`
+ gen_require(`
+ type cachefilesd_t, cachefilesd_exec_t;
+ ')
+
+ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
+')
diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
new file mode 100644
index 0000000..e7d2a5b
--- /dev/null
+++ b/policy/modules/services/cachefilesd.te
@@ -0,0 +1,145 @@
+###############################################################################
+#
+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# This security policy governs access by the CacheFiles kernel module and
+# userspace management daemon to the files and directories in the on-disk
+# cache, on behalf of the processes accessing the cache through a network
+# filesystem such as NFS
+#
+policy_module(cachefilesd, 1.0.17)
+
+###############################################################################
+#
+# Declarations
+#
+
+#
+# Files in the cache are created by the cachefiles module with security ID
+# cachefiles_var_t
+#
+type cachefiles_var_t;
+files_type(cachefiles_var_t)
+
+#
+# The /dev/cachefiles character device has security ID cachefiles_dev_t
+#
+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
+#
+# The cachefilesd daemon normally runs with security ID cachefilesd_t
+#
+type cachefilesd_t;
+type cachefilesd_exec_t;
+init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
+
+#
+# The cachefilesd daemon pid file context
+#
+type cachefilesd_var_run_t;
+files_pid_file(cachefilesd_var_run_t)
+
+#
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
+#
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
+###############################################################################
+#
+# Permit RPM to deal with files in the cache
+#
+optional_policy(`
+ rpm_use_script_fds(cachefilesd_t)
+')
+
+###############################################################################
+#
+# cachefilesd local policy
+#
+# These define what cachefilesd is permitted to do. This doesn't include very
+# much: startup stuff, logging, pid file, scanning the cache superstructure and
+# deleting files from the cache. It is not permitted to read/write files in
+# the cache.
+#
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
+allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
+
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
+manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
+files_create_as_is_all_files(cachefilesd_t)
+
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
+
+# Allow access to cache superstructure
+allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
+allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };
+
+# Permit statfs on the backing filesystem
+fs_getattr_xattr_fs(cachefilesd_t)
+
+# Basic access
+files_read_etc_files(cachefilesd_t)
+miscfiles_read_localization(cachefilesd_t)
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
+term_dontaudit_use_generic_ptys(cachefilesd_t)
+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
+
+###############################################################################
+#
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
+# the kernel module the security context in which it should act, and this
+# policy has to approve that.
+#
+# There are two parts to this:
+#
+# (1) the security context used by the module to access files in the cache,
+# as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
+allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
+
+#
+# (2) the label that will be assigned to new files and directories created in
+# the cache by the module, which will be the same as the label on the
+# directory pointed to by the 'dir' command.
+#
+allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
+
+###############################################################################
+#
+# cachefiles kernel module local policy
+#
+# This governs what the kernel module is allowed to do the contents of the
+# cache.
+#
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
+
+manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
+
+init_sigchld_script(cachefiles_kernel_t)
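Review bot: `files_create_as_is_all_files(cachefilesd_t)` sits under the pid-file comment but, going by its name, appears to grant `create_files_as` for every file type. That would make the later `allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };` redundant and let the daemon ask the kernel module to create cache objects under any label. The section comment says the policy has to approve the label used for new cache files, so the narrow rule looks like the intended one; I would drop the broad call or add a comment stating why it is needed. Separately, `allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;` looks redundant next to the `manage_files_pattern` call on the following line.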
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index 1d25efe..1b16191 100644
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
allow canna_t self:tcp_socket create_stream_socket_perms;
manage_files_pattern(canna_t, canna_log_t, canna_log_t)
-allow canna_t canna_log_t:dir setattr;
+allow canna_t canna_log_t:dir setattr_dir_perms;
logging_log_filetrans(canna_t, canna_log_t, { file dir })
manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if
index 6ee2cc8..3105b09 100644
--- a/policy/modules/services/ccs.if
+++ b/policy/modules/services/ccs.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run ccs.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`ccs_domtrans',`
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index 4c90b57..af806c2 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -10,7 +10,7 @@ type ccs_exec_t;
init_daemon_domain(ccs_t, ccs_exec_t)
type cluster_conf_t;
-files_type(cluster_conf_t)
+files_config_file(cluster_conf_t)
type ccs_tmp_t;
files_tmp_file(ccs_tmp_t)
@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
-allow ccs_t ccs_var_log_t:dir setattr;
+allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
@@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t)
userdom_manage_unpriv_user_shared_mem(ccs_t)
userdom_manage_unpriv_user_semaphores(ccs_t)
-ifdef(`hide_broken_symptoms', `
+ifdef(`hide_broken_symptoms',`
corecmd_dontaudit_write_bin_dirs(ccs_t)
files_manage_isid_type_files(ccs_t)
')
@@ -118,5 +118,10 @@ optional_policy(`
')
optional_policy(`
+ qpidd_rw_semaphores(ccs_t)
+ qpidd_rw_shm(ccs_t)
+')
+
+optional_policy(`
unconfined_use_fds(ccs_t)
')
diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
index fa62787..ffd0da5 100644
--- a/policy/modules/services/certmaster.if
+++ b/policy/modules/services/certmaster.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run certmaster.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`certmaster_domtrans',`
@@ -108,7 +108,7 @@ interface(`certmaster_manage_log',`
##
##
##
-## The role to be allowed to manage the syslog domain.
+## Role allowed access.
##
##
##
@@ -116,8 +116,7 @@ interface(`certmaster_manage_log',`
interface(`certmaster_admin',`
gen_require(`
type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
- type certmaster_etc_rw_t, certmaster_var_log_t;
- type certmaster_initrc_exec_t;
+ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
')
allow $1 certmaster_t:process { ptrace signal_perms };
@@ -129,8 +128,8 @@ interface(`certmaster_admin',`
allow $2 system_r;
files_list_etc($1)
- miscfiles_manage_generic_cert_dirs($1)
- miscfiles_manage_generic_cert_files($1)
+ miscfiles_manage_generic_cert_dirs($1)
+ miscfiles_manage_generic_cert_files($1)
admin_pattern($1, certmaster_etc_rw_t)
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
index 3384132..daef4e1 100644
--- a/policy/modules/services/certmaster.te
+++ b/policy/modules/services/certmaster.te
@@ -43,23 +43,23 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
# log files
manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
-logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
+logging_log_filetrans(certmaster_t, certmaster_var_log_t, file)
# pid file
manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
-files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
+files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file })
# read meminfo
kernel_read_system_state(certmaster_t)
-corecmd_search_bin(certmaster_t)
-corecmd_getattr_bin_files(certmaster_t)
+corecmd_exec_bin(certmaster_t)
corenet_tcp_bind_generic_node(certmaster_t)
corenet_tcp_bind_certmaster_port(certmaster_t)
files_search_etc(certmaster_t)
+files_read_usr_files(certmaster_t)
files_list_var(certmaster_t)
files_search_var_lib(certmaster_t)
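Review bot: Replacing `corecmd_search_bin` and `corecmd_getattr_bin_files` with `corecmd_exec_bin(certmaster_t)` moves certmaster from inspecting generic binaries to running them inside its own domain, and the hunk gives no reason. A one-line comment above the call naming what the daemon executes, e.g. `# certmaster runs <helper> (placeholder: fill in the real program)`, would let a later reviewer judge whether a dedicated domain transition is the better fit. The same applies to the added `files_read_usr_files(certmaster_t)`.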
diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if
index 7a6e5ba..d664be8 100644
--- a/policy/modules/services/certmonger.if
+++ b/policy/modules/services/certmonger.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run certmonger.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`certmonger_domtrans',`
@@ -166,9 +166,9 @@ interface(`certmonger_admin',`
role_transition $2 certmonger_initrc_exec_t system_r;
allow $2 system_r;
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, certmonger_var_lib_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
index c3e3f79..3e78d4e 100644
--- a/policy/modules/services/certmonger.te
+++ b/policy/modules/services/certmonger.te
@@ -23,7 +23,8 @@ files_type(certmonger_var_lib_t)
# certmonger local policy
#
-allow certmonger_t self:capability { kill sys_nice };
+allow certmonger_t self:capability { dac_override dac_read_search kill sys_nice };
+dontaudit certmonger_t self:capability sys_tty_config;
allow certmonger_t self:process { getsched setsched sigkill };
allow certmonger_t self:fifo_file rw_file_perms;
allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
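Review bot: The capability line now adds both `dac_override` and `dac_read_search` to certmonger_t without a comment, and later hunks in this file add `kerberos_read_keytab`, `dirsrv_manage_config` and `userdom_search_user_home_content`, so the domain can bypass file-mode checks on key material it is newly allowed to reach. If the daemon only needs to traverse and read paths it does not own, `dac_read_search` alone is the narrower grant; `dac_override` also covers writes. I would either drop `dac_override` or add a comment stating the concrete reason it is required, for example `# writes certificates into directories owned by the requesting service` if that is the case.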
@@ -32,16 +33,19 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
-files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
+files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir })
manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
+corecmd_exec_bin(certmonger_t)
+
corenet_tcp_sendrecv_generic_if(certmonger_t)
corenet_tcp_sendrecv_generic_node(certmonger_t)
corenet_tcp_sendrecv_all_ports(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t)
+corenet_tcp_connect_http_port(certmonger_t)
dev_read_urand(certmonger_t)
@@ -51,6 +55,8 @@ files_read_etc_files(certmonger_t)
files_read_usr_files(certmonger_t)
files_list_tmp(certmonger_t)
+auth_rw_cache(certmonger_t)
+
logging_send_syslog_msg(certmonger_t)
miscfiles_read_localization(certmonger_t)
@@ -58,15 +64,32 @@ miscfiles_manage_generic_cert_files(certmonger_t)
sysnet_dns_name_resolve(certmonger_t)
+userdom_search_user_home_content(certmonger_t)
+
+optional_policy(`
+ apache_search_config(certmonger_t)
+')
+
+optional_policy(`
+ bind_search_cache(certmonger_t)
+')
+
optional_policy(`
dbus_system_bus_client(certmonger_t)
dbus_connect_system_bus(certmonger_t)
')
optional_policy(`
+ dirsrv_manage_config(certmonger_t)
+')
+
+optional_policy(`
kerberos_use(certmonger_t)
+ kerberos_read_keytab(certmonger_t)
')
optional_policy(`
+ pcscd_read_pub_files(certmonger_t)
pcscd_stream_connect(certmonger_t)
')
+
diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
index 420c9d3..b6bb46c 100644
--- a/policy/modules/services/cgroup.fc
+++ b/policy/modules/services/cgroup.fc
@@ -11,4 +11,5 @@
/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+/var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0)
/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
index d020c93..e5cbcef 100644
--- a/policy/modules/services/cgroup.if
+++ b/policy/modules/services/cgroup.if
@@ -6,9 +6,9 @@
## CG Clear.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`cgroup_domtrans_cgclear',`
@@ -26,9 +26,9 @@ interface(`cgroup_domtrans_cgclear',`
## CG config parser.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`cgroup_domtrans_cgconfig',`
@@ -65,9 +65,9 @@ interface(`cgroup_initrc_domtrans_cgconfig',`
## CG rules engine daemon.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`cgroup_domtrans_cgred',`
@@ -182,10 +182,10 @@ interface(`cgroup_admin',`
admin_pattern($1, cgconfig_etc_t)
admin_pattern($1, cgrules_etc_t)
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, cgred_var_run_t)
- files_search_pids($1)
+ files_list_pids($1)
cgroup_initrc_domtrans_cgconfig($1)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
index 8ca2333..09a114b 100644
--- a/policy/modules/services/cgroup.te
+++ b/policy/modules/services/cgroup.te
@@ -16,14 +16,17 @@ init_daemon_domain(cgred_t, cgred_exec_t)
type cgred_initrc_exec_t;
init_script_file(cgred_initrc_exec_t)
+type cgred_log_t;
+logging_log_file(cgred_log_t)
+
type cgred_var_run_t;
files_pid_file(cgred_var_run_t)
type cgrules_etc_t;
files_config_file(cgrules_etc_t)
-type cgconfig_t;
-type cgconfig_exec_t;
+type cgconfig_t alias cgconfigparser_t;
+type cgconfig_exec_t alias cgconfigparser_exec_t;
init_daemon_domain(cgconfig_t, cgconfig_exec_t)
type cgconfig_initrc_exec_t;
@@ -36,8 +39,7 @@ files_config_file(cgconfig_etc_t)
#
# cgclear personal policy.
#
-
-allow cgclear_t self:capability sys_admin;
+allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
kernel_read_system_state(cgclear_t)
@@ -52,7 +54,7 @@ fs_unmount_cgroup(cgclear_t)
# cgconfig personal policy.
#
-allow cgconfig_t self:capability { chown sys_admin };
+allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config };
allow cgconfig_t cgconfig_etc_t:file read_file_perms;
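Review bot: `sys_tty_config` is granted to cgconfig_t as an allowed capability, whereas other domains on this page treat it as noise: certmonger.te adds `dontaudit certmonger_t self:capability sys_tty_config;` and clamav.te already has the same rule for clamd_t. Unless the config parser really reconfigures a terminal, keep it out of the allow set with `allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin };` followed by `dontaudit cgconfig_t self:capability sys_tty_config;`. The growth from two to six capabilities also deserves a comment saying which cgroup operation needs `fowner` and `fsetid`.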
@@ -67,18 +69,22 @@ fs_manage_cgroup_dirs(cgconfig_t)
fs_manage_cgroup_files(cgconfig_t)
fs_mount_cgroup(cgconfig_t)
fs_mounton_cgroup(cgconfig_t)
+fs_unmount_cgroup(cgconfig_t)
########################################
#
# cgred personal policy.
#
-allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
+allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
allow cgred_t cgrules_etc_t:file read_file_perms;
+manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t)
+logging_log_filetrans(cgred_t, cgred_log_t, file)
+
# rc script creates pid file
manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
index 9a0da94..2ede737 100644
--- a/policy/modules/services/chronyd.if
+++ b/policy/modules/services/chronyd.if
@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
domtrans_pattern($1, chronyd_exec_t, chronyd_t)
')
+########################################
+##
+## Execute chronyd server in the chronyd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`chronyd_initrc_domtrans',`
+ gen_require(`
+ type chronyd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+')
+
####################################
##
## Execute chronyd
@@ -56,6 +74,64 @@ interface(`chronyd_read_log',`
read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
')
+########################################
+##
+## Read and write chronyd shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_rw_shm',`
+ gen_require(`
+ type chronyd_t, chronyd_tmpfs_t;
+ ')
+
+ allow $1 chronyd_t:shm rw_shm_perms;
+ allow $1 chronyd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
+ read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+##
+## Read chronyd keys files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_read_keys',`
+ gen_require(`
+ type chronyd_keys_t;
+ ')
+
+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
+########################################
+##
+## Append chronyd keys files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_append_keys',`
+ gen_require(`
+ type chronyd_keys_t;
+ ')
+
+ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
####################################
##
## All of the rules required to administrate
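Review bot: `chronyd_read_keys` and `chronyd_append_keys` grant access to `chronyd_keys_t` files but not search on the directory that holds them, while `chronyd_admin` pairs `files_list_etc($1)` with the same type, which suggests the key file lives under /etc. Adding `files_search_etc($1)` before the pattern call in both interfaces would make them usable on their own. The summary of `chronyd_append_keys` should also state that a caller can add entries to chronyd's key file, since that is a stronger grant than an append to a log.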
@@ -75,9 +151,9 @@ interface(`chronyd_read_log',`
#
interface(`chronyd_admin',`
gen_require(`
- type chronyd_t, chronyd_var_log_t;
- type chronyd_var_run_t, chronyd_var_lib_t;
- type chronyd_initrc_exec_t, chronyd_keys_t;
+ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
+ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
+ type chronyd_keys_t;
')
allow $1 chronyd_t:process { ptrace signal_perms };
@@ -88,18 +164,17 @@ interface(`chronyd_admin',`
role_transition $2 chronyd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, chronyd_keys_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, chronyd_var_log_t)
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, chronyd_var_lib_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, chronyd_var_run_t)
- files_search_tmp($1)
- admin_pattern($1, chronyd_tmp_t)
+ admin_pattern($1, chronyd_tmpfs_t)
')
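Review bot: `admin_pattern($1, chronyd_tmpfs_t)` replaces the old tmp stanza, but the accompanying directory access was dropped rather than swapped: `files_search_tmp($1)` is removed and nothing gives the admin domain search on tmpfs. `chronyd_rw_shm`, added earlier in this file, calls `fs_search_tmpfs($1)` for the same type. To match the other stanzas in this interface, add `fs_search_tmpfs($1)` above the `admin_pattern($1, chronyd_tmpfs_t)` line.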
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index fa82327..db20d26 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -15,6 +15,9 @@ init_script_file(chronyd_initrc_exec_t)
type chronyd_keys_t;
files_type(chronyd_keys_t)
+type chronyd_tmpfs_t;
+files_tmpfs_file(chronyd_tmpfs_t)
+
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
@@ -34,9 +37,14 @@ allow chronyd_t self:process { getcap setcap setrlimit };
allow chronyd_t self:shm create_shm_perms;
allow chronyd_t self:udp_socket create_socket_perms;
allow chronyd_t self:unix_dgram_socket create_socket_perms;
+allow chronyd_t self:fifo_file rw_fifo_file_perms;
allow chronyd_t chronyd_keys_t:file read_file_perms;
+manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
+
manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
@@ -50,6 +58,11 @@ manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
+kernel_read_system_state(chronyd_t)
+
+corecmd_exec_shell(chronyd_t)
+
+corenet_udp_bind_generic_node(chronyd_t)
corenet_udp_bind_ntp_port(chronyd_t)
# bind to udp/323
corenet_udp_bind_chronyd_port(chronyd_t)
@@ -63,6 +76,8 @@ logging_send_syslog_msg(chronyd_t)
miscfiles_read_localization(chronyd_t)
+mta_send_mail(chronyd_t)
+
optional_policy(`
gpsd_rw_shm(chronyd_t)
')
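Review bot: `mta_send_mail(chronyd_t)` is added as an unconditional call, so the chronyd module gains a hard dependency on the mta module; elsewhere in this patch the same call is moved inside an `optional_policy` block (clamd_t and clamscan_t in clamav.te). Wrap this one the same way, next to the existing optional block for `gpsd_rw_shm`. Together with `corecmd_exec_shell(chronyd_t)` from the previous hunk this lets a time daemon run a shell and hand data to the mailer, so a comment naming the chronyd feature that needs it would help reviewers.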
diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc
index e8e9a21..0af0260 100644
--- a/policy/modules/services/clamav.fc
+++ b/policy/modules/services/clamav.fc
@@ -10,6 +10,7 @@
/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/lib/clamd.* gen_context(system_u:object_r:clamd_var_lib_t,s0)
/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 1f11572..7f6a7ab 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
type clamd_t, clamd_var_run_t;
')
+ files_search_pids($1)
stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
')
@@ -49,12 +50,12 @@ interface(`clamav_stream_connect',`
#
interface(`clamav_append_log',`
gen_require(`
- type clamav_log_t;
+ type clamav_var_log_t;
')
logging_search_logs($1)
- allow $1 clamav_log_t:dir list_dir_perms;
- append_files_pattern($1, clamav_log_t, clamav_log_t)
+ allow $1 clamav_var_log_t:dir list_dir_perms;
+ append_files_pattern($1, clamav_var_log_t, clamav_var_log_t)
')
########################################
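Review bot: The rename from `clamav_log_t` to `clamav_var_log_t` in `clamav_append_log` still points at a type that is not declared anywhere on this page: clamav.fc labels the logs `clamd_var_log_t` and `freshclam_var_log_t`, and `clamav_admin` requires `clamd_var_log_t`. If clamav.te has no `clamav_var_log_t`, every caller of this interface will fail in `gen_require`. The three changed lines should probably use the daemon's log type: `type clamd_var_log_t;`, `allow $1 clamd_var_log_t:dir list_dir_perms;` and `append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)`.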
@@ -151,9 +152,8 @@ interface(`clamav_exec_clamscan',`
interface(`clamav_admin',`
gen_require(`
type clamd_t, clamd_etc_t, clamd_tmp_t;
- type clamd_var_log_t, clamd_var_lib_t;
- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
- type clamd_initrc_exec_t;
+ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
+ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
type freshclam_t, freshclam_var_log_t;
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index f758323..28166c1 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,9 +1,9 @@
policy_module(clamav, 1.9.0)
##
-##
-## Allow clamd to use JIT compiler
-##
+##
+## Allow clamd to use JIT compiler
+##
##
gen_tunable(clamd_use_jit, false)
@@ -64,6 +64,8 @@ logging_log_file(freshclam_var_log_t)
allow clamd_t self:capability { kill setgid setuid dac_override };
dontaudit clamd_t self:capability sys_tty_config;
+allow clamd_t self:process signal;
+
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
@@ -80,6 +82,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
# var/lib files for clamd
+manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
@@ -89,9 +92,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
# pid file
+manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
-files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })
+files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir })
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
@@ -110,6 +114,7 @@ corenet_tcp_bind_generic_node(clamd_t)
corenet_tcp_bind_clamd_port(clamd_t)
corenet_tcp_bind_generic_port(clamd_t)
corenet_tcp_connect_generic_port(clamd_t)
+corenet_tcp_connect_clamd_port(clamd_t)
corenet_sendrecv_clamd_server_packets(clamd_t)
dev_read_rand(clamd_t)
@@ -127,12 +132,16 @@ logging_send_syslog_msg(clamd_t)
miscfiles_read_localization(clamd_t)
-cron_use_fds(clamd_t)
-cron_use_system_job_fds(clamd_t)
-cron_rw_pipes(clamd_t)
+optional_policy(`
+ cron_use_fds(clamd_t)
+ cron_use_system_job_fds(clamd_t)
+ cron_rw_pipes(clamd_t)
+')
-mta_read_config(clamd_t)
-mta_send_mail(clamd_t)
+optional_policy(`
+ mta_read_config(clamd_t)
+ mta_send_mail(clamd_t)
+')
optional_policy(`
amavis_read_lib_files(clamd_t)
@@ -147,8 +156,10 @@ optional_policy(`
tunable_policy(`clamd_use_jit',`
allow clamd_t self:process execmem;
-', `
+ allow clamscan_t self:process execmem;
+',`
dontaudit clamd_t self:process execmem;
+ dontaudit clamscan_t self:process execmem;
')
########################################
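Review bot: The `clamd_use_jit` block in the clamd section now also switches `execmem` for clamscan_t, and freshclam_t has its own block on the same boolean, but the tunable description at the top of the file still reads "Allow clamd to use JIT compiler". An administrator who enables it for the daemon also gets writable-executable memory in the scanner, which parses the files being scanned, and in the updater. Update the description to name all three domains, e.g. `Allow clamd, clamscan and freshclam to use the JIT compiler (grants execmem)`, and consider moving the clamscan_t lines into the clamscan section, the way freshclam_t has its own block.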
@@ -178,10 +189,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
-allow freshclam_t freshclam_var_log_t:dir setattr;
-allow freshclam_t clamd_var_log_t:dir search_dir_perms;
+allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
+read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+kernel_read_kernel_sysctls(freshclam_t)
+kernel_read_system_state(freshclam_t)
+
+corecmd_exec_shell(freshclam_t)
+corecmd_exec_bin(freshclam_t)
+
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
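Review bot: freshclam_t gains `corecmd_exec_shell` and `corecmd_exec_bin` with no comment, so the domain that fetches signature updates over HTTP can now run a shell and generic binaries without leaving its own domain. If this is for a post-update command hook (an assumption, the hunk does not say), a comment such as `# freshclam runs administrator-configured commands after an update` above the two calls would record that. The replacement of the directory search on `clamd_var_log_t` with `read_files_pattern` also gives the updater read access to the daemon's logs and deserves the same kind of note.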
@@ -189,6 +206,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
+corenet_tcp_connect_clamd_port(freshclam_t)
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
@@ -207,16 +225,18 @@ miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
-optional_policy(`
- cron_system_entry(freshclam_t, freshclam_exec_t)
-')
+userdom_stream_connect(freshclam_t)
tunable_policy(`clamd_use_jit',`
allow freshclam_t self:process execmem;
-', `
+',`
dontaudit freshclam_t self:process execmem;
')
+optional_policy(`
+ cron_system_entry(freshclam_t, freshclam_exec_t)
+')
+
########################################
#
# clamscam local policy
@@ -248,9 +268,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t)
corenet_tcp_sendrecv_generic_node(clamscan_t)
corenet_tcp_sendrecv_all_ports(clamscan_t)
corenet_tcp_sendrecv_clamd_port(clamscan_t)
+corenet_tcp_bind_generic_node(clamscan_t)
corenet_tcp_connect_clamd_port(clamscan_t)
kernel_read_kernel_sysctls(clamscan_t)
+kernel_read_system_state(clamscan_t)
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
@@ -264,7 +286,12 @@ miscfiles_read_public_files(clamscan_t)
clamav_stream_connect(clamscan_t)
-mta_send_mail(clamscan_t)
+sysnet_read_config(clamscan_t)
+
+optional_policy(`
+ mta_send_mail(clamscan_t)
+ mta_read_queue(clamscan_t)
+')
optional_policy(`
amavis_read_spool_files(clamscan_t)
diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te
index b40f3f7..3676ecc 100644
--- a/policy/modules/services/clockspeed.te
+++ b/policy/modules/services/clockspeed.te
@@ -38,7 +38,7 @@ files_read_etc_files(clockspeed_cli_t)
miscfiles_read_localization(clockspeed_cli_t)
-userdom_use_user_terminals(clockspeed_cli_t)
+userdom_use_inherited_user_terminals(clockspeed_cli_t)
########################################
#
diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if
index c0a66a4..e438c5f 100644
--- a/policy/modules/services/clogd.if
+++ b/policy/modules/services/clogd.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run clogd.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`clogd_domtrans',`
diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te
index 6077339..d10acd2 100644
--- a/policy/modules/services/clogd.te
+++ b/policy/modules/services/clogd.te
@@ -23,7 +23,6 @@ files_pid_file(clogd_var_run_t)
allow clogd_t self:capability { net_admin mknod };
allow clogd_t self:process signal;
-
allow clogd_t self:sem create_sem_perms;
allow clogd_t self:shm create_shm_perms;
allow clogd_t self:netlink_socket create_socket_perms;
@@ -36,7 +35,7 @@ fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file })
# pid files
manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
-files_pid_filetrans(clogd_t, clogd_var_run_t, { file })
+files_pid_filetrans(clogd_t, clogd_var_run_t, file)
dev_read_lvm_control(clogd_t)
dev_manage_generic_blk_files(clogd_t)
diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc
new file mode 100644
index 0000000..e500fa5
--- /dev/null
+++ b/policy/modules/services/cmirrord.fc
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
+
+/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
+
+/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if
new file mode 100644
index 0000000..756ac91
--- /dev/null
+++ b/policy/modules/services/cmirrord.if
@@ -0,0 +1,113 @@
+## policy for cmirrord
+
+########################################
+##
+## Execute a domain transition to run cmirrord.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cmirrord_domtrans',`
+ gen_require(`
+ type cmirrord_t, cmirrord_exec_t;
+ ')
+
+ domtrans_pattern($1, cmirrord_exec_t, cmirrord_t)
+')
+
+########################################
+##
+## Execute cmirrord server in the cmirrord domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cmirrord_initrc_domtrans',`
+ gen_require(`
+ type cmirrord_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cmirrord_initrc_exec_t)
+')
+
+########################################
+##
+## Read cmirrord PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cmirrord_read_pid_files',`
+ gen_require(`
+ type cmirrord_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 cmirrord_var_run_t:file read_file_perms;
+')
+
+#######################################
+##
+## Read and write to cmirrord shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cmirrord_rw_shm',`
+ gen_require(`
+ type cmirrord_t, cmirrord_tmpfs_t;
+ ')
+
+ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
+ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an cmirrord environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`cmirrord_admin',`
+ gen_require(`
+ type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
+ ')
+
+ allow $1 cmirrord_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cmirrord_t)
+
+ cmirrord_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cmirrord_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_pids($1)
+ admin_pattern($1, cmirrord_var_run_t)
+')
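Review bot: `cmirrord_rw_shm` is documented as "Read and write to cmirrord shared memory", but it also grants `destroy` on `cmirrord_t:shm` and `delete_files_pattern` on `cmirrord_tmpfs_t`. Every caller can therefore remove the daemon's segments and their backing files, not just use them. The corosync.te change in this same patch calls it for `corosync_t`. Either move the destructive permissions into a separate interface, or make the summary say what is granted, e.g. `## Read, write, delete and destroy cmirrord shared memory.`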
diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te
new file mode 100644
index 0000000..28fdd8a
--- /dev/null
+++ b/policy/modules/services/cmirrord.te
@@ -0,0 +1,58 @@
+policy_module(cmirrord, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cmirrord_t;
+type cmirrord_exec_t;
+init_daemon_domain(cmirrord_t, cmirrord_exec_t)
+
+type cmirrord_initrc_exec_t;
+init_script_file(cmirrord_initrc_exec_t)
+
+type cmirrord_tmpfs_t;
+files_tmpfs_file(cmirrord_tmpfs_t)
+
+type cmirrord_var_run_t;
+files_pid_file(cmirrord_var_run_t)
+
+########################################
+#
+# cmirrord local policy
+#
+
+allow cmirrord_t self:capability { net_admin kill };
+dontaudit cmirrord_t self:capability sys_tty_config;
+allow cmirrord_t self:process { setfscreate signal};
+allow cmirrord_t self:fifo_file rw_fifo_file_perms;
+allow cmirrord_t self:sem create_sem_perms;
+allow cmirrord_t self:shm create_shm_perms;
+allow cmirrord_t self:netlink_socket create_socket_perms;
+allow cmirrord_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file })
+
+manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
+manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
+files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+
+domain_use_interactive_fds(cmirrord_t)
+domain_obj_id_change_exemption(cmirrord_t)
+
+files_read_etc_files(cmirrord_t)
+
+storage_create_fixed_disk_dev(cmirrord_t)
+
+seutil_read_file_contexts(cmirrord_t)
+
+logging_send_syslog_msg(cmirrord_t)
+
+miscfiles_read_localization(cmirrord_t)
+
+optional_policy(`
+ corosync_stream_connect(cmirrord_t)
+')
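Review bot: `manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)` grants directory management, but `files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)` only transitions regular files and cmirrord.fc labels only `/var/run/cmirrord\.pid`. No directory of that type appears to be created or labeled by this policy. If the daemon only writes a pid file, the dirs rule can be dropped; if it does create a directory, the transition should read `files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, { dir file })`. Separately, `domain_obj_id_change_exemption`, `setfscreate` and `storage_create_fixed_disk_dev` are granted with no comment naming the cmirrord operation that needs them.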
diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
index 1cf6c4e..e4bac67 100644
--- a/policy/modules/services/cobbler.fc
+++ b/policy/modules/services/cobbler.fc
@@ -1,7 +1,33 @@
-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
-/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0)
+
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
+
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
+
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
+
+# This should removable when cobbler package installs /var/www/cobbler/rendered
+/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0)
+
+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
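Review bot: The comment `# This should removable when cobbler package installs /var/www/cobbler/rendered` does not say which entry it refers to. It sits above the `/var/www/cobbler(/.*)?` catch-all, which labels anything not listed below it as `httpd_cobbler_content_t`, so the reader cannot tell whether the catch-all or the `rendered` line is the temporary one. If the catch-all is the stop-gap, say so directly: `# Fallback label for /var/www/cobbler; remove once the cobbler package installs /var/www/cobbler/rendered itself.`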
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
index 293e08d..82306eb 100644
--- a/policy/modules/services/cobbler.if
+++ b/policy/modules/services/cobbler.if
@@ -1,12 +1,12 @@
## Cobbler installation server.
##
##
-## Cobbler is a Linux installation server that allows for
-## rapid setup of network installation environments. It
-## glues together and automates many associated Linux
-## tasks so you do not have to hop between lots of various
-## commands and applications when rolling out new systems,
-## and, in some cases, changing existing ones.
+## Cobbler is a Linux installation server that allows for
+## rapid setup of network installation environments. It
+## glues together and automates many associated Linux
+## tasks so you do not have to hop between lots of various
+## commands and applications when rolling out new systems,
+## and, in some cases, changing existing ones.
##
##
@@ -15,9 +15,9 @@
## Execute a domain transition to run cobblerd.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`cobblerd_domtrans',`
@@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',`
')
domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
+ corecmd_search_bin($1)
')
########################################
@@ -48,7 +49,7 @@ interface(`cobblerd_initrc_domtrans',`
########################################
##
-## Read Cobbler content in /etc
+## List Cobbler configuration.
##
##
##
@@ -56,19 +57,18 @@ interface(`cobblerd_initrc_domtrans',`
##
##
#
-interface(`cobbler_read_config',`
+interface(`cobbler_list_config',`
gen_require(`
type cobbler_etc_t;
')
- read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
+ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
files_search_etc($1)
')
########################################
##
-## Do not audit attempts to read and write
-## Cobbler log files (leaked fd).
+## Read Cobbler configuration files.
##
##
##
@@ -76,12 +76,13 @@ interface(`cobbler_read_config',`
##
##
#
-interface(`cobbler_dontaudit_rw_log',`
+interface(`cobbler_read_config',`
gen_require(`
- type cobbler_var_log_t;
+ type cobbler_etc_t;
')
- dontaudit $1 cobbler_var_log_t:file rw_file_perms;
+ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ files_search_etc($1)
')
########################################
@@ -100,6 +101,7 @@ interface(`cobbler_search_lib',`
')
search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
@@ -119,6 +121,7 @@ interface(`cobbler_read_lib_files',`
')
read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
@@ -137,12 +140,33 @@ interface(`cobbler_manage_lib_files',`
type cobbler_var_lib_t;
')
+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
########################################
##
+## Do not audit attempts to read and write
+## Cobbler log files (leaked fd).
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`cobbler_dontaudit_rw_log',`
+ gen_require(`
+ type cobbler_var_log_t;
+ ')
+
+ dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
## All of the rules required to administrate
## an cobblerd environment
##
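Review bot: `cobbler_manage_lib_files` now also grants `manage_dirs_pattern` and `manage_lnk_files_pattern` on `cobbler_var_lib_t`, so every existing caller silently gains directory and symlink create/delete under an interface whose name speaks only of files. The interface's summary block starts outside this hunk and is not updated by it. Since cobbler.fc in this patch extends `cobbler_var_lib_t` to subtrees of /var/lib/tftpboot and /var/www/cobbler, the widened grant reaches further than before. Either keep this interface to files and add the dir/symlink rules in a separately named interface, or change the summary to `## Manage cobbler lib directories, files and symbolic links.`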
@@ -161,25 +185,34 @@ interface(`cobbler_manage_lib_files',`
interface(`cobblerd_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
- type cobbler_etc_t, cobblerd_initrc_exec_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
+ type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
')
- allow $1 cobblerd_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, cobblerd_t, cobblerd_t)
+ allow $1 cobblerd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cobblerd_t)
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, cobbler_etc_t)
files_list_var_lib($1)
admin_pattern($1, cobbler_var_lib_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, cobbler_var_log_t)
+ apache_list_sys_content($1)
+ admin_pattern($1, httpd_cobbler_content_t)
+ admin_pattern($1, httpd_cobbler_content_ra_t)
admin_pattern($1, httpd_cobbler_content_rw_t)
cobblerd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 cobblerd_initrc_exec_t system_r;
allow $2 system_r;
+
+ optional_policy(`
+ # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
+ tftp_search_rw_content($1)
+ ')
')
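Review bot: `allow $1 cobblerd_t:process { ptrace signal_perms };` gives every caller of `cobblerd_admin` ptrace over the daemon, which is enough to read or alter its memory. The new `cmirrord_admin` in cmirrord.if carries the same line. With `ps_process_pattern($1, cobblerd_t)` added for process listing, nothing visible in the hunk needs ptrace for routine administration. Consider `allow $1 cobblerd_t:process signal_perms;` here and granting ptrace separately to roles that debug the service.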
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
index 0258b48..8fde016 100644
--- a/policy/modules/services/cobbler.te
+++ b/policy/modules/services/cobbler.te
@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
#
##
-##
-## Allow Cobbler to modify public files
-## used for public file transfer services.
-##
+##
+## Allow Cobbler to modify public files
+## used for public file transfer services.
+##
##
gen_tunable(cobbler_anon_write, false)
+##
+##
+## Allow Cobbler to connect to the
+## network using TCP.
+##
+##
+gen_tunable(cobbler_can_network_connect, false)
+
+##
+##
+## Allow Cobbler to access cifs file systems.
+##
+##
+gen_tunable(cobbler_use_cifs, false)
+
+##
+##
+## Allow Cobbler to access nfs file systems.
+##
+##
+gen_tunable(cobbler_use_nfs, false)
+
type cobblerd_t;
type cobblerd_exec_t;
init_daemon_domain(cobblerd_t, cobblerd_exec_t)
@@ -26,25 +48,40 @@ files_config_file(cobbler_etc_t)
type cobbler_var_log_t;
logging_log_file(cobbler_var_log_t)
-type cobbler_var_lib_t;
+type cobbler_var_lib_t alias cobbler_content_t;
files_type(cobbler_var_lib_t)
+type cobbler_tmp_t;
+files_tmp_file(cobbler_tmp_t)
+
########################################
#
# Cobbler personal policy.
#
-allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
+allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
+dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config };
+
allow cobblerd_t self:process { getsched setsched signal };
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
+allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
allow cobblerd_t self:tcp_socket create_stream_socket_perms;
+allow cobblerd_t self:udp_socket create_socket_perms;
+allow cobblerd_t self:unix_dgram_socket create_socket_perms;
list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t.
+dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms;
+
manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
-files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
+manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file })
+
+# Something really needs to write to cobbler.log. Ideally this should not be happening.
+allow cobblerd_t cobbler_var_log_t:file write;
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
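Review bot: `allow cobblerd_t cobbler_var_log_t:file write;` removes the append-only property that the `append_files_pattern` line after it would otherwise give: with plain `write`, a compromised cobblerd can overwrite earlier entries in its own log. The comment admits this should not be happening but does not say what performs the write, so nobody can tell when the rule may be dropped. Record the source from the AVC denial in the comment, e.g. `# TODO: <component> opens cobbler.log without O_APPEND; remove this rule once fixed.`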
@@ -52,7 +89,12 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
+manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
+manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
+files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
+
kernel_read_system_state(cobblerd_t)
+kernel_dontaudit_search_network_state(cobblerd_t)
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
@@ -65,26 +107,75 @@ corenet_tcp_bind_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_port(cobblerd_t)
+corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
+# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
+corenet_tcp_connect_ftp_port(cobblerd_t)
+corenet_tcp_sendrecv_ftp_port(cobblerd_t)
+corenet_sendrecv_ftp_client_packets(cobblerd_t)
+corenet_tcp_connect_http_port(cobblerd_t)
+corenet_tcp_sendrecv_http_port(cobblerd_t)
+corenet_sendrecv_http_client_packets(cobblerd_t)
dev_read_urand(cobblerd_t)
+domain_dontaudit_exec_all_entry_files(cobblerd_t)
+domain_dontaudit_read_all_domains_state(cobblerd_t)
+
+files_read_etc_files(cobblerd_t)
+# mtab
+files_read_etc_runtime_files(cobblerd_t)
files_read_usr_files(cobblerd_t)
files_list_boot(cobblerd_t)
+files_read_boot_files(cobblerd_t)
files_list_tmp(cobblerd_t)
-# read /etc/nsswitch.conf
-files_read_etc_files(cobblerd_t)
+
+# read from mounted images (install media)
+fs_read_iso9660_files(cobblerd_t)
+
+init_dontaudit_read_all_script_files(cobblerd_t)
+
+term_use_console(cobblerd_t)
miscfiles_read_localization(cobblerd_t)
miscfiles_read_public_files(cobblerd_t)
+selinux_dontaudit_read_fs(cobblerd_t)
+
sysnet_read_config(cobblerd_t)
sysnet_rw_dhcp_config(cobblerd_t)
sysnet_write_config(cobblerd_t)
+userdom_dontaudit_use_user_terminals(cobblerd_t)
+userdom_dontaudit_search_user_home_dirs(cobblerd_t)
+userdom_dontaudit_search_admin_dir(cobblerd_t)
+
tunable_policy(`cobbler_anon_write',`
miscfiles_manage_public_files(cobblerd_t)
')
+tunable_policy(`cobbler_can_network_connect',`
+ corenet_tcp_connect_all_ports(cobblerd_t)
+ corenet_tcp_sendrecv_all_ports(cobblerd_t)
+ corenet_sendrecv_all_client_packets(cobblerd_t)
+')
+
+tunable_policy(`cobbler_use_cifs',`
+ fs_manage_cifs_dirs(cobblerd_t)
+ fs_manage_cifs_files(cobblerd_t)
+ fs_manage_cifs_symlinks(cobblerd_t)
+')
+
+tunable_policy(`cobbler_use_nfs',`
+ fs_manage_nfs_dirs(cobblerd_t)
+ fs_manage_nfs_files(cobblerd_t)
+ fs_manage_nfs_symlinks(cobblerd_t)
+')
+
+optional_policy(`
+ # Cobbler traverses /var/www to get to /var/www/cobbler/*
+ apache_search_sys_content(cobblerd_t)
+')
+
optional_policy(`
bind_read_config(cobblerd_t)
bind_write_config(cobblerd_t)
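Review bot: `domain_dontaudit_exec_all_entry_files`, `domain_dontaudit_read_all_domains_state`, `init_dontaudit_read_all_script_files` and `selinux_dontaudit_read_fs` silence denials without a comment saying which cobbler code path triggers them. The suppressed AVC records are the ones that would show `cobblerd_t` inspecting other processes or attempting to run other domains' entry points, so they are useful detection signal for a network-facing daemon that also gets `corecmd_exec_shell`. Add a one-line reason above each rule, as is done for `# mtab`, or leave the access audited until the cause is known. The `userdom_dontaudit_*` lines added further down have the same gap.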
@@ -95,6 +186,10 @@ optional_policy(`
')
optional_policy(`
+ certmaster_exec(cobblerd_t)
+')
+
+optional_policy(`
dhcpd_domtrans(cobblerd_t)
dhcpd_initrc_domtrans(cobblerd_t)
')
@@ -106,16 +201,28 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(cobblerd_t)
+')
+
+optional_policy(`
rpm_exec(cobblerd_t)
')
optional_policy(`
- rsync_read_config(cobblerd_t)
- rsync_write_config(cobblerd_t)
+ rsync_exec(cobblerd_t)
+ rsync_manage_config(cobblerd_t)
+ # cobbler creates /etc/rsync.conf if its not there.
+ rsync_filetrans_config(cobblerd_t, file)
')
optional_policy(`
- tftp_manage_rw_content(cobblerd_t)
+ # Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images.
+ # tftp_manage_rw_content(cobblerd_t) can be used instead if:
+ # 1. cobbler package installs /var/lib/tftpdir/images.
+ # 2. no FILES in /var/lib/TFTPDIR are hard linked.
+ # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
+ # are any of those hard linked?
+ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
')
########################################
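Review bot: The comment above `tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })` ends on an open question (`are any of those hard linked?`). It also names the directory as `/var/lib/tftpdir` and `/var/lib/TFTPDIR`, while cobbler.fc in this patch labels `/var/lib/tftpboot`. A reader cannot tell whether the condition for switching back to `tftp_manage_rw_content` has been checked. Answer the question before merging and use the path from cobbler.fc, e.g. `# Cobbler creates etc, images, ppc, s390x and pxelinux.cfg directly under /var/lib/tftpboot; label them cobbler_var_lib_t on creation.`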
@@ -124,5 +231,6 @@ optional_policy(`
#
apache_content_template(cobbler)
+list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t)
manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc
new file mode 100644
index 0000000..0a83e88
--- /dev/null
+++ b/policy/modules/services/colord.fc
@@ -0,0 +1,5 @@
+
+/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
+
+/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/policy/modules/services/colord.if b/policy/modules/services/colord.if
new file mode 100644
index 0000000..939d76e
--- /dev/null
+++ b/policy/modules/services/colord.if
@@ -0,0 +1,60 @@
+
+## policy for colord
+
+########################################
+##
+## Execute a domain transition to run colord.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`colord_domtrans',`
+ gen_require(`
+ type colord_t, colord_exec_t;
+ ')
+
+ domtrans_pattern($1, colord_exec_t, colord_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## colord over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`colord_dbus_chat',`
+ gen_require(`
+ type colord_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 colord_t:dbus send_msg;
+ allow colord_t $1:dbus send_msg;
+')
+
+######################################
+##
+## Read colord lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`colord_read_lib_files',`
+ gen_require(`
+ type colord_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
+')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
index 0000000..36d4c6d
--- /dev/null
+++ b/policy/modules/services/colord.te
@@ -0,0 +1,76 @@
+policy_module(colord,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type colord_t;
+type colord_exec_t;
+dbus_system_domain(colord_t, colord_exec_t)
+
+type colord_var_lib_t;
+files_type(colord_var_lib_t)
+
+type colord_tmp_t;
+files_tmp_file(colord_tmp_t)
+
+########################################
+#
+# colord local policy
+#
+allow colord_t self:fifo_file rw_fifo_file_perms;
+allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow colord_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
+
+manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
+
+kernel_read_device_sysctls(colord_t)
+
+corenet_udp_bind_generic_node(colord_t)
+corenet_udp_bind_ipp_port(colord_t)
+corenet_tcp_connect_ipp_port(colord_t)
+
+dev_read_raw_memory(colord_t)
+dev_write_raw_memory(colord_t)
+dev_read_video_dev(colord_t)
+dev_write_video_dev(colord_t)
+dev_read_rand(colord_t)
+dev_read_sysfs(colord_t)
+dev_read_urand(colord_t)
+dev_list_sysfs(colord_t)
+dev_read_generic_usb_dev(colord_t)
+storage_read_scsi_generic(colord_t)
+storage_write_scsi_generic(colord_t)
+
+domain_use_interactive_fds(colord_t)
+
+files_read_etc_files(colord_t)
+files_read_usr_files(colord_t)
+
+miscfiles_read_localization(colord_t)
+
+sysnet_dns_name_resolve(colord_t)
+
+optional_policy(`
+ cups_read_rw_config(colord_t)
+ cups_stream_connect(colord_t)
+ cups_dbus_chat(colord_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(colord_t)
+ policykit_domtrans_auth(colord_t)
+ policykit_read_lib(colord_t)
+ policykit_read_reload(colord_t)
+')
+
+optional_policy(`
+ udev_read_db(colord_t)
+')
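Review bot: `dev_read_raw_memory(colord_t)` and `dev_write_raw_memory(colord_t)` give the colour-management daemon read and write access to the raw memory devices. A domain that can write raw memory is not meaningfully constrained by the other type rules in this module. `storage_read_scsi_generic(colord_t)` and `storage_write_scsi_generic(colord_t)` are similarly broad, and none of the four lines carries a comment. If a hardware probe in colord really triggers these denials, name it in a comment and consider a `dontaudit` or a tunable that defaults to off; otherwise the lines should be removed.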
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
index fd15dfe..ad224fa 100644
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run consolekit.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`consolekit_domtrans',`
@@ -20,6 +20,27 @@ interface(`consolekit_domtrans',`
########################################
##
+## dontaudit Send and receive messages from
+## consolekit over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_dontaudit_dbus_chat',`
+ gen_require(`
+ type consolekit_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 consolekit_t:dbus send_msg;
+ dontaudit consolekit_t $1:dbus send_msg;
+')
+
+########################################
+##
## Send and receive messages from
## consolekit over dbus.
##
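Review bot: The parameter description of `consolekit_dontaudit_dbus_chat` says `Domain allowed access.`, but the interface allows nothing. It should read `Domain to not audit.`, as `consolekit_dontaudit_read_log` in this file does. The summary `dontaudit Send and receive messages from` is also better written as `Do not audit attempts to send and receive messages from`. Note that the second rule, `dontaudit consolekit_t $1:dbus send_msg;`, hides denials where consolekit itself is the source, which the summary should mention if it is intended.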
@@ -41,6 +62,24 @@ interface(`consolekit_dbus_chat',`
########################################
##
+## Dontaudit attempts to read consolekit log files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`consolekit_dontaudit_read_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ dontaudit $1 consolekit_log_t:file read_file_perms;
+')
+
+########################################
+##
## Read consolekit log files.
##
##
@@ -96,3 +135,22 @@ interface(`consolekit_read_pid_files',`
allow $1 consolekit_var_run_t:dir list_dir_perms;
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
')
+
+########################################
+##
+## List consolekit PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_list_pid_files',`
+ gen_require(`
+ type consolekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
index e67a003..894d4e0 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t)
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
+type consolekit_tmpfs_t;
+files_tmpfs_file(consolekit_tmpfs_t)
+
########################################
#
# consolekit local policy
@@ -69,11 +72,12 @@ logging_send_audit_msgs(consolekit_t)
miscfiles_read_localization(consolekit_t)
+# consolekit needs to be able to ptrace all logged in users
+userdom_ptrace_all_users(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
-hal_ptrace(consolekit_t)
-
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(consolekit_t)
')
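Review bot: `userdom_ptrace_all_users(consolekit_t)` lets `consolekit_t` attach to any logged-in user's processes, and the comment above it only restates the rule without saying which ConsoleKit operation needs it. The last hunk of this file adds `unconfined_ptrace(consolekit_t)` under the unrelated comment `#reading .Xauthity`, which widens the same access. If the denials come from reading process information under /proc rather than from attaching, a read-state interface such as `userdom_read_all_users_state` would be the narrower grant (to be confirmed against the actual AVC). Otherwise extend the comment to name the caller and the reason.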
@@ -83,6 +87,14 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ cron_read_system_job_lib_files(consolekit_t)
+')
+
+optional_policy(`
+ hal_ptrace(consolekit_t)
+')
+
+optional_policy(`
dbus_system_domain(consolekit_t, consolekit_exec_t)
optional_policy(`
@@ -99,6 +111,10 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_append_log(consolekit_t)
+')
+
+optional_policy(`
policykit_dbus_chat(consolekit_t)
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
@@ -106,9 +122,10 @@ optional_policy(`
')
optional_policy(`
- type consolekit_tmpfs_t;
- files_tmpfs_file(consolekit_tmpfs_t)
+ shutdown_domtrans(consolekit_t)
+')
+optional_policy(`
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
xserver_non_drawing_client(consolekit_t)
@@ -125,5 +142,6 @@ optional_policy(`
optional_policy(`
#reading .Xauthity
+ unconfined_ptrace(consolekit_t)
unconfined_stream_connect(consolekit_t)
')
diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
index 3a6d7eb..2098ee9 100644
--- a/policy/modules/services/corosync.fc
+++ b/policy/modules/services/corosync.fc
@@ -3,6 +3,7 @@
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
index 5220c9d..a2e6830 100644
--- a/policy/modules/services/corosync.if
+++ b/policy/modules/services/corosync.if
@@ -18,6 +18,25 @@ interface(`corosync_domtrans',`
domtrans_pattern($1, corosync_exec_t, corosync_t)
')
+######################################
+##
+## Execute corosync in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corosync_exec',`
+ gen_require(`
+ type corosync_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, corosync_exec_t)
+')
+
#######################################
##
## Allow the specified domain to read corosync's log files.
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
index 7d2cf85..92b621a 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t)
# corosync local policy
#
-allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
-allow corosync_t self:process { setrlimit setsched signal };
+allow corosync_t self:capability { dac_override setuid sys_nice sys_ptrace sys_resource ipc_lock };
+allow corosync_t self:process { setpgid setrlimit setsched signal signull };
allow corosync_t self:fifo_file rw_fifo_file_perms;
allow corosync_t self:sem create_sem_perms;
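Review bot: The capability set gains `dac_override`, `setuid` and `sys_ptrace` with no comment on any of them. `dac_override` lets `corosync_t` ignore file mode bits and is often a symptom of wrong ownership on a file that is better fixed at the file. If `sys_ptrace` is only triggered by reading other processes' /proc entries, the pattern cobbler.te uses in this patch would do: `dontaudit corosync_t self:capability sys_ptrace;`. A later hunk also adds `corecmd_exec_shell(corosync_t)`, so each new capability should at least name the denial it fixes.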
@@ -41,6 +41,8 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
allow corosync_t self:unix_dgram_socket create_socket_perms;
allow corosync_t self:udp_socket create_socket_perms;
+can_exec(corosync_t, corosync_exec_t)
+
manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
@@ -63,8 +65,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
kernel_read_system_state(corosync_t)
+kernel_read_network_state(corosync_t)
+kernel_read_net_sysctls(corosync_t)
corecmd_exec_bin(corosync_t)
+corecmd_exec_shell(corosync_t)
corenet_udp_bind_netsupport_port(corosync_t)
@@ -73,6 +78,7 @@ dev_read_urand(corosync_t)
domain_read_all_domains_state(corosync_t)
files_manage_mounttab(corosync_t)
+files_read_usr_files(corosync_t)
auth_use_nsswitch(corosync_t)
@@ -83,19 +89,37 @@ logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
+userdom_delete_user_tmpfs_files(corosync_t)
userdom_rw_user_tmpfs_files(corosync_t)
optional_policy(`
+ fs_manage_tmpfs_files(corosync_t)
+ init_manage_script_status_files(corosync_t)
+')
+
+optional_policy(`
ccs_read_config(corosync_t)
')
optional_policy(`
- # to communication with RHCS
- rhcs_rw_dlm_controld_semaphores(corosync_t)
+ cmirrord_rw_shm(corosync_t)
+')
- rhcs_rw_fenced_semaphores(corosync_t)
+optional_policy(`
+ drbd_domtrans(corosync_t)
+')
+
+optional_policy(`
+ lvm_rw_clvmd_tmpfs_files(corosync_t)
+ lvm_delete_clvmd_tmpfs_files(corosync_t)
+')
- rhcs_rw_gfs_controld_semaphores(corosync_t)
+optional_policy(`
+ # to communication with RHCS
+ rhcs_rw_cluster_shm(corosync_t)
+ rhcs_rw_cluster_semaphores(corosync_t)
+ rhcs_stream_connect_cluster(corosync_t)
+ rhcs_read_cluster_lib_files(corosync_t)
')
optional_policy(`
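Review bot: `fs_manage_tmpfs_files(corosync_t)` is, going by its name, a grant over generic tmpfs files rather than over one service's type. The typed interfaces added in this same hunk (`cmirrord_rw_shm`, `lvm_rw_clvmd_tmpfs_files`, `rhcs_rw_cluster_shm`) are the narrower pattern. It is wrapped in `optional_policy` together with `init_manage_script_status_files`, with no comment on which peer creates the files corosync needs. If the files belong to a specific cluster component, use or add that component's interface instead; if generic access really is required, say why in a comment above the block.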
diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
index 9971337..f081899 100644
--- a/policy/modules/services/courier.if
+++ b/policy/modules/services/courier.if
@@ -138,6 +138,7 @@ interface(`courier_read_config',`
type courier_etc_t;
')
+ files_search_etc($1)
read_files_pattern($1, courier_etc_t, courier_etc_t)
')
@@ -157,6 +158,7 @@ interface(`courier_manage_spool_dirs',`
type courier_spool_t;
')
+ files_search_spool($1)
manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
')
@@ -176,6 +178,7 @@ interface(`courier_manage_spool_files',`
type courier_spool_t;
')
+ files_search_spool($1)
manage_files_pattern($1, courier_spool_t, courier_spool_t)
')
@@ -194,6 +197,7 @@ interface(`courier_read_spool',`
type courier_spool_t;
')
+ files_search_spool($1)
read_files_pattern($1, courier_spool_t, courier_spool_t)
')
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 2802dbb..5d323df 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -93,7 +93,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
# inherits file handle - should it?
-allow courier_pop_t courier_var_lib_t:file { read write };
+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
miscfiles_read_localization(courier_pop_t)
diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te
index 13d2f63..a048c53 100644
--- a/policy/modules/services/cpucontrol.te
+++ b/policy/modules/services/cpucontrol.te
@@ -10,7 +10,7 @@ type cpucontrol_exec_t;
init_system_domain(cpucontrol_t, cpucontrol_exec_t)
type cpucontrol_conf_t;
-files_type(cpucontrol_conf_t)
+files_config_file(cpucontrol_conf_t)
type cpuspeed_t;
type cpuspeed_exec_t;
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
index 2eefc08..6030f34 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
@@ -14,9 +14,10 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
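Review bot: The added `/var/run/.*cron.*` entry is far broader than the per-file entries around it. Because `.*` also matches `/`, any regular file at any depth under /var/run whose path contains "cron" would get `crond_var_run_t`, including pid or state files that belong to other services. Which entry wins for an overlapping path depends on file-context ordering that this hunk does not show, so the effect on other modules is hard to predict. I would list the needed names explicitly, or at least keep the match within one path component, e.g. `/var/run/[^/]*cron[^/]*` with the same `--` specifier.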
@@ -45,3 +46,7 @@ ifdef(`distro_suse', `
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 35241ed..b6c4cc9 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -12,6 +12,11 @@
##
#
template(`cron_common_crontab_template',`
+ gen_require(`
+ type crond_t, crond_var_run_t, crontab_exec_t;
+ type cron_spool_t, user_cron_spool_t;
+ ')
+
##############################
#
# Declarations
@@ -34,8 +39,12 @@ template(`cron_common_crontab_template',`
allow $1_t self:process { setsched signal_perms };
allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t $1_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_t, $1_tmp_t, file)
+ allow $1_t crond_t:process signal;
+ allow $1_t crond_var_run_t:file read_file_perms;
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
# create files in /var/spool/cron
manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
@@ -43,7 +52,7 @@ template(`cron_common_crontab_template',`
files_list_spool($1_t)
# crontab signals crond by updating the mtime on the spooldir
- allow $1_t cron_spool_t:dir setattr;
+ allow $1_t cron_spool_t:dir setattr_dir_perms;
kernel_read_system_state($1_t)
@@ -62,6 +71,7 @@ template(`cron_common_crontab_template',`
logging_send_syslog_msg($1_t)
logging_send_audit_msgs($1_t)
+ logging_set_loginuid($1_t)
init_dontaudit_write_utmp($1_t)
init_read_utmp($1_t)
@@ -73,9 +83,10 @@ template(`cron_common_crontab_template',`
userdom_manage_user_tmp_dirs($1_t)
userdom_manage_user_tmp_files($1_t)
# Access terminals.
- userdom_use_user_terminals($1_t)
+ userdom_use_inherited_user_terminals($1_t)
# Read user crontabs
userdom_read_user_home_content_files($1_t)
+ userdom_read_user_home_content_symlinks($1_t)
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
@@ -102,10 +113,12 @@ template(`cron_common_crontab_template',`
## User domain for the role
##
##
+##
#
interface(`cron_role',`
gen_require(`
type cronjob_t, crontab_t, crontab_exec_t;
+ type user_cron_spool_t, crond_t;
')
role $1 types { cronjob_t crontab_t };
@@ -116,9 +129,16 @@ interface(`cron_role',`
# Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, crontab_t)
+ allow crond_t $2:process transition;
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ allow $2 crond_t:process sigchld;
+
+ # needs to be authorized SELinux context for cron
+ allow $2 user_cron_spool_t:file entrypoint;
+
# crontab shows up in user ps
ps_process_pattern($2, crontab_t)
- allow $2 crontab_t:process signal;
+ allow $2 crontab_t:process { ptrace signal_perms };
# Run helper programs as the user domain
#corecmd_bin_domtrans(crontab_t, $2)
@@ -132,9 +152,8 @@ interface(`cron_role',`
')
dbus_stub(cronjob_t)
-
allow cronjob_t $2:dbus send_msg;
- ')
+ ')
')
########################################
@@ -151,29 +170,18 @@ interface(`cron_role',`
## User domain for the role
##
##
+##
#
interface(`cron_unconfined_role',`
gen_require(`
- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
+ type unconfined_cronjob_t;
')
- role $1 types { unconfined_cronjob_t crontab_t };
+ role $1 types unconfined_cronjob_t;
# cronjob shows up in user ps
ps_process_pattern($2, unconfined_cronjob_t)
-
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, crontab_t)
-
- # crontab shows up in user ps
- ps_process_pattern($2, crontab_t)
- allow $2 crontab_t:process signal;
-
- # Run helper programs as the user domain
- #corecmd_bin_domtrans(crontab_t, $2)
- #corecmd_shell_domtrans(crontab_t, $2)
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
+ allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
optional_policy(`
gen_require(`
@@ -181,9 +189,8 @@ interface(`cron_unconfined_role',`
')
dbus_stub(unconfined_cronjob_t)
-
allow unconfined_cronjob_t $2:dbus send_msg;
- ')
+ ')
')
########################################
@@ -200,6 +207,7 @@ interface(`cron_unconfined_role',`
## User domain for the role
##
##
+##
#
interface(`cron_admin_role',`
gen_require(`
@@ -220,7 +228,7 @@ interface(`cron_admin_role',`
# crontab shows up in user ps
ps_process_pattern($2, admin_crontab_t)
- allow $2 admin_crontab_t:process signal;
+ allow $2 admin_crontab_t:process { ptrace signal_perms };
# Run helper programs as the user domain
#corecmd_bin_domtrans(admin_crontab_t, $2)
@@ -234,9 +242,8 @@ interface(`cron_admin_role',`
')
dbus_stub(admin_cronjob_t)
-
allow cronjob_t $2:dbus send_msg;
- ')
+ ')
')
########################################
@@ -304,7 +311,7 @@ interface(`cron_exec',`
########################################
##
-## Execute crond server in the nscd domain.
+## Execute crond server in the crond domain.
##
##
##
@@ -408,7 +415,43 @@ interface(`cron_rw_pipes',`
type crond_t;
')
- allow $1 crond_t:fifo_file { getattr read write };
+ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Read and write inherited user spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_rw_inherited_user_spool_files',`
+ gen_require(`
+ type user_cron_spool_t;
+ ')
+
+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
+## Read and write inherited spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_rw_inherited_spool_files',`
+ gen_require(`
+ type cron_spool_t;
+ ')
+
+ allow $1 cron_spool_t:file rw_inherited_file_perms;
')
########################################
@@ -481,6 +524,7 @@ interface(`cron_manage_pid_files',`
type crond_var_run_t;
')
+ files_search_pids($1)
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
')
@@ -536,7 +580,7 @@ interface(`cron_write_system_job_pipes',`
type system_cronjob_t;
')
- allow $1 system_cronjob_t:file write;
+ allow $1 system_cronjob_t:fifo_file write;
')
########################################
@@ -554,7 +598,7 @@ interface(`cron_rw_system_job_pipes',`
type system_cronjob_t;
')
- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@@ -587,11 +631,14 @@ interface(`cron_rw_system_job_stream_sockets',`
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
- type system_cronjob_tmp_t;
+ type system_cronjob_tmp_t, cron_var_run_t;
')
files_search_tmp($1)
allow $1 system_cronjob_tmp_t:file read_file_perms;
+
+ files_search_pids($1)
+ allow $1 cron_var_run_t:file read_file_perms;
')
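Review bot: `cron_read_system_job_tmp_files` now also grants `read_file_perms` on `cron_var_run_t` plus a search of the pid directory. The interface name, and presumably its doc header (outside this hunk), still describe temporary files only, so every existing caller gains read access to cron's /var/run files without asking for it. I would move the two added lines into a separate interface for the pid files and call it only from the domains that need it. If the bundling stays, the summary should at least say that pid files are included.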
########################################
@@ -627,7 +674,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
+ type cron_var_run_t;
')
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+ dontaudit $1 cron_var_run_t:file write_file_perms;
+')
+
+########################################
+##
+## Read temporary files from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_read_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+##
+## Manage files from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_manage_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
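Review bot: The summary for the new `cron_read_system_job_lib_files` interface is copied from the tmp-file interface and reads "Read temporary files from the system cron jobs.", but the body reads `system_cronjob_var_lib_t` after `files_search_var_lib($1)`. It should say something like `## Read lib files from the system cron jobs.`. In the same hunk, `cron_dontaudit_write_system_job_tmp_files` now also suppresses write denials on `cron_var_run_t`, which its name does not convey. A one-line comment there would help whoever later looks for missing AVC messages.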
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index f7583ab..9941737 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
#
##
-##
-## Allow system cron jobs to relabel filesystem
-## for restoring file contexts.
-##
+##
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
+##
##
gen_tunable(cron_can_relabel, false)
##
-##
-## Enable extra rules in the cron domain
-## to support fcron.
-##
+##
+## Enable extra rules in the cron domain
+## to support fcron.
+##
##
gen_tunable(fcron_crond, false)
@@ -38,7 +38,7 @@ type cron_var_lib_t;
files_type(cron_var_lib_t)
type cron_var_run_t;
-files_type(cron_var_run_t)
+files_pid_file(cron_var_run_t)
# var/log files
type cron_log_t;
@@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t)
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
+files_poly_parent(crond_tmp_t)
+mta_system_content(crond_tmp_t)
type crond_var_run_t;
files_pid_file(crond_var_run_t)
+mta_system_content(crond_var_run_t)
type crontab_exec_t;
application_executable_file(crontab_exec_t)
@@ -79,6 +82,7 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+allow admin_crontab_t crond_t:process signal;
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
@@ -87,6 +91,7 @@ type system_cronjob_t alias system_crond_t;
init_daemon_domain(system_cronjob_t, anacron_exec_t)
corecmd_shell_entry_type(system_cronjob_t)
role system_r types system_cronjob_t;
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
@@ -94,10 +99,6 @@ files_lock_file(system_cronjob_lock_t)
type system_cronjob_tmp_t alias system_crond_tmp_t;
files_tmp_file(system_cronjob_tmp_t)
-ifdef(`enable_mcs',`
- init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
-')
-
type unconfined_cronjob_t;
domain_type(unconfined_cronjob_t)
domain_cron_exemption_target(unconfined_cronjob_t)
@@ -108,6 +109,18 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
+mta_system_content(user_cron_spool_t)
+
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+')
########################################
#
@@ -115,7 +128,7 @@ ubac_constrained(user_cron_spool_t)
#
# Allow our crontab domain to unlink a user cron spool file.
-allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
# Manipulate other users crontab.
selinux_get_fs_mount(admin_crontab_t)
@@ -125,7 +138,7 @@ selinux_compute_create_context(admin_crontab_t)
selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
-tunable_policy(`fcron_crond', `
+tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
# also crontab does a security check for crontab -u
allow admin_crontab_t self:process setfscreate;
@@ -138,7 +151,7 @@ tunable_policy(`fcron_crond', `
allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
@@ -187,12 +200,16 @@ fs_list_inotifyfs(crond_t)
# need auth_chkpwd to check for locked accounts.
auth_domtrans_chk_passwd(crond_t)
+auth_read_var_auth(crond_t)
corecmd_exec_shell(crond_t)
corecmd_list_bin(crond_t)
+corecmd_exec_bin(crond_t)
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
+domain_subj_id_change_exemption(crond_t)
+domain_role_change_exemption(crond_t)
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
@@ -203,11 +220,16 @@ files_list_usr(crond_t)
files_search_var_lib(crond_t)
files_search_default(crond_t)
+fs_manage_cgroup_dirs(crond_t)
+fs_manage_cgroup_files(crond_t)
+
init_rw_utmp(crond_t)
init_spec_domtrans_script(crond_t)
+auth_manage_var_auth(crond_t)
auth_use_nsswitch(crond_t)
+logging_send_audit_msgs(crond_t)
logging_send_syslog_msg(crond_t)
logging_set_loginuid(crond_t)
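Review bot: `auth_manage_var_auth(crond_t)` is added without a comment, and the previous hunk adds `auth_read_var_auth(crond_t)` for the same domain. If the manage interface already covers read (its definition is not on this page), the read line is redundant. Write access to authentication data is a large grant for a daemon that runs jobs for every user, so I would ask for a short comment naming the PAM module or file that needs it, e.g. `# pam_<module> updates its state under /var/auth - TODO confirm`, or drop back to the read interface.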
@@ -220,8 +242,10 @@ miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
+userdom_create_all_users_keys(crond_t)
mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
ifdef(`distro_debian',`
# pam_limits is used
@@ -233,7 +257,7 @@ ifdef(`distro_debian',`
')
')
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
@@ -250,11 +274,30 @@ tunable_policy(`fcron_crond', `
')
optional_policy(`
+ apache_search_sys_content(crond_t)
+')
+
+optional_policy(`
+ djbdns_search_tinydns_keys(crond_t)
+ djbdns_link_tinydns_keys(crond_t)
+')
+
+optional_policy(`
locallogin_search_keys(crond_t)
locallogin_link_keys(crond_t)
')
optional_policy(`
+ # these should probably be unconfined_crond_t
+ dbus_system_bus_client(crond_t)
+ init_dbus_send_script(crond_t)
+')
+
+optional_policy(`
+ mono_domtrans(crond_t)
+')
+
+optional_policy(`
amanda_search_var_lib(crond_t)
')
@@ -264,6 +307,8 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(crond_t)
+ hal_write_log(crond_t)
+ hal_dbus_chat(system_cronjob_t)
')
optional_policy(`
@@ -289,12 +334,18 @@ optional_policy(`
udev_read_db(crond_t)
')
+optional_policy(`
+ vnstatd_search_lib(crond_t)
+')
+
########################################
#
# System cron process domain
#
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+dontaudit system_cronjob_t self:capability sys_ptrace;
+
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
@@ -306,10 +357,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
-allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
+allow system_cronjob_t cron_var_run_t:file manage_file_perms;
+files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
+
allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
+mls_file_read_to_clearance(system_cronjob_t)
+
+# anacron forces the following
+manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
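Review bot: `manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)` lets every system cron job create, modify and delete files in the system cron spool. That makes the `read_file_perms` rule a few lines above it redundant. The comment "anacron forces the following" does not say which files anacron writes. If it is only timestamp or state files, giving those their own type would keep the job definitions read-only to the jobs that crond starts from them. At minimum, the comment should name the files involved.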
@@ -329,6 +389,7 @@ allow crond_t system_cronjob_t:fd use;
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:key manage_key_perms;
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
@@ -340,9 +401,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+# var/lib files for system_crond
+files_search_var_lib(system_cronjob_t)
+manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+
# Read from /var/spool/cron.
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
-allow system_cronjob_t cron_spool_t:file read_file_perms;
+allow system_cronjob_t cron_spool_t:file rw_file_perms;
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
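Review bot: The comment `# Read from /var/spool/cron.` is now stale, because the rule under it was changed from `read_file_perms` to `rw_file_perms` on `cron_spool_t:file`. Either update the comment to say why system cron jobs need to write spool files, e.g. `# Read and write /var/spool/cron (needed by <program> - TODO confirm).`, or keep the rule read-only. As written, the next reader will take the comment at face value and miss the write grant.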
@@ -365,6 +430,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
+dev_read_sysfs(system_cronjob_t)
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
@@ -391,6 +457,7 @@ files_dontaudit_search_pids(system_cronjob_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
+files_create_boot_flag(system_cronjob_t)
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
@@ -413,8 +480,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
seutil_read_config(system_cronjob_t)
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
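Review bot: The added `allow crond_t system_cron_spool_t:file manage_file_perms;` is inserted between the two lines of one comment ("Run the rpm program ... Allow creation of RPM log files" / "via redirection of standard out."), so the comment no longer reads as a sentence and appears to describe the new rule. The rule is also about `crond_t`, while this section is the system cron job domain. I would move it above the comment, or into the crond_t section's `distro_redhat` block, with its own line such as `# crond rewrites system crontabs on Red Hat - TODO confirm reason`.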
@@ -439,6 +508,8 @@ optional_policy(`
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
+ apache_delete_cache_dirs(system_cronjob_t)
+ apache_delete_cache_files(system_cronjob_t)
')
optional_policy(`
@@ -446,6 +517,14 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_bus_client(system_cronjob_t)
+')
+
+optional_policy(`
+ exim_read_spool_files(system_cronjob_t)
+')
+
+optional_policy(`
ftp_read_log(system_cronjob_t)
')
@@ -456,15 +535,24 @@ optional_policy(`
')
optional_policy(`
+ livecd_read_tmp_files(system_cronjob_t)
+')
+
+optional_policy(`
lpd_list_spool(system_cronjob_t)
')
optional_policy(`
+ mono_domtrans(system_cronjob_t)
+')
+
+optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
')
optional_policy(`
mta_send_mail(system_cronjob_t)
+ mta_system_content(system_cron_spool_t)
')
optional_policy(`
@@ -480,7 +568,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
- prelink_relabelfrom_lib(system_cronjob_t)
+ prelink_relabel_lib(system_cronjob_t)
')
optional_policy(`
@@ -495,6 +583,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
+ spamassassin_manage_home_client(system_cronjob_t)
')
optional_policy(`
@@ -502,7 +591,13 @@ optional_policy(`
')
optional_policy(`
+ unconfined_domain(crond_t)
unconfined_domain(system_cronjob_t)
+')
+
+optional_policy(`
+ unconfined_shell_domtrans(crond_t)
+ unconfined_dbus_send(crond_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
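Review bot: `unconfined_domain(crond_t)` makes the cron daemon itself unconfined on every system where the unconfined module is installed; previously only `system_cronjob_t` was. The definition of `unconfined_domain` is not on this page, but if it does what its name says, the fine-grained crond_t rules in this file stop constraining anything on those systems. That includes the `self:process ~{ ptrace setcurrent ... }` exclusion list. The same hunk already adds `unconfined_shell_domtrans(crond_t)`, which lets jobs run unconfined while the daemon stays confined, so I would drop the `unconfined_domain(crond_t)` line or document why both are needed.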
@@ -595,9 +690,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
-tunable_policy(`fcron_crond', `
+tunable_policy(`fcron_crond',`
allow crond_t user_cron_spool_t:file manage_file_perms;
')
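Review bot: `allow crond_t user_cron_spool_t:file manage_lnk_file_perms;` applies a permission set meant for class `lnk_file` to class `file`. Whatever create/write/unlink permissions that set contains are therefore granted on regular user crontab files unconditionally, which undercuts the `fcron_crond` tunable just below that is supposed to gate `manage_file_perms` on the same type. If symlink management is what was intended, the rule should be `allow crond_t user_cron_spool_t:lnk_file manage_lnk_file_perms;`. The added `rw_dirs_pattern` line likewise deserves a comment saying why crond needs to modify the user spool directory.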
diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
index 1b492ed..76480c2 100644
--- a/policy/modules/services/cups.fc
+++ b/policy/modules/services/cups.fc
@@ -56,6 +56,7 @@
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
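Review bot: `/usr/lib/bjlib(/.*)?` is labelled `cupsd_rw_etc_t`, a type that cups.te lets `cupsd_t` manage (`manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)`), so this labels a tree under /usr/lib with a daemon-writable type. If that directory holds libraries or filters that the print stack loads (not visible here), a read-only type for the code and the writable type only for the files that change would be safer. The entry is also the only one in this block using `mls_systemhigh`, and it sits among the /var/lib paths. A comment such as `# Canon bjlib state files written by cupsd - TODO confirm` and a move to the /usr section would make the intent clear.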
@@ -64,10 +65,16 @@
/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/usr/local/Brother/fax/.*\.log gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index 305ddf4..777091a 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -190,10 +190,12 @@ interface(`cups_dbus_chat_config',`
interface(`cups_read_config',`
gen_require(`
type cupsd_etc_t, cupsd_rw_etc_t;
+ type hplip_etc_t;
')
files_search_etc($1)
read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
')
@@ -314,11 +316,10 @@ interface(`cups_stream_connect_ptal',`
interface(`cups_admin',`
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
- type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
- type cupsd_var_run_t, ptal_etc_t;
- type ptal_var_run_t, hplip_var_run_t;
- type cupsd_initrc_exec_t;
+ type cupsd_etc_t, cupsd_log_t, hplip_etc_t;
+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t;
+ type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t;
+ type ptal_var_run_t;
')
allow $1 cupsd_t:process { ptrace signal_perms };
@@ -341,15 +342,14 @@ interface(`cups_admin',`
admin_pattern($1, cupsd_lpd_var_run_t)
- admin_pattern($1, cupsd_spool_t)
- files_list_spool($1)
-
admin_pattern($1, cupsd_tmp_t)
files_list_tmp($1)
admin_pattern($1, cupsd_var_run_t)
files_list_pids($1)
+ admin_pattern($1, hplip_etc_t)
+
admin_pattern($1, hplip_var_run_t)
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 0f28095..1c96265 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
type cupsd_t;
type cupsd_exec_t;
init_daemon_domain(cupsd_t, cupsd_exec_t)
+mls_trusted_object(cupsd_t)
type cupsd_etc_t;
files_config_file(cupsd_etc_t)
@@ -123,6 +124,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
files_search_etc(cupsd_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
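Review bot: `can_exec(cupsd_t, cupsd_interface_t)` directly follows `manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)`, so cupsd_t can now create or modify files of a type and then execute them in its own domain. That removes the write/execute separation for this type. If the interface scripts only need to be run, read and execute access would be enough for the daemon, with write left to the admin or config domain. If cupsd really must write them, a transition to a narrower domain on exec would limit what they can do. Either way, add a comment stating which scripts these are.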
@@ -137,6 +139,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
allow cupsd_t cupsd_lock_t:file manage_file_perms;
files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
+manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
allow cupsd_t cupsd_log_t:dir setattr;
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
@@ -146,11 +149,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
-allow cupsd_t cupsd_var_run_t:dir setattr;
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
+manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
-files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file })
+files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir file fifo_file })
allow cupsd_t hplip_t:process { signal sigkill };
@@ -159,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
-allow cupsd_t ptal_var_run_t : sock_file setattr;
+allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
@@ -270,12 +274,6 @@ files_dontaudit_list_home(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
-# Write to /var/spool/cups.
-lpd_manage_spool(cupsd_t)
-lpd_read_config(cupsd_t)
-lpd_exec_lpr(cupsd_t)
-lpd_relabel_spool(cupsd_t)
-
optional_policy(`
apm_domtrans_client(cupsd_t)
')
@@ -297,8 +295,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
+ # talk to processes that do not have policy
optional_policy(`
unconfined_dbus_chat(cupsd_t)
+ files_write_generic_pid_pipes(cupsd_t)
')
')
@@ -315,6 +315,14 @@ optional_policy(`
')
optional_policy(`
+ # Write to /var/spool/cups.
+ lpd_manage_spool(cupsd_t)
+ lpd_read_config(cupsd_t)
+ lpd_exec_lpr(cupsd_t)
+ lpd_relabel_spool(cupsd_t)
+')
+
+optional_policy(`
mta_send_mail(cupsd_t)
')
@@ -371,8 +379,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
+manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
-files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
+files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
@@ -425,11 +434,10 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
+userdom_rw_user_tmp_files(cupsd_config_t)
cups_stream_connect(cupsd_config_t)
-lpd_read_config(cupsd_config_t)
-
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
@@ -453,6 +461,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(cupsd_config_t)
+')
+
+optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
@@ -467,6 +479,10 @@ optional_policy(`
')
optional_policy(`
+ lpd_read_config(cupsd_config_t)
+')
+
+optional_policy(`
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
@@ -587,13 +603,17 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
+miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t)
+userdom_dontaudit_search_admin_dir(cups_pdf_t)
-lpd_manage_spool(cups_pdf_t)
-
+optional_policy(`
+ lpd_manage_spool(cups_pdf_t)
+')
tunable_policy(`use_nfs_home_dirs',`
fs_search_auto_mountpoints(cups_pdf_t)
@@ -606,6 +626,10 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(cups_pdf_t)
')
+optional_policy(`
+ gnome_read_config(cups_pdf_t)
+')
+
########################################
#
# HPLIP local policy
@@ -639,7 +663,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
+files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
@@ -685,6 +709,7 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
+files_dontaudit_write_usr_dirs(hplip_t)
logging_send_syslog_msg(hplip_t)
@@ -696,8 +721,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
-lpd_read_config(hplip_t)
-lpd_manage_spool(hplip_t)
+optional_policy(`
+ lpd_read_config(hplip_t)
+ lpd_manage_spool(hplip_t)
+')
optional_policy(`
dbus_system_bus_client(hplip_t)
diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
index c43ff4c..a9783e3 100644
--- a/policy/modules/services/cvs.if
+++ b/policy/modules/services/cvs.if
@@ -1,5 +1,23 @@
## Concurrent versions system
+######################################
+##
+## Dontaudit Attempts to list the CVS data and metadata.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cvs_dontaudit_list_data',`
+ gen_require(`
+ type cvs_data_t;
+ ')
+
+ dontaudit $1 cvs_data_t:dir list_dir_perms;
+')
+
########################################
##
## Read the CVS data and metadata.
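Review bot: The doc header of the new `cvs_dontaudit_list_data` interface describes its parameter as "Domain allowed access.", but the body is a `dontaudit` rule and grants nothing. The parameter text should read `## Domain to not audit.` and the summary `## Do not audit attempts to list the CVS data and metadata.`. The wrong wording matters because generated interface documentation is what policy authors read when deciding which interface to call. The `#` banner line is also shorter than the one on the next interface.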
@@ -58,9 +76,8 @@ interface(`cvs_exec',`
#
interface(`cvs_admin',`
gen_require(`
- type cvs_t, cvs_tmp_t;
+ type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
type cvs_data_t, cvs_var_run_t;
- type cvs_initrc_exec_t;
')
allow $1 cvs_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 88e7e97..e18dc0b 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -6,9 +6,9 @@ policy_module(cvs, 1.9.0)
#
##
-##
-## Allow cvs daemon to read shadow
-##
+##
+## Allow cvs daemon to read shadow
+##
##
gen_tunable(allow_cvs_read_shadow, false)
@@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t)
# Local policy
#
+allow cvs_t self:capability { setuid setgid };
allow cvs_t self:process signal_perms;
allow cvs_t self:fifo_file rw_fifo_file_perms;
allow cvs_t self:tcp_socket connected_stream_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow cvs_t self:capability { setuid setgid };
manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
@@ -112,4 +112,5 @@ optional_policy(`
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
diff --git a/policy/modules/services/cyphesis.if b/policy/modules/services/cyphesis.if
index 9d44538..7e9057e 100644
--- a/policy/modules/services/cyphesis.if
+++ b/policy/modules/services/cyphesis.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run cyphesis.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`cyphesis_domtrans',`
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index e182bf4..aab657c 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
# Local policy
#
-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource };
dontaudit cyrus_t self:capability sys_tty_config;
allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow cyrus_t self:process setrlimit;
@@ -119,6 +119,10 @@ optional_policy(`
')
optional_policy(`
+ dirsrv_stream_connect(cyrus_t)
+')
+
+optional_policy(`
kerberos_keytab_template(cyrus, cyrus_t)
')
@@ -135,6 +139,7 @@ optional_policy(`
')
optional_policy(`
+ files_dontaudit_write_usr_dirs(cyrus_t)
snmp_read_snmp_var_lib_files(cyrus_t)
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
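Review bot: `files_dontaudit_write_usr_dirs(cyrus_t)` is added inside the optional block that otherwise holds only snmp_* calls, so the dontaudit takes effect only when the snmp module is present. It is a files-layer interface with no visible dependency on snmp. Unless the denial is known to come from the snmp library path, move it out to the domain's other `files_*` calls; if it is snmp-specific, add a one-line comment saying so. The optional_policy block is closed outside this hunk.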
diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
index a8b93c0..831ce70 100644
--- a/policy/modules/services/dante.te
+++ b/policy/modules/services/dante.te
@@ -10,7 +10,7 @@ type dante_exec_t;
init_daemon_domain(dante_t, dante_exec_t)
type dante_conf_t;
-files_type(dante_conf_t)
+files_config_file(dante_conf_t)
type dante_var_run_t;
files_pid_file(dante_var_run_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 0d5711c..85a1dc0 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
template(`dbus_role_template',`
gen_require(`
class dbus { send_msg acquire_svc };
-
- attribute session_bus_type;
+ attribute dbusd_unconfined, session_bus_type;
type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+ type $1_t;
')
##############################
@@ -52,8 +52,7 @@ template(`dbus_role_template',`
#
type $1_dbusd_t, session_bus_type;
- domain_type($1_dbusd_t)
- domain_entry_file($1_dbusd_t, dbusd_exec_t)
+ application_domain($1_dbusd_t, dbusd_exec_t)
ubac_constrained($1_dbusd_t)
role $2 types $1_dbusd_t;
@@ -62,8 +61,9 @@ template(`dbus_role_template',`
# Local policy
#
+ dontaudit $1_dbusd_t self:capability sys_resource;
allow $1_dbusd_t self:process { getattr sigkill signal };
- dontaudit $1_dbusd_t self:process ptrace;
+ dontaudit $1_dbusd_t self:process { ptrace setrlimit };
allow $1_dbusd_t self:file { getattr read write };
allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
@@ -76,7 +76,7 @@ template(`dbus_role_template',`
allow $3 $1_dbusd_t:unix_stream_socket connectto;
# SE-DBus specific permissions
- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
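Review bot: Adding `dbusd_unconfined` as a source in `allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };` looks redundant. `$1_dbusd_t` is declared with the `session_bus_type` attribute earlier in this template, and dbus.te already carries `allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;`. Keeping the grant in one place makes it easier to audit what unconfined D-Bus peers can do; the line could stay `allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };`. The template body begins and ends outside this hunk.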
@@ -88,14 +88,16 @@ template(`dbus_role_template',`
files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
- allow $3 $1_dbusd_t:process { signull sigkill signal };
+
+ ps_process_pattern($3, $1_dbusd_t)
+ allow $3 $1_dbusd_t:process { ptrace signal_perms };
# cjp: this seems very broken
- corecmd_bin_domtrans($1_dbusd_t, $3)
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
+ corecmd_shell_domtrans($1_dbusd_t, $1_t)
allow $1_dbusd_t $3:process sigkill;
allow $3 $1_dbusd_t:fd use;
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
- allow $3 $1_dbusd_t:process sigchld;
kernel_read_system_state($1_dbusd_t)
kernel_read_kernel_sysctls($1_dbusd_t)
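Review bot: `allow $3 $1_dbusd_t:process { ptrace signal_perms };` widens the user domain's control over its session bus daemon from three signals to every signal plus ptrace, and nothing in the hunk says what needs ptrace. Reading process state is presumably already covered by the `ps_process_pattern($3, $1_dbusd_t)` line added just above, so if only signalling is required the rule can be `allow $3 $1_dbusd_t:process signal_perms;`. The existing `# cjp: this seems very broken` comment now sits above the rewritten `corecmd_bin_domtrans`/`corecmd_shell_domtrans` pair; either remove it or replace it with a comment explaining why `$1_t` is the right transition target. The template starts and ends outside this hunk.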
@@ -116,7 +118,7 @@ template(`dbus_role_template',`
dev_read_urand($1_dbusd_t)
- domain_use_interactive_fds($1_dbusd_t)
+ domain_use_interactive_fds($1_dbusd_t)
domain_read_all_domains_state($1_dbusd_t)
files_read_etc_files($1_dbusd_t)
@@ -147,19 +149,27 @@ template(`dbus_role_template',`
seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t)
- term_use_all_terms($1_dbusd_t)
+ term_use_all_inherited_terms($1_dbusd_t)
- userdom_read_user_home_content_files($1_dbusd_t)
+ userdom_dontaudit_search_admin_dir($1_dbusd_t)
+ userdom_manage_user_home_content_dirs($1_dbusd_t)
+ userdom_manage_user_home_content_files($1_dbusd_t)
+ userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })
- ifdef(`hide_broken_symptoms', `
+ ifdef(`hide_broken_symptoms',`
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
')
optional_policy(`
+ gnome_read_gconf_home_files($1_dbusd_t)
+ ')
+
+ optional_policy(`
hal_dbus_chat($1_dbusd_t)
')
optional_policy(`
+ xserver_search_xdm_lib($1_dbusd_t)
xserver_use_xdm_fds($1_dbusd_t)
xserver_rw_xdm_pipes($1_dbusd_t)
')
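Review bot: This hunk moves the session bus daemon from read-only access to user home content to full management (`userdom_manage_user_home_content_dirs`, `userdom_manage_user_home_content_files`, plus a home-dir file transition), with no comment naming what the daemon writes there. That is a considerable widening for a domain every session client talks to. If the need is a specific directory, a dedicated type with its own filetrans would keep the rest of the home content read-only; at minimum add a comment such as `# dbus-daemon writes <what> under $HOME — confirm and narrow`. The template starts and ends outside this hunk.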
@@ -181,10 +191,12 @@ interface(`dbus_system_bus_client',`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
+ attribute dbusd_unconfined;
')
# SE-DBus specific permissions
allow $1 { system_dbusd_t self }:dbus send_msg;
+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
@@ -197,6 +209,34 @@ interface(`dbus_system_bus_client',`
#######################################
##
+## Creating connections to specified
+## DBUS sessions.
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_session_client',`
+ gen_require(`
+ class dbus send_msg;
+ type $1_dbusd_t;
+ ')
+
+ allow $2 $1_dbusd_t:fd use;
+ allow $2 { $1_dbusd_t self }:dbus send_msg;
+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
+')
+
+#######################################
+##
## Template for creating connections to
## a user DBUS.
##
@@ -217,6 +257,8 @@ interface(`dbus_session_bus_client',`
# For connecting to the bus
allow $1 session_bus_type:unix_stream_socket connectto;
+
+ allow session_bus_type $1:process sigkill;
')
########################################
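Review bot: `allow session_bus_type $1:process sigkill;` grants a permission in the reverse direction of what `dbus_session_bus_client` advertises. Every session bus domain gains the ability to kill each domain that calls this client interface, and neither the rule nor the interface summary mentions it. Add a comment above the rule stating which bus behaviour needs it, and note the reverse grant in the interface's summary so callers know what they are accepting. The interface's gen_require and header lie outside this hunk, so whether `session_bus_type` is already required could not be checked from here.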
@@ -431,14 +473,28 @@ interface(`dbus_system_domain',`
domtrans_pattern(system_dbusd_t, $2, $1)
+ fs_search_all($1)
+
dbus_system_bus_client($1)
dbus_connect_system_bus($1)
+ init_stream_connect($1)
+ init_dgram_send($1)
+
ps_process_pattern(system_dbusd_t, $1)
+ userdom_dontaudit_search_admin_dir($1)
userdom_read_all_users_state($1)
- ifdef(`hide_broken_symptoms', `
+ optional_policy(`
+ rpm_script_dbus_chat($1)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_send($1)
+ ')
+
+ ifdef(`hide_broken_symptoms',`
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
')
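Review bot: `fs_search_all($1)`, `init_stream_connect($1)`, `init_dgram_send($1)` and the `unconfined_dbus_send($1)` optional block are added to `dbus_system_domain`, so every domain that uses this interface picks them up, and none of them carries a comment. Template-wide grants are hard to audit later because the reason is not tied to any one service. A short why-comment per group would help (for example, what on the init socket the activated services need), and `fs_search_all` in particular should be justified or replaced by the specific `fs_search_*` interfaces actually hit in the denials. The interface begins outside this hunk.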
@@ -497,3 +553,23 @@ interface(`dbus_unconfined',`
typeattribute $1 dbusd_unconfined;
')
+
+########################################
+##
+## Delete all dbus pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_delete_pid_files',`
+ gen_require(`
+ type system_dbusd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 86d09b4..8e05351 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -36,6 +36,7 @@ files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
+init_sock_file(system_dbusd_var_run_t)
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
@@ -52,9 +53,9 @@ ifdef(`enable_mls',`
# dac_override: /var/run/dbus is owned by messagebus on Debian
# cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
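Review bot: `sys_resource` and `setrlimit` are granted to `system_dbusd_t` here without a comment, while the session bus template in dbus.if only dontaudits the same pair. The existing comment above the capability rule explains `dac_override`; the new capability deserves the same treatment, e.g. `# sys_resource/setrlimit: <reason, such as raising the fd limit> — confirm`. If the daemon works without raising limits, a dontaudit as in the session template would keep the system bus narrower.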
@@ -74,9 +75,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file)
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
@@ -111,6 +113,8 @@ auth_read_pam_console_data(system_dbusd_t)
corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
+# needed for system-tools-backends
+corecmd_exec_shell(system_dbusd_t)
domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)
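Review bot: `corecmd_exec_shell(system_dbusd_t)` lets the system bus daemon run a shell in its own domain, so whatever that shell starts keeps the capabilities granted to `system_dbusd_t` in this file (`dac_override`, `setuid`, `setgid`, `setpcap`). The comment ties the need to system-tools-backends only. If that service has or can get its own domain, a domain transition into it would confine the shell use to that service; otherwise expand the comment to say what is executed, so the grant can be revisited.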
@@ -121,7 +125,9 @@ files_read_usr_files(system_dbusd_t)
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
+init_bin_domtrans_spec(system_dbusd_t)
init_domtrans_script(system_dbusd_t)
+init_rw_stream_sockets(system_dbusd_t)
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
@@ -141,10 +147,18 @@ optional_policy(`
')
optional_policy(`
+ gnome_exec_gconf(system_dbusd_t)
+')
+
+optional_policy(`
cpufreqselector_dbus_chat(system_dbusd_t)
')
optional_policy(`
+ networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
@@ -162,5 +176,12 @@ optional_policy(`
#
# Unconfined access to this module
#
-
allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
+
+optional_policy(`
+ xserver_use_xdm_fds(session_bus_type)
+ xserver_rw_xdm_pipes(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
+')
diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
index 784753e..bf65e7d 100644
--- a/policy/modules/services/dcc.if
+++ b/policy/modules/services/dcc.if
@@ -168,6 +168,6 @@ interface(`dcc_stream_connect_dccifd',`
type dcc_var_t, dccifd_var_run_t, dccifd_t;
')
- files_search_var($1)
+ files_search_pids($1)
stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
')
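Review bot: Replacing `files_search_var($1)` with `files_search_pids($1)` may leave callers unable to reach the socket, because the directory type passed to `stream_connect_pattern` on the next line is still `dcc_var_t`, not a pid-directory type. If the dccifd socket lives under the dcc_var_t tree, the `/var` search is still needed and both calls should be present; if it has moved under the pid directory, the pattern's directory argument should change as well. The interface's header and the start of its gen_require are outside this hunk.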
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index ec19ff4..2f84017 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@@ -36,7 +36,7 @@ type dcc_var_t;
files_type(dcc_var_t)
type dcc_var_run_t;
-files_type(dcc_var_run_t)
+files_pid_file(dcc_var_run_t)
type dccd_t;
type dccd_exec_t;
@@ -110,7 +110,7 @@ logging_send_syslog_msg(cdcc_t)
miscfiles_read_localization(cdcc_t)
-userdom_use_user_terminals(cdcc_t)
+userdom_use_inherited_user_terminals(cdcc_t)
########################################
#
@@ -152,7 +152,7 @@ logging_send_syslog_msg(dcc_client_t)
miscfiles_read_localization(dcc_client_t)
-userdom_use_user_terminals(dcc_client_t)
+userdom_use_inherited_user_terminals(dcc_client_t)
optional_policy(`
amavis_read_spool_files(dcc_client_t)
@@ -197,7 +197,7 @@ logging_send_syslog_msg(dcc_dbclean_t)
miscfiles_read_localization(dcc_dbclean_t)
-userdom_use_user_terminals(dcc_dbclean_t)
+userdom_use_inherited_user_terminals(dcc_dbclean_t)
########################################
#
diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if
index 0a1a61b..da508f4 100644
--- a/policy/modules/services/ddclient.if
+++ b/policy/modules/services/ddclient.if
@@ -64,8 +64,8 @@ interface(`ddclient_run',`
interface(`ddclient_admin',`
gen_require(`
type ddclient_t, ddclient_etc_t, ddclient_log_t;
- type ddclient_var_t, ddclient_var_lib_t;
- type ddclient_var_run_t, ddclient_initrc_exec_t;
+ type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t;
+ type ddclient_var_run_t;
')
allow $1 ddclient_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index 24ba98a..b8d064a 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
type ddclient_log_t;
logging_log_file(ddclient_log_t)
+type ddclient_tmp_t;
+files_tmp_file(ddclient_tmp_t)
+
type ddclient_var_t;
files_type(ddclient_var_t)
@@ -37,12 +40,17 @@ allow ddclient_t self:process signal_perms;
allow ddclient_t self:fifo_file rw_fifo_file_perms;
allow ddclient_t self:tcp_socket create_socket_perms;
allow ddclient_t self:udp_socket create_socket_perms;
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
-allow ddclient_t ddclient_etc_t:file read_file_perms;
+read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
+setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
allow ddclient_t ddclient_log_t:file manage_file_perms;
logging_log_filetrans(ddclient_t, ddclient_log_t, file)
+manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t)
+files_tmp_filetrans(ddclient_t, ddclient_tmp_t, { file })
+
manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
@@ -62,6 +70,7 @@ kernel_read_software_raid_state(ddclient_t)
kernel_getattr_core_if(ddclient_t)
kernel_getattr_message_if(ddclient_t)
kernel_read_kernel_sysctls(ddclient_t)
+kernel_search_network_sysctl(ddclient_t)
corecmd_exec_shell(ddclient_t)
corecmd_exec_bin(ddclient_t)
@@ -74,6 +83,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
corenet_udp_sendrecv_generic_node(ddclient_t)
corenet_tcp_sendrecv_all_ports(ddclient_t)
corenet_udp_sendrecv_all_ports(ddclient_t)
+corenet_tcp_bind_generic_node(ddclient_t)
+corenet_udp_bind_generic_node(ddclient_t)
corenet_tcp_connect_all_ports(ddclient_t)
corenet_sendrecv_all_client_packets(ddclient_t)
@@ -89,6 +100,8 @@ files_read_usr_files(ddclient_t)
fs_getattr_all_fs(ddclient_t)
fs_search_auto_mountpoints(ddclient_t)
+mta_send_mail(ddclient_t)
+
logging_send_syslog_msg(ddclient_t)
miscfiles_read_localization(ddclient_t)
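Review bot: `mta_send_mail(ddclient_t)` is called unconditionally, which makes the ddclient module depend on the mta module being built. Elsewhere in this same patch the hplip policy's `lpd_read_config`/`lpd_manage_spool` calls are moved into an optional_policy block for exactly this reason. Wrapping `mta_send_mail(ddclient_t)` in its own optional_policy block near the end of the file would be consistent with that, unless mta is meant to be a hard dependency here.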
diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if
index 567865f..9c9e65c 100644
--- a/policy/modules/services/denyhosts.if
+++ b/policy/modules/services/denyhosts.if
@@ -13,12 +13,12 @@
## Execute a domain transition to run denyhosts.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
-interface(`denyhosts_domtrans', `
+interface(`denyhosts_domtrans',`
gen_require(`
type denyhosts_t, denyhosts_exec_t;
')
@@ -36,7 +36,7 @@ interface(`denyhosts_domtrans', `
##
##
#
-interface(`denyhosts_initrc_domtrans', `
+interface(`denyhosts_initrc_domtrans',`
gen_require(`
type denyhosts_initrc_exec_t;
')
@@ -59,8 +59,9 @@ interface(`denyhosts_initrc_domtrans', `
## Role allowed access.
##
##
+##
#
-interface(`denyhosts_admin', `
+interface(`denyhosts_admin',`
gen_require(`
type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
type denyhosts_var_log_t, denyhosts_initrc_exec_t;
@@ -74,12 +75,12 @@ interface(`denyhosts_admin', `
role_transition $2 denyhosts_initrc_exec_t system_r;
allow $2 system_r;
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, denyhosts_var_lib_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, denyhosts_var_log_t)
- files_search_locks($1)
+ files_list_locks($1)
admin_pattern($1, denyhosts_var_lock_t)
')
diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
index 8ba9425..b10da2c 100644
--- a/policy/modules/services/denyhosts.te
+++ b/policy/modules/services/denyhosts.te
@@ -25,7 +25,8 @@ logging_log_file(denyhosts_var_log_t)
#
# DenyHosts personal policy.
#
-
+# Bug #588563
+allow denyhosts_t self:capability sys_tty_config;
allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
allow denyhosts_t self:tcp_socket create_socket_perms;
allow denyhosts_t self:udp_socket create_socket_perms;
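Review bot: `allow denyhosts_t self:capability sys_tty_config;` is justified only by `# Bug #588563`, which tells a reader nothing without access to the tracker. Other domains in this patch (`cyrus_t`, `system_dbusd_t`) have `sys_tty_config` dontaudited rather than allowed. Either state in the comment what denyhosts does that needs the capability, or, if the denial is harmless noise, use `dontaudit denyhosts_t self:capability sys_tty_config;` instead.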
@@ -53,20 +54,28 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
corenet_tcp_sendrecv_generic_node(denyhosts_t)
corenet_tcp_bind_generic_node(denyhosts_t)
corenet_tcp_connect_smtp_port(denyhosts_t)
+corenet_tcp_connect_sype_port(denyhosts_t)
corenet_sendrecv_smtp_client_packets(denyhosts_t)
dev_read_urand(denyhosts_t)
files_read_etc_files(denyhosts_t)
+files_read_usr_files(denyhosts_t)
# /var/log/secure
logging_read_generic_logs(denyhosts_t)
+logging_send_syslog_msg(denyhosts_t)
miscfiles_read_localization(denyhosts_t)
+sysnet_dns_name_resolve(denyhosts_t)
sysnet_manage_config(denyhosts_t)
sysnet_etc_filetrans_config(denyhosts_t)
optional_policy(`
cron_system_entry(denyhosts_t, denyhosts_exec_t)
')
+
+optional_policy(`
+ gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc
index 418a5a0..28d9e41 100644
--- a/policy/modules/services/devicekit.fc
+++ b/policy/modules/services/devicekit.fc
@@ -8,7 +8,12 @@
/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+/var/log/pm-powersave\.log -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
+/var/log/pm-suspend\.log -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
+
/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
index f706b99..22b862e 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run devicekit.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`devicekit_domtrans',`
@@ -118,6 +118,44 @@ interface(`devicekit_dbus_chat_power',`
allow devicekit_power_t $1:dbus send_msg;
')
+#######################################
+##
+## Do not audit attempts to write the devicekit
+## log files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`devicekit_dontaudit_rw_log',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
+## Allow the domain to read devicekit_power state files in /proc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_read_state_power',`
+ gen_require(`
+ type devicekit_power_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, devicekit_power_t)
+')
+
########################################
##
## Read devicekit PID files.
@@ -139,22 +177,52 @@ interface(`devicekit_read_pid_files',`
########################################
##
-## All of the rules required to administrate
-## an devicekit environment
+## Do not audit attempts to read
+## devicekit PID files.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
-##
+#
+interface(`devicekit_dontaudit_read_pid_files',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
+')
+
+
+########################################
+##
+## Manage devicekit PID files.
+##
+##
##
-## The role to be allowed to manage the devicekit domain.
+## Domain allowed access.
##
##
-##
+#
+interface(`devicekit_manage_pid_files',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an devicekit environment
+##
+##
##
-## The type of the user terminal.
+## Domain allowed access.
##
##
##
@@ -165,21 +233,21 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
- allow $1 devicekit_t:process { ptrace signal_perms getattr };
+ allow $1 devicekit_t:process { ptrace signal_perms };
ps_process_pattern($1, devicekit_t)
- allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
+ allow $1 devicekit_disk_t:process { ptrace signal_perms };
ps_process_pattern($1, devicekit_disk_t)
- allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
+ allow $1 devicekit_power_t:process { ptrace signal_perms };
ps_process_pattern($1, devicekit_power_t)
admin_pattern($1, devicekit_tmp_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, devicekit_var_lib_t)
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, devicekit_var_run_t)
- files_search_pids($1)
+ files_list_pids($1)
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index f231f17..bf57734 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
type devicekit_var_lib_t;
files_type(devicekit_var_lib_t)
+type devicekit_var_log_t;
+logging_log_file(devicekit_var_log_t)
+
########################################
#
# DeviceKit local policy
@@ -75,10 +78,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+allow devicekit_disk_t devicekit_var_run_t:dir mounton;
manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
+kernel_list_unlabeled(devicekit_disk_t)
kernel_getattr_message_if(devicekit_disk_t)
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
@@ -105,14 +110,17 @@ domain_read_all_domains_state(devicekit_disk_t)
files_dontaudit_read_all_symlinks(devicekit_disk_t)
files_getattr_all_sockets(devicekit_disk_t)
-files_getattr_all_mountpoints(devicekit_disk_t)
+files_getattr_all_dirs(devicekit_disk_t)
files_getattr_all_files(devicekit_disk_t)
+files_getattr_all_pipes(devicekit_disk_t)
+files_manage_boot_dirs(devicekit_disk_t)
files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
files_read_etc_files(devicekit_disk_t)
files_read_etc_runtime_files(devicekit_disk_t)
files_read_usr_files(devicekit_disk_t)
+fs_getattr_all_fs(devicekit_disk_t)
fs_list_inotifyfs(devicekit_disk_t)
fs_manage_fusefs_dirs(devicekit_disk_t)
fs_mount_all_fs(devicekit_disk_t)
@@ -127,7 +135,7 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
-term_use_all_terms(devicekit_disk_t)
+term_use_all_inherited_terms(devicekit_disk_t)
auth_use_nsswitch(devicekit_disk_t)
@@ -178,33 +186,53 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
+#optional_policy(`
+# unconfined_domain(devicekit_t)
+# unconfined_domain(devicekit_power_t)
+# unconfined_domain(devicekit_disk_t)
+#')
+
########################################
#
# DeviceKit-Power local policy
#
allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
-allow devicekit_power_t self:process getsched;
+allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
+logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
+
+manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
+
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
+logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
+
+manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
+manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, dir)
+
+kernel_read_fs_sysctls(devicekit_power_t)
kernel_read_network_state(devicekit_power_t)
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
+kernel_rw_vm_sysctls(devicekit_power_t)
kernel_search_debugfs(devicekit_power_t)
kernel_write_proc_files(devicekit_power_t)
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
-consoletype_exec(devicekit_power_t)
-
domain_read_all_domains_state(devicekit_power_t)
dev_read_input(devicekit_power_t)
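Review bot: The pair `manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)` / `logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)` is added twice in this hunk, once before the tmp rules and again after the var_lib rules. The second copy can be dropped. The hunk also adds a commented-out optional_policy block that would make all three devicekit domains unconfined; commented-out policy of that kind is better left out of the tree, since re-enabling it would silently remove the confinement this file defines.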
@@ -212,21 +240,28 @@ dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_generic_chr_files(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
+dev_read_rand(devicekit_power_t)
+dev_getattr_all_chr_files(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_files(devicekit_power_t)
+files_read_etc_runtime_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
fs_list_inotifyfs(devicekit_power_t)
+fs_getattr_all_fs(devicekit_power_t)
-term_use_all_terms(devicekit_power_t)
+term_use_all_inherited_terms(devicekit_power_t)
auth_use_nsswitch(devicekit_power_t)
miscfiles_read_localization(devicekit_power_t)
+seutil_exec_setfiles(devicekit_power_t)
+
sysnet_read_config(devicekit_power_t)
sysnet_domtrans_ifconfig(devicekit_power_t)
+sysnet_domtrans_dhcpc(devicekit_power_t)
userdom_read_all_users_state(devicekit_power_t)
@@ -235,6 +270,10 @@ optional_policy(`
')
optional_policy(`
+ consoletype_exec(devicekit_power_t)
+')
+
+optional_policy(`
cron_initrc_domtrans(devicekit_power_t)
')
@@ -261,14 +300,21 @@ optional_policy(`
')
optional_policy(`
+ gnome_read_home_config(devicekit_power_t)
+')
+
+optional_policy(`
hal_domtrans_mac(devicekit_power_t)
- hal_manage_log(devicekit_power_t)
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
hal_dbus_chat(devicekit_power_t)
')
optional_policy(`
+ networkmanager_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
@@ -276,9 +322,25 @@ optional_policy(`
')
optional_policy(`
+ modutils_domtrans_insmod(devicekit_power_t)
+')
+
+optional_policy(`
+ mount_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ readahead_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
udev_read_db(devicekit_power_t)
')
optional_policy(`
+ usbmuxd_stream_connect(devicekit_power_t)
+')
+
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
index 767e0c7..7956248 100644
--- a/policy/modules/services/dhcp.fc
+++ b/policy/modules/services/dhcp.fc
@@ -1,8 +1,8 @@
-/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
-/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
+/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
index 5e2cea8..7e129ff 100644
--- a/policy/modules/services/dhcp.if
+++ b/policy/modules/services/dhcp.if
@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
')
sysnet_search_dhcp_state($1)
- allow $1 dhcpd_state_t:file setattr;
+ allow $1 dhcpd_state_t:file setattr_file_perms;
')
########################################
@@ -77,7 +77,7 @@ interface(`dhcpd_initrc_domtrans',`
#
interface(`dhcpd_admin',`
gen_require(`
- type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;
+ type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
type dhcpd_var_run_t, dhcpd_initrc_exec_t;
')
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index d4424ad..2e09383 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -73,6 +73,8 @@ corenet_tcp_connect_all_ports(dhcpd_t)
corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
corenet_sendrecv_pxe_server_packets(dhcpd_t)
corenet_sendrecv_all_client_packets(dhcpd_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t)
+corenet_udp_bind_all_unreserved_ports(dhcpd_t)
dev_read_sysfs(dhcpd_t)
dev_read_rand(dhcpd_t)
@@ -111,6 +113,10 @@ optional_policy(`
')
optional_policy(`
+ cobbler_dontaudit_rw_log(dhcpd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
diff --git a/policy/modules/services/dirsrv-admin.fc b/policy/modules/services/dirsrv-admin.fc
new file mode 100644
index 0000000..2ce40a0
--- /dev/null
+++ b/policy/modules/services/dirsrv-admin.fc
@@ -0,0 +1,11 @@
+/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+
+/usr/lib64/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
+/usr/lib64/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
+
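Review bot: The two CGI entries hard-code `/usr/lib64`, so on a system where the package installs under `/usr/lib` the scripts would not receive `httpd_dirsrvadmin_script_exec_t` and would fall back to a default label. Other file-context specs in this patch use optional groups for such variants (for example `/var/lib/dhcp(3)?/`). The same form works here: `/usr/lib(64)?/dirsrv/cgi-bin(/.*)?` and `/usr/lib(64)?/dirsrv/dsgw-cgi-bin(/.*)?`.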
diff --git a/policy/modules/services/dirsrv-admin.if b/policy/modules/services/dirsrv-admin.if
new file mode 100644
index 0000000..60c81d6
--- /dev/null
+++ b/policy/modules/services/dirsrv-admin.if
@@ -0,0 +1,95 @@
+## Administration Server for Directory Server, dirsrv-admin.
+
+########################################
+##
+## Exec dirsrv-admin programs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_run_exec',`
+ gen_require(`
+ type dirsrvadmin_exec_t;
+ ')
+
+ allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
+ can_exec($1, dirsrvadmin_exec_t)
+')
+
+########################################
+##
+## Exec cgi programs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_run_httpd_script_exec',`
+ gen_require(`
+ type httpd_dirsrvadmin_script_exec_t;
+ ')
+
+ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
+ can_exec($1, httpd_dirsrvadmin_script_exec_t)
+')
+
+########################################
+##
+## Manage dirsrv-adminserver configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_read_config',`
+ gen_require(`
+ type dirsrvadmin_config_t;
+ ')
+
+ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
+')
+
+########################################
+##
+## Manage dirsrv-adminserver configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_manage_config',`
+ gen_require(`
+ type dirsrvadmin_config_t;
+ ')
+
+ allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
+ allow $1 dirsrvadmin_config_t:file manage_file_perms;
+')
+
+########################################
+##
+## Manage dirsrv-adminserver tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrvadmin_manage_tmp',`
+ gen_require(`
+ type dirsrvadmin_tmp_t;
+ ')
+
+ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
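Review bot: The summary above `dirsrvadmin_read_config` reads "Manage dirsrv-adminserver configuration files." although the body only calls `read_files_pattern`. A caller choosing between it and `dirsrvadmin_manage_config` by the documentation gets the wrong impression of what is granted, so the line should be `## Read dirsrv-adminserver configuration files.`. Separately, `dirsrvadmin_run_exec` allows `dirsrvadmin_exec_t:dir search_dir_perms`, but dirsrv-admin.fc in this commit labels only regular files (`--`) with that type, so the dir rule looks unused. It could be replaced by `corecmd_search_bin($1)` if the intent is to reach `/usr/sbin`.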
diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te
new file mode 100644
index 0000000..b7fc006
--- /dev/null
+++ b/policy/modules/services/dirsrv-admin.te
@@ -0,0 +1,100 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
+#
+# Declarations for the daemon
+#
+
+type dirsrvadmin_t;
+type dirsrvadmin_exec_t;
+init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
+role system_r types dirsrvadmin_t;
+
+type dirsrvadmin_config_t;
+files_type(dirsrvadmin_config_t)
+
+type dirsrvadmin_tmp_t;
+files_tmp_file(dirsrvadmin_tmp_t)
+
+########################################
+#
+# Local policy for the daemon
+#
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config };
+
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
+
+kernel_read_system_state(dirsrvadmin_t)
+
+corecmd_exec_bin(dirsrvadmin_t)
+corecmd_read_bin_symlinks(dirsrvadmin_t)
+corecmd_search_bin(dirsrvadmin_t)
+corecmd_shell_entry_type(dirsrvadmin_t)
+
+files_exec_etc_files(dirsrvadmin_t)
+
+libs_exec_ld_so(dirsrvadmin_t)
+
+logging_search_logs(dirsrvadmin_t)
+
+miscfiles_read_localization(dirsrvadmin_t)
+
+# Needed for stop and restart scripts
+dirsrv_read_var_run(dirsrvadmin_t)
+
+optional_policy(`
+ apache_domtrans(dirsrvadmin_t)
+ apache_signal(dirsrvadmin_t)
+')
+
+########################################
+#
+# Local policy for the CGIs
+#
+#
+#
+# Create a domain for the CGI scripts
+
+optional_policy(`
+ apache_content_template(dirsrvadmin)
+
+ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
+ allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
+ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
+
+ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
+
+ corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t)
+ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
+
+ files_search_var_lib(httpd_dirsrvadmin_script_t)
+
+ sysnet_read_config(httpd_dirsrvadmin_script_t)
+
+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+
+ # The CGI scripts must be able to manage dirsrv-admin
+ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
+ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
+ dirsrv_domtrans(httpd_dirsrvadmin_script_t)
+ dirsrv_signal(httpd_dirsrvadmin_script_t)
+ dirsrv_signull(httpd_dirsrvadmin_script_t)
+ dirsrv_manage_log(httpd_dirsrvadmin_script_t)
+ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
+ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
+ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
+ dirsrv_manage_config(httpd_dirsrvadmin_script_t)
+ dirsrv_read_share(httpd_dirsrvadmin_script_t)
+')
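Review bot: The `self:capability` line for `httpd_dirsrvadmin_script_t` gives a domain entered from Apache CGI `setuid setgid chown kill dac_read_search dac_override net_bind_service sys_nice`, with no indication of which script needs which capability. Together with `dirsrv_manage_config`, `dirsrv_manage_var_lib` and `dirsrv_domtrans` further down, a flaw in any one CGI would have wide reach over the directory server. I would split the line and justify each group, e.g. `# setuid/setgid/chown: instance creation runs as the directory user (TODO confirm)`. `dac_override` and `net_bind_service` should be dropped unless an AVC denial shows they are needed. The same applies to `dac_override` on `dirsrvadmin_t` near the top of the file.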
diff --git a/policy/modules/services/dirsrv.fc b/policy/modules/services/dirsrv.fc
new file mode 100644
index 0000000..3aae725
--- /dev/null
+++ b/policy/modules/services/dirsrv.fc
@@ -0,0 +1,20 @@
+/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)
+
+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
+/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
+/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0)
+
+/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
+
+/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
+
+/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
+
+/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0)
+
+/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
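Review bot: The last entry, `/var/log/dirsrv/ldap-agent.log`, leaves the dot unescaped and has no file-type field, unlike `/var/run/ldap-agent\.pid` a few lines above. As a regular expression it matches any character in that position and applies to every object class. For consistency and to match only the intended file, write it as `/var/log/dirsrv/ldap-agent\.log -- gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)`.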
diff --git a/policy/modules/services/dirsrv.if b/policy/modules/services/dirsrv.if
new file mode 100644
index 0000000..9d8f5de
--- /dev/null
+++ b/policy/modules/services/dirsrv.if
@@ -0,0 +1,212 @@
+## policy for dirsrv
+
+########################################
+##
+## Execute a domain transition to run dirsrv.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dirsrv_domtrans',`
+ gen_require(`
+ type dirsrv_t, dirsrv_exec_t;
+ ')
+
+ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit dirsrv_t $1:socket_class_set { read write };
+ ')
+')
+
+
+########################################
+##
+## Allow caller to signal dirsrv.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_signal',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ allow $1 dirsrv_t:process signal;
+')
+
+
+########################################
+##
+## Send a null signal to dirsrv.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_signull',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ allow $1 dirsrv_t:process signull;
+')
+
+#######################################
+##
+## Allow a domain to manage dirsrv logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_manage_log',`
+ gen_require(`
+ type dirsrv_var_log_t;
+ ')
+
+ allow $1 dirsrv_var_log_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_log_t:file manage_file_perms;
+ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
+')
+
+#######################################
+##
+## Allow a domain to manage dirsrv /var/lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_manage_var_lib',`
+ gen_require(`
+ type dirsrv_var_lib_t;
+ ')
+ allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_lib_t:file manage_file_perms;
+')
+
+########################################
+##
+## Connect to dirsrv over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_stream_connect',`
+ gen_require(`
+ type dirsrv_t, dirsrv_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
+')
+
+#######################################
+##
+## Allow a domain to manage dirsrv /var/run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_manage_var_run',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ allow $1 dirsrv_var_run_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_run_t:file manage_file_perms;
+ allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
+')
+
+######################################
+##
+## Allow a domain to create dirsrv pid directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_pid_filetrans',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ # Allow creating a dir in /var/run with this type
+ files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
+#######################################
+##
+## Allow a domain to read dirsrv /var/run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_read_var_run',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ allow $1 dirsrv_var_run_t:dir list_dir_perms;
+ allow $1 dirsrv_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Manage dirsrv configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_manage_config',`
+ gen_require(`
+ type dirsrv_config_t;
+ ')
+
+ allow $1 dirsrv_config_t:dir manage_dir_perms;
+ allow $1 dirsrv_config_t:file manage_file_perms;
+')
+
+########################################
+##
+## Read dirsrv share files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dirsrv_read_share',`
+ gen_require(`
+ type dirsrv_share_t;
+ ')
+
+ allow $1 dirsrv_share_t:dir list_dir_perms;
+ allow $1 dirsrv_share_t:file read_file_perms;
+ allow $1 dirsrv_share_t:lnk_file read;
+')
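Review bot: In `dirsrv_manage_var_run` the socket rule uses the file permission set, `allow $1 dirsrv_var_run_t:sock_file manage_file_perms;`, where the class-specific set is expected: `allow $1 dirsrv_var_run_t:sock_file manage_sock_file_perms;`. Likewise `dirsrv_read_share` grants bare `lnk_file read` where `read_lnk_file_perms` is the usual set. `dirsrv_manage_var_run` and `dirsrv_read_var_run` also omit `files_search_pids($1)`, although `dirsrv_stream_connect` in this same file includes it and the dnsmasq.if hunks of this commit add it to the equivalent pid interfaces. Without it a caller that cannot already search the parent pid directory gets rules it cannot use.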
diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
new file mode 100644
index 0000000..24f776b
--- /dev/null
+++ b/policy/modules/services/dirsrv.te
@@ -0,0 +1,178 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# main daemon
+type dirsrv_t;
+type dirsrv_exec_t;
+domain_type(dirsrv_t)
+init_daemon_domain(dirsrv_t, dirsrv_exec_t)
+
+type dirsrv_snmp_t;
+type dirsrv_snmp_exec_t;
+domain_type(dirsrv_snmp_t)
+init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
+
+type dirsrv_var_lib_t;
+files_type(dirsrv_var_lib_t)
+
+type dirsrv_var_log_t;
+logging_log_file(dirsrv_var_log_t)
+
+type dirsrv_snmp_var_log_t;
+logging_log_file(dirsrv_snmp_var_log_t)
+
+type dirsrv_var_run_t;
+files_pid_file(dirsrv_var_run_t)
+
+type dirsrv_snmp_var_run_t;
+files_pid_file(dirsrv_snmp_var_run_t)
+
+type dirsrv_var_lock_t;
+files_lock_file(dirsrv_var_lock_t)
+
+type dirsrv_config_t;
+files_type(dirsrv_config_t)
+
+type dirsrv_tmp_t;
+files_tmp_file(dirsrv_tmp_t)
+
+type dirsrv_tmpfs_t;
+files_tmpfs_file(dirsrv_tmpfs_t)
+
+type dirsrv_share_t;
+files_type(dirsrv_share_t);
+
+########################################
+#
+# dirsrv local policy
+#
+allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
+allow dirsrv_t self:fifo_file rw_fifo_file_perms;
+allow dirsrv_t self:sem create_sem_perms;
+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+allow dirsrv_t dirsrv_var_log_t:dir { setattr };
+logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })
+
+manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, { file })
+
+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
+
+kernel_read_system_state(dirsrv_t)
+
+corecmd_search_sbin(dirsrv_t)
+
+corenet_all_recvfrom_unlabeled(dirsrv_t)
+corenet_all_recvfrom_netlabel(dirsrv_t)
+corenet_tcp_sendrecv_generic_if(dirsrv_t)
+corenet_tcp_sendrecv_generic_node(dirsrv_t)
+corenet_tcp_sendrecv_all_ports(dirsrv_t)
+corenet_tcp_bind_generic_node(dirsrv_t)
+corenet_tcp_bind_ldap_port(dirsrv_t)
+corenet_tcp_bind_dogtag_port(dirsrv_t)
+corenet_tcp_bind_all_rpc_ports(dirsrv_t)
+corenet_udp_bind_all_rpc_ports(dirsrv_t)
+corenet_tcp_connect_all_ports(dirsrv_t)
+corenet_sendrecv_ldap_server_packets(dirsrv_t)
+corenet_sendrecv_all_client_packets(dirsrv_t)
+
+dev_read_urand(dirsrv_t)
+
+files_read_etc_files(dirsrv_t)
+files_read_usr_symlinks(dirsrv_t)
+
+fs_getattr_all_fs(dirsrv_t)
+
+logging_send_syslog_msg(dirsrv_t)
+
+miscfiles_read_localization(dirsrv_t)
+
+sysnet_dns_name_resolve(dirsrv_t)
+
+optional_policy(`
+ apache_dontaudit_leaks(dirsrv_t)
+')
+
+optional_policy(`
+ kerberos_use(dirsrv_t)
+')
+
+optional_policy(`
+ rpcbind_stream_connect(dirsrv_t)
+')
+
+########################################
+#
+# dirsrv-snmp local policy
+#
+allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
+allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
+
+rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+
+read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
+read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
+files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
+search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
+filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
+
+corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
+
+dev_read_rand(dirsrv_snmp_t)
+dev_read_urand(dirsrv_snmp_t)
+
+domain_use_interactive_fds(dirsrv_snmp_t)
+
+#files_manage_var_files(dirsrv_snmp_t)
+files_read_etc_files(dirsrv_snmp_t)
+files_read_usr_files(dirsrv_snmp_t)
+
+fs_getattr_tmpfs(dirsrv_snmp_t)
+fs_search_tmpfs(dirsrv_snmp_t)
+
+miscfiles_read_localization(dirsrv_snmp_t)
+
+sysnet_read_config(dirsrv_snmp_t)
+sysnet_dns_name_resolve(dirsrv_snmp_t)
+
+optional_policy(`
+ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
+ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
+ snmp_manage_var_lib_dirs(dirsrv_snmp_t)
+ snmp_manage_var_lib_files(dirsrv_snmp_t)
+ snmp_stream_connect(dirsrv_snmp_t)
+')
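Review bot: `corenet_tcp_connect_all_ports(dirsrv_t)` lets the network-facing LDAP daemon open outbound TCP connections to any port, which removes most of the containment value of the domain if ns-slapd is compromised. If the need is replication or chaining to other directory servers, `corenet_tcp_connect_ldap_port(dirsrv_t)` plus any specifically required ports would be tighter; otherwise add a comment naming the feature that requires it. In the snmp block, `snmp_dontaudit_read_snmp_var_lib_files` and `snmp_dontaudit_write_snmp_var_lib_files` sit next to `snmp_manage_var_lib_files` for the same domain, so either the dontaudit pair or the manage grant is unnecessary. The trailing semicolons after `files_type(dirsrv_share_t)` and the `manage_files_pattern(dirsrv_snmp_t, ...)` call should also go.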
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
index 03b5286..fcafa0b 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
@@ -23,9 +23,6 @@ djbdns_daemontools_domain_template(tinydns)
# Local policy for axfrdns component
#
-daemontools_ipc_domain(djbdns_axfrdns_t)
-daemontools_read_svc(djbdns_axfrdns_t)
-
allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
@@ -39,6 +36,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
files_search_var(djbdns_axfrdns_t)
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
########################################
diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc
index dc1056c..bd60100 100644
--- a/policy/modules/services/dkim.fc
+++ b/policy/modules/services/dkim.fc
@@ -7,3 +7,5 @@
/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
+
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
index b886676..ad3210e 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
@@ -6,7 +6,7 @@
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
-/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
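Review bot: The new pattern `/var/log/dnsmasq.* --` is broader than it looks, because `.*` also matches `/`: any regular file under a directory whose name merely starts with `dnsmasq` in `/var/log` would be labelled `dnsmasq_var_log_t`. If the goal is to cover rotated logs such as `dnsmasq.log.1`, `/var/log/dnsmasq[^/]* --` keeps the match inside `/var/log` itself.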
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
index 9bd812b..c808b31 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -101,9 +101,9 @@ interface(`dnsmasq_kill',`
## Read dnsmasq config files.
##
##
-##
+##
## Domain allowed access.
-##
+##
##
#
interface(`dnsmasq_read_config',`
@@ -120,9 +120,9 @@ interface(`dnsmasq_read_config',`
## Write to dnsmasq config files.
##
##
-##
+##
## Domain allowed access.
-##
+##
##
#
interface(`dnsmasq_write_config',`
@@ -144,12 +144,12 @@ interface(`dnsmasq_write_config',`
##
##
#
-#
interface(`dnsmasq_delete_pid_files',`
gen_require(`
type dnsmasq_var_run_t;
')
+ files_search_pids($1)
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
@@ -169,6 +169,7 @@ interface(`dnsmasq_read_pid_files',`
type dnsmasq_var_run_t;
')
+ files_search_pids($1)
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index fdaeeba..df87ba8 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
+manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
-files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
+files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
kernel_read_kernel_sysctls(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)
@@ -88,6 +89,8 @@ logging_send_syslog_msg(dnsmasq_t)
miscfiles_read_localization(dnsmasq_t)
+sysnet_dns_name_resolve(dnsmasq_t)
+
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
@@ -96,7 +99,16 @@ optional_policy(`
')
optional_policy(`
+ cron_manage_pid_files(dnsmasq_t)
+')
+
+optional_policy(`
dbus_system_bus_client(dnsmasq_t)
+ dbus_connect_system_bus(dnsmasq_t)
+')
+
+optional_policy(`
+ ppp_read_pid_files(dnsmasq_t)
')
optional_policy(`
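Review bot: `cron_manage_pid_files(dnsmasq_t)` has no comment, and it is not obvious why a DNS/DHCP daemon should be able to create and delete cron's pid files (judging by the interface name; its body is not in this diff). If this only silences a denial caused by a mislabelled or leaked file, a dontaudit or a fix to the labelling would be safer than a manage grant. If it is really needed, add a line such as `# dnsmasq started from a cron job writes its pid under cron's run dir (TODO confirm)`.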
@@ -114,4 +126,5 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
+ virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
')
diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
index bfc880b..9a1dcba 100644
--- a/policy/modules/services/dovecot.fc
+++ b/policy/modules/services/dovecot.fc
@@ -25,7 +25,7 @@ ifdef(`distro_debian', `
ifdef(`distro_redhat', `
/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
')
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
index e1d7dc5..673f185 100644
--- a/policy/modules/services/dovecot.if
+++ b/policy/modules/services/dovecot.if
@@ -1,5 +1,24 @@
## Dovecot POP and IMAP mail server
+#######################################
+##
+## Connect to dovecot unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dovecot_stream_connect',`
+ gen_require(`
+ type dovecot_t, dovecot_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
+')
+
########################################
##
## Connect to dovecot auth unix domain stream socket.
@@ -9,13 +28,13 @@
## Domain allowed access.
##
##
-##
#
interface(`dovecot_stream_connect_auth',`
gen_require(`
type dovecot_auth_t, dovecot_var_run_t;
')
+ files_search_pids($1)
stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
')
@@ -52,6 +71,7 @@ interface(`dovecot_manage_spool',`
type dovecot_spool_t;
')
+ files_search_spool($1)
manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
')
@@ -93,12 +113,10 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
#
interface(`dovecot_admin',`
gen_require(`
- type dovecot_t, dovecot_etc_t, dovecot_log_t;
- type dovecot_spool_t, dovecot_var_lib_t;
- type dovecot_var_run_t;
-
- type dovecot_cert_t, dovecot_passwd_t;
- type dovecot_initrc_exec_t;
+ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
+ type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
+ type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
+ type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
')
allow $1 dovecot_t:process { ptrace signal_perms };
@@ -112,8 +130,11 @@ interface(`dovecot_admin',`
files_list_etc($1)
admin_pattern($1, dovecot_etc_t)
- logging_list_logs($1)
- admin_pattern($1, dovecot_log_t)
+ files_list_tmp($1)
+ admin_pattern($1, dovecot_auth_tmp_t)
+ admin_pattern($1, dovecot_tmp_t)
+
+ admin_pattern($1, dovecot_keytab_t)
files_list_spool($1)
admin_pattern($1, dovecot_spool_t)
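Review bot: `dovecot_admin` now covers `dovecot_auth_tmp_t` and `dovecot_tmp_t`, but the `dovecot_deliver_tmp_t` type that this same commit declares in dovecot.te is in neither the `gen_require` block nor an `admin_pattern` call. An administrator confined through this interface could therefore not clean up deliver's temporary files. Adding `dovecot_deliver_tmp_t` to the require list and `admin_pattern($1, dovecot_deliver_tmp_t)` next to the other tmp lines would close the gap. The interface body starts and ends outside this hunk.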
@@ -121,6 +142,9 @@ interface(`dovecot_admin',`
files_list_var_lib($1)
admin_pattern($1, dovecot_var_lib_t)
+ logging_search_logs($1)
+ admin_pattern($1, dovecot_var_log_t)
+
files_list_pids($1)
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index cbe14e4..778b174 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
files_tmp_file(dovecot_auth_tmp_t)
type dovecot_cert_t;
-files_type(dovecot_cert_t)
+miscfiles_cert_type(dovecot_cert_t)
type dovecot_deliver_t;
type dovecot_deliver_exec_t;
@@ -26,6 +26,9 @@ domain_type(dovecot_deliver_t)
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
role system_r types dovecot_deliver_t;
+type dovecot_deliver_tmp_t;
+files_tmp_file(dovecot_deliver_tmp_t)
+
type dovecot_etc_t;
files_config_file(dovecot_etc_t)
@@ -56,9 +59,9 @@ files_pid_file(dovecot_var_run_t)
# dovecot local policy
#
-allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
-allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
+allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
allow dovecot_t self:fifo_file rw_fifo_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
@@ -72,7 +75,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
-allow dovecot_t dovecot_etc_t:file read_file_perms;
+allow dovecot_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
files_search_etc(dovecot_t)
can_exec(dovecot_t, dovecot_exec_t)
@@ -94,10 +99,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file })
kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)
@@ -110,6 +116,8 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_generic_node(dovecot_t)
corenet_tcp_bind_mail_port(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
+corenet_tcp_bind_lmtp_port(dovecot_t)
+corenet_tcp_bind_sieve_port(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
corenet_sendrecv_pop_server_packets(dovecot_t)
@@ -159,6 +167,15 @@ optional_policy(`
')
optional_policy(`
+ gnome_manage_data(dovecot_t)
+')
+
+optional_policy(`
+ postfix_manage_private_sockets(dovecot_t)
+ postfix_search_spool(dovecot_t)
+')
+
+optional_policy(`
postgresql_stream_connect(dovecot_t)
')
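Review bot: `gnome_manage_data(dovecot_t)` gives the mail server manage access to GNOME user data (by the interface's name) with no comment explaining the need. The same call is added for `dovecot_deliver_t` in the last hunk of this file. If the cause is mail stored under a user's data directory, say so in a comment and consider whether a narrower search or read interface is enough. `postfix_manage_private_sockets(dovecot_t)` in the next block would benefit from the same one-line justification.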
@@ -179,7 +196,7 @@ optional_policy(`
# dovecot auth local policy
#
-allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
+allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid };
allow dovecot_auth_t self:process { signal_perms getcap setcap };
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
@@ -189,6 +206,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
@@ -235,6 +255,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
+ mysql_read_config(dovecot_auth_t)
+ mysql_tcp_connect(dovecot_auth_t)
')
optional_policy(`
@@ -242,6 +264,8 @@ optional_policy(`
')
optional_policy(`
+ postfix_manage_private_sockets(dovecot_auth_t)
+ postfix_rw_master_pipes(dovecot_deliver_t)
postfix_search_spool(dovecot_auth_t)
')
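Review bot: `postfix_rw_master_pipes(dovecot_deliver_t)` is added inside the optional block of the dovecot auth section, where every other rule targets `dovecot_auth_t`. Either the argument is a typo for `dovecot_auth_t`, or the rule belongs in the deliver section's own `optional_policy`. As written, a reader auditing deliver's privileges will not find it there. Moving it, or fixing the domain, keeps each section a complete statement of what its domain may do.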
@@ -249,23 +273,40 @@ optional_policy(`
#
# dovecot deliver local policy
#
+
+allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
allow dovecot_deliver_t dovecot_t:process signull;
-allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
+
+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+
+manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
+manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
+files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
+
+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
+
kernel_read_all_sysctls(dovecot_deliver_t)
kernel_read_system_state(dovecot_deliver_t)
+corecmd_exec_bin(dovecot_deliver_t)
+
files_read_etc_files(dovecot_deliver_t)
files_read_etc_runtime_files(dovecot_deliver_t)
auth_use_nsswitch(dovecot_deliver_t)
logging_send_syslog_msg(dovecot_deliver_t)
-logging_search_logs(dovecot_auth_t)
+logging_append_all_logs(dovecot_deliver_t)
miscfiles_read_localization(dovecot_deliver_t)
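Review bot: `logging_append_all_logs(dovecot_deliver_t)` lets the delivery agent append to every log type on the system, even though this hunk already adds `append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)` for dovecot's own logs. A process handling untrusted mail that can write to unrelated logs weakens their value as evidence. `logging_search_logs(dovecot_deliver_t)` together with the existing append pattern looks sufficient unless a specific denial shows otherwise. The removed line was `logging_search_logs(dovecot_auth_t)`, so it is worth checking that `dovecot_auth_t` still gets log-directory search from its own section.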
@@ -301,5 +342,15 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ gnome_manage_data(dovecot_deliver_t)
+')
+
+optional_policy(`
mta_manage_spool(dovecot_deliver_t)
+ mta_read_queue(dovecot_deliver_t)
+')
+
+optional_policy(`
+ # Handle sieve scripts
+ sendmail_domtrans(dovecot_deliver_t)
')
diff --git a/policy/modules/services/drbd.fc b/policy/modules/services/drbd.fc
new file mode 100644
index 0000000..f96c4f2
--- /dev/null
+++ b/policy/modules/services/drbd.fc
@@ -0,0 +1,9 @@
+
+/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
+/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
+
+/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
+
+/var/lib/drbd(/.*)? gen_context(system_u:object_r:drbd_var_lib_t,s0)
+
+
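Review bot: The OCF entry is written `/usr/lib/ocf/resource.\d/linbit/drbd`, i.e. any character followed by `\d`. Where `\d` is treated as a digit class this will not match the real `resource.d` directory, so the agent script would not get `drbd_exec_t` and would not transition into `drbd_t`. The intended form is almost certainly `/usr/lib/ocf/resource\.d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)`.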
diff --git a/policy/modules/services/drbd.if b/policy/modules/services/drbd.if
new file mode 100644
index 0000000..63f11d9
--- /dev/null
+++ b/policy/modules/services/drbd.if
@@ -0,0 +1,130 @@
+
+## policy for drbd
+
+########################################
+##
+## Execute a domain transition to run drbd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`drbd_domtrans',`
+ gen_require(`
+ type drbd_t, drbd_exec_t;
+ ')
+
+ domtrans_pattern($1, drbd_exec_t, drbd_t)
+')
+
+########################################
+##
+## Search drbd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`drbd_search_lib',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ allow $1 drbd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read drbd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`drbd_read_lib_files',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## drbd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`drbd_manage_lib_files',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+##
+## Manage drbd lib dirs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`drbd_manage_lib_dirs',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an drbd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`drbd_admin',`
+ gen_require(`
+ type drbd_t;
+ type drbd_var_lib_t;
+ ')
+
+ allow $1 drbd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, drbd_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, drbd_var_lib_t)
+
+')
+
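Review bot: `drbd_admin` documents a second "Role allowed access." parameter, but the body only ever uses `$1`, so callers passing a role get nothing for it. Either drop the role parameter from the header or add the init-script handling that normally consumes it. The interface also leaves out `drbd_lock_t`, which drbd.te declares in this commit, so `admin_pattern($1, drbd_lock_t)` is probably wanted as well. The summary "Manage drbd lib dirs files." on `drbd_manage_lib_dirs` should read "Manage drbd lib directories."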
diff --git a/policy/modules/services/drbd.te b/policy/modules/services/drbd.te
new file mode 100644
index 0000000..1453c54
--- /dev/null
+++ b/policy/modules/services/drbd.te
@@ -0,0 +1,55 @@
+
+policy_module(drbd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type drbd_t;
+type drbd_exec_t;
+init_daemon_domain(drbd_t, drbd_exec_t)
+
+type drbd_var_lib_t;
+files_type(drbd_var_lib_t)
+
+type drbd_lock_t;
+files_lock_file(drbd_lock_t)
+
+########################################
+#
+# drbd local policy
+#
+
+allow drbd_t self:capability net_admin;
+
+allow drbd_t self:capability { kill };
+allow drbd_t self:process { fork };
+
+allow drbd_t self:fifo_file rw_fifo_file_perms;
+allow drbd_t self:unix_stream_socket create_stream_socket_perms;
+allow drbd_t self:netlink_socket create_socket_perms;
+allow drbd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
+manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
+manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
+files_var_lib_filetrans(drbd_t, drbd_var_lib_t, { dir file } )
+
+manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t)
+files_lock_filetrans(drbd_t, drbd_lock_t, file)
+
+can_exec(drbd_t, drbd_exec_t)
+
+kernel_read_system_state(drbd_t)
+
+dev_read_sysfs(drbd_t)
+
+files_read_etc_files(drbd_t)
+
+storage_raw_read_fixed_disk(drbd_t)
+
+miscfiles_read_localization(drbd_t)
+
+sysnet_dns_name_resolve(drbd_t)
+
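Review bot: The local policy section grants `net_admin`, `kill` and `storage_raw_read_fixed_disk(drbd_t)` with no comment saying which drbd operation needs each, and these are the grants a later audit will question first. Raw read on fixed-disk devices in particular lets drbd_t read block contents regardless of the labels on the files stored there, so a one-line rationale belongs above that call, for example `# drbd tools read metadata directly from the backing block device` (wording for the author to confirm). The two capability rules can also be written as one, `allow drbd_t self:capability { kill net_admin };`, which keeps the full capability set visible in a single place.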
diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc
index 298f066..c2570df 100644
--- a/policy/modules/services/exim.fc
+++ b/policy/modules/services/exim.fc
@@ -1,3 +1,6 @@
+
+/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
+
/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
index 6bef7f8..464669c 100644
--- a/policy/modules/services/exim.if
+++ b/policy/modules/services/exim.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run exim.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`exim_domtrans',`
@@ -20,6 +20,24 @@ interface(`exim_domtrans',`
########################################
##
+## Execute exim in the exim domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`exim_initrc_domtrans',`
+ gen_require(`
+ type exim_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, exim_initrc_exec_t)
+')
+
+########################################
+##
## Do not audit attempts to read,
## exim tmp files
##
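Review bot: The summary on `exim_initrc_domtrans` reads "Execute exim in the exim domain", which describes `exim_domtrans` rather than this interface. The body requires only `exim_initrc_exec_t` and calls `init_labeled_script_domtrans`, so it concerns the init script, not the daemon binary. A summary such as `## Execute the exim init script in the init script domain.` would keep the two interfaces distinguishable in the generated documentation.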
@@ -101,9 +119,9 @@ interface(`exim_read_log',`
## exim log files.
##
##
-##
+##
## Domain allowed access.
-##
+##
##
#
interface(`exim_append_log',`
@@ -194,3 +212,46 @@ interface(`exim_manage_spool_files',`
manage_files_pattern($1, exim_spool_t, exim_spool_t)
files_search_spool($1)
')
+
+########################################
+##
+## All of the rules required to administrate
+## an exim environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`exim_admin',`
+ gen_require(`
+ type exim_t, exim_initrc_exec_t, exim_log_t;
+ type exim_tmp_t, exim_spool_t, exim_var_run_t;
+ ')
+
+ allow $1 exim_t:process { ptrace signal_perms };
+ ps_process_pattern($1, exim_t)
+
+ exim_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 exim_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, exim_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, exim_tmp_t)
+
+ files_list_spool($1)
+ admin_pattern($1, exim_spool_t)
+
+ files_list_pids($1)
+ admin_pattern($1, exim_var_run_t)
+')
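Review bot: `allow $1 exim_t:process { ptrace signal_perms };` in `exim_admin` gives every admin domain that calls this interface ptrace over the mail daemon, which means reading and altering its memory, whereas signalling the service needs only `signal_perms`. I would make the default `allow $1 exim_t:process signal_perms;` and grant ptrace separately to the callers that really debug exim. `drbd_admin` earlier in this diff carries the same rule. The role parameter comment could also state that `$2` is allowed `system_r` and gets a role transition on `exim_initrc_exec_t`, since that is the part of the interface that changes roles.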
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index f28f64b..18c3c33 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -6,24 +6,24 @@ policy_module(exim, 1.5.0)
#
##
-##
-## Allow exim to connect to databases (postgres, mysql)
-##
+##
+## Allow exim to connect to databases (postgres, mysql)
+##
##
gen_tunable(exim_can_connect_db, false)
##
-##
-## Allow exim to read unprivileged user files.
-##
+##
+## Allow exim to read unprivileged user files.
+##
##
gen_tunable(exim_read_user_files, false)
##
-##
-## Allow exim to create, read, write, and delete
-## unprivileged user files.
-##
+##
+## Allow exim to create, read, write, and delete
+## unprivileged user files.
+##
##
gen_tunable(exim_manage_user_files, false)
@@ -35,6 +35,9 @@ mta_mailserver_user_agent(exim_t)
application_executable_file(exim_exec_t)
mta_agent_executable(exim_exec_t)
+type exim_initrc_exec_t;
+init_script_file(exim_initrc_exec_t)
+
type exim_log_t;
logging_log_file(exim_log_t)
@@ -171,6 +174,10 @@ optional_policy(`
')
optional_policy(`
+ nagios_search_spool(exim_t)
+')
+
+optional_policy(`
tunable_policy(`exim_can_connect_db',`
mysql_stream_connect(exim_t)
')
@@ -184,6 +191,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
+ procmail_read_home_files(exim_t)
')
optional_policy(`
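Review bot: `procmail_read_home_files(exim_t)` is granted unconditionally, while this file already defines `exim_read_user_files` (default false) to gate exim's access to unprivileged user files. If the files live in user home directories, as the interface name suggests, the grant either belongs under that tunable or needs a comment explaining why it may stay outside it, for example `# exim runs procmail for delivery and reads the recipient's procmail configuration` (to be confirmed by the author). The enclosing `optional_policy` block is only partly inside this hunk.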
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
index f590a1f..87f6bfb 100644
--- a/policy/modules/services/fail2ban.if
+++ b/policy/modules/services/fail2ban.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run fail2ban.
##