selinux-policy/policy-F16.patch
Dan Walsh 3b9467424f Allow logrotate setuid and setgid since logrotate is supposed to do it
Fixes for thumb policy by grift
Add new nfsd ports
Added fix to allow confined apps to execmod on chrome
Add labeling for additional vdsm directories
Allow Exim and Dovecot SASL
Add label for /var/run/nmbd
Add fixes to make virsh and xen working together
Colord executes ls
/var/spool/cron is now labeled as user_cron_spool_t
2011-10-04 10:53:11 -04:00

76969 lines
2.2 MiB

diff --git a/Makefile b/Makefile
index b8486a0..72a53cc 100644
--- a/Makefile
+++ b/Makefile
@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
+SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen
LOADPOLICY ?= $(tc_usrsbindir)/load_policy
SETFILES ?= $(tc_sbindir)/setfiles
XMLLINT ?= $(BINDIR)/xmllint
@@ -248,7 +249,7 @@ seusers := $(appconf)/seusers
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
diff --git a/Rules.modular b/Rules.modular
index 168a14f..c2bf491 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -207,6 +207,7 @@ validate: $(base_pkg) $(mod_pkgs)
@echo "Validating policy linking."
$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
+ $(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output
@echo "Success."
########################################
diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
index 16e8b13..87925e6 100644
--- a/man/man8/httpd_selinux.8
+++ b/man/man8/httpd_selinux.8
@@ -28,9 +28,9 @@ httpd_sys_script_exec_t
.EE
- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
.EX
-httpd_sys_content_rw_t
+httpd_sys_rw_content_t
.EE
-- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
+- Set files with httpd_sys_rw_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
.EX
httpd_sys_content_ra_t
.EE
diff --git a/policy/constraints b/policy/constraints
index 1308871..c994c93 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -107,9 +107,17 @@ constrain process { transition noatsecure siginh rlimitinh }
constrain process dyntransition
(
- u1 == u2 and r1 == r2
+ u1 == u2
+ or ( t1 == can_change_process_identity and t2 == process_user_target )
+);
+
+constrain process dyntransition
+(
+ r1 == r2
+ or ( t1 == can_change_process_identity and t2 == process_user_target )
);
+
# These permissions do not have ubac constraints:
# fork
# setexec
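Review bot: The added `or ( t1 == can_change_process_identity and t2 == process_user_target )` clause in both dyntransition constraints lets a single dyntransition change SELinux user and role at once for any source type carrying the first attribute, which is exactly the boundary these constraints exist to enforce, and nothing in the hunk records why that is acceptable. A comment above the first constraint would make the exemption auditable, e.g. `# <reason>: can_change_process_identity domains may dyntransition to process_user_target types across user and role boundaries`. Because membership in the two attributes now defines the exemption, every typeattribute that assigns them (outside this hunk) deserves the same scrutiny as this hunk.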
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index bf24160..468e0fd 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -862,3 +862,12 @@ inherits database
implement
execute
}
+
+class service
+{
+ start
+ stop
+ status
+ reload
+ kill
+}
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 14a4799..067ecfc 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -131,4 +131,8 @@ class db_view # userspace
class db_sequence # userspace
class db_language # userspace
+# systemd services
+class service
+
+
# FLASK
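Review bot: The new `class service` line is annotated `# systemd services` while the other classes that the kernel does not enforce carry the `# userspace` tag (see `db_sequence` and `db_language` just above), so a reader scanning for userspace-enforced classes will miss it; `class service # userspace (systemd services)` keeps the convention and the information. The two blank lines inserted before `# FLASK` could also be reduced to one.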
diff --git a/policy/global_booleans b/policy/global_booleans
index 111d004..c90e80d 100644
--- a/policy/global_booleans
+++ b/policy/global_booleans
@@ -6,25 +6,10 @@
## <desc>
## <p>
-## Enabling secure mode disallows programs, such as
+## disallow programs, such as
## newrole, from transitioning to administrative
## user domains.
## </p>
## </desc>
gen_bool(secure_mode,false)
-## <desc>
-## <p>
-## Disable transitions to insmod.
-## </p>
-## </desc>
-gen_bool(secure_mode_insmod,false)
-
-## <desc>
-## <p>
-## boolean to determine whether the system permits loading policy, setting
-## enforcing mode, and changing boolean values. Set this to true and you
-## have to reboot to set it back
-## </p>
-## </desc>
-gen_bool(secure_mode_policyload,false)
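Review bot: Dropping secure_mode_policyload removes the only switch that locks out policy loads, enforcing-mode changes and boolean writes on a running system, and the commit message does not mention it; any selinux_* interface elsewhere that still tests the boolean will fail to build, so confirm those callers were updated in the same patch and that the lockdown is provided some other way. The reworded secure_mode description now starts mid-sentence with a lowercase verb; `## Disallow programs, such as` reads correctly with the two lines that follow.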
diff --git a/policy/global_tunables b/policy/global_tunables
index 4705ab6..262b5ba 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -13,21 +13,21 @@ gen_tunable(allow_execheap,false)
## <desc>
## <p>
-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
+## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
## </p>
## </desc>
gen_tunable(allow_execmem,false)
## <desc>
## <p>
-## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
+## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
## </p>
## </desc>
gen_tunable(allow_execmod,false)
## <desc>
## <p>
-## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
+## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
## </p>
## </desc>
gen_tunable(allow_execstack,false)
@@ -68,15 +68,6 @@ gen_tunable(global_ssp,false)
## <desc>
## <p>
-## Allow email client to various content.
-## nfs, samba, removable devices, and user temp
-## files
-## </p>
-## </desc>
-gen_tunable(mail_read_content,false)
-
-## <desc>
-## <p>
## Allow any files/directories to be exported read/write via NFS.
## </p>
## </desc>
@@ -105,9 +96,24 @@ gen_tunable(use_samba_home_dirs,false)
## <desc>
## <p>
+## Support fusefs home directories
+## </p>
+## </desc>
+gen_tunable(use_fusefs_home_dirs,false)
+
+## <desc>
+## <p>
## Allow users to run TCP servers (bind to ports and accept connection from
## the same domain and outside users) disabling this forces FTP passive mode
## and may change other protocols.
## </p>
## </desc>
gen_tunable(user_tcp_server,false)
+
+## <desc>
+## <p>
+## Allow direct login to the console device. Required for System 390
+## </p>
+## </desc>
+gen_tunable(allow_console_login,false)
+
diff --git a/policy/mcs b/policy/mcs
index df8e0fa..ed7a0c1 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -69,16 +69,20 @@ gen_levels(1,mcs_num_cats)
# - /proc/pid operations are not constrained.
mlsconstrain file { read ioctl lock execute execute_no_trans }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
mlsconstrain file { write setattr append unlink link rename }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
mlsconstrain dir { search read ioctl lock }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
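Review bot: The context line `# - /proc/pid operations are not constrained.` at the top of this hunk is no longer accurate once the four file and dir constraints gain the `( t1 != mcsuntrustedproc )` term: a subject in mcsuntrustedproc now needs `h1 dom h2` to read or write objects of type domain, which is how /proc/<pid> entries are labeled. Update it to `# - /proc/pid operations are not constrained, except that mcsuntrustedproc subjects must dominate the target.` Note that the new term only narrows the domain-typed branch; an untrusted type that is also in mcsreadall or mcswriteall still passes, which may or may not be intended.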
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
@@ -101,6 +105,9 @@ mlsconstrain process { ptrace }
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
+mlsconstrain process { signal }
+ (( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
+
#
# MCS policy for SELinux-enabled databases
#
@@ -144,4 +151,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+ (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
+
+# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network node which is acting as the object
+mlsconstrain { node } { recvfrom }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mcsnetwrite ) or
+ ( t1 == unlabeled_t ));
+mlsconstrain { node } { sendto }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mcsnetwrite ));
+
+mlsconstrain packet { send recv }
+ (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
+
') dnl end enable_mcs
diff --git a/policy/modules/admin/acct.if b/policy/modules/admin/acct.if
index e66c296..993a1e9 100644
--- a/policy/modules/admin/acct.if
+++ b/policy/modules/admin/acct.if
@@ -78,3 +78,21 @@ interface(`acct_manage_data',`
manage_files_pattern($1, acct_data_t, acct_data_t)
manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
')
+
+########################################
+## <summary>
+## Dontaudit Attempts to list acct_data directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`acct_dontaudit_list_data',`
+ gen_require(`
+ type acct_data_t;
+ ')
+
+ dontaudit $1 acct_data_t:dir list_dir_perms;
+')
diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te
index 63ef90e..a535b31 100644
--- a/policy/modules/admin/acct.te
+++ b/policy/modules/admin/acct.te
@@ -55,6 +55,8 @@ files_list_usr(acct_t)
# for nscd
files_dontaudit_search_pids(acct_t)
+auth_use_nsswitch(acct_t)
+
init_use_fds(acct_t)
init_use_script_ptys(acct_t)
init_exec_script_files(acct_t)
@@ -77,10 +79,6 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(acct_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(acct_t)
')
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
index 1392679..c94911d 100644
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@@ -206,3 +206,21 @@ interface(`alsa_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
')
+
+########################################
+## <summary>
+## Transition to alsa named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_filetrans_named_content',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
+')
diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
index e3e0701..3fd0282 100644
--- a/policy/modules/admin/amanda.fc
+++ b/policy/modules/admin/amanda.fc
@@ -7,11 +7,11 @@
/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
-/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
-/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
-/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
-/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
+/usr/lib/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
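Review bot: Dropping the `(64)?` alternative means an amanda installed under /usr/lib64/amanda no longer matches any of these entries and would not receive amanda_exec_t or amanda_inetd_exec_t, so amandad launched from inetd would not enter its domain; if the package only ever installs to /usr/lib/amanda on every architecture this is fine, otherwise keep `/usr/lib(64)?/amanda`. The commit message does not state the intent, so a one-line comment in the fc file would save the next reviewer the same question.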
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index 46d467c..53c116c 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -58,7 +58,7 @@ optional_policy(`
#
allow amanda_t self:capability { chown dac_override setuid kill };
-allow amanda_t self:process { setpgid signal };
+allow amanda_t self:process { getsched setsched setpgid signal };
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket create_stream_socket_perms;
allow amanda_t self:unix_dgram_socket create_socket_perms;
@@ -71,6 +71,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
@@ -200,12 +201,14 @@ files_search_pids(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
-fstools_domtrans(amanda_t)
-fstools_signal(amanda_t)
-
logging_search_logs(amanda_recover_t)
miscfiles_read_localization(amanda_recover_t)
-userdom_use_user_terminals(amanda_recover_t)
+userdom_use_inherited_user_terminals(amanda_recover_t)
userdom_search_user_home_content(amanda_recover_t)
+
+optional_policy(`
+ fstools_domtrans(amanda_t)
+ fstools_signal(amanda_t)
+')
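Review bot: The new optional_policy block for `fstools_domtrans(amanda_t)` and `fstools_signal(amanda_t)` is appended at the end of the amanda_recover_t section, where every surrounding rule targets amanda_recover_t, so a reader looking for amanda_t's fstools access in amanda_t's own section will not find it. Moving the block up among the other amanda_t optional_policy blocks keeps the file's per-domain layout; the enclosing section starts outside this hunk.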
diff --git a/policy/modules/admin/amtu.te b/policy/modules/admin/amtu.te
index 057abb0..c75e9e9 100644
--- a/policy/modules/admin/amtu.te
+++ b/policy/modules/admin/amtu.te
@@ -23,7 +23,7 @@ files_read_etc_files(amtu_t)
logging_send_audit_msgs(amtu_t)
-userdom_use_user_terminals(amtu_t)
+userdom_use_inherited_user_terminals(amtu_t)
optional_policy(`
nscd_dontaudit_search_pid(amtu_t)
diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
index e81bdbd..dd1522d 100644
--- a/policy/modules/admin/anaconda.te
+++ b/policy/modules/admin/anaconda.te
@@ -26,10 +26,8 @@ libs_domtrans_ldconfig(anaconda_t)
logging_send_syslog_msg(anaconda_t)
-modutils_domtrans_insmod(anaconda_t)
-modutils_domtrans_depmod(anaconda_t)
-
seutil_domtrans_semanage(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)
userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
@@ -38,6 +36,10 @@ optional_policy(`
')
optional_policy(`
+ modutils_domtrans_insmod(anaconda_t)
+ modutils_domtrans_depmod(anaconda_t)
+')
+optional_policy(`
rpm_domtrans(anaconda_t)
rpm_domtrans_script(anaconda_t)
')
@@ -51,7 +53,7 @@ optional_policy(`
')
optional_policy(`
- unconfined_domain(anaconda_t)
+ unconfined_domain_noaudit(anaconda_t)
')
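Review bot: Replacing `unconfined_domain(anaconda_t)` with `unconfined_domain_noaudit(anaconda_t)` silences the few denials an unconfined domain can still produce, which in this patch are the allow_execmem/allow_execmod/allow_execstack cases that global_tunables says should be reported rather than hidden; the same swap is made for firstboot_t in the firstboot.te hunk. If installer noise was the reason, a comment such as `# noaudit: installer trips memory-protection denials, see <bug ref>` records the trade-off with the reference filled in.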
optional_policy(`
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 4044710..3491c7f 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -121,7 +121,7 @@ fs_getattr_all_fs(apt_t)
term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
-term_use_all_terms(apt_t)
+term_use_all_inherited_terms(apt_t)
libs_exec_ld_so(apt_t)
libs_exec_lib_files(apt_t)
@@ -134,7 +134,7 @@ seutil_use_newrole_fds(apt_t)
sysnet_read_config(apt_t)
-userdom_use_user_terminals(apt_t)
+userdom_use_inherited_user_terminals(apt_t)
# with boolean, for cron-apt and such?
#optional_policy(`
diff --git a/policy/modules/admin/backup.te b/policy/modules/admin/backup.te
index 0bfc958..af95b7a 100644
--- a/policy/modules/admin/backup.te
+++ b/policy/modules/admin/backup.te
@@ -70,7 +70,7 @@ logging_send_syslog_msg(backup_t)
sysnet_read_config(backup_t)
-userdom_use_user_terminals(backup_t)
+userdom_use_inherited_user_terminals(backup_t)
optional_policy(`
cron_system_entry(backup_t, backup_exec_t)
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index 7a6f06f..e117271 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,9 +1,11 @@
-
+/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
-/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/installkernel -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/new-kernel-pkg -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
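Review bot: The new `/sbin/grub.*` pattern widens the match to the grub2 helper binaries under /sbin, but the `/usr/sbin/grub` entry on the last context line keeps the exact-match form, so the same helpers installed under /usr/sbin would not get bootloader_exec_t. If that asymmetry is unintended, `/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)` keeps the two trees consistent; the unescaped dot also matches any single character, which is presumably fine here but differs from the `\.` style used for `lilo\.conf` above.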
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index 63eb96b..17a9f6d 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -19,6 +19,24 @@ interface(`bootloader_domtrans',`
domtrans_pattern($1, bootloader_exec_t, bootloader_t)
')
+######################################
+## <summary>
+## Execute bootloader in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bootloader_exec',`
+ gen_require(`
+ type bootloader_exec_t;
+ ')
+
+ can_exec($1, bootloader_exec_t)
+')
+
########################################
## <summary>
## Execute bootloader interactively and do
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index d3da8f2..9152065 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -23,7 +23,7 @@ role system_r types bootloader_t;
# grub.conf, lilo.conf, etc.
#
type bootloader_etc_t alias etc_bootloader_t;
-files_type(bootloader_etc_t)
+files_config_file(bootloader_etc_t)
#
# The temp file is used for initrd creation;
@@ -116,18 +116,18 @@ init_rw_script_pipes(bootloader_t)
libs_read_lib_files(bootloader_t)
libs_exec_lib_files(bootloader_t)
+auth_use_nsswitch(bootloader_t)
+
logging_send_syslog_msg(bootloader_t)
logging_rw_generic_logs(bootloader_t)
miscfiles_read_localization(bootloader_t)
-modutils_domtrans_insmod_uncond(bootloader_t)
-
seutil_read_bin_policy(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)
-userdom_use_user_terminals(bootloader_t)
+userdom_use_inherited_user_terminals(bootloader_t)
userdom_dontaudit_search_user_home_dirs(bootloader_t)
ifdef(`distro_debian',`
@@ -162,8 +162,10 @@ ifdef(`distro_redhat',`
files_manage_isid_type_blk_files(bootloader_t)
files_manage_isid_type_chr_files(bootloader_t)
- # for mke2fs
- mount_domtrans(bootloader_t)
+ optional_policy(`
+ # for mke2fs
+ mount_domtrans(bootloader_t)
+ ')
optional_policy(`
unconfined_domain(bootloader_t)
@@ -171,6 +173,10 @@ ifdef(`distro_redhat',`
')
optional_policy(`
+ devicekit_dontaudit_read_pid_files(bootloader_t)
+')
+
+optional_policy(`
fstools_exec(bootloader_t)
')
@@ -197,10 +203,7 @@ optional_policy(`
modutils_exec_insmod(bootloader_t)
modutils_exec_depmod(bootloader_t)
modutils_exec_update_mods(bootloader_t)
-')
-
-optional_policy(`
- nscd_socket_use(bootloader_t)
+ modutils_domtrans_insmod_uncond(bootloader_t)
')
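Review bot: Moving `modutils_domtrans_insmod_uncond(bootloader_t)` into this block places it next to `modutils_exec_insmod(bootloader_t)` in the context above, so bootloader_t now has both an execute-without-transition rule and a type_transition on the insmod executable; the transition applies by default and the exec rule only matters when the caller keeps its own context, which is presumably intended but deserves a comment such as `# insmod may run in bootloader_t or transition to insmod_t`. The enclosing optional_policy block opens before this hunk. The `_uncond` variant bypasses any secure_mode_insmod gating, consistent with that boolean being removed from global_booleans in the same patch.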
optional_policy(`
diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
index 2c2cdb6..73b3814 100644
--- a/policy/modules/admin/brctl.if
+++ b/policy/modules/admin/brctl.if
@@ -18,3 +18,28 @@ interface(`brctl_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, brctl_exec_t, brctl_t)
')
+
+#####################################
+## <summary>
+## Execute brctl in the brctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`brctl_run',`
+ gen_require(`
+ type brctl_t, brctl_exec_t;
+ ')
+
+ brctl_domtrans($1)
+ role $2 types brctl_t;
+')
diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
index 9a62a1d..eb017ef 100644
--- a/policy/modules/admin/brctl.te
+++ b/policy/modules/admin/brctl.te
@@ -20,6 +20,11 @@ allow brctl_t self:unix_stream_socket create_stream_socket_perms;
allow brctl_t self:unix_dgram_socket create_socket_perms;
allow brctl_t self:tcp_socket create_socket_perms;
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit brctl_t self:capability sys_module;
+')
+
kernel_request_load_module(brctl_t)
kernel_read_network_state(brctl_t)
kernel_read_sysctl(brctl_t)
diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
index 6b02433..1e28e62 100644
--- a/policy/modules/admin/certwatch.te
+++ b/policy/modules/admin/certwatch.te
@@ -34,8 +34,8 @@ logging_send_syslog_msg(certwatch_t)
miscfiles_read_all_certs(certwatch_t)
miscfiles_read_localization(certwatch_t)
-userdom_use_user_terminals(certwatch_t)
-userdom_dontaudit_list_user_home_dirs(certwatch_t)
+userdom_use_inherited_user_terminals(certwatch_t)
+userdom_dontaudit_list_admin_dir(certwatch_t)
optional_policy(`
apache_exec_modules(certwatch_t)
diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
index 0f57d3b..655d07f 100644
--- a/policy/modules/admin/consoletype.if
+++ b/policy/modules/admin/consoletype.if
@@ -19,10 +19,6 @@ interface(`consoletype_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, consoletype_exec_t, consoletype_t)
-
- ifdef(`hide_broken_symptoms', `
- dontaudit consoletype_t $1:socket_class_set { read write };
- ')
')
########################################
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index cd5e005..50e9ee4 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -47,14 +47,16 @@ fs_list_inotifyfs(consoletype_t)
mls_file_read_all_levels(consoletype_t)
mls_file_write_all_levels(consoletype_t)
-term_use_all_terms(consoletype_t)
+term_use_all_inherited_terms(consoletype_t)
+term_use_ptmx(consoletype_t)
init_use_fds(consoletype_t)
init_use_script_ptys(consoletype_t)
init_use_script_fds(consoletype_t)
init_rw_script_pipes(consoletype_t)
+init_rw_inherited_script_tmp_files(consoletype_t)
-userdom_use_user_terminals(consoletype_t)
+userdom_use_inherited_user_terminals(consoletype_t)
ifdef(`distro_redhat',`
fs_rw_tmpfs_chr_files(consoletype_t)
@@ -79,16 +81,18 @@ optional_policy(`
')
optional_policy(`
+ devicekit_dontaudit_read_pid_files(consoletype_t)
+ devicekit_dontaudit_rw_log(consoletype_t)
+')
+
+optional_policy(`
files_read_etc_files(consoletype_t)
firstboot_use_fds(consoletype_t)
firstboot_rw_pipes(consoletype_t)
')
optional_policy(`
- hal_dontaudit_use_fds(consoletype_t)
- hal_dontaudit_rw_pipes(consoletype_t)
- hal_dontaudit_rw_dgram_sockets(consoletype_t)
- hal_dontaudit_write_log(consoletype_t)
+ hal_dontaudit_leaks(consoletype_t)
')
optional_policy(`
@@ -114,6 +118,7 @@ optional_policy(`
optional_policy(`
userdom_use_unpriv_users_fds(consoletype_t)
+ userdom_dontaudit_rw_dgram_socket(consoletype_t)
')
optional_policy(`
diff --git a/policy/modules/admin/ddcprobe.te b/policy/modules/admin/ddcprobe.te
index 5e062bc..3cbfffb 100644
--- a/policy/modules/admin/ddcprobe.te
+++ b/policy/modules/admin/ddcprobe.te
@@ -42,10 +42,14 @@ libs_read_lib_files(ddcprobe_t)
miscfiles_read_localization(ddcprobe_t)
-modutils_read_module_deps(ddcprobe_t)
-
-userdom_use_user_terminals(ddcprobe_t)
+userdom_use_inherited_user_terminals(ddcprobe_t)
userdom_use_all_users_fds(ddcprobe_t)
-#reh why? this does not seem even necessary to function properly
-kudzu_getattr_exec_files(ddcprobe_t)
+optional_policy(`
+ #reh why? this does not seem even necessary to function properly
+ kudzu_getattr_exec_files(ddcprobe_t)
+')
+
+optional_policy(`
+ modutils_read_module_deps(ddcprobe_t)
+')
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 72bc6d8..9b39fcd 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -19,6 +19,7 @@ dontaudit dmesg_t self:capability sys_tty_config;
allow dmesg_t self:process signal_perms;
+kernel_read_system_state(dmesg_t)
kernel_read_kernel_sysctls(dmesg_t)
kernel_read_ring_buffer(dmesg_t)
kernel_clear_ring_buffer(dmesg_t)
@@ -47,7 +48,13 @@ logging_write_generic_logs(dmesg_t)
miscfiles_read_localization(dmesg_t)
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
-userdom_use_user_terminals(dmesg_t)
+userdom_use_inherited_user_terminals(dmesg_t)
+
+optional_policy(`
+ abrt_cache_append(dmesg_t)
+ abrt_rw_fifo_file(dmesg_t)
+ abrt_manage_pid_files(dmesg_t)
+')
optional_policy(`
seutil_sigchld_newrole(dmesg_t)
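Review bot: `abrt_manage_pid_files(dmesg_t)` grants dmesg_t create, delete and rename on abrt's pid files, which is far more than a dmesg invoked from an abrt hook should need to hand back its output; if abrt.if offers a read or read-write variant for pid files, prefer it, otherwise a comment naming the abrt code path that needs full management would justify the width. The added `abrt_cache_append` and `abrt_rw_fifo_file` rules are scoped appropriately for that use.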
diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te
index d6356b5..5db989e 100644
--- a/policy/modules/admin/dmidecode.te
+++ b/policy/modules/admin/dmidecode.te
@@ -27,4 +27,4 @@ files_list_usr(dmidecode_t)
locallogin_use_fds(dmidecode_t)
-userdom_use_user_terminals(dmidecode_t)
+userdom_use_inherited_user_terminals(dmidecode_t)
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index 6776b69..cae6e96 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -18,7 +18,7 @@ role system_r types dpkg_t;
# lockfile
type dpkg_lock_t;
-files_type(dpkg_lock_t)
+files_lock_file(dpkg_lock_t)
type dpkg_tmp_t;
files_tmp_file(dpkg_tmp_t)
@@ -161,7 +161,7 @@ seutil_manage_bin_policy(dpkg_t)
sysnet_read_config(dpkg_t)
-userdom_use_user_terminals(dpkg_t)
+userdom_use_inherited_user_terminals(dpkg_t)
userdom_use_unpriv_users_fds(dpkg_t)
# transition to dpkg script:
@@ -193,14 +193,19 @@ domain_signull_all_domains(dpkg_t)
files_read_etc_runtime_files(dpkg_t)
files_exec_usr_files(dpkg_t)
miscfiles_read_localization(dpkg_t)
-modutils_domtrans_depmod(dpkg_t)
-modutils_domtrans_insmod(dpkg_t)
seutil_domtrans_loadpolicy(dpkg_t)
seutil_domtrans_setfiles(dpkg_t)
userdom_use_all_users_fds(dpkg_t)
+
optional_policy(`
mta_send_mail(dpkg_t)
')
+
+optional_policy(`
+ modutils_domtrans_depmod(dpkg_t)
+ modutils_domtrans_insmod(dpkg_t)
+')
+
optional_policy(`
usermanage_domtrans_groupadd(dpkg_t)
usermanage_domtrans_useradd(dpkg_t)
@@ -282,7 +287,7 @@ selinux_compute_user_contexts(dpkg_script_t)
storage_raw_read_fixed_disk(dpkg_script_t)
storage_raw_write_fixed_disk(dpkg_script_t)
-term_use_all_terms(dpkg_script_t)
+term_use_all_inherited_terms(dpkg_script_t)
auth_dontaudit_getattr_shadow(dpkg_script_t)
# ideally we would not need this
@@ -299,9 +304,6 @@ logging_send_syslog_msg(dpkg_script_t)
miscfiles_read_localization(dpkg_script_t)
-modutils_domtrans_depmod(dpkg_script_t)
-modutils_domtrans_insmod(dpkg_script_t)
-
seutil_domtrans_loadpolicy(dpkg_script_t)
seutil_domtrans_setfiles(dpkg_script_t)
@@ -321,6 +323,11 @@ optional_policy(`
')
optional_policy(`
+ modutils_domtrans_depmod(dpkg_script_t)
+ modutils_domtrans_insmod(dpkg_script_t)
+')
+
+optional_policy(`
mta_send_mail(dpkg_script_t)
')
diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if
index 8fa451c..f3a67c9 100644
--- a/policy/modules/admin/firstboot.if
+++ b/policy/modules/admin/firstboot.if
@@ -85,6 +85,25 @@ interface(`firstboot_dontaudit_use_fds',`
########################################
## <summary>
+## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firstboot_dontaudit_leaks',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:socket_class_set { read write };
+ dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
## Write to a firstboot unnamed pipe.
## </summary>
## <param name="domain">
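Review bot: The summary of the new `firstboot_dontaudit_leaks` interface reads `dontaudit read and write an leaked file descriptors`; `Do not audit attempts to read and write leaked firstboot sockets and pipes` is grammatical and covers both dontaudit rules in the body. In the second hunk of this file, `firstboot_write_pipes` now also grants `fd use`, which its summary (`Write to a firstboot unnamed pipe`) does not mention; appending `and use inherited firstboot file descriptors` keeps the documentation in step with the rules.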
@@ -98,6 +117,7 @@ interface(`firstboot_write_pipes',`
type firstboot_t;
')
+ allow $1 firstboot_t:fd use;
allow $1 firstboot_t:fifo_file write;
')
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index c4d8998..f808287 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -19,6 +19,9 @@ role system_r types firstboot_t;
type firstboot_etc_t;
files_config_file(firstboot_etc_t)
+type firstboot_tmp_t;
+files_tmp_file(firstboot_tmp_t)
+
########################################
#
# Local policy
@@ -33,6 +36,10 @@ allow firstboot_t self:passwd rootok;
allow firstboot_t firstboot_etc_t:file read_file_perms;
+manage_dirs_pattern(firstboot_t, firstboot_tmp_t, firstboot_tmp_t)
+manage_files_pattern(firstboot_t, firstboot_tmp_t, firstboot_tmp_t)
+files_tmp_filetrans(firstboot_t, firstboot_tmp_t, { dir file })
+
kernel_read_system_state(firstboot_t)
kernel_read_kernel_sysctls(firstboot_t)
@@ -62,6 +69,8 @@ files_read_usr_files(firstboot_t)
files_manage_var_dirs(firstboot_t)
files_manage_var_files(firstboot_t)
files_manage_var_symlinks(firstboot_t)
+files_create_boot_flag(firstboot_t)
+files_delete_boot_flag(firstboot_t)
init_domtrans_script(firstboot_t)
init_rw_utmp(firstboot_t)
@@ -75,12 +84,9 @@ logging_send_syslog_msg(firstboot_t)
miscfiles_read_localization(firstboot_t)
-modutils_domtrans_insmod(firstboot_t)
-modutils_domtrans_depmod(firstboot_t)
-modutils_read_module_config(firstboot_t)
-modutils_read_module_deps(firstboot_t)
+sysnet_dns_name_resolve(firstboot_t)
-userdom_use_user_terminals(firstboot_t)
+userdom_use_inherited_user_terminals(firstboot_t)
# Add/remove user home directories
userdom_manage_user_home_content_dirs(firstboot_t)
userdom_manage_user_home_content_files(firstboot_t)
@@ -103,8 +109,18 @@ optional_policy(`
')
optional_policy(`
+ iptables_domtrans(firstboot_t)
+')
+
+optional_policy(`
nis_use_ypbind(firstboot_t)
')
+optional_policy(`
+ modutils_domtrans_insmod(firstboot_t)
+ modutils_domtrans_depmod(firstboot_t)
+ modutils_read_module_config(firstboot_t)
+ modutils_read_module_deps(firstboot_t)
+')
optional_policy(`
samba_rw_config(firstboot_t)
@@ -113,7 +129,7 @@ optional_policy(`
optional_policy(`
unconfined_domtrans(firstboot_t)
# The big hammer
- unconfined_domain(firstboot_t)
+ unconfined_domain_noaudit(firstboot_t)
')
optional_policy(`
@@ -125,6 +141,7 @@ optional_policy(`
')
optional_policy(`
+ gnome_admin_home_gconf_filetrans(firstboot_t, dir)
gnome_manage_config(firstboot_t)
')
@@ -132,4 +149,5 @@ optional_policy(`
xserver_domtrans(firstboot_t)
xserver_rw_shm(firstboot_t)
xserver_unconfined(firstboot_t)
+ xserver_stream_connect(firstboot_t)
')
diff --git a/policy/modules/admin/kdump.fc b/policy/modules/admin/kdump.fc
index c66934f..1aa1205 100644
--- a/policy/modules/admin/kdump.fc
+++ b/policy/modules/admin/kdump.fc
@@ -1,5 +1,7 @@
/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+/lib/systemd/system/kdump.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
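Review bot: The new entry labels `/lib/systemd/system/kdump.service` as `iptables_unit_file_t`, but this patch declares `kdump_unit_file_t` in kdump.te and the new `kdump_systemctl` interface grants `kdump_unit_file_t:service all_service_perms`, so the interface will never match the real unit file and any domain allowed to manage iptables units gains start/stop/kill over kdump instead. The line should read `/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdump_unit_file_t,s0)`, which also escapes the dot the way `/etc/kdump\.conf` above does.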
diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if
index 4198ff5..a296bfa 100644
--- a/policy/modules/admin/kdump.if
+++ b/policy/modules/admin/kdump.if
@@ -37,6 +37,30 @@ interface(`kdump_initrc_domtrans',`
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
')
+########################################
+## <summary>
+## Execute kdump server in the kdump domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kdump_systemctl',`
+ gen_require(`
+ type kdump_unit_file_t;
+ type kdump_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 kdump_unit_file_t:file read_file_perms;
+ allow $1 kdump_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, kdump_t)
+')
+
#####################################
## <summary>
## Read kdump configuration file.
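Review bot: The summary of `kdump_systemctl` says "Execute kdump server in the kdump domain", but the body performs no domain transition; it lets `$1` run systemctl, read the unit file, hold `all_service_perms` on it and inspect `kdump_t` process state. A summary such as `## Execute systemctl against the kdump unit file and view kdump process state.` would describe what the interface actually grants; the `kdump_t` requirement in `gen_require` exists only for the `ps_process_pattern` call and is worth a short comment.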
@@ -56,6 +80,24 @@ interface(`kdump_read_config',`
allow $1 kdump_etc_t:file read_file_perms;
')
+#####################################
+## <summary>
+## Dontaudit read kdump configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kdump_dontaudit_read_config',`
+ gen_require(`
+ type kdump_etc_t;
+ ')
+
+ dontaudit $1 kdump_etc_t:file read_inherited_file_perms;
+')
+
####################################
## <summary>
## Manage kdump configuration file.
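Review bot: `kdump_dontaudit_read_config` silences only `read_inherited_file_perms`, i.e. reads on an already-open descriptor, not `open` of the configuration file itself, but the summary says only "Dontaudit read kdump configuration file". Stating the scope, e.g. `## Do not audit attempts to read inherited kdump configuration file descriptors.`, keeps callers from expecting it to cover a direct open.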
diff --git a/policy/modules/admin/kdump.te b/policy/modules/admin/kdump.te
index b29d8e2..bcd9273 100644
--- a/policy/modules/admin/kdump.te
+++ b/policy/modules/admin/kdump.te
@@ -15,6 +15,9 @@ files_config_file(kdump_etc_t)
type kdump_initrc_exec_t;
init_script_file(kdump_initrc_exec_t)
+type kdump_unit_file_t;
+systemd_unit_file(kdump_unit_file_t)
+
#####################################
#
# kdump local policy
diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te
index 9dd6880..4b7fa27 100644
--- a/policy/modules/admin/kismet.te
+++ b/policy/modules/admin/kismet.te
@@ -91,7 +91,7 @@ files_read_usr_files(kismet_t)
miscfiles_read_localization(kismet_t)
-userdom_use_user_terminals(kismet_t)
+userdom_use_inherited_user_terminals(kismet_t)
userdom_read_user_tmpfs_files(kismet_t)
optional_policy(`
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index 4f7bd3c..a29af21 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -111,15 +111,10 @@ logging_send_syslog_msg(kudzu_t)
miscfiles_read_hwdata(kudzu_t)
miscfiles_read_localization(kudzu_t)
-modutils_read_module_config(kudzu_t)
-modutils_read_module_deps(kudzu_t)
-modutils_rename_module_config(kudzu_t)
-modutils_delete_module_config(kudzu_t)
-modutils_domtrans_insmod(kudzu_t)
sysnet_read_config(kudzu_t)
-userdom_use_user_terminals(kudzu_t)
+userdom_use_inherited_user_terminals(kudzu_t)
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
userdom_search_user_home_dirs(kudzu_t)
@@ -128,7 +123,11 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(kudzu_t)
+ modutils_read_module_config(kudzu_t)
+ modutils_read_module_deps(kudzu_t)
+ modutils_rename_module_config(kudzu_t)
+ modutils_delete_module_config(kudzu_t)
+ modutils_domtrans_insmod(kudzu_t)
')
optional_policy(`
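Review bot: The `optional_policy` block that held `nscd_socket_use(kudzu_t)` has its body replaced by the modutils calls, so nscd socket access for kudzu is dropped rather than moved, and the change is not mentioned anywhere in the commit. If the removal is intended, a separate deletion makes it visible; otherwise keep `nscd_socket_use(kudzu_t)` in its own `optional_policy` block next to the new modutils one.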
@@ -141,5 +140,4 @@ optional_policy(`
optional_policy(`
unconfined_domtrans(kudzu_t)
- unconfined_domain(kudzu_t)
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 7090dae..db17bbe 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t)
#
# Change ownership on log files.
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
# for mailx
-dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
+dontaudit logrotate_t self:capability { sys_ptrace };
allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
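Review bot: After this change the `# for mailx` comment sits above a `dontaudit` that now covers only `sys_ptrace`, while the `setuid setgid` capabilities it used to explain have moved into the `allow` above with no explanation of their own, and mail sending itself is delegated to `logrotate_mail_t` later in this file. The commit message gives the reason, so record it in the policy, e.g. `# setuid/setgid: logrotate switches credentials itself (commit: logrotate is supposed to do it)` above the allow, and reword the remaining comment to describe why `sys_ptrace` is silenced.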
@@ -39,6 +39,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi
allow logrotate_t self:process setfscreate;
allow logrotate_t self:fd use;
+allow logrotate_t self:key manage_key_perms;
allow logrotate_t self:fifo_file rw_fifo_file_perms;
allow logrotate_t self:unix_dgram_socket create_socket_perms;
allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
@@ -61,6 +62,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
# for /var/lib/logrotate.status and /var/lib/logcheck
create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
kernel_read_system_state(logrotate_t)
@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t)
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
+files_dontaudit_list_mnt(logrotate_t)
# cjp: why is this needed?
init_domtrans_script(logrotate_t)
@@ -116,17 +119,15 @@ miscfiles_read_localization(logrotate_t)
seutil_dontaudit_read_config(logrotate_t)
-userdom_use_user_terminals(logrotate_t)
+systemd_exec_systemctl(logrotate_t)
+
+userdom_use_inherited_user_terminals(logrotate_t)
userdom_list_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
-
-cron_system_entry(logrotate_t, logrotate_exec_t)
-cron_search_spool(logrotate_t)
-
-mta_send_mail(logrotate_t)
+userdom_dontaudit_list_admin_dir(logrotate_t)
ifdef(`distro_debian', `
- allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
+ allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
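Review bot: `systemd_exec_systemctl(logrotate_t)` is added unconditionally and without a comment, although it is the only new rule in this hunk that widens what logrotate can execute; presumably postrotate scripts call `systemctl` to signal daemons, but the hunk does not say so. A why-comment such as `# postrotate scripts invoke systemctl to reload/restart services` would let a later reader judge whether the rule is still needed. The move of `cron_*` and `mta_send_mail` out of this hunk is handled elsewhere in the file and needs no note here.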
@@ -154,6 +155,10 @@ optional_policy(`
')
optional_policy(`
+ awstats_domtrans(logrotate_t)
+')
+
+optional_policy(`
asterisk_domtrans(logrotate_t)
')
@@ -162,10 +167,20 @@ optional_policy(`
')
optional_policy(`
+ callweaver_exec(logrotate_t)
+ callweaver_stream_connect(logrotate_t)
+')
+
+optional_policy(`
consoletype_exec(logrotate_t)
')
optional_policy(`
+ cron_system_entry(logrotate_t, logrotate_exec_t)
+ cron_search_spool(logrotate_t)
+')
+
+optional_policy(`
cups_domtrans(logrotate_t)
')
@@ -200,9 +215,12 @@ optional_policy(`
')
optional_policy(`
- psad_domtrans(logrotate_t)
+ polipo_named_filetrans_log_files(logrotate_t)
')
+optional_policy(`
+ psad_domtrans(logrotate_t)
+')
optional_policy(`
samba_exec_log(logrotate_t)
@@ -228,3 +246,14 @@ optional_policy(`
optional_policy(`
varnishd_manage_log(logrotate_t)
')
+
+#######################################
+#
+# logrotate_mail local policy
+#
+
+mta_base_mail_template(logrotate)
+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+role system_r types logrotate_mail_t;
+logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
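Review bot: The `mta_base_mail_template(logrotate)` declaration and the `role system_r types logrotate_mail_t;` statement are placed under a local-policy heading at the end of the file, whereas logwatch.te in this same patch puts its `mta_base_mail_template(logwatch)` and role line in the declarations section; the two modules should follow the same layout. Separately, `logging_read_all_logs(logrotate_mail_t)` grants the mailer read access to every log type, which is broader than delivering one rotated log; if logrotate hands the content to the mailer on an inherited pipe, the read rule may be unnecessary and could be narrowed to the inherited descriptor, though that depends on how the mail command is invoked and is worth confirming.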
diff --git a/policy/modules/admin/logwatch.fc b/policy/modules/admin/logwatch.fc
index 3c7b1e8..1e155f5 100644
--- a/policy/modules/admin/logwatch.fc
+++ b/policy/modules/admin/logwatch.fc
@@ -1,7 +1,11 @@
/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
+/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0)
+
+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
index 75ce30f..63310a1 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -19,6 +19,12 @@ files_lock_file(logwatch_lock_t)
type logwatch_tmp_t;
files_tmp_file(logwatch_tmp_t)
+type logwatch_var_run_t;
+files_pid_file(logwatch_var_run_t)
+
+mta_base_mail_template(logwatch)
+role system_r types logwatch_mail_t;
+
########################################
#
# Local policy
@@ -39,6 +45,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
+allow logwatch_t logwatch_var_run_t:file manage_file_perms;
+files_pid_filetrans(logwatch_t, logwatch_var_run_t, file)
+
kernel_read_fs_sysctls(logwatch_t)
kernel_read_kernel_sysctls(logwatch_t)
kernel_read_system_state(logwatch_t)
@@ -58,6 +67,7 @@ files_list_var(logwatch_t)
files_read_var_symlinks(logwatch_t)
files_read_etc_files(logwatch_t)
files_read_etc_runtime_files(logwatch_t)
+files_read_system_conf_files(logwatch_t)
files_read_usr_files(logwatch_t)
files_search_spool(logwatch_t)
files_search_mnt(logwatch_t)
@@ -70,6 +80,8 @@ fs_getattr_all_fs(logwatch_t)
fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t)
+mls_file_read_to_clearance(logwatch_t)
+
term_dontaudit_getattr_pty_dirs(logwatch_t)
term_dontaudit_list_ptys(logwatch_t)
@@ -92,11 +104,14 @@ sysnet_dns_name_resolve(logwatch_t)
sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t)
+userdom_dontaudit_list_admin_dir(logwatch_t)
-mta_send_mail(logwatch_t)
+#mta_send_mail(logwatch_t)
+mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
ifdef(`distro_redhat',`
files_search_all(logwatch_t)
+ files_getattr_all_files(logwatch_t)
files_getattr_all_file_type_fs(logwatch_t)
')
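Review bot: The commented-out `#mta_send_mail(logwatch_t)` is left in the file next to its replacement `mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)`; version control already records the old rule, so delete the dead line rather than keep it as a comment. If the intent is to document the change of approach, a one-line comment such as `# mail is sent from the separate logwatch_mail_t domain` says more than the disabled call does.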
@@ -145,3 +160,24 @@ optional_policy(`
samba_read_log(logwatch_t)
samba_read_share_files(logwatch_t)
')
+
+########################################
+#
+# Logwatch mail Local policy
+#
+
+allow logwatch_mail_t self:capability { dac_read_search dac_override };
+
+manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
+
+dev_read_rand(logwatch_mail_t)
+dev_read_urand(logwatch_mail_t)
+dev_read_sysfs(logwatch_mail_t)
+
+logging_read_all_logs(logwatch_mail_t)
+
+mta_read_home(logwatch_mail_t)
+
+optional_policy(`
+ cron_use_system_job_fds(logwatch_mail_t)
+')
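Review bot: `allow logwatch_mail_t self:capability { dac_read_search dac_override };` combined with `logging_read_all_logs(logwatch_mail_t)` gives the mail-sending domain DAC bypass across all log types; `dac_override` also bypasses write checks, which a process that only reads logs and hands them to the MTA should not need. If the requirement is read access to root-only log files, `dac_read_search` alone covers it, so either drop `dac_override` or add a comment naming the operation that needs it. The same `logging_read_all_logs` breadth applies to `logrotate_mail_t` in logrotate.te.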
diff --git a/policy/modules/admin/mcelog.fc b/policy/modules/admin/mcelog.fc
index 56c43c0..0641226 100644
--- a/policy/modules/admin/mcelog.fc
+++ b/policy/modules/admin/mcelog.fc
@@ -1 +1,5 @@
/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
+
+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
index 5671977..ef8bc09 100644
--- a/policy/modules/admin/mcelog.te
+++ b/policy/modules/admin/mcelog.te
@@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0)
type mcelog_t;
type mcelog_exec_t;
+init_system_domain(mcelog_t, mcelog_exec_t)
application_domain(mcelog_t, mcelog_exec_t)
-cron_system_entry(mcelog_t, mcelog_exec_t)
+
+type mcelog_var_run_t;
+files_pid_file(mcelog_var_run_t)
+
+type mcelog_log_t;
+logging_log_file(mcelog_log_t)
########################################
#
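Review bot: `init_system_domain(mcelog_t, mcelog_exec_t)` is added directly above the existing `application_domain(mcelog_t, mcelog_exec_t)`; in reference policy `init_system_domain` is, as far as I recall, built on `application_domain`, in which case the second call is redundant and should be removed, so please confirm against init.if. If both are deliberately kept, a comment explaining why mcelog needs both the daemon and application treatment would help.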
@@ -17,10 +23,22 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
allow mcelog_t self:capability sys_admin;
+manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+logging_log_filetrans(mcelog_t, mcelog_log_t, { file dir })
+
+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+files_pid_filetrans(mcelog_t, mcelog_var_run_t, sock_file )
+
kernel_read_system_state(mcelog_t)
+corecmd_exec_bin(mcelog_t)
+
dev_read_raw_memory(mcelog_t)
dev_read_kmsg(mcelog_t)
+dev_rw_sysfs(mcelog_t)
files_read_etc_files(mcelog_t)
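Review bot: `files_pid_filetrans(mcelog_t, mcelog_var_run_t, sock_file )` carries a stray space before the closing parenthesis, and it is the only `filetrans` for `mcelog_var_run_t` even though `manage_files_pattern` and `manage_dirs_pattern` are granted on that type. If mcelog also creates a pid file or directory under `/var/run`, those would be created with the default label and the manage rules would not apply; either extend it to `files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file dir sock_file })` or trim the unused patterns.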
@@ -30,3 +48,7 @@ mls_file_read_all_levels(mcelog_t)
logging_send_syslog_msg(mcelog_t)
miscfiles_read_localization(mcelog_t)
+
+optional_policy(`
+ cron_system_entry(mcelog_t, mcelog_exec_t)
+')
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 0e19d80..a3a38b1 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -43,9 +43,12 @@ read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
dontaudit mrtg_t mrtg_etc_t:dir write;
dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
+manage_dirs_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
+files_lock_filetrans(mrtg_t, mrtg_lock_t, { dir file })
+manage_dirs_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir })
@@ -112,9 +115,10 @@ miscfiles_read_localization(mrtg_t)
selinux_dontaudit_getattr_dir(mrtg_t)
-userdom_use_user_terminals(mrtg_t)
+userdom_use_inherited_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+userdom_dontaudit_list_admin_dir(mrtg_t)
netutils_domtrans_ping(mrtg_t)
diff --git a/policy/modules/admin/ncftool.if b/policy/modules/admin/ncftool.if
index 75ee31d..a28ab46 100644
--- a/policy/modules/admin/ncftool.if
+++ b/policy/modules/admin/ncftool.if
@@ -46,3 +46,31 @@ interface(`ncftool_run',`
brctl_run(ncftool_t, $2)
')
')
+
+########################################
+## <summary>
+## Role access for ncftool
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`ncftool_role',`
+ gen_require(`
+ type ncftool_t;
+ ')
+
+ role $1 types ncftool_t;
+
+ ncftool_domtrans($2)
+
+ ps_process_pattern($2, ncftool_t)
+ allow $2 ncftool_t:process signal;
+')
diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
index ec29391..b25d59a 100644
--- a/policy/modules/admin/ncftool.te
+++ b/policy/modules/admin/ncftool.te
@@ -18,9 +18,13 @@ role system_r types ncftool_t;
#
allow ncftool_t self:capability { net_admin sys_ptrace };
+
allow ncftool_t self:process signal;
+
allow ncftool_t self:fifo_file manage_fifo_file_perms;
allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
+
+allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
allow ncftool_t self:tcp_socket create_stream_socket_perms;
allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
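Review bot: The added `allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;` duplicates the identical rule that already follows two lines later, so one of the two should be dropped. The extra blank lines inserted in this hunk are fine, but the duplicate suggests the rule was added without checking the existing socket block.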
@@ -38,10 +42,14 @@ domain_read_all_domains_state(ncftool_t)
dev_read_sysfs(ncftool_t)
+files_manage_system_conf_files(ncftool_t)
+files_relabelto_system_conf_files(ncftool_t)
files_read_etc_files(ncftool_t)
files_read_etc_runtime_files(ncftool_t)
files_read_usr_files(ncftool_t)
+term_use_all_inherited_terms(ncftool_t)
+
miscfiles_read_localization(ncftool_t)
sysnet_delete_dhcpc_pid(ncftool_t)
@@ -50,6 +58,8 @@ sysnet_domtrans_ifconfig(ncftool_t)
sysnet_etc_filetrans_config(ncftool_t)
sysnet_manage_config(ncftool_t)
sysnet_read_dhcpc_state(ncftool_t)
+sysnet_relabelfrom_net_conf(ncftool_t)
+sysnet_relabelto_net_conf(ncftool_t)
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
@@ -66,6 +76,7 @@ optional_policy(`
optional_policy(`
iptables_initrc_domtrans(ncftool_t)
+ iptables_systemctl(ncftool_t)
')
optional_policy(`
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 407078f..a818e14 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -8,7 +8,7 @@
/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0)
+/usr/sbin/fping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
index c6ca761..46e0767 100644
--- a/policy/modules/admin/netutils.if
+++ b/policy/modules/admin/netutils.if
@@ -42,6 +42,7 @@ interface(`netutils_run',`
')
netutils_domtrans($1)
+ allow $1 netutils_t:process { signal sigkill };
role $2 types netutils_t;
')
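Review bot: The new `allow $1 netutils_t:process { signal sigkill };` is placed before the `role $2 types netutils_t;` line here and in `netutils_run_traceroute` (the `@@ -254` hunk), but after the role line in `netutils_run_ping` (the `@@ -161` hunk); keep the ordering consistent across the five hunks. Each of these interfaces must already require the target type for the existing `role` statement, so no additional `gen_require` is needed, but the `*_cond` variants add the allow only inside the `user_ping` branch, which is the right scope and worth a short comment so nobody later hoists it out.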
@@ -161,6 +162,7 @@ interface(`netutils_run_ping',`
netutils_domtrans_ping($1)
role $2 types ping_t;
+ allow $1 ping_t:process { signal sigkill };
')
########################################
@@ -190,6 +192,7 @@ interface(`netutils_run_ping_cond',`
if ( user_ping ) {
netutils_domtrans_ping($1)
+ allow $1 ping_t:process { signal sigkill };
}
')
@@ -254,6 +257,7 @@ interface(`netutils_run_traceroute',`
')
netutils_domtrans_traceroute($1)
+ allow $1 traceroute_t:process { signal sigkill };
role $2 types traceroute_t;
')
@@ -284,6 +288,7 @@ interface(`netutils_run_traceroute_cond',`
if( user_ping ) {
netutils_domtrans_traceroute($1)
+ allow $1 traceroute_t:process { signal sigkill };
}
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index e0791b9..373882d 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t)
kernel_read_all_sysctls(netutils_t)
+kernel_read_network_state(netutils_t)
+kernel_request_load_module(netutils_t)
corenet_all_recvfrom_unlabeled(netutils_t)
corenet_all_recvfrom_netlabel(netutils_t)
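Review bot: `kernel_request_load_module(netutils_t)` lets the netutils domain trigger kernel module autoloading and has no comment saying which tool needs it; taken together with the `dev_*usbmon*` and `dev_rw_generic_usb_dev` rules in the following hunk, it looks like USB capture support, but that is inferred, not stated. Add a why-comment on both additions, e.g. `# tcpdump/wireshark USB capture: usbmon device access and module autoload`, adjusted to the actual tool, so the module-load permission can be revisited if that use case goes away.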
@@ -64,6 +66,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
corenet_udp_bind_generic_node(netutils_t)
dev_read_sysfs(netutils_t)
+dev_read_usbmon_dev(netutils_t)
+dev_write_usbmon_dev(netutils_t)
+dev_rw_generic_usb_dev(netutils_t)
fs_getattr_xattr_fs(netutils_t)
@@ -83,7 +88,7 @@ logging_send_syslog_msg(netutils_t)
miscfiles_read_localization(netutils_t)
term_dontaudit_use_console(netutils_t)
-userdom_use_user_terminals(netutils_t)
+userdom_use_inherited_user_terminals(netutils_t)
userdom_use_all_users_fds(netutils_t)
optional_policy(`
@@ -104,6 +109,8 @@ optional_policy(`
#
allow ping_t self:capability { setuid net_raw };
+allow ping_t self:process setcap;
+
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
@@ -134,8 +141,6 @@ logging_send_syslog_msg(ping_t)
miscfiles_read_localization(ping_t)
-userdom_use_user_terminals(ping_t)
-
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
@@ -145,11 +150,25 @@ ifdef(`hide_broken_symptoms',`
')
')
+term_use_all_inherited_terms(ping_t)
+
+tunable_policy(`user_ping',`
+ term_use_all_ttys(ping_t)
+ term_use_all_ptys(ping_t)
+',`
+ term_dontaudit_use_all_ttys(ping_t)
+ term_dontaudit_use_all_ptys(ping_t)
+')
+
optional_policy(`
munin_append_log(ping_t)
')
optional_policy(`
+ nagios_rw_inerited_tmp_files(ping_t)
+')
+
+optional_policy(`
pcmcia_use_cardmgr_fds(ping_t)
')
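Review bot: `nagios_rw_inerited_tmp_files(ping_t)` looks misspelled ("inerited" for "inherited"); unless the interface in nagios.if is declared with the same spelling, m4 will leave the call unexpanded and the module will fail to build even inside `optional_policy`. Check the declaration and align the name, e.g. `nagios_rw_inherited_tmp_files(ping_t)`, fixing the interface as well if the typo originates there.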
@@ -194,6 +213,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
+files_read_usr_files(traceroute_t)
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
@@ -204,9 +224,16 @@ logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t)
-userdom_use_user_terminals(traceroute_t)
-
#rules needed for nmap
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
-files_read_usr_files(traceroute_t)
+
+term_use_all_inherited_terms(traceroute_t)
+
+tunable_policy(`user_ping',`
+ term_use_all_ttys(traceroute_t)
+ term_use_all_ptys(traceroute_t)
+',`
+ term_dontaudit_use_all_ttys(traceroute_t)
+ term_dontaudit_use_all_ptys(traceroute_t)
+')
diff --git a/policy/modules/admin/passenger.if b/policy/modules/admin/passenger.if
index f68b573..59ee69c 100644
--- a/policy/modules/admin/passenger.if
+++ b/policy/modules/admin/passenger.if
@@ -37,3 +37,25 @@ interface(`passenger_read_lib_files',`
read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
files_search_var_lib($1)
')
+
+#####################################
+## <summary>
+## Manage passenger var_run content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`passenger_manage_pid_content',`
+ gen_require(`
+ type passenger_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+')
diff --git a/policy/modules/admin/passenger.te b/policy/modules/admin/passenger.te
index 3470036..41f736e 100644
--- a/policy/modules/admin/passenger.te
+++ b/policy/modules/admin/passenger.te
@@ -1,4 +1,4 @@
-policy_module(passanger, 1.0.0)
+policy_module(passenger, 1.0.0)
########################################
#
@@ -49,6 +49,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
+#needed by puppet
+manage_dirs_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+manage_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir })
+
kernel_read_system_state(passenger_t)
kernel_read_kernel_sysctls(passenger_t)
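Review bot: The new tmp rules use `passenger_tmp_t`, but no declaration of that type appears in the visible hunks of passenger.te; if it is not declared elsewhere in the file the module will not compile, so it needs `type passenger_tmp_t;` and `files_tmp_file(passenger_tmp_t)` in the declarations section. The `#needed by puppet` comment should also follow the file's `# ` comment style and say what puppet does with the temp files, as far as that is known.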
@@ -64,9 +69,12 @@ corecmd_exec_shell(passenger_t)
dev_read_urand(passenger_t)
files_read_etc_files(passenger_t)
+files_read_usr_files(passenger_t)
auth_use_nsswitch(passenger_t)
+logging_send_syslog_msg(passenger_t)
+
miscfiles_read_localization(passenger_t)
userdom_dontaudit_use_user_terminals(passenger_t)
@@ -75,3 +83,9 @@ optional_policy(`
apache_append_log(passenger_t)
apache_read_sys_content(passenger_t)
')
+
+optional_policy(`
+ puppet_manage_lib(passenger_t)
+ puppet_search_log(passenger_t)
+ puppet_search_pid(passenger_t)
+')
diff --git a/policy/modules/admin/permissivedomains.fc b/policy/modules/admin/permissivedomains.fc
new file mode 100644
index 0000000..6e6a8fc
--- /dev/null
+++ b/policy/modules/admin/permissivedomains.fc
@@ -0,0 +1 @@
+# No file contexts
diff --git a/policy/modules/admin/permissivedomains.if b/policy/modules/admin/permissivedomains.if
new file mode 100644
index 0000000..bd83148
--- /dev/null
+++ b/policy/modules/admin/permissivedomains.if
@@ -0,0 +1 @@
+## <summary>No Interfaces</summary>
diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
new file mode 100644
index 0000000..a6beb8f
--- /dev/null
+++ b/policy/modules/admin/permissivedomains.te
@@ -0,0 +1,268 @@
+policy_module(permissivedomains,16)
+
+optional_policy(`
+ gen_require(`
+ type polipo_t;
+ ')
+
+ permissive polipo_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type bootloader_t;
+ ')
+
+ permissive bootloader_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type systemd_logger_t;
+ ')
+
+ permissive systemd_logger_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ permissive systemd_logind_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type fcoemon_t;
+ ')
+
+ permissive fcoemon_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type httpd_passwd_t;
+ ')
+
+ permissive httpd_passwd_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type puppetca_t;
+ ')
+
+ permissive puppetca_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type spamd_update_t;
+ ')
+
+ permissive spamd_update_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type rhev_agentd_t;
+ ')
+
+ permissive rhev_agentd_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type abrt_handle_event_t;
+ ')
+
+ permissive abrt_handle_event_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type cfengine_serverd_t;
+ ')
+
+ permissive cfengine_serverd_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type cfengine_execd_t;
+ ')
+
+ permissive cfengine_execd_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type cfengine_monitord_t;
+ ')
+
+ permissive cfengine_monitord_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type rhsmcertd_t;
+ ')
+
+ permissive rhsmcertd_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type sshd_sandbox_t;
+ ')
+
+ permissive sshd_sandbox_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type fail2ban_client_t;
+ ')
+
+ permissive fail2ban_client_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type ctdbd_t;
+ ')
+
+ permissive ctdbd_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type mscan_t;
+ ')
+
+ permissive mscan_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type lldpad_t;
+ ')
+
+ permissive lldpad_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type sblim_gatherd_t;
+ ')
+
+ permissive sblim_gatherd_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type sblim_gatherd_t;
+ ')
+
+ permissive sblim_gatherd_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type callweaver_t;
+ ')
+
+ permissive callweaver_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type sanlock_t;
+ ')
+
+ permissive sanlock_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type uuidd_t;
+ ')
+
+ permissive uuidd_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type wdmd_t;
+ ')
+
+ permissive wdmd_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type dspam_t;
+ ')
+
+ permissive dspam_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type virt_lxc_t;
+ ')
+
+ permissive virt_lxc_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type virtd_t;
+ ')
+
+ permissive virtd_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type pyicqt_t;
+ ')
+
+ permissive pyicqt_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type telepathy_logger_t;
+ ')
+
+ permissive telepathy_logger_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type glance_registry_t;
+ type glance_api_t;
+ ')
+
+ permissive glance_registry_t;
+ permissive glance_api_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type thumb_t;
+ ')
+
+ permissive thumb_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type virt_qmf_t;
+ ')
+
+ permissive virt_qmf_t;
+')
+
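Review bot: The `sblim_gatherd_t` block is present twice (two identical `optional_policy` blocks back to back), so one copy should be removed. None of the permissive entries carries a comment saying why the domain is permissive or what must be fixed before it can be removed; since a permissive domain only logs denials and enforces nothing, each block should record that, e.g. `# permissive: policy still incomplete, see <bug reference>`, so the list shrinks instead of growing. The module version `policy_module(permissivedomains,16)` also does not follow the `X.Y.Z` form used by the other modules in this patch.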
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..b665b08 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -5,12 +5,12 @@
/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 9a2c2a1..adde889 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -183,7 +183,7 @@ interface(`portage_compile_domain',`
logging_send_syslog_msg($1)
- userdom_use_user_terminals($1)
+ userdom_use_inherited_user_terminals($1)
# SELinux-enabled programs running in the sandbox
seutil_libselinux_linked($1)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 7f1d18e..a68d519 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -43,7 +43,7 @@ type portage_db_t;
files_type(portage_db_t)
type portage_conf_t;
-files_type(portage_conf_t)
+files_config_file(portage_conf_t)
type portage_cache_t;
files_type(portage_cache_t)
@@ -105,9 +105,11 @@ logging_send_syslog_msg(gcc_config_t)
miscfiles_read_localization(gcc_config_t)
-userdom_use_user_terminals(gcc_config_t)
+userdom_use_inherited_user_terminals(gcc_config_t)
-consoletype_exec(gcc_config_t)
+optional_policy(`
+ consoletype_exec(gcc_config_t)
+')
optional_policy(`
seutil_use_newrole_fds(gcc_config_t)
@@ -255,7 +257,7 @@ miscfiles_read_localization(portage_fetch_t)
sysnet_read_config(portage_fetch_t)
sysnet_dns_name_resolve(portage_fetch_t)
-userdom_use_user_terminals(portage_fetch_t)
+userdom_use_inherited_user_terminals(portage_fetch_t)
userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
ifdef(`hide_broken_symptoms',`
diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if
index 93ec175..0e42018 100644
--- a/policy/modules/admin/prelink.if
+++ b/policy/modules/admin/prelink.if
@@ -19,7 +19,6 @@ interface(`prelink_domtrans',`
domtrans_pattern($1, prelink_exec_t, prelink_t)
ifdef(`hide_broken_symptoms', `
- dontaudit prelink_t $1:socket_class_set { read write };
dontaudit prelink_t $1:fifo_file setattr;
')
')
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index af55369..e83b341 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
# Local policy
#
-allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
+allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource };
allow prelink_t self:process { execheap execmem execstack signal };
allow prelink_t self:fifo_file rw_fifo_file_perms;
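Review bot: `setfcap` is added to prelink's capability set without a comment, and it is the one capability in this line that lets the domain attach file capabilities to binaries it rewrites. Presumably prelink needs it to restore existing file capabilities after modifying an executable, but the hunk does not say so; add `# setfcap: re-apply file capabilities on prelinked binaries` (or the actual reason) above the allow.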
@@ -59,10 +59,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
+files_search_var_lib(prelink_t)
# prelink misc objects that are not system
# libraries or entrypoints
-allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
+allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
kernel_read_system_state(prelink_t)
kernel_read_kernel_sysctls(prelink_t)
@@ -73,6 +74,7 @@ corecmd_mmap_all_executables(prelink_t)
corecmd_read_bin_symlinks(prelink_t)
dev_read_urand(prelink_t)
+dev_getattr_all_chr_files(prelink_t)
files_list_all(prelink_t)
files_getattr_all_files(prelink_t)
@@ -86,6 +88,8 @@ files_relabelfrom_usr_files(prelink_t)
fs_getattr_xattr_fs(prelink_t)
+storage_getattr_fixed_disk_dev(prelink_t)
+
selinux_get_enforce_mode(prelink_t)
libs_exec_ld_so(prelink_t)
@@ -98,7 +102,14 @@ libs_delete_lib_symlinks(prelink_t)
miscfiles_read_localization(prelink_t)
-userdom_use_user_terminals(prelink_t)
+userdom_use_inherited_user_terminals(prelink_t)
+userdom_manage_user_home_content(prelink_t)
+userdom_relabel_user_home_files(prelink_t)
+userdom_execmod_user_home_files(prelink_t)
+
+systemd_read_unit_files(prelink_t)
+
+term_use_all_inherited_terms(prelink_t)
optional_policy(`
amanda_manage_lib(prelink_t)
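Review bot: `userdom_manage_user_home_content(prelink_t)`, `userdom_relabel_user_home_files` and `userdom_execmod_user_home_files` give a system-wide tool full manage, relabel and execmod rights over every user's home content, and nothing in the hunk says which use case requires more than read/write on ELF files in home directories. A why-comment is needed here, and it is worth checking whether a narrower `userdom_manage_user_home_content_files` suffices. Also, `term_use_all_inherited_terms(prelink_t)` appears to cover what `userdom_use_inherited_user_terminals(prelink_t)` grants a few lines above, so one of the two may be redundant; likewise `systemd_read_unit_files(prelink_t)` has no stated purpose.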
@@ -109,6 +120,15 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_read_config(prelink_t)
+ gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
+')
+
+optional_policy(`
+ nsplugin_manage_rw_files(prelink_t)
+')
+
+optional_policy(`
rpm_manage_tmp_files(prelink_t)
')
@@ -129,6 +149,7 @@ optional_policy(`
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
allow prelink_cron_system_t prelink_cache_t:file unlink;
+ files_delete_etc_dir_entry(prelink_cron_system_t)
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
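Review bot: files_delete_etc_dir_entry(prelink_cron_system_t) is a directory-level grant on etc_t with no comment, and read on its own it looks like permission to remove arbitrary entries from the etc directory. The two lines above it (read and unlink on prelink_cache_t) suggest it exists so the cron job can unlink the prelink cache file that lives in an etc_t directory; a comment such as `# needed to remove the prelink_cache_t cache file from its etc_t directory` would say so. The enclosing optional_policy block starts outside the hunk.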
@@ -148,17 +169,28 @@ optional_policy(`
files_read_etc_files(prelink_cron_system_t)
files_search_var_lib(prelink_cron_system_t)
- init_exec(prelink_cron_system_t)
+ fs_search_cgroup_dirs(prelink_cron_system_t)
+
+ init_telinit(prelink_cron_system_t)
libs_exec_ld_so(prelink_cron_system_t)
logging_search_logs(prelink_cron_system_t)
+ init_stream_connect(prelink_cron_system_t)
+
miscfiles_read_localization(prelink_cron_system_t)
cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
+ userdom_dontaudit_list_admin_dir(prelink_cron_system_t)
+
optional_policy(`
rpm_read_db(prelink_cron_system_t)
')
')
+ifdef(`hide_broken_symptoms', `
+ optional_policy(`
+ dbus_read_config(prelink_t)
+ ')
+')
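Review bot: init_exec(prelink_cron_system_t) is replaced by init_telinit and init_stream_connect without a comment, and the new interface's name suggests the nightly job can now issue requests to init rather than merely execute the init binary, which is a broader grant for a cron job. A comment naming what in the cron script needs it, e.g. `# init_telinit: needed by <command in the prelink cron script> — confirm`, would let a later reader tell whether it is still required. init_stream_connect is also inserted between logging_search_logs and miscfiles_read_localization rather than next to the other init_ calls, which breaks the grouping used in the rest of this block.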
diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
index bf75d99..1698e8f 100644
--- a/policy/modules/admin/quota.if
+++ b/policy/modules/admin/quota.if
@@ -83,3 +83,36 @@ interface(`quota_manage_flags',`
files_search_var_lib($1)
manage_files_pattern($1, quota_flag_t, quota_flag_t)
')
+
+########################################
+## <summary>
+## Transition to quota named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`quota_filetrans_named_content',`
+ gen_require(`
+ type quota_db_t;
+ ')
+
+ files_root_filetrans($1, quota_db_t, file, "aquota.user")
+ files_root_filetrans($1, quota_db_t, file, "aquota.group")
+ files_boot_filetrans($1, quota_db_t, file, "aquota.user")
+ files_boot_filetrans($1, quota_db_t, file, "aquota.group")
+ files_etc_filetrans($1, quota_db_t, file, "aquota.user")
+ files_etc_filetrans($1, quota_db_t, file, "aquota.group")
+ files_tmp_filetrans($1, quota_db_t, file, "aquota.user")
+ files_tmp_filetrans($1, quota_db_t, file, "aquota.group")
+ files_home_filetrans($1, quota_db_t, file, "aquota.user")
+ files_home_filetrans($1, quota_db_t, file, "aquota.group")
+ files_usr_filetrans($1, quota_db_t, file, "aquota.user")
+ files_usr_filetrans($1, quota_db_t, file, "aquota.group")
+ files_var_filetrans($1, quota_db_t, file, "aquota.user")
+ files_var_filetrans($1, quota_db_t, file, "aquota.group")
+ files_spool_filetrans($1, quota_db_t, file, "aquota.user")
+ files_spool_filetrans($1, quota_db_t, file, "aquota.group")
+')
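Review bot: quota_filetrans_named_content applies the aquota.user/aquota.group named transitions not only to root, boot, etc, usr, var and spool but also to tmp and home via files_tmp_filetrans and files_home_filetrans, and the summary "Transition to quota named content" does not say why those two are covered. A sentence in the summary block such as `## Covers every directory type that can be a filesystem root, since quota files live at the root of each quota-enabled filesystem` would document the intent and tell a reviewer when another files_*_filetrans needs adding. Since any aquota.user the caller creates in a tmp directory becomes quota_db_t once this is granted, the interface should stay limited to quota tools, which the summary could also state.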
diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
index 5dd42f5..f13ac41 100644
--- a/policy/modules/admin/quota.te
+++ b/policy/modules/admin/quota.te
@@ -72,7 +72,7 @@ init_use_script_ptys(quota_t)
logging_send_syslog_msg(quota_t)
-userdom_use_user_terminals(quota_t)
+userdom_use_inherited_user_terminals(quota_t)
userdom_dontaudit_use_unpriv_user_fds(quota_t)
optional_policy(`
diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc
index 7077413..6bc0fa8 100644
--- a/policy/modules/admin/readahead.fc
+++ b/policy/modules/admin/readahead.fc
@@ -1,3 +1,7 @@
/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
+/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
+/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
+/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if
index 47c4723..64c8889 100644
--- a/policy/modules/admin/readahead.if
+++ b/policy/modules/admin/readahead.if
@@ -1 +1,44 @@
## <summary>Readahead, read files into page cache for improved performance</summary>
+
+########################################
+## <summary>
+## Transition to the readahead domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`readahead_domtrans',`
+ gen_require(`
+ type readahead_t, readahead_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, readahead_exec_t, readahead_t)
+')
+
+########################################
+## <summary>
+## Manage readahead var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`readahead_manage_pid_files',`
+ gen_require(`
+ type readahead_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, readahead_var_run_t, readahead_var_run_t)
+ manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t)
+ dev_filetrans($1, readahead_var_run_t, { dir file })
+ init_pid_filetrans($1, readahead_var_run_t, { dir file })
+ files_search_pids($1)
+ init_search_pid_dirs($1)
+')
+
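Review bot: readahead_manage_pid_files calls dev_filetrans($1, readahead_var_run_t, { dir file }) and init_pid_filetrans(...) with no filename, so any directory or plain file the caller creates directly under the device or init pid directory type is labelled readahead_var_run_t, not only the readahead subtree that the new .fc entries describe. If these filetrans interfaces accept a filename argument in this tree, as files_root_filetrans does in the quota.if hunk above, a named transition on "readahead" would match the file contexts and avoid mislabelling unrelated files; the dev_filetrans and init_pid_filetrans lines added to readahead.te have the same shape. The hunk also adds a trailing blank line at end of file.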
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index b4ac57e..ef944a4 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -16,13 +16,14 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
type readahead_var_run_t;
files_pid_file(readahead_var_run_t)
+dev_associate(readahead_var_run_t)
########################################
#
# Local policy
#
-allow readahead_t self:capability { fowner dac_override dac_read_search };
+allow readahead_t self:capability { sys_admin fowner dac_override dac_read_search };
dontaudit readahead_t self:capability { net_admin sys_tty_config };
allow readahead_t self:process { setsched signal_perms };
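Review bot: sys_admin is added to readahead_t's capability set without a comment; it is the broadest Linux capability, so a reader cannot tell whether readahead needs it for a specific operation or whether it was added to silence a denial. A why-comment on that line, e.g. `# sys_admin: <operation readahead needs it for> — confirm`, makes future tightening possible. The same applies to the hide_broken_symptoms block added later in this file, which dontaudits write on all files and all block and character devices for readahead_t; a comment naming the symptom being hidden would tell a reviewer when the block can be removed.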
@@ -31,13 +32,18 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
files_search_var_lib(readahead_t)
manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
-files_pid_filetrans(readahead_t, readahead_var_run_t, file)
+manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
+files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
+dev_filetrans(readahead_t, readahead_var_run_t, { dir file })
+init_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
kernel_read_all_sysctls(readahead_t)
kernel_read_system_state(readahead_t)
kernel_dontaudit_getattr_core_if(readahead_t)
dev_read_sysfs(readahead_t)
+dev_read_kmsg(readahead_t)
+dev_write_kmsg(readahead_t)
dev_getattr_generic_chr_files(readahead_t)
dev_getattr_generic_blk_files(readahead_t)
dev_getattr_all_chr_files(readahead_t)
@@ -53,10 +59,18 @@ domain_read_all_domains_state(readahead_t)
files_list_non_security(readahead_t)
files_read_non_security_files(readahead_t)
+files_dontaudit_read_security_files(readahead_t)
files_create_boot_flag(readahead_t)
files_getattr_all_pipes(readahead_t)
files_dontaudit_getattr_all_sockets(readahead_t)
files_dontaudit_getattr_non_security_blk_files(readahead_t)
+files_dontaudit_all_access_check(readahead_t)
+
+ifdef(`hide_broken_symptoms', `
+ files_dontaudit_write_all_files(readahead_t)
+ dev_dontaudit_write_all_chr_files(readahead_t)
+ dev_dontaudit_write_all_blk_files(readahead_t)
+')
fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
@@ -66,12 +80,14 @@ fs_read_cgroup_files(readahead_t)
fs_read_tmpfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
+fs_dontaudit_read_tmpfs_blk_dev(readahead_t)
fs_dontaudit_search_ramfs(readahead_t)
fs_dontaudit_read_ramfs_pipes(readahead_t)
fs_dontaudit_read_ramfs_files(readahead_t)
fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
mls_file_read_all_levels(readahead_t)
+mcs_file_read_all(readahead_t)
storage_raw_read_fixed_disk(readahead_t)
@@ -82,6 +98,8 @@ auth_dontaudit_read_shadow(readahead_t)
init_use_fds(readahead_t)
init_use_script_ptys(readahead_t)
init_getattr_initctl(readahead_t)
+# needs to write to /run/systemd/notify
+init_write_pid_socket(readahead_t)
logging_send_syslog_msg(readahead_t)
logging_set_audit_parameters(readahead_t)
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
index b206bf6..de6d89b 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@@ -6,7 +6,9 @@
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -24,9 +26,14 @@ ifdef(`distro_redhat', `
/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/rhnreg_ks -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
+/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
@@ -36,6 +43,8 @@ ifdef(`distro_redhat', `
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+
/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index d33daa8..8ba0f86 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -13,10 +13,13 @@
interface(`rpm_domtrans',`
gen_require(`
type rpm_t, rpm_exec_t;
+ attribute rpm_transition_domain;
')
corecmd_search_bin($1)
domtrans_pattern($1, rpm_exec_t, rpm_t)
+ typeattribute $1 rpm_transition_domain;
+ rpm_debuginfo_domtrans($1)
')
########################################
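Review bot: rpm_domtrans now does more than its name says: it adds the caller to rpm_transition_domain and calls rpm_debuginfo_domtrans($1), so every existing caller silently gains the debuginfo transition and whatever is later granted to the attribute (rpm_inherited_fifo in this file grants fifo access to all of it). typeattribute needs a type, so a caller that passes an attribute for $1 would presumably now fail to build; the existing callers are worth checking. The interface's summary block is above the hunk and should mention both side effects, e.g. `## Also marks the domain as an rpm_transition_domain and allows the debuginfo transition.`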
@@ -83,6 +86,11 @@ interface(`rpm_run',`
rpm_domtrans($1)
role $2 types { rpm_t rpm_script_t };
+
+ domain_system_change_exemption($1)
+ role_transition $2 rpm_exec_t system_r;
+ allow $2 system_r;
+
seutil_run_loadpolicy(rpm_script_t, $2)
seutil_run_semanage(rpm_script_t, $2)
seutil_run_setfiles(rpm_script_t, $2)
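Review bot: rpm_run now adds `allow $2 system_r;` and a role_transition of $2 on rpm_exec_t into system_r, plus domain_system_change_exemption($1), with no comment; any role granted rpm_run can therefore reach system_r, which is a real widening of what the interface used to hand out. A why-comment on the new lines, e.g. `# rpm scriptlets run in system_r; let the caller's role transition there when rpm_exec_t is executed`, would help whoever reads the generated policy. If only an admin role is meant to get this, gating the role_transition rather than applying it to every $2 would be the tighter form.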
@@ -181,6 +189,41 @@ interface(`rpm_rw_pipes',`
########################################
## <summary>
+## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_leaks',`
+ gen_require(`
+ type rpm_t, rpm_var_cache_t;
+ type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
+ type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
+ ')
+
+ dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 rpm_t:tcp_socket { read write };
+ dontaudit $1 rpm_t:unix_dgram_socket { read write };
+ dontaudit $1 rpm_t:shm rw_shm_perms;
+
+ dontaudit $1 rpm_script_t:fd use;
+ dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
+
+ dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;
+
+ dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+ dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## rpm over dbus.
## </summary>
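Review bot: The summary of rpm_dontaudit_leaks reads "dontaudit read and write an leaked file descriptors"; `## Do not audit read and write on leaked rpm file descriptors` is the intended wording. The body dontaudits fd use for rpm_script_t but not for rpm_t, although it does dontaudit rw on rpm_t fifos, tcp and dgram sockets; if descriptors inherited from rpm_t are the target, `dontaudit $1 rpm_t:fd use;` is presumably the first denial such a leak produces. The gen_require block mixes rpm_var_cache_t onto the first line while the other types are grouped by kind, a minor readability nit.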
@@ -277,8 +320,7 @@ interface(`rpm_append_log',`
type rpm_log_t;
')
- logging_search_logs($1)
- append_files_pattern($1, rpm_log_t, rpm_log_t)
+ allow $1 rpm_log_t:file append_inherited_file_perms;
')
########################################
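Review bot: rpm_append_log no longer grants logging_search_logs and append_files_pattern but only `append_inherited_file_perms` on rpm_log_t, which changes what existing callers get: a domain that opens the rpm log by path rather than inheriting an open descriptor is now denied. The same narrowing is applied to rpm_append_tmp_files below and to sosreport_append_tmp_files in sosreport.if. If limiting these to inherited descriptors is intended, the interface summaries (outside the hunk) should say so, e.g. `## Append to an inherited rpm log file descriptor`, and callers that open the file themselves need a different interface.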
@@ -335,7 +377,9 @@ interface(`rpm_manage_script_tmp_files',`
')
files_search_tmp($1)
+ manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+ manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
')
#####################################
@@ -354,8 +398,7 @@ interface(`rpm_append_tmp_files',`
type rpm_tmp_t;
')
- files_search_tmp($1)
- append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+ allow $1 rpm_tmp_t:file append_inherited_file_perms;
')
########################################
@@ -375,7 +418,9 @@ interface(`rpm_manage_tmp_files',`
')
files_search_tmp($1)
+ manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+ manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
')
########################################
@@ -459,6 +504,7 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ rpm_read_cache($1)
')
########################################
@@ -516,7 +562,7 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t;
')
- dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 rpm_var_lib_t:dir manage_dir_perms;
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -576,3 +622,66 @@ interface(`rpm_pid_filetrans',`
files_pid_filetrans($1, rpm_var_run_t, file)
')
+
+########################################
+## <summary>
+## Send a null signal to rpm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_inherited_fifo',`
+ gen_require(`
+ attribute rpm_transition_domain;
+ ')
+
+ allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+')
+
+
+########################################
+## <summary>
+## Make rpm_exec_t an entry point for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_entry_type',`
+ gen_require(`
+ type rpm_exec_t;
+ ')
+
+ domain_entry_file($1, rpm_exec_t)
+')
+
+########################################
+## <summary>
+## Allow application to transition to rpm_script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_transition_script',`
+ gen_require(`
+ type rpm_script_t;
+ attribute rpm_transition_domain;
+ ')
+
+ typeattribute $1 rpm_transition_domain;
+ allow $1 rpm_script_t:process transition;
+
+ allow $1 rpm_script_t:fd use;
+ allow rpm_script_t $1:fd use;
+ allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
+ allow rpm_script_t $1:process sigchld;
+')
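Review bot: rpm_inherited_fifo is documented as "Send a null signal to rpm." but its rule grants rw_inherited_fifo_file_perms on fifos of every rpm_transition_domain; the summary should read `## Read and write inherited fifo files of rpm transition domains`. rpm_transition_script grants `$1 rpm_script_t:process transition` plus the fd, fifo and sigchld exchange without naming an entrypoint, so the caller can enter rpm_script_t through any of that domain's entrypoint types, and rpm_script_t receives unconfined_domain_noaudit in rpm.te below; a comment stating that this is effectively an unconfined grant and which callers are expected would help reviewers of future callers. There is also a doubled blank line between rpm_inherited_fifo and rpm_entry_type.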
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 47a8f7d..8d3c1d8 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,10 +1,11 @@
policy_module(rpm, 1.12.0)
+attribute rpm_transition_domain;
+
########################################
#
# Declarations
#
-
type debuginfo_exec_t;
domain_entry_file(rpm_t, debuginfo_exec_t)
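Review bot: `attribute rpm_transition_domain;` is placed above the Declarations banner instead of below it, where this file keeps its type and attribute declarations; moving it under the header keeps the layout consistent with the other .te files in this patch. The blank line removed directly under the banner also leaves the comment box running straight into the first type declaration.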
@@ -76,6 +77,9 @@ allow rpm_t self:shm create_shm_perms;
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
+allow rpm_t self:dir search;
+allow rpm_t self:file rw_file_perms;;
+allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t, rpm_log_t, file)
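Review bot: `allow rpm_t self:file rw_file_perms;;` has a doubled semicolon, which is at best a stray token in the policy source and may not be accepted by the policy compiler; it should be `allow rpm_t self:file rw_file_perms;`. The self:dir search and self:file rules carry no comment; if they exist for the domain's own process directory under proc, a one-line note would say so.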
@@ -101,13 +105,16 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
+manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
-files_pid_filetrans(rpm_t, rpm_var_run_t, file)
+files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir })
kernel_read_crypto_sysctls(rpm_t)
kernel_read_network_state(rpm_t)
kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctls(rpm_t)
+kernel_read_network_state_symlinks(rpm_t)
+kernel_rw_irq_sysctls(rpm_t)
corecmd_exec_all_executables(rpm_t)
@@ -127,6 +134,19 @@ corenet_sendrecv_all_client_packets(rpm_t)
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
+dev_read_raw_memory(rpm_t)
+dev_manage_all_dev_nodes(rpm_t)
+
+#devices_manage_all_device_types(rpm_t)
+dev_create_generic_blk_files(rpm_t)
+dev_create_generic_chr_files(rpm_t)
+dev_delete_all_blk_files(rpm_t)
+dev_delete_all_chr_files(rpm_t)
+dev_relabel_all_dev_nodes(rpm_t)
+dev_rename_generic_blk_files(rpm_t)
+dev_rename_generic_chr_files(rpm_t)
+dev_setattr_all_blk_files(rpm_t)
+dev_setattr_all_chr_files(rpm_t)
fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t)
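Review bot: dev_read_raw_memory(rpm_t) and dev_manage_all_dev_nodes(rpm_t) are added without a comment, and raw memory read is a grant that should carry a reason even for a domain that is usually unconfined: rpm_t only receives unconfined_domain_noaudit inside an optional_policy later in this file, so these rules are exactly what applies when that module is absent. Please add a why-comment, e.g. `# dev_read_raw_memory: <scriptlet or tool that needs it> — confirm`. The commented-out `#devices_manage_all_device_types(rpm_t)` is dead code and should be deleted rather than left as a hint.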
@@ -154,8 +174,8 @@ storage_raw_read_fixed_disk(rpm_t)
term_list_ptys(rpm_t)
-auth_relabel_all_files_except_shadow(rpm_t)
-auth_manage_all_files_except_shadow(rpm_t)
+files_relabel_all_files(rpm_t)
+files_manage_all_files(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
auth_use_nsswitch(rpm_t)
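Review bot: Replacing auth_manage_all_files_except_shadow and auth_relabel_all_files_except_shadow with files_manage_all_files and files_relabel_all_files drops the explicit shadow exclusion; if the files_* interfaces cover shadow_t, as their names suggest, rpm_t now has full manage and relabel on the shadow file and the retained auth_dontaudit_read_shadow(rpm_t) on the next line becomes a no-op. The same substitution is made for rpm_script_t in the hunk starting at term_use_all_inherited_terms, where auth_dontaudit_getattr_shadow is likewise retained. If widening to shadow is intended, say so in a comment, e.g. `# package scriptlets (shadow-utils, passwd) rewrite the shadow file`, and drop the now-redundant dontaudit; if not, keep the _except_shadow interfaces.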
@@ -173,11 +193,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
domain_dontaudit_getattr_all_raw_sockets(rpm_t)
domain_dontaudit_getattr_all_stream_sockets(rpm_t)
domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
+domain_signull_all_domains(rpm_t)
files_exec_etc_files(rpm_t)
init_domtrans_script(rpm_t)
init_use_script_ptys(rpm_t)
+init_signull_script(rpm_t)
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
@@ -189,7 +211,7 @@ logging_send_syslog_msg(rpm_t)
seutil_manage_src_policy(rpm_t)
seutil_manage_bin_policy(rpm_t)
-userdom_use_user_terminals(rpm_t)
+userdom_use_inherited_user_terminals(rpm_t)
userdom_use_unpriv_users_fds(rpm_t)
optional_policy(`
@@ -207,6 +229,7 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(rpm_t)
')
+
')
optional_policy(`
@@ -214,7 +237,7 @@ optional_policy(`
')
optional_policy(`
- unconfined_domain(rpm_t)
+ unconfined_domain_noaudit(rpm_t)
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
unconfined_dbus_chat(rpm_script_t)
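Review bot: Switching rpm_t from unconfined_domain to unconfined_domain_noaudit changes what reaches the audit log rather than what the domain may do; if the _noaudit variant suppresses denials as its name suggests, package installs will no longer surface the AVC messages the previous form produced. That is a visibility trade-off for anyone monitoring the host and deserves a one-line comment, e.g. `# noaudit: rpm_t is unconfined here; suppress denial noise from scriptlets`, so a later reader does not read it as an accidental downgrade. rpm_script_t is switched the same way in the last rpm.te hunk.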
@@ -257,12 +280,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
can_exec(rpm_script_t, rpm_script_tmpfs_t)
+allow rpm_script_t rpm_t:netlink_route_socket { read write };
+
kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
kernel_read_network_state(rpm_script_t)
+kernel_list_all_proc(rpm_script_t)
kernel_read_software_raid_state(rpm_script_t)
+# needed by rhn_check
+corenet_tcp_connect_http_port(rpm_script_t)
+
dev_list_sysfs(rpm_script_t)
# ideally we would not need this
@@ -299,15 +328,17 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
-term_use_all_terms(rpm_script_t)
+term_use_all_inherited_terms(rpm_script_t)
auth_dontaudit_getattr_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
# ideally we would not need this
-auth_manage_all_files_except_shadow(rpm_script_t)
-auth_relabel_shadow(rpm_script_t)
+files_manage_all_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
corecmd_exec_all_executables(rpm_script_t)
+can_exec(rpm_script_t, rpm_script_tmp_t)
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
@@ -332,18 +363,18 @@ logging_send_syslog_msg(rpm_script_t)
miscfiles_read_localization(rpm_script_t)
-modutils_domtrans_depmod(rpm_script_t)
-modutils_domtrans_insmod(rpm_script_t)
-
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
+seutil_domtrans_setsebool(rpm_script_t)
userdom_use_all_users_fds(rpm_script_t)
+userdom_exec_admin_home_files(rpm_script_t)
ifdef(`distro_redhat',`
optional_policy(`
mta_send_mail(rpm_script_t)
+ mta_system_content(rpm_var_run_t)
')
')
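Review bot: mta_system_content(rpm_var_run_t) is added inside the distro_redhat/mta optional block with no comment, and as a type-level call it marks rpm's pid-file type as MTA system content rather than granting rpm_script_t anything; a reader cannot tell from the hunk which mail path needs it. A short comment, e.g. `# mta_system_content: <why the mail agent must treat rpm_var_run_t as system content> — confirm`, would document the intent.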
@@ -368,6 +399,11 @@ optional_policy(`
')
optional_policy(`
+ modutils_domtrans_depmod(rpm_script_t)
+ modutils_domtrans_insmod(rpm_script_t)
+')
+
+optional_policy(`
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
')
@@ -377,8 +413,9 @@ optional_policy(`
')
optional_policy(`
- unconfined_domain(rpm_script_t)
+ unconfined_domain_noaudit(rpm_script_t)
unconfined_domtrans(rpm_script_t)
+ unconfined_execmem_domtrans(rpm_script_t)
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te
index c8ef84b..40ceffb 100644
--- a/policy/modules/admin/sectoolm.te
+++ b/policy/modules/admin/sectoolm.te
@@ -70,12 +70,6 @@ application_exec_all(sectoolm_t)
auth_use_nsswitch(sectoolm_t)
-# tests related to network
-hostname_exec(sectoolm_t)
-
-# tests related to network
-iptables_domtrans(sectoolm_t)
-
libs_exec_ld_so(sectoolm_t)
logging_send_syslog_msg(sectoolm_t)
@@ -84,6 +78,17 @@ logging_send_syslog_msg(sectoolm_t)
sysnet_domtrans_ifconfig(sectoolm_t)
userdom_manage_user_tmp_sockets(sectoolm_t)
+userdom_dgram_send(sectoolm_t)
+
+optional_policy(`
+ # tests related to network
+ hostname_exec(sectoolm_t)
+')
+
+optional_policy(`
+ # tests related to network
+ iptables_domtrans(sectoolm_t)
+')
optional_policy(`
mount_exec(sectoolm_t)
diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
index 781ad7e..082f0c5 100644
--- a/policy/modules/admin/shorewall.if
+++ b/policy/modules/admin/shorewall.if
@@ -55,28 +55,9 @@ interface(`shorewall_read_config',`
read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
')
-#######################################
-## <summary>
-## Read shorewall PID files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`shorewall_read_pid_files',`
- gen_require(`
- type shorewall_var_run_t;
- ')
-
- files_search_pids($1)
- read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
-')
-
-#######################################
+######################################
## <summary>
-## Read and write shorewall PID files.
+## Read shorewall /var/lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -84,28 +65,9 @@ interface(`shorewall_read_pid_files',`
## </summary>
## </param>
#
-interface(`shorewall_rw_pid_files',`
- gen_require(`
- type shorewall_var_run_t;
- ')
-
- files_search_pids($1)
- rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
-')
-
-######################################
-## <summary>
-## Read shorewall /var/lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
interface(`shorewall_read_lib_files',`
gen_require(`
- type shorewall_t;
+ type shorewall_var_lib_t;
')
files_search_var_lib($1)
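Review bot: This hunk removes shorewall_read_pid_files and shorewall_rw_pid_files (the previous hunk removes their doc blocks); any caller outside this patch that still references them will fail to build, so the removal should be checked against the rest of the tree or the interfaces kept as deprecated stubs. The gen_require fix in shorewall_read_lib_files (shorewall_t replaced by shorewall_var_lib_t) looks right, since the interface presumably only references shorewall_var_lib_t; its body continues outside the hunk.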
@@ -115,12 +77,12 @@ interface(`shorewall_read_lib_files',`
#######################################
## <summary>
-## Read and write shorewall /var/lib files.
+## Read and write shorewall /var/lib files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`shorewall_rw_lib_files',`
diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
index 95bce88..1a53b7b 100644
--- a/policy/modules/admin/shorewall.te
+++ b/policy/modules/admin/shorewall.te
@@ -59,6 +59,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
+allow shorewall_t shorewall_var_lib_t:file entrypoint;
+
+allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
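Review bot: The added `allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;` duplicates the identical context line immediately below it, so one of the two should go. The new `allow shorewall_t shorewall_var_lib_t:file entrypoint;` makes files the domain can itself create and write (manage_files_pattern on the same type a few lines above) valid entry points into shorewall_t, which departs from the usual rule that a domain's entrypoint types are not writable by that domain. If compiled firewall scripts under the var_lib type must be re-executed in-domain, say so in a comment, e.g. `# shorewall re-executes the firewall script it compiles into shorewall_var_lib_t`, so the writable-entrypoint choice is visibly deliberate.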
@@ -83,13 +86,22 @@ fs_getattr_all_fs(shorewall_t)
init_rw_utmp(shorewall_t)
+logging_read_generic_logs(shorewall_t)
logging_send_syslog_msg(shorewall_t)
+auth_use_nsswitch(shorewall_t)
+
miscfiles_read_localization(shorewall_t)
sysnet_domtrans_ifconfig(shorewall_t)
-userdom_dontaudit_list_user_home_dirs(shorewall_t)
+userdom_dontaudit_list_admin_dir(shorewall_t)
+userdom_use_inherited_user_ttys(shorewall_t)
+userdom_use_inherited_user_ptys(shorewall_t)
+
+optional_policy(`
+ brctl_domtrans(shorewall_t)
+')
optional_policy(`
hostname_exec(shorewall_t)
diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
index d0604cf..95c53c5 100644
--- a/policy/modules/admin/shutdown.if
+++ b/policy/modules/admin/shutdown.if
@@ -18,9 +18,13 @@ interface(`shutdown_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, shutdown_exec_t, shutdown_t)
+ optional_policy(`
+ systemd_exec_systemctl($1)
+ init_stream_connect($1)
+ ')
+
ifdef(`hide_broken_symptoms', `
- dontaudit shutdown_t $1:socket_class_set { read write };
- dontaudit shutdown_t $1:fifo_file { read write };
+ dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;
')
')
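Review bot: shutdown_domtrans now also gives the calling domain systemd_exec_systemctl and init_stream_connect inside an optional_policy, which goes beyond a domain transition and is easy to miss for callers that only wanted the transition. The interface summary (above the hunk) should mention it, e.g. `## On systemd systems also allows the domain to run systemctl and connect to init.` The hide_broken_symptoms block drops the socket_class_set dontaudit and keeps only the fifo one; that is fine if the socket leaks no longer occur, but nothing in the hunk says so.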
@@ -51,6 +55,73 @@ interface(`shutdown_run',`
########################################
## <summary>
+## Role access for shutdown
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`shutdown_role',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ role $1 types shutdown_t;
+
+ shutdown_domtrans($2)
+
+ ps_process_pattern($2, shutdown_t)
+ allow $2 shutdown_t:process signal;
+')
+
+########################################
+## <summary>
+## Recieve sigchld from shutdown
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`shutdown_send_sigchld',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ allow shutdown_t $1:process signal;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## shutdown over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shutdown_dbus_chat',`
+ gen_require(`
+ type shutdown_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 shutdown_t:dbus send_msg;
+ allow shutdown_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Get attributes of shutdown executable.
## </summary>
## <param name="domain">
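Review bot: shutdown_send_sigchld is named and documented ("Recieve sigchld from shutdown") as a sigchld grant, but its rule is `allow shutdown_t $1:process signal;`, which lets shutdown_t send any ordinary signal to the caller; if only child-exit notification is meant, the rule should be `allow shutdown_t $1:process sigchld;`, and the summary should spell "Receive" either way. shutdown_role also grants `$2 shutdown_t:process signal` on top of ps_process_pattern; a comment such as `# the user domain may interrupt a pending shutdown` would explain the choice.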
diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
index 8966ec9..8fbe943 100644
--- a/policy/modules/admin/shutdown.te
+++ b/policy/modules/admin/shutdown.te
@@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0)
type shutdown_t;
type shutdown_exec_t;
+init_system_domain(shutdown_t, shutdown_exec_t)
application_domain(shutdown_t, shutdown_exec_t)
role system_r types shutdown_t;
@@ -21,8 +22,8 @@ files_pid_file(shutdown_var_run_t)
# shutdown local policy
#
-allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };
-allow shutdown_t self:process { fork signal signull };
+allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config };
+allow shutdown_t self:process { fork setsched signal signull };
allow shutdown_t self:fifo_file manage_fifo_file_perms;
allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
@@ -33,18 +34,21 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
+kernel_read_system_state(shutdown_t)
+
domain_use_interactive_fds(shutdown_t)
files_read_etc_files(shutdown_t)
files_read_generic_pids(shutdown_t)
-term_use_all_terms(shutdown_t)
+mls_file_write_to_clearance(shutdown_t)
+
+term_use_all_inherited_terms(shutdown_t)
auth_use_nsswitch(shutdown_t)
auth_write_login_records(shutdown_t)
-init_dontaudit_write_utmp(shutdown_t)
-init_read_utmp(shutdown_t)
+init_rw_utmp(shutdown_t)
init_stream_connect(shutdown_t)
init_telinit(shutdown_t)
@@ -54,10 +58,24 @@ logging_send_audit_msgs(shutdown_t)
miscfiles_read_localization(shutdown_t)
optional_policy(`
+ cron_system_entry(shutdown_t, shutdown_exec_t)
+')
+
+optional_policy(`
dbus_system_bus_client(shutdown_t)
dbus_connect_system_bus(shutdown_t)
')
optional_policy(`
+ oddjob_dontaudit_rw_fifo_file(shutdown_t)
+ oddjob_sigchld(shutdown_t)
+')
+
+optional_policy(`
+ rhev_sigchld_agentd(shutdown_t)
+')
+
+optional_policy(`
xserver_dontaudit_write_log(shutdown_t)
+ xserver_xdm_append_log(shutdown_t)
')
diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te
index bc00875..2efc0d7 100644
--- a/policy/modules/admin/smoltclient.te
+++ b/policy/modules/admin/smoltclient.te
@@ -8,7 +8,6 @@ policy_module(smoltclient, 1.1.0)
type smoltclient_t;
type smoltclient_exec_t;
application_domain(smoltclient_t, smoltclient_exec_t)
-cron_system_entry(smoltclient_t, smoltclient_exec_t)
type smoltclient_tmp_t;
files_tmp_file(smoltclient_tmp_t)
@@ -39,6 +38,7 @@ corecmd_exec_shell(smoltclient_t)
corenet_tcp_connect_http_port(smoltclient_t)
dev_read_sysfs(smoltclient_t)
+dev_read_urand(smoltclient_t)
fs_getattr_all_fs(smoltclient_t)
fs_getattr_all_dirs(smoltclient_t)
@@ -46,15 +46,25 @@ fs_list_auto_mountpoints(smoltclient_t)
files_getattr_generic_locks(smoltclient_t)
files_read_etc_files(smoltclient_t)
+files_read_etc_runtime_files(smoltclient_t)
files_read_usr_files(smoltclient_t)
auth_use_nsswitch(smoltclient_t)
logging_send_syslog_msg(smoltclient_t)
+miscfiles_read_hwdata(smoltclient_t)
miscfiles_read_localization(smoltclient_t)
optional_policy(`
+ abrt_stream_connect(smoltclient_t)
+')
+
+optional_policy(`
+ cron_system_entry(smoltclient_t, smoltclient_exec_t)
+')
+
+optional_policy(`
dbus_system_bus_client(smoltclient_t)
')
diff --git a/policy/modules/admin/sosreport.if b/policy/modules/admin/sosreport.if
index 94c01b5..f64bd93 100644
--- a/policy/modules/admin/sosreport.if
+++ b/policy/modules/admin/sosreport.if
@@ -106,7 +106,7 @@ interface(`sosreport_append_tmp_files',`
type sosreport_tmp_t;
')
- append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
+ allow $1 sosreport_tmp_t:file append_inherited_file_perms;
')
########################################
diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
index fe1c377..557e37f 100644
--- a/policy/modules/admin/sosreport.te
+++ b/policy/modules/admin/sosreport.te
@@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
# some config files do not have configfile attribute
# sosreport needs to read various files on system
-auth_read_all_files_except_shadow(sosreport_t)
+files_read_non_security_files(sosreport_t)
auth_use_nsswitch(sosreport_t)
init_domtrans_script(sosreport_t)
@@ -92,9 +92,6 @@ logging_send_syslog_msg(sosreport_t)
miscfiles_read_localization(sosreport_t)
-# needed by modinfo
-modutils_read_module_deps(sosreport_t)
-
sysnet_read_config(sosreport_t)
optional_policy(`
@@ -110,6 +107,11 @@ optional_policy(`
')
optional_policy(`
+ # needed by modinfo
+ modutils_read_module_deps(sosreport_t)
+')
+
+optional_policy(`
fstools_domtrans(sosreport_t)
')
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 8c5fa3c..ce3d33a 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -119,11 +119,6 @@ template(`su_restricted_domain_template', `
userdom_spec_domtrans_unpriv_users($1_su_t)
')
- ifdef(`hide_broken_symptoms',`
- # dontaudit leaked sockets from parent
- dontaudit $1_su_t $2:socket_class_set { read write };
- ')
-
optional_policy(`
cron_read_pipes($1_su_t)
')
@@ -210,7 +205,7 @@ template(`su_role_template',`
auth_domtrans_chk_passwd($1_su_t)
auth_dontaudit_read_shadow($1_su_t)
- auth_use_nsswitch($1_su_t)
+ auth_use_pam($1_su_t)
auth_rw_faillog($1_su_t)
corecmd_search_bin($1_su_t)
@@ -234,6 +229,7 @@ template(`su_role_template',`
userdom_use_user_terminals($1_su_t)
userdom_search_user_home_dirs($1_su_t)
+ userdom_search_admin_dir($1_su_t)
ifdef(`distro_redhat',`
# RHEL5 and possibly newer releases incl. Fedora
@@ -279,11 +275,6 @@ template(`su_role_template',`
')
')
- ifdef(`hide_broken_symptoms',`
- # dontaudit leaked sockets from parent
- dontaudit $1_su_t $3:socket_class_set { read write };
- ')
-
tunable_policy(`allow_polyinstantiation',`
fs_mount_xattr_fs($1_su_t)
fs_unmount_xattr_fs($1_su_t)
diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
index 7bddc02..2b59ed0 100644
--- a/policy/modules/admin/sudo.fc
+++ b/policy/modules/admin/sudo.fc
@@ -1,2 +1,4 @@
/usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0)
+
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 975af1a..bcc4481 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
gen_require(`
type sudo_exec_t;
+ type sudo_db_t;
attribute sudodomain;
')
@@ -47,6 +48,15 @@ template(`sudo_role_template',`
ubac_constrained($1_sudo_t)
role $2 types $1_sudo_t;
+ type $1_sudo_tmp_t;
+ files_tmp_file($1_sudo_tmp_t)
+
+ allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
+ files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
+
+ manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
+ manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
+
##############################
#
# Local Policy
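Review bot: The new `allow`, `files_tmp_filetrans` and `manage_*_pattern` rules at L3016–L3020 are placed above the `# Local Policy` banner, in the section the template otherwise reserves for type declarations and role assignments. Only `type $1_sudo_tmp_t;` and `files_tmp_file($1_sudo_tmp_t)` belong there; the access rules should move below the banner with the rest of the template's policy so the file's structure stays readable.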
@@ -76,6 +86,11 @@ template(`sudo_role_template',`
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $3)
corecmd_bin_domtrans($1_sudo_t, $3)
+ userdom_domtrans_user_home($1_sudo_t, $3)
+ userdom_domtrans_user_tmp($1_sudo_t, $3)
+ domain_entry_file($3, sudo_exec_t)
+ domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3)
+
allow $3 $1_sudo_t:fd use;
allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
allow $3 $1_sudo_t:process signal_perms;
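Review bot: The comment `# By default, revert to the calling domain when a shell is executed.` now understates what follows: the added lines also revert to `$3` for executables in the user's home and tmp directories, and `domain_entry_file($3, sudo_exec_t)` with `domain_auto_transition_pattern` makes the sudo binary itself an entrypoint into the user domain. Declaring a setuid binary as an entrypoint is a security-relevant decision and should be explained, e.g. `# Also revert to the calling domain for user home/tmp executables and when sudo re-executes sudo (sudo_exec_t becomes an entrypoint of $3).` The template continues outside the hunk.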
@@ -113,12 +128,15 @@ template(`sudo_role_template',`
term_getattr_pty_fs($1_sudo_t)
term_relabel_all_ttys($1_sudo_t)
term_relabel_all_ptys($1_sudo_t)
+ term_getattr_pty_fs($1_sudo_t)
auth_run_chk_passwd($1_sudo_t, $2)
# sudo stores a token in the pam_pid directory
auth_manage_pam_pid($1_sudo_t)
auth_use_nsswitch($1_sudo_t)
+ application_signal($1_sudo_t)
+
init_rw_utmp($1_sudo_t)
logging_send_audit_msgs($1_sudo_t)
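Review bot: `term_getattr_pty_fs($1_sudo_t)` added at L3041 duplicates the identical call three lines up at L3038, so the new line should be dropped. Duplicate interface calls do not change the compiled policy but they obscure review and tend to accumulate in templates.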
@@ -126,7 +144,7 @@ template(`sudo_role_template',`
miscfiles_read_localization($1_sudo_t)
- seutil_search_default_contexts($1_sudo_t)
+ seutil_read_default_contexts($1_sudo_t)
seutil_libselinux_linked($1_sudo_t)
userdom_spec_domtrans_all_users($1_sudo_t)
@@ -135,12 +153,13 @@ template(`sudo_role_template',`
userdom_manage_user_tmp_files($1_sudo_t)
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
+ userdom_signal_all_users($1_sudo_t)
# for some PAM modules and for cwd
- userdom_dontaudit_search_user_home_content($1_sudo_t)
+ userdom_search_user_home_content($1_sudo_t)
+ userdom_search_admin_dir($1_sudo_t)
+ userdom_manage_all_users_keys($1_sudo_t)
- ifdef(`hide_broken_symptoms', `
- dontaudit $1_sudo_t $3:socket_class_set { read write };
- ')
+ mta_role($2, $1_sudo_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
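Review bot: `mta_role($2, $1_sudo_t)` at L3069 is called unconditionally; unless the mta module is part of the base policy in this build (not visible from the patch), the template will fail to link whenever mta is not loaded, and `optional_policy(`mta_role($2, $1_sudo_t)')` would be the safer form. `userdom_manage_all_users_keys($1_sudo_t)` at L3065 gives the sudo domain write access to every user's kernel keyrings and has no comment; a one-line reason would help the next reviewer judge whether a narrower keyring interface would do.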
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index 2731fa1..3443ba2 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -7,3 +7,7 @@ attribute sudodomain;
type sudo_exec_t;
application_executable_file(sudo_exec_t)
+
+type sudo_db_t;
+files_type(sudo_db_t)
+
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
index d5aaf0e..6b16aef 100644
--- a/policy/modules/admin/sxid.te
+++ b/policy/modules/admin/sxid.te
@@ -66,7 +66,7 @@ fs_list_all(sxid_t)
term_dontaudit_use_console(sxid_t)
-auth_read_all_files_except_shadow(sxid_t)
+files_read_non_security_files(sxid_t)
auth_dontaudit_getattr_shadow(sxid_t)
init_use_fds(sxid_t)
@@ -76,13 +76,17 @@ logging_send_syslog_msg(sxid_t)
miscfiles_read_localization(sxid_t)
-mount_exec(sxid_t)
-
sysnet_read_config(sxid_t)
userdom_dontaudit_use_unpriv_user_fds(sxid_t)
-cron_system_entry(sxid_t, sxid_exec_t)
+optional_policy(`
+ cron_system_entry(sxid_t, sxid_exec_t)
+')
+
+optional_policy(`
+ mount_exec(sxid_t)
+')
optional_policy(`
mta_send_mail(sxid_t)
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
index 6a5004b..90cf622 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
type tmpreaper_t;
type tmpreaper_exec_t;
+init_system_domain(tmpreaper_t, tmpreaper_exec_t)
application_domain(tmpreaper_t, tmpreaper_exec_t)
role system_r types tmpreaper_t;
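Review bot: `role system_r types tmpreaper_t;` at L3118 is kept although the newly added `init_system_domain(tmpreaper_t, tmpreaper_exec_t)` already associates the domain with system_r in refpolicy, and the vpn.te hunk at L3539–L3546 drops the equivalent `role system_r types vpnc_t;` line when it makes the same change, so the two hunks are inconsistent. Calling both `init_system_domain` and `application_domain` on the same type also declares the domain and its entrypoint twice; if both are intentional (system domain that is also an application executable), a short comment saying so would settle it.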
@@ -25,11 +26,16 @@ fs_getattr_xattr_fs(tmpreaper_t)
files_read_etc_files(tmpreaper_t)
files_read_var_lib_files(tmpreaper_t)
files_purge_tmp(tmpreaper_t)
+files_delete_usr_dirs(tmpreaper_t)
+files_delete_usr_files(tmpreaper_t)
# why does it need setattr?
files_setattr_all_tmp_dirs(tmpreaper_t)
+files_setattr_usr_dirs(tmpreaper_t)
files_getattr_all_dirs(tmpreaper_t)
files_getattr_all_files(tmpreaper_t)
+mcs_file_read_all(tmpreaper_t)
+mcs_file_write_all(tmpreaper_t)
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
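Review bot: `files_delete_usr_dirs`, `files_delete_usr_files` and `files_setattr_usr_dirs` at L3123–L3127 let a temp-file reaper remove and change attributes on anything under /usr, far beyond the purge-tmp intent of the surrounding rules, and unlike the adjacent `# why does it need setattr?` line they come with no explanation. A why-comment naming the /usr location tmpreaper actually cleans, e.g. `# tmpreaper also cleans <PATH_UNDER_USR> — TODO confirm`, would let a later reader judge whether a dedicated type would be narrower. `mcs_file_read_all`/`mcs_file_write_all` at L3130–L3131 likewise deserve a one-line note that the reaper must cross MCS categories to delete other users' files.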
@@ -38,13 +44,17 @@ logging_send_syslog_msg(tmpreaper_t)
miscfiles_read_localization(tmpreaper_t)
miscfiles_delete_man_pages(tmpreaper_t)
-cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
+optional_policy(`
+ cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
+')
ifdef(`distro_redhat',`
userdom_list_user_home_content(tmpreaper_t)
- userdom_delete_user_home_content_dirs(tmpreaper_t)
- userdom_delete_user_home_content_files(tmpreaper_t)
- userdom_delete_user_home_content_symlinks(tmpreaper_t)
+ userdom_delete_all_user_home_content_dirs(tmpreaper_t)
+ userdom_delete_all_user_home_content_files(tmpreaper_t)
+ userdom_delete_all_user_home_content_sock_files(tmpreaper_t)
+ userdom_delete_all_user_home_content_symlinks(tmpreaper_t)
+ userdom_setattr_all_user_home_content_dirs(tmpreaper_t)
')
optional_policy(`
@@ -52,7 +62,9 @@ optional_policy(`
')
optional_policy(`
+ apache_delete_sys_content_rw(tmpreaper_t)
apache_list_cache(tmpreaper_t)
+ apache_delete_cache_dirs(tmpreaper_t)
apache_delete_cache_files(tmpreaper_t)
apache_setattr_cache_dirs(tmpreaper_t)
')
@@ -66,9 +78,13 @@ optional_policy(`
')
optional_policy(`
- rpm_manage_cache(tmpreaper_t)
+ sandbox_list(tmpreaper_t)
+ sandbox_delete_dirs(tmpreaper_t)
+ sandbox_delete_files(tmpreaper_t)
+ sandbox_delete_sock_files(tmpreaper_t)
+ sandbox_setattr_dirs(tmpreaper_t)
')
optional_policy(`
- unconfined_domain(tmpreaper_t)
+ rpm_manage_cache(tmpreaper_t)
')
diff --git a/policy/modules/admin/tripwire.te b/policy/modules/admin/tripwire.te
index 2ae8b62..a8e786b 100644
--- a/policy/modules/admin/tripwire.te
+++ b/policy/modules/admin/tripwire.te
@@ -80,7 +80,7 @@ files_getattr_all_sockets(tripwire_t)
logging_send_syslog_msg(tripwire_t)
-userdom_use_user_terminals(tripwire_t)
+userdom_use_inherited_user_terminals(tripwire_t)
optional_policy(`
cron_system_entry(tripwire_t, tripwire_exec_t)
@@ -101,7 +101,7 @@ logging_send_syslog_msg(twadmin_t)
miscfiles_read_localization(twadmin_t)
-userdom_use_user_terminals(twadmin_t)
+userdom_use_inherited_user_terminals(twadmin_t)
########################################
#
@@ -127,7 +127,7 @@ logging_send_syslog_msg(twprint_t)
miscfiles_read_localization(twprint_t)
-userdom_use_user_terminals(twprint_t)
+userdom_use_inherited_user_terminals(twprint_t)
########################################
#
@@ -143,4 +143,4 @@ logging_send_syslog_msg(siggen_t)
miscfiles_read_localization(siggen_t)
-userdom_use_user_terminals(siggen_t)
+userdom_use_inherited_user_terminals(siggen_t)
diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
index d0f2a64..834a56d 100644
--- a/policy/modules/admin/tzdata.te
+++ b/policy/modules/admin/tzdata.te
@@ -15,7 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t)
# tzdata local policy
#
-files_read_etc_files(tzdata_t)
+files_read_config_files(tzdata_t)
files_search_spool(tzdata_t)
fs_getattr_xattr_fs(tzdata_t)
@@ -28,7 +28,7 @@ miscfiles_read_localization(tzdata_t)
miscfiles_manage_localization(tzdata_t)
miscfiles_etc_filetrans_localization(tzdata_t)
-userdom_use_user_terminals(tzdata_t)
+userdom_use_inherited_user_terminals(tzdata_t)
# tzdata looks for /var/spool/postfix/etc/localtime.
optional_policy(`
diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te
index ef12ed5..2c013c4 100644
--- a/policy/modules/admin/updfstab.te
+++ b/policy/modules/admin/updfstab.te
@@ -78,9 +78,8 @@ seutil_read_file_contexts(updfstab_t)
userdom_dontaudit_search_user_home_content(updfstab_t)
userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
-optional_policy(`
- auth_domtrans_pam_console(updfstab_t)
-')
+auth_use_nsswitch(updfstab_t)
+auth_domtrans_pam_console(updfstab_t)
optional_policy(`
init_dbus_chat_script(updfstab_t)
@@ -104,10 +103,6 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(updfstab_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(updfstab_t)
')
diff --git a/policy/modules/admin/usbmodules.te b/policy/modules/admin/usbmodules.te
index 74354da..f04565f 100644
--- a/policy/modules/admin/usbmodules.te
+++ b/policy/modules/admin/usbmodules.te
@@ -34,9 +34,7 @@ init_use_fds(usbmodules_t)
miscfiles_read_hwdata(usbmodules_t)
-modutils_read_module_deps(usbmodules_t)
-
-userdom_use_user_terminals(usbmodules_t)
+userdom_use_inherited_user_terminals(usbmodules_t)
optional_policy(`
hotplug_read_config(usbmodules_t)
@@ -45,3 +43,7 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(usbmodules_t)
')
+
+optional_policy(`
+ modutils_read_module_deps(usbmodules_t)
+')
diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
index c467144..fb794f9 100644
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
@@ -10,7 +10,7 @@ ifdef(`distro_gentoo',`
/usr/bin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/bin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-/usr/lib(64)?/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
+/usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
/usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
/usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
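Review bot: Dropping `(64)?` from `/usr/lib(64)?/cracklib_dict.*` (and from `/usr/lib(64)?/authbind/helper` at L3594) leaves the 64-bit library path without a rule unless this build ships a file_contexts substitution mapping /usr/lib64 to /usr/lib, and that prerequisite is not visible in the patch. If the substitution is what is relied on, a comment in the .fc or in the commit message would stop the next person from re-adding the alternation; if it is not, the cracklib dictionaries on x86_64 hosts silently lose `crack_db_t`.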
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 81fb26f..66cf96c 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',`
corecmd_search_bin($1)
domtrans_pattern($1, chfn_exec_t, chfn_t)
-
- ifdef(`hide_broken_symptoms',`
- dontaudit chfn_t $1:socket_class_set { read write };
- ')
')
########################################
@@ -65,10 +61,25 @@ interface(`usermanage_domtrans_groupadd',`
corecmd_search_bin($1)
domtrans_pattern($1, groupadd_exec_t, groupadd_t)
+')
- ifdef(`hide_broken_symptoms',`
- dontaudit groupadd_t $1:socket_class_set { read write };
+########################################
+## <summary>
+## Check access to the groupadd executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_access_check_groupadd',`
+ gen_require(`
+ type groupadd_exec_t;
')
+
+ corecmd_search_bin($1)
+ allow $1 groupadd_exec_t:file { getattr_file_perms execute };
')
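Review bot: The three new `usermanage_access_check_*` interfaces (L3303, L3332, L3374) grant `{ getattr_file_perms execute }` without `execute_no_trans`, so a caller can stat the binary and pass an access(2) X_OK probe but cannot run it in its own domain; the summaries (`Check access to the groupadd executable.`) do not say this, and a reader may take `execute` for a full exec grant. Add a line to each summary such as `## Allows stat/access checks on the binary only; running it still requires a domain transition.` The passwd variant's summary at L3324 is also missing the trailing period the other two have.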
########################################
@@ -118,10 +129,6 @@ interface(`usermanage_domtrans_passwd',`
corecmd_search_bin($1)
domtrans_pattern($1, passwd_exec_t, passwd_t)
-
- ifdef(`hide_broken_symptoms',`
- dontaudit passwd_t $1:socket_class_set { read write };
- ')
')
########################################
@@ -170,6 +177,25 @@ interface(`usermanage_run_passwd',`
########################################
## <summary>
+## Check access to the passwd executable
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_access_check_passwd',`
+ gen_require(`
+ type passwd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 passwd_exec_t:file { getattr_file_perms execute };
+')
+
+########################################
+## <summary>
## Execute password admin functions in
## the admin passwd domain.
## </summary>
@@ -254,10 +280,6 @@ interface(`usermanage_domtrans_useradd',`
corecmd_search_bin($1)
domtrans_pattern($1, useradd_exec_t, useradd_t)
-
- ifdef(`hide_broken_symptoms',`
- dontaudit useradd_t $1:socket_class_set { read write };
- ')
')
########################################
@@ -285,6 +307,9 @@ interface(`usermanage_run_useradd',`
usermanage_domtrans_useradd($1)
role $2 types useradd_t;
+ # Add/remove user home directories
+ userdom_manage_home_role($2, useradd_t)
+
seutil_run_semanage(useradd_t, $2)
optional_policy(`
@@ -294,6 +319,25 @@ interface(`usermanage_run_useradd',`
########################################
## <summary>
+## Check access to the useradd executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_access_check_useradd',`
+ gen_require(`
+ type useradd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 useradd_exec_t:file { getattr_file_perms execute };
+')
+
+########################################
+## <summary>
## Read the crack database.
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 441cf22..4779a8d 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -79,18 +79,17 @@ selinux_compute_create_context(chfn_t)
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)
-term_use_all_ttys(chfn_t)
-term_use_all_ptys(chfn_t)
+term_use_all_inherited_ttys(chfn_t)
+term_use_all_inherited_ptys(chfn_t)
fs_getattr_xattr_fs(chfn_t)
fs_search_auto_mountpoints(chfn_t)
# for SSP
dev_read_urand(chfn_t)
+dev_dontaudit_getattr_all(chfn_t)
-auth_domtrans_chk_passwd(chfn_t)
-auth_dontaudit_read_shadow(chfn_t)
-auth_use_nsswitch(chfn_t)
+auth_use_pam(chfn_t)
# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)
@@ -118,6 +117,10 @@ userdom_use_unpriv_users_fds(chfn_t)
# on user home dir
userdom_dontaudit_search_user_home_content(chfn_t)
+optional_policy(`
+ rssh_exec(chfn_t)
+')
+
########################################
#
# Crack local policy
@@ -194,8 +197,7 @@ selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
-term_use_all_ttys(groupadd_t)
-term_use_all_ptys(groupadd_t)
+term_use_all_inherited_terms(groupadd_t)
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
@@ -277,6 +279,7 @@ kernel_read_kernel_sysctls(passwd_t)
# for SSP
dev_read_urand(passwd_t)
+dev_dontaudit_getattr_all(passwd_t)
fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)
@@ -291,17 +294,18 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
-term_use_all_ttys(passwd_t)
-term_use_all_ptys(passwd_t)
+term_use_all_inherited_terms(passwd_t)
-auth_domtrans_chk_passwd(passwd_t)
auth_manage_shadow(passwd_t)
auth_relabel_shadow(passwd_t)
auth_etc_filetrans_shadow(passwd_t)
-auth_use_nsswitch(passwd_t)
+auth_use_pam(passwd_t)
# allow checking if a shell is executable
corecmd_check_exec_shell(passwd_t)
+corecmd_exec_bin(passwd_t)
+
+corenet_tcp_connect_kerberos_password_port(passwd_t)
domain_use_interactive_fds(passwd_t)
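Review bot: `corecmd_exec_bin(passwd_t)` at L3448 lets passwd_t run any bin_t executable without a transition, inside the domain that also holds `auth_manage_shadow`, and it comes with no justification even though the neighbouring `# allow checking if a shell is executable` shows the file's habit of explaining such grants. A comment naming the helper passwd actually execs, e.g. `# passwd runs <HELPER> — TODO confirm`, would document why a narrower `*_exec` interface was not enough. The new `corenet_tcp_connect_kerberos_password_port(passwd_t)` is self-explanatory and can stay bare.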
@@ -311,6 +315,8 @@ files_search_var(passwd_t)
files_dontaudit_search_pids(passwd_t)
files_relabel_etc_files(passwd_t)
+term_search_ptys(passwd_t)
+
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
@@ -323,7 +329,7 @@ miscfiles_read_localization(passwd_t)
seutil_dontaudit_search_config(passwd_t)
-userdom_use_user_terminals(passwd_t)
+userdom_use_inherited_user_terminals(passwd_t)
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
@@ -332,6 +338,7 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
+userdom_stream_connect(passwd_t)
optional_policy(`
nscd_domtrans(passwd_t)
@@ -381,8 +388,7 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
-term_use_all_ttys(sysadm_passwd_t)
-term_use_all_ptys(sysadm_passwd_t)
+term_use_all_inherited_terms(sysadm_passwd_t)
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
@@ -426,7 +432,7 @@ optional_policy(`
# Useradd local policy
#
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace };
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
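Review bot: Adding `sys_ptrace` to useradd_t's capability set at L3486 has no accompanying comment, while the `~{ ptrace ... }` process rule two lines below still withholds the ptrace permission itself, so the capability is presumably wanted for reading other domains' /proc state rather than for tracing. A short `# sys_ptrace: needed to read /proc/<pid> of other domains — TODO confirm` next to the capability line would keep a later reader from widening the process rule to match.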
@@ -448,8 +454,12 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
+kernel_getattr_core_if(useradd_t)
+dev_dontaudit_getattr_all(useradd_t)
+
domain_use_interactive_fds(useradd_t)
domain_read_all_domains_state(useradd_t)
+domain_dontaudit_read_all_domains_state(useradd_t)
files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
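Review bot: `domain_dontaudit_read_all_domains_state(useradd_t)` at L3498 sits directly under `domain_read_all_domains_state(useradd_t)` at L3497; a dontaudit only affects accesses that are denied, and the allow already covers the same vectors, so the new line is dead unless the two interfaces differ in scope. Drop it, or add a comment naming the extra permissions it is meant to silence.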
@@ -460,6 +470,7 @@ fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)
mls_file_upgrade(useradd_t)
+mls_process_read_to_clearance(useradd_t)
# Allow access to context for shadow file
selinux_get_fs_mount(useradd_t)
@@ -469,8 +480,7 @@ selinux_compute_create_context(useradd_t)
selinux_compute_relabel_context(useradd_t)
selinux_compute_user_contexts(useradd_t)
-term_use_all_ttys(useradd_t)
-term_use_all_ptys(useradd_t)
+term_use_all_inherited_terms(useradd_t)
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
@@ -498,21 +508,11 @@ seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
-userdom_manage_user_home_dirs(useradd_t)
-userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_manage_user_home_content_dirs(useradd_t)
-userdom_manage_user_home_content_files(useradd_t)
userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
+userdom_manage_home_role(system_r, useradd_t)
mta_manage_spool(useradd_t)
-ifdef(`distro_redhat',`
- optional_policy(`
- unconfined_domain(useradd_t)
- ')
-')
-
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index ebf4b26..b58c822 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -7,8 +7,8 @@ policy_module(vpn, 1.14.0)
type vpnc_t;
type vpnc_exec_t;
+init_system_domain(vpnc_t, vpnc_exec_t)
application_domain(vpnc_t, vpnc_exec_t)
-role system_r types vpnc_t;
type vpnc_tmp_t;
files_tmp_file(vpnc_tmp_t)
@@ -21,7 +21,7 @@ files_pid_file(vpnc_var_run_t)
# Local policy
#
-allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
+allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid };
allow vpnc_t self:process { getsched signal };
allow vpnc_t self:fifo_file rw_fifo_file_perms;
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
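Review bot: The `setuid` capability added to vpnc_t at L3551 is not explained; vpnc presumably drops privileges or runs a helper under another uid, but nothing in the file says so. A one-line `# setuid: <reason> — TODO confirm` on the capability line would make the grant reviewable without re-reading the daemon's source.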
@@ -77,8 +77,8 @@ domain_use_interactive_fds(vpnc_t)
fs_getattr_xattr_fs(vpnc_t)
fs_getattr_tmpfs(vpnc_t)
-term_use_all_ptys(vpnc_t)
-term_use_all_ttys(vpnc_t)
+term_use_all_inherited_ptys(vpnc_t)
+term_use_all_inherited_ttys(vpnc_t)
corecmd_exec_all_executables(vpnc_t)
@@ -89,6 +89,8 @@ files_dontaudit_search_home(vpnc_t)
auth_use_nsswitch(vpnc_t)
+init_dontaudit_use_fds(vpnc_t)
+
libs_exec_ld_so(vpnc_t)
libs_exec_lib_files(vpnc_t)
@@ -106,7 +108,8 @@ sysnet_etc_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t)
userdom_use_all_users_fds(vpnc_t)
-userdom_dontaudit_search_user_home_content(vpnc_t)
+userdom_read_home_certs(vpnc_t)
+userdom_search_admin_dir(vpnc_t)
optional_policy(`
dbus_system_bus_client(vpnc_t)
diff --git a/policy/modules/apps/ada.te b/policy/modules/apps/ada.te
index 39c75fb..057d8b1 100644
--- a/policy/modules/apps/ada.te
+++ b/policy/modules/apps/ada.te
@@ -17,7 +17,7 @@ role system_r types ada_t;
allow ada_t self:process { execstack execmem };
-userdom_use_user_terminals(ada_t)
+userdom_use_inherited_user_terminals(ada_t)
optional_policy(`
unconfined_domain(ada_t)
diff --git a/policy/modules/apps/authbind.fc b/policy/modules/apps/authbind.fc
index 48cf11b..9787bd4 100644
--- a/policy/modules/apps/authbind.fc
+++ b/policy/modules/apps/authbind.fc
@@ -1,3 +1,3 @@
/etc/authbind(/.*)? gen_context(system_u:object_r:authbind_etc_t,s0)
-/usr/lib(64)?/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0)
+/usr/lib/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0)
diff --git a/policy/modules/apps/awstats.if b/policy/modules/apps/awstats.if
index 283ff0d..53f9ba1 100644
--- a/policy/modules/apps/awstats.if
+++ b/policy/modules/apps/awstats.if
@@ -5,6 +5,25 @@
########################################
## <summary>
+## Execute the awstats program in the awstats domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`awstats_domtrans',`
+ gen_require(`
+ type awstats_t, awstats_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, awstats_exec_t, awstats_t)
+')
+
+########################################
+## <summary>
## Read and write awstats unnamed pipes.
## </summary>
## <param name="domain">
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
index 46ea44f..f7183ef 100644
--- a/policy/modules/apps/cdrecord.te
+++ b/policy/modules/apps/cdrecord.te
@@ -56,7 +56,7 @@ logging_send_syslog_msg(cdrecord_t)
miscfiles_read_localization(cdrecord_t)
# write to the user domain tty.
-userdom_use_user_terminals(cdrecord_t)
+userdom_use_inherited_user_terminals(cdrecord_t)
userdom_read_user_home_content_files(cdrecord_t)
# Handle nfs home dirs
diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc
new file mode 100644
index 0000000..1f468aa
--- /dev/null
+++ b/policy/modules/apps/chrome.fc
@@ -0,0 +1,3 @@
+ /opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
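Review bot: The first entry of the new chrome.fc at L3641 begins with whitespace before `/opt/google/chrome/chrome-sandbox`, unlike the entry at L3643; if that is in the file rather than an artefact of rendering, it breaks the column layout every other .fc in the tree keeps, and fc-sorting and lint tools may treat a line with a leading blank as malformed. Strip the leading whitespace so the line reads `/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)`.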
diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
new file mode 100644
index 0000000..bacc639
--- /dev/null
+++ b/policy/modules/apps/chrome.if
@@ -0,0 +1,127 @@
+
+## <summary>policy for chrome</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run chrome_sandbox.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chrome_domtrans_sandbox',`
+ gen_require(`
+ type chrome_sandbox_t, chrome_sandbox_exec_t;
+ ')
+
+ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
+ ps_process_pattern(chrome_sandbox_t, $1)
+
+ allow $1 chrome_sandbox_t:fd use;
+
+ ifdef(`hide_broken_symptoms',`
+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
+ ')
+')
+
+
+########################################
+## <summary>
+## Execute chrome_sandbox in the chrome_sandbox domain, and
+## allow the specified role the chrome_sandbox domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the chrome_sandbox domain.
+## </summary>
+## </param>
+#
+interface(`chrome_run_sandbox',`
+ gen_require(`
+ type chrome_sandbox_t;
+ ')
+
+ chrome_domtrans_sandbox($1)
+ role $2 types chrome_sandbox_t;
+')
+
+########################################
+## <summary>
+## Role access for chrome sandbox
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`chrome_role_notrans',`
+ gen_require(`
+ type chrome_sandbox_t;
+ type chrome_sandbox_tmpfs_t;
+ ')
+
+ role $1 types chrome_sandbox_t;
+
+ ps_process_pattern($2, chrome_sandbox_t)
+ allow $2 chrome_sandbox_t:process signal_perms;
+
+ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
+ allow chrome_sandbox_t $2:unix_stream_socket { getattr read write };
+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
+
+ allow $2 chrome_sandbox_t:shm rw_shm_perms;
+
+ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Role access for chrome sandbox
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`chrome_role',`
+ chrome_role_notrans($1, $2)
+ chrome_domtrans_sandbox($2)
+')
+
+########################################
+## <summary>
+## Dontaudit read/write to a chrome_sandbox leaks
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`chrome_dontaudit_sandbox_leaks',`
+ gen_require(`
+ type chrome_sandbox_t;
+ ')
+
+ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
+')
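Review bot: In `chrome_domtrans_sandbox` the `ifdef(`hide_broken_symptoms', ...)` block at L3673–L3675 applies `fs_dontaudit_rw_anon_inodefs_files` to chrome_sandbox_t, not to `$1`, so it does not depend on the caller at all and is re-emitted by every module that invokes the interface; it belongs once in chrome.te's local policy. The summaries of `chrome_role_notrans` and `chrome_role` are identical (`Role access for chrome sandbox`), so the documentation does not tell a reader that only the latter also permits the domain transition. There is also a doubled blank line at L3677–L3678 between the first two interfaces.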
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
index 0000000..df2b2a9
--- /dev/null
+++ b/policy/modules/apps/chrome.te
@@ -0,0 +1,125 @@
+policy_module(chrome,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type chrome_sandbox_t;
+type chrome_sandbox_exec_t;
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
+role system_r types chrome_sandbox_t;
+
+type chrome_sandbox_tmp_t;
+files_tmp_file(chrome_sandbox_tmp_t)
+
+type chrome_sandbox_tmpfs_t;
+files_tmpfs_file(chrome_sandbox_tmpfs_t)
+ubac_constrained(chrome_sandbox_tmpfs_t)
+
+########################################
+#
+# chrome_sandbox local policy
+#
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
+allow chrome_sandbox_t self:process setsched;
+allow chrome_sandbox_t self:fifo_file manage_file_perms;
+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_t self:shm create_shm_perms;
+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
+
+kernel_read_system_state(chrome_sandbox_t)
+kernel_read_kernel_sysctls(chrome_sandbox_t)
+
+fs_manage_cgroup_dirs(chrome_sandbox_t)
+fs_manage_cgroup_files(chrome_sandbox_t)
+
+corecmd_exec_bin(chrome_sandbox_t)
+
+corenet_all_recvfrom_unlabeled(chrome_sandbox_t)
+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
+corenet_tcp_connect_flash_port(chrome_sandbox_t)
+corenet_tcp_connect_streaming_port(chrome_sandbox_t)
+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
+corenet_tcp_connect_http_port(chrome_sandbox_t)
+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
+corenet_tcp_connect_squid_port(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
+corenet_tcp_connect_ipp_port(chrome_sandbox_t)
+corenet_tcp_connect_speech_port(chrome_sandbox_t)
+
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
+
+dev_read_urand(chrome_sandbox_t)
+dev_read_sysfs(chrome_sandbox_t)
+dev_rwx_zero(chrome_sandbox_t)
+
+files_read_etc_files(chrome_sandbox_t)
+files_read_usr_files(chrome_sandbox_t)
+
+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
+
+userdom_rw_user_tmpfs_files(chrome_sandbox_t)
+userdom_use_user_ptys(chrome_sandbox_t)
+userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
+userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
+
+miscfiles_read_localization(chrome_sandbox_t)
+miscfiles_read_fonts(chrome_sandbox_t)
+
+sysnet_dns_name_resolve(chrome_sandbox_t)
+
+optional_policy(`
+ execmem_exec(chrome_sandbox_t)
+ execmem_execmod(chrome_sandbox_t)
+')
+
+optional_policy(`
+ gnome_rw_inherited_config(chrome_sandbox_t)
+ gnome_read_home_config(chrome_sandbox_t)
+')
+
+optional_policy(`
+ xserver_use_user_fonts(chrome_sandbox_t)
+ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(chrome_sandbox_t)
+ fs_exec_nfs_files(chrome_sandbox_t)
+ fs_read_nfs_files(chrome_sandbox_t)
+ fs_rw_inherited_nfs_files(chrome_sandbox_t)
+ fs_read_nfs_symlinks(chrome_sandbox_t)
+ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(chrome_sandbox_t)
+ fs_exec_cifs_files(chrome_sandbox_t)
+ fs_rw_inherited_cifs_files(chrome_sandbox_t)
+ fs_read_cifs_files(chrome_sandbox_t)
+ fs_read_cifs_symlinks(chrome_sandbox_t)
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_search_fusefs(chrome_sandbox_t)
+ fs_read_fusefs_files(chrome_sandbox_t)
+ fs_exec_fusefs_files(chrome_sandbox_t)
+ fs_read_fusefs_symlinks(chrome_sandbox_t)
+')
+
+optional_policy(`
+ sandbox_use_ptys(chrome_sandbox_t)
+')
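Review bot: `policy_module(chrome,1.0.0)` at L3783 lacks the space after the comma that every other module header in this patch uses (`policy_module(tmpreaper, 1.5.0)`). More importantly, the capability line at L3806 grants `sys_admin sys_chroot sys_ptrace setuid setgid chown dac_override fsetid` with no comment; these are presumably what the setuid chrome-sandbox helper needs to set up its chroot/namespace jail and then drop privileges, but the file should say so, e.g. `# chrome-sandbox is a setuid helper: jail setup needs sys_admin/sys_chroot, then it drops to the user — TODO confirm`. `dev_rwx_zero` and the `execmem execstack` process permissions at L3807 and L3847 likewise deserve a one-line reason.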
diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
index 37475dd..7db4a01 100644
--- a/policy/modules/apps/cpufreqselector.te
+++ b/policy/modules/apps/cpufreqselector.te
@@ -17,6 +17,7 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t)
allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
allow cpufreqselector_t self:process getsched;
allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+allow cpufreqselector_t self:process getsched;
kernel_read_system_state(cpufreqselector_t)
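Review bot: `allow cpufreqselector_t self:process getsched;` added at L3916 duplicates the identical rule at L3914, and the next hunk's `kernel_read_system_state(cpufreqselector_t)` at L3920 duplicates the call already present at L3917. Both new lines should be dropped; rules repeated a few lines apart usually mean the additions were pasted from an audit2allow run rather than checked against the file.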
@@ -27,10 +28,12 @@ corecmd_search_bin(cpufreqselector_t)
dev_rw_sysfs(cpufreqselector_t)
+kernel_read_system_state(cpufreqselector_t)
+
miscfiles_read_localization(cpufreqselector_t)
userdom_read_all_users_state(cpufreqselector_t)
-userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
+userdom_dontaudit_search_admin_dir(cpufreqselector_t)
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
@@ -53,3 +56,7 @@ optional_policy(`
policykit_read_lib(cpufreqselector_t)
policykit_read_reload(cpufreqselector_t)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(cpufreqselector_t)
+')
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index cd70958..e8c94b1 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -202,6 +202,8 @@ files_read_var_files(evolution_t)
fs_search_auto_mountpoints(evolution_t)
+auth_use_nsswitch(evolution_t)
+
logging_send_syslog_msg(evolution_t)
miscfiles_read_localization(evolution_t)
@@ -215,7 +217,7 @@ userdom_rw_user_tmp_files(evolution_t)
userdom_manage_user_tmp_dirs(evolution_t)
userdom_manage_user_tmp_sockets(evolution_t)
userdom_manage_user_tmp_files(evolution_t)
-userdom_use_user_terminals(evolution_t)
+userdom_use_inherited_user_terminals(evolution_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
@@ -319,15 +321,6 @@ optional_policy(`
mozilla_domtrans(evolution_t)
')
-# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
-optional_policy(`
- nis_use_ypbind(evolution_t)
-')
-
-optional_policy(`
- nscd_socket_use(evolution_t)
-')
-
### Junk mail filtering (start spamd)
optional_policy(`
spamassassin_exec_spamd(evolution_t)
@@ -376,6 +369,8 @@ files_read_usr_files(evolution_alarm_t)
fs_search_auto_mountpoints(evolution_alarm_t)
+auth_use_nsswitch(evolution_alarm_t)
+
miscfiles_read_localization(evolution_alarm_t)
# Access evolution home
@@ -404,10 +399,6 @@ optional_policy(`
gnome_stream_connect_gconf(evolution_alarm_t)
')
-optional_policy(`
- nscd_socket_use(evolution_alarm_t)
-')
-
########################################
#
# Evolution exchange connector local policy
@@ -459,6 +450,8 @@ files_read_usr_files(evolution_exchange_t)
# Access evolution home
fs_search_auto_mountpoints(evolution_exchange_t)
+auth_use_nsswitch(evolution_exchange_t)
+
miscfiles_read_localization(evolution_exchange_t)
userdom_write_user_tmp_sockets(evolution_exchange_t)
@@ -484,10 +477,6 @@ optional_policy(`
gnome_stream_connect_gconf(evolution_exchange_t)
')
-optional_policy(`
- nscd_socket_use(evolution_exchange_t)
-')
-
########################################
#
# Evolution data server local policy
@@ -539,6 +528,8 @@ files_read_usr_files(evolution_server_t)
fs_search_auto_mountpoints(evolution_server_t)
+auth_use_nsswitch(evolution_server_t)
+
miscfiles_read_localization(evolution_server_t)
# Look in /etc/pki
miscfiles_read_generic_certs(evolution_server_t)
@@ -568,10 +559,6 @@ optional_policy(`
gnome_stream_connect_gconf(evolution_server_t)
')
-optional_policy(`
- nscd_socket_use(evolution_server_t)
-')
-
########################################
#
# Evolution webcal local policy
@@ -600,6 +587,8 @@ corenet_tcp_connect_http_port(evolution_webcal_t)
corenet_sendrecv_http_client_packets(evolution_webcal_t)
corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
+auth_use_nsswitch(evolution_webcal_t)
+
# Networking capability - connect to website and handle ics link
sysnet_read_config(evolution_webcal_t)
sysnet_dns_name_resolve(evolution_webcal_t)
@@ -612,7 +601,3 @@ userdom_search_user_home_dirs(evolution_webcal_t)
userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
-
-optional_policy(`
- nscd_socket_use(evolution_webcal_t)
-')
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
new file mode 100644
index 0000000..6f3570a
--- /dev/null
+++ b/policy/modules/apps/execmem.fc
@@ -0,0 +1,48 @@
+
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/plasma-desktop -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+')
+/usr/lib/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/libexec/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/secondlife-install/bin/SLPlugin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/real/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)
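Review bot: `/opt/real/RealPlayer/realplay\.bin` is already matched by `/opt/real/(.*/)?realplay\.bin` a few lines above it, so the second entry is dead and should go. `/usr/lib/chromium-browser/chromium-browser` is the only entry in the file without the `--` file-type restriction, so it would also label a directory or symlink at that path; add `--` for consistency with the rest. The last entry `/usr/local/Wolfram/Mathematica(/.*)?MathKernel` has no separator before `MathKernel`, so it matches any path under that tree that merely ends in MathKernel (e.g. `.../NotMathKernel`) as well as `/usr/local/Wolfram/MathematicaMathKernel`; `/usr/local/Wolfram/Mathematica(/.*)?/MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)` is the intended shape.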
diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
new file mode 100644
index 0000000..e23f640
--- /dev/null
+++ b/policy/modules/apps/execmem.if
@@ -0,0 +1,132 @@
+## <summary>execmem domain</summary>
+
+########################################
+## <summary>
+## Execute the execmem program
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`execmem_exec',`
+ gen_require(`
+ type execmem_exec_t;
+ ')
+
+ can_exec($1, execmem_exec_t)
+')
+
+#######################################
+## <summary>
+## The role template for the execmem module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for execmem applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`execmem_role_template',`
+ gen_require(`
+ type execmem_exec_t;
+ ')
+
+ type $1_execmem_t;
+ domain_type($1_execmem_t)
+ domain_entry_file($1_execmem_t, execmem_exec_t)
+ role $2 types $1_execmem_t;
+
+ userdom_unpriv_usertype($1, $1_execmem_t)
+ userdom_manage_tmp_role($2, $1_execmem_t)
+ userdom_manage_tmpfs_role($2, $1_execmem_t)
+
+ allow $1_execmem_t self:process { execmem execstack };
+ allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
+ domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
+
+ files_execmod_tmp($1_execmem_t)
+
+ allow $3 execmem_exec_t:file execmod;
+ allow $1_execmem_t execmem_exec_t:file execmod;
+
+ # needed by plasma-desktop
+ optional_policy(`
+ gnome_read_usr_config($1_execmem_t)
+ ')
+
+ optional_policy(`
+ mozilla_execmod_user_home_files($1_execmem_t)
+ ')
+
+ optional_policy(`
+ nsplugin_rw_shm($1_execmem_t)
+ nsplugin_rw_semaphores($1_execmem_t)
+ ')
+
+ optional_policy(`
+ xserver_role($2, $1_execmem_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute a execmem_exec file
+## in the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`execmem_domtrans',`
+ gen_require(`
+ type execmem_exec_t;
+ ')
+
+ domtrans_pattern($1, execmem_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Execmod the execmem_exec applications
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`execmem_execmod',`
+ gen_require(`
+ type execmem_exec_t;
+ ')
+
+ allow $1 execmem_exec_t:file execmod;
+')
+
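Review bot: `allow $3 execmem_exec_t:file execmod;` in `execmem_role_template` hands execmod to the user domain itself, not just to the derived `$1_execmem_t`; execmod permits executing a privately modified mapping of the file, which is close to giving `$3` execmem without the domain transition the template exists to enforce. In the same block, `allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };` lets the user domain ptrace the execmem domain, which again lets code in `$3` run with execmem/execstack rights through the child. If both are needed for a specific application, gate them behind a tunable or at least add a comment naming that application; otherwise drop `ptrace` and keep execmod on the derived domain only, which `allow $1_execmem_t execmem_exec_t:file execmod;` already provides. The `# needed by plasma-desktop` annotation on the `gnome_read_usr_config` block is a good model for how to justify these.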
diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
new file mode 100644
index 0000000..a7d37e2
--- /dev/null
+++ b/policy/modules/apps/execmem.te
@@ -0,0 +1,10 @@
+policy_module(execmem, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type execmem_exec_t alias unconfined_execmem_exec_t;
+application_executable_file(execmem_exec_t)
+
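Review bot: The alias `unconfined_execmem_exec_t` on `execmem_exec_t` is undocumented and nothing in this file says why it is kept. Presumably it preserves compatibility with existing file labels and local modules written against the old name; if so, say it: `# alias kept for labels and modules that still reference unconfined_execmem_exec_t`. A one-line summary above the declaration (what execmem_exec_t marks, and that the per-user domains come from execmem_role_template in execmem.if) would also help readers who land here first.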
diff --git a/policy/modules/apps/firewallgui.fc b/policy/modules/apps/firewallgui.fc
new file mode 100644
index 0000000..ce498b3
--- /dev/null
+++ b/policy/modules/apps/firewallgui.fc
@@ -0,0 +1,3 @@
+
+/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
+
diff --git a/policy/modules/apps/firewallgui.if b/policy/modules/apps/firewallgui.if
new file mode 100644
index 0000000..2bd5790
--- /dev/null
+++ b/policy/modules/apps/firewallgui.if
@@ -0,0 +1,41 @@
+
+## <summary>policy for firewallgui</summary>
+
+########################################
+## <summary>
+## Send and receive messages from
+## firewallgui over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firewallgui_dbus_chat',`
+ gen_require(`
+ type firewallgui_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 firewallgui_t:dbus send_msg;
+ allow firewallgui_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read and write firewallgui unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firewallgui_dontaudit_rw_pipes',`
+ gen_require(`
+ type firewallgui_t;
+ ')
+
+ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
+')
diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
new file mode 100644
index 0000000..86b640d
--- /dev/null
+++ b/policy/modules/apps/firewallgui.te
@@ -0,0 +1,72 @@
+policy_module(firewallgui,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type firewallgui_t;
+type firewallgui_exec_t;
+dbus_system_domain(firewallgui_t, firewallgui_exec_t)
+
+type firewallgui_tmp_t;
+files_tmp_file(firewallgui_tmp_t)
+
+########################################
+#
+# firewallgui local policy
+#
+
+allow firewallgui_t self:capability { net_admin sys_rawio } ;
+allow firewallgui_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
+manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
+files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir })
+
+kernel_read_system_state(firewallgui_t)
+kernel_read_network_state(firewallgui_t)
+kernel_rw_net_sysctls(firewallgui_t)
+kernel_rw_kernel_sysctl(firewallgui_t)
+kernel_rw_vm_sysctls(firewallgui_t)
+
+corecmd_exec_shell(firewallgui_t)
+corecmd_exec_bin(firewallgui_t)
+
+dev_read_urand(firewallgui_t)
+dev_read_sysfs(firewallgui_t)
+
+files_manage_system_conf_files(firewallgui_t)
+files_etc_filetrans_system_conf(firewallgui_t)
+files_read_etc_files(firewallgui_t)
+files_read_usr_files(firewallgui_t)
+files_search_kernel_modules(firewallgui_t)
+files_list_kernel_modules(firewallgui_t)
+
+auth_use_nsswitch(firewallgui_t)
+
+miscfiles_read_localization(firewallgui_t)
+
+userdom_dontaudit_search_user_home_dirs(firewallgui_t)
+
+optional_policy(`
+ consoletype_exec(firewallgui_t)
+')
+
+optional_policy(`
+ gnome_read_gconf_home_files(firewallgui_t)
+')
+
+optional_policy(`
+ iptables_domtrans(firewallgui_t)
+ iptables_initrc_domtrans(firewallgui_t)
+ iptables_systemctl(firewallgui_t)
+')
+
+optional_policy(`
+ modutils_getattr_module_deps(firewallgui_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(firewallgui_t)
+')
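Review bot: `allow firewallgui_t self:capability { net_admin sys_rawio } ;` grants sys_rawio to a firewall configuration helper with no comment explaining why; sys_rawio allows raw disk and I/O-port access and is far beyond what manipulating netfilter needs. The same question applies to `kernel_rw_kernel_sysctl` and `kernel_rw_vm_sysctls` sitting next to the expected `kernel_rw_net_sysctls`. Unless an AVC denial shows these are required, trim to `allow firewallgui_t self:capability net_admin;` and `kernel_rw_net_sysctls(firewallgui_t)`, or annotate each with the operation that needs it. Stylistically, `policy_module(firewallgui,1.0.0)` and the three `*_pattern(firewallgui_t,firewallgui_tmp_t,...)` calls lack the space after commas used everywhere else in this patch.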
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
index 6e4add5..10a2ce4 100644
--- a/policy/modules/apps/gift.te
+++ b/policy/modules/apps/gift.te
@@ -132,7 +132,7 @@ miscfiles_read_localization(giftd_t)
sysnet_read_config(giftd_t)
-userdom_use_user_terminals(giftd_t)
+userdom_use_inherited_user_terminals(giftd_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(giftd_t)
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
index 00a19e3..9f6139c 100644
--- a/policy/modules/apps/gnome.fc
+++ b/policy/modules/apps/gnome.fc
@@ -1,9 +1,45 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
+HOME_DIR/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+
+/var/run/user/[^/]*/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+
+/root/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+/root/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+/root/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+/root/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
+/root/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
+/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0)
+
+/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+
+# Don't use because toolchain is broken
+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
+
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
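Review bot: `HOME_DIR/\.local.*` (and its `/root/\.local.*` twin) is unanchored after `.local`, so it also labels unrelated entries such as `~/.localized` or `~/.local-backup` as gconf_home_t; the other entries in this file use the `(/.*)?` form, and `HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)` is what is meant. The commented-out `gconfd-2` label leaves `gconfd_exec_t` matching no file, so the `domain_auto_trans($2, gconfd_exec_t, gconfd_t)` that `gnome_role` still sets up in gnome.if is dead until whatever the comment calls the broken toolchain is fixed; the comment should say what is broken and point at a tracking reference rather than just "toolchain is broken". `HOME_DIR/\.gstreamer-.*` has the same open-ended tail but is at least version-suffixed, so it is less of a concern.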
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index f5afe78..9a0377f 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -1,44 +1,768 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
+###########################################################
## <summary>
-## Role access for gnome
+## Role access for gnome
## </summary>
## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`gnome_role',`
+ gen_require(`
+ type gconfd_t, gconfd_exec_t;
+ type gconf_tmp_t;
+ ')
+
+ role $1 types gconfd_t;
+
+ domain_auto_trans($2, gconfd_exec_t, gconfd_t)
+ allow gconfd_t $2:fd use;
+ allow gconfd_t $2:fifo_file write;
+ allow gconfd_t $2:unix_stream_socket connectto;
+
+ ps_process_pattern($2, gconfd_t)
+
+ #gnome_stream_connect_gconf_template($1, $2)
+ read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
+ allow $2 gconfd_t:unix_stream_socket connectto;
+')
+
+######################################
+## <summary>
+## The role template for the gnome-keyring-daemon.
+## </summary>
+## <param name="user_prefix">
+## <summary>
+## The user prefix.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The user role.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The user domain associated with the role.
+## </summary>
+## </param>
+#
+interface(`gnome_role_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ attribute gnome_domain;
+ type gnome_home_t;
+ type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
+ class dbus send_msg;
+ ')
+
+ type $1_gkeyringd_t, gnome_domain, gkeyringd_domain;
+ typealias $1_gkeyringd_t alias gkeyringd_$1_t;
+ application_domain($1_gkeyringd_t, gkeyringd_exec_t)
+ ubac_constrained($1_gkeyringd_t)
+ domain_user_exemption_target($1_gkeyringd_t)
+
+ role $2 types $1_gkeyringd_t;
+
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
+
+ allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
+
+ allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+
+ corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
+ corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
+ allow $1_gkeyringd_t $3:process sigkill;
+ allow $3 $1_gkeyringd_t:fd use;
+ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
+
+ ps_process_pattern($1_gkeyringd_t, $3)
+
+ auth_use_nsswitch($1_gkeyringd_t)
+
+ ps_process_pattern($3, $1_gkeyringd_t)
+ allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+
+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
+
+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
+
+ allow $1_gkeyringd_t $3:dbus send_msg;
+ allow $3 $1_gkeyringd_t:dbus send_msg;
+ optional_policy(`
+ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_session_bus_client($1_gkeyringd_t)
+ gnome_home_dir_filetrans($1_gkeyringd_t)
+ gnome_manage_generic_home_dirs($1_gkeyringd_t)
+
+ optional_policy(`
+ telepathy_mission_control_read_state($1_gkeyringd_t)
+ ')
+ ')
+')
+
+########################################
+## <summary>
+## gconf connection template.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_stream_connect_gconf',`
+ gen_require(`
+ type gconfd_t, gconf_tmp_t;
+ ')
+
+ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+ allow $1 gconfd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Connect to gkeyringd with a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_stream_connect_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ type gkeyringd_tmp_t;
+ type gconf_tmp_t;
+ ')
+
+ allow $1 gconf_tmp_t:dir search_dir_perms;
+ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
+')
+
+########################################
+## <summary>
+## Connect to gkeyringd with a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_stream_connect_all_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ type gkeyringd_tmp_t;
+ type gconf_tmp_t;
+ ')
+
+ allow $1 gconf_tmp_t:dir search_dir_perms;
+ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
+')
+
+########################################
+## <summary>
+## Run gconfd in gconfd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_domtrans_gconfd',`
+ gen_require(`
+ type gconfd_t, gconfd_exec_t;
+ ')
+
+ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+')
+
+########################################
+## <summary>
+## Dontaudit read gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gnome_dontaudit_read_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Dontaudit search gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gnome_dontaudit_search_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ dontaudit $1 gnome_home_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## manage gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ allow $1 gnome_home_type:dir manage_dir_perms;
+ allow $1 gnome_home_type:file manage_file_perms;
+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Send general signals to all gconf domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_signal_all',`
+ gen_require(`
+ attribute gnome_domain;
+ ')
+
+ allow $1 gnome_domain:process signal;
+')
+
+########################################
+## <summary>
+## Create objects in a Gnome cache home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`gnome_cache_filetrans',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ filetrans_pattern($1, cache_home_t, $2, $3, $4)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read generic cache home files (.cache)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_generic_cache_files',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ read_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Set attributes of cache home dir (.cache)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_setattr_cache_home_dir',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ setattr_dirs_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## append to generic cache home files (.cache)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_append_generic_cache_files',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ append_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## write to generic cache home files (.cache)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_write_generic_cache_files',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ write_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Dontaudit read/write to generic cache home files (.cache)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gnome_dontaudit_rw_generic_cache_files',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ dontaudit $1 cache_home_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## read gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+ read_files_pattern($1, gnome_home_type, gnome_home_type)
+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
+')
+
+########################################
+## <summary>
+## Create objects in a Gnome gconf home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`gnome_data_filetrans',`
+ gen_require(`
+ type data_home_t;
+ ')
+
+ filetrans_pattern($1, data_home_t, $2, $3, $4)
+ gnome_search_gconf($1)
+')
+
+#######################################
+## <summary>
+## Manage gconf data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_data',`
+ gen_require(`
+ type data_home_t;
+ type gconf_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir search_dir_perms;
+ manage_dirs_pattern($1, data_home_t, data_home_t)
+ manage_files_pattern($1, data_home_t, data_home_t)
+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
+')
+
+########################################
+## <summary>
+## Read icc data home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_home_icc_data_content',`
+ gen_require(`
+ type icc_data_home_t, gconf_home_t, data_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
+')
+
+########################################
+## <summary>
+## Read inherited icc data home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_inherited_home_icc_data_files',`
+ gen_require(`
+ type icc_data_home_t;
+ ')
+
+ allow $1 icc_data_home_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Create gconf_home_t objects in the /root directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`gnome_admin_home_gconf_filetrans',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read
+## inherited gconf config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## read gconf config files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
+')
+
+#######################################
+## <summary>
+## Manage gconf config files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
+')
+
+########################################
+## <summary>
+## Execute gconf programs in
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_gconf',`
+ gen_require(`
+ type gconfd_exec_t;
+ ')
+
+ can_exec($1, gconfd_exec_t)
+')
+
+########################################
+## <summary>
+## Execute gnome keyringd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_keyringd',`
+ gen_require(`
+ type gkeyringd_exec_t;
+ ')
+
+ can_exec($1, gkeyringd_exec_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Read gconf home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t;
+ type data_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir list_dir_perms;
+ allow $1 data_home_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_home_t, gconf_home_t)
+ read_files_pattern($1, data_home_t, data_home_t)
+ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
+ read_lnk_files_pattern($1, data_home_t, data_home_t)
+')
+
+########################################
+## <summary>
+## Search gkeyringd temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_search_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 gkeyringd_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## search gconf homedir (.local)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_search_gconf',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Set attributes of Gnome config dirs.
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access
+## Domain allowed access.
## </summary>
## </param>
+#
+interface(`gnome_setattr_config_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Manage generic gnome home files.
+## </summary>
## <param name="domain">
## <summary>
-## User domain for the role
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`gnome_role',`
+interface(`gnome_manage_generic_home_files',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
- type gconf_tmp_t;
+ type gnome_home_t;
')
- role $1 types gconfd_t;
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, gnome_home_t, gnome_home_t)
+')
+
+########################################
+## <summary>
+## Manage generic gnome home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_generic_home_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
- domain_auto_trans($2, gconfd_exec_t, gconfd_t)
- allow gconfd_t $2:fd use;
- allow gconfd_t $2:fifo_file write;
- allow gconfd_t $2:unix_stream_socket connectto;
+ userdom_search_user_home_dirs($1)
+ allow $1 gnome_home_t:dir manage_dir_perms;
+')
- ps_process_pattern($2, gconfd_t)
+########################################
+## <summary>
+## Append gconf home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_append_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t;
+ ')
- #gnome_stream_connect_gconf_template($1, $2)
- read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
- allow $2 gconfd_t:unix_stream_socket connectto;
+ append_files_pattern($1, gconf_home_t, gconf_home_t)
')
########################################
## <summary>
-## Execute gconf programs in
-## in the caller domain.
+## manage gconf home files
## </summary>
## <param name="domain">
## <summary>
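Review bot: `gnome_role_gkeyringd` assumes the user domain is named `<prefix>_t` in `corecmd_bin_domtrans($1_gkeyringd_t, $1_t)` and `corecmd_shell_domtrans($1_gkeyringd_t, $1_t)` even though the user domain is passed in as `$3` and used everywhere else in the block; a caller whose domain is not literally `$1_t` gets a transition to an undeclared type, so both should use `$3`. The block is declared with `interface(` while its summary calls it a template and it declares a new type, so `template(` is the right keyword. `allow $3 $1_gkeyringd_t:process { ptrace signal_perms };` lets the user domain ptrace the keyring daemon, which undercuts the reason for keeping the daemon in its own domain; drop `ptrace` unless a denial shows it is needed. Finally, `gnome_stream_connect_all_gkeyringd` is byte-for-byte identical to `gnome_stream_connect_gkeyringd`, summary included, so one of them should go or the `_all_` variant should differ in what it grants.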
@@ -46,37 +770,60 @@ interface(`gnome_role',`
## </summary>
## </param>
#
-interface(`gnome_exec_gconf',`
+interface(`gnome_manage_gconf_home_files',`
gen_require(`
- type gconfd_exec_t;
+ type gconf_home_t;
')
- can_exec($1, gconfd_exec_t)
+ allow $1 gconf_home_t:dir list_dir_perms;
+ manage_files_pattern($1, gconf_home_t, gconf_home_t)
')
########################################
## <summary>
-## Read gconf config files.
+## Connect to gnome over an unix stream socket.
## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
## <param name="user_domain">
## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`gnome_stream_connect',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ # Connect to pulseaudit server
+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
+')
+
+########################################
+## <summary>
+## list gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-template(`gnome_read_gconf_config',`
+interface(`gnome_list_home_config',`
gen_require(`
- type gconf_etc_t;
+ type config_home_t;
')
- allow $1 gconf_etc_t:dir list_dir_perms;
- read_files_pattern($1, gconf_etc_t, gconf_etc_t)
- files_search_etc($1)
+ allow $1 config_home_t:dir list_dir_perms;
')
-#######################################
+########################################
## <summary>
-## Create, read, write, and delete gconf config files.
+## Set attributes of gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
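Review bot: The parameter documentation for `gnome_stream_connect` at L5245-L5249 describes `$2` as "The type of the user domain", but `stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)` at L5257 uses `$2` as the server domain that owns the listening socket, so a caller following the doc would grant `connectto` toward the wrong peer; propose `## The domain of the gnome process listening on the socket.` The comment `# Connect to pulseaudit server` at L5256 is misspelled and unrelated to what this interface does; propose `# connect to sockets labelled with any gnome home type`. Note also that using the `gnome_home_type` attribute for both the directory and the socket type makes this one interface cover every gnome home label, which is worth a sentence in the `<desc>` so callers understand the breadth.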
@@ -84,37 +831,38 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
-interface(`gnome_manage_gconf_config',`
+interface(`gnome_setattr_home_config',`
gen_require(`
- type gconf_etc_t;
+ type config_home_t;
')
- manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
- files_search_etc($1)
+ setattr_dirs_pattern($1, config_home_t, config_home_t)
+ userdom_search_user_home_dirs($1)
')
########################################
## <summary>
-## gconf connection template.
+## read gnome homedir content (.config)
## </summary>
-## <param name="user_domain">
+## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`gnome_stream_connect_gconf',`
+interface(`gnome_read_home_config',`
gen_require(`
- type gconfd_t, gconf_tmp_t;
+ type config_home_t;
')
- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
- allow $1 gconfd_t:unix_stream_socket connectto;
+ list_dirs_pattern($1, config_home_t, config_home_t)
+ read_files_pattern($1, config_home_t, config_home_t)
+ read_lnk_files_pattern($1, config_home_t, config_home_t)
')
########################################
## <summary>
-## Run gconfd in gconfd domain.
+## manage gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
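Review bot: `gnome_read_home_config` (L5317-L5327) grants list/read/read_lnk on `config_home_t` but does not grant search on the user home directory, whereas `gnome_setattr_home_config` in the same hunk adds `userdom_search_user_home_dirs($1)` at L5302; a caller that only invokes the read interface will still be denied at the `~` directory. Either add `userdom_search_user_home_dirs($1)` after L5326 for consistency with the setattr variant, or state in the summary that the caller must already be able to search user home dirs.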
@@ -122,17 +870,17 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
-interface(`gnome_domtrans_gconfd',`
+interface(`gnome_manage_home_config',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
+ type config_home_t;
')
- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+ manage_files_pattern($1, config_home_t, config_home_t)
')
########################################
## <summary>
-## Set attributes of Gnome config dirs.
+## manage gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
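Review bot: The summary added at L5351 is identical to the one at L5331 ("manage gnome homedir content (.config)"), but it heads a different interface whose `interface(` line falls in the next hunk and whose body is `manage_dirs_pattern` on `config_home_t`, i.e. directories rather than files. Propose `## manage gnome homedir content directories (.config)` so the two interfaces are distinguishable in the generated documentation.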
@@ -140,51 +888,335 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
-interface(`gnome_setattr_config_dirs',`
+interface(`gnome_manage_home_config_dirs',`
gen_require(`
- type gnome_home_t;
+ type config_home_t;
')
- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
- files_search_home($1)
+ manage_dirs_pattern($1, config_home_t, config_home_t)
')
########################################
## <summary>
-## Read gnome homedir content (.config)
+## manage gstreamer home content files.
## </summary>
-## <param name="user_domain">
+## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-template(`gnome_read_config',`
+interface(`gnome_manage_gstreamer_home_files',`
gen_require(`
- type gnome_home_t;
+ type gstreamer_home_t;
')
- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
- read_files_pattern($1, gnome_home_t, gnome_home_t)
- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
+ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
')
########################################
## <summary>
-## manage gnome homedir content (.config)
+## Read/Write all inherited gnome home config
## </summary>
-## <param name="user_domain">
+## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`gnome_manage_config',`
+interface(`gnome_rw_inherited_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ allow $1 gnome_home_type:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## gconf system service over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gconfdefault',`
+ gen_require(`
+ type gconfdefaultsm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gconfdefaultsm_t:dbus send_msg;
+ allow gconfdefaultsm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## gkeyringd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ class dbus send_msg;
+ ')
+
+ allow $1 gkeyringd_domain:dbus send_msg;
+ allow gkeyringd_domain $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send signull signal to gkeyringd processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_signull_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ ')
+
+ allow $1 gkeyringd_domain:process signull;
+')
+
+########################################
+## <summary>
+## Allow the domain to read gkeyringd state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_gkeyringd_state',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ ')
+
+ ps_process_pattern($1, gkeyringd_domain)
+')
+
+########################################
+## <summary>
+## Create directories in user home directories
+## with the gnome home file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_home_dir_filetrans',`
gen_require(`
type gnome_home_t;
')
- allow $1 gnome_home_t:dir manage_dir_perms;
- allow $1 gnome_home_t:file manage_file_perms;
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
userdom_search_user_home_dirs($1)
')
+
+######################################
+## <summary>
+## Allow read kde config content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_usr_config',`
+ gen_require(`
+ type config_usr_t;
+ ')
+
+ files_search_usr($1)
+ list_dirs_pattern($1, config_usr_t, config_usr_t)
+ read_files_pattern($1, config_usr_t, config_usr_t)
+ read_lnk_files_pattern($1, config_usr_t, config_usr_t)
+')
+
+#######################################
+## <summary>
+## Allow manage kde config content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_usr_config',`
+ gen_require(`
+ type config_usr_t;
+ ')
+
+ files_search_usr($1)
+ manage_dirs_pattern($1, config_usr_t, config_usr_t)
+ manage_files_pattern($1, config_usr_t, config_usr_t)
+ manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
+')
+
+########################################
+## <summary>
+## Execute gnome-keyring in the user gkeyring domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the gkeyring domain.
+## </summary>
+## </param>
+#
+interface(`gnome_transition_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ ')
+
+ allow $1 gkeyringd_domain:process transition;
+ dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
+ allow gkeyringd_domain $1:process { sigchld signull };
+ allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
+')
+
+
+########################################
+## <summary>
+## Create gnome content in the user home directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_filetrans_home_content',`
+
+gen_require(`
+ type config_home_t;
+ type cache_home_t;
+ type gstreamer_home_t;
+ type gconf_home_t;
+ type gnome_home_t;
+ type data_home_t, icc_data_home_t;
+ type gkeyringd_gnome_home_t;
+')
+
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
+ userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
+ # ~/.color/icc: legacy
+ userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
+ filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+ filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
+ filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
+ userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
+')
+
+########################################
+## <summary>
+## Create gnome directory in the /root directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_filetrans_admin_home_content',`
+
+gen_require(`
+ type config_home_t;
+ type cache_home_t;
+ type gstreamer_home_t;
+ type gconf_home_t;
+ type gnome_home_t;
+ type icc_data_home_t;
+')
+
+ userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
+ userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+ userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
+ userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
+ userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
+ # /root/.color/icc: legacy
+ userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
+')
+
+######################################
+## <summary>
+## Execute gnome-keyring executable
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a telepathy executable
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## <p>
+## This interface was added to handle
+## the ssh-agent policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`gnome_command_domtrans_gkeyringd', `
+ gen_require(`
+ type gkeyringd_exec_t;
+ ')
+
+ allow $2 gkeyringd_exec_t:file entrypoint;
+ domain_transition_pattern($1, gkeyringd_exec_t, $2)
+ type_transition $1 gkeyringd_exec_t:process $2;
+')
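Review bot: The `<desc>` block of `gnome_command_domtrans_gkeyringd` (L5664-L5681) still describes executing "a telepathy executable" and says the interface "was added to handle the ssh-agent policy", which is leftover text from whatever interface it was copied from; the body (L5698-L5700) makes `gkeyringd_exec_t` an entrypoint for `$2` and transitions `$1` to it, so the description should say that, e.g. a single paragraph "Execute the gnome-keyring executable in the specified domain, making gkeyringd_exec_t an entrypoint for it; no IPC is granted because the target domain is not owned by this module." Separately, `gnome_transition_gkeyringd` documents a `role` parameter at L5563-L5567 that its body never references (only `$1` is used at L5574-L5577), so that `<param>` block should be dropped or the interface should actually consume `$2`. As a point of style, the `gen_require` blocks at L5594 and L5636 are flush-left while every other interface in the file indents them by one tab.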
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
index 2505654..c365443 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -5,12 +5,29 @@ policy_module(gnome, 2.1.0)
# Declarations
#
-attribute gnomedomain;
+attribute gnome_domain;
+attribute gnome_home_type;
+attribute gkeyringd_domain;
type gconf_etc_t;
files_config_file(gconf_etc_t)
-type gconf_home_t;
+type data_home_t, gnome_home_type;
+userdom_user_home_content(data_home_t)
+
+type config_home_t, gnome_home_type;
+userdom_user_home_content(config_home_t)
+
+type cache_home_t, gnome_home_type;
+userdom_user_home_content(cache_home_t)
+
+type gstreamer_home_t, gnome_home_type;
+userdom_user_home_content(gstreamer_home_t)
+
+type icc_data_home_t, gnome_home_type;
+userdom_user_home_content(icc_data_home_t)
+
+type gconf_home_t, gnome_home_type;
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
@@ -23,19 +40,40 @@ typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
files_tmp_file(gconf_tmp_t)
ubac_constrained(gconf_tmp_t)
-type gconfd_t, gnomedomain;
+type gconfd_t, gnome_domain;
type gconfd_exec_t;
typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
application_domain(gconfd_t, gconfd_exec_t)
ubac_constrained(gconfd_t)
-type gnome_home_t;
+type gnome_home_t, gnome_home_type;
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
typealias gnome_home_t alias unconfined_gnome_home_t;
userdom_user_home_content(gnome_home_t)
+# type KDE /usr/share/config files
+type config_usr_t;
+files_type(config_usr_t)
+
+type gkeyringd_exec_t;
+corecmd_executable_file(gkeyringd_exec_t)
+
+type gkeyringd_gnome_home_t;
+userdom_user_home_content(gkeyringd_gnome_home_t)
+
+type gkeyringd_tmp_t;
+userdom_user_tmp_content(gkeyringd_tmp_t)
+
+type gconfdefaultsm_t;
+type gconfdefaultsm_exec_t;
+dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
+
+type gnomesystemmm_t;
+type gnomesystemmm_exec_t;
+dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
+
##############################
#
# Local Policy
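Review bot: The attribute `gkeyringd_domain` declared at L5712 has no type attached to it anywhere in the visible hunks of gnome.te, so every `gkeyringd_domain` rule in the local-policy hunk further down is inert unless a per-role keyring type is added to the attribute elsewhere (presumably in the unseen earlier part of gnome.if or in a userdomain template); worth confirming before shipping, since a missing member would silently leave gnome-keyring running in the caller's domain. Also the comment at L5751 reads `# type KDE /usr/share/config files`; the leading "type" looks like a slip, propose `# KDE /usr/share/config files`.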
@@ -75,3 +113,168 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
+
+#######################################
+#
+# gconf-defaults-mechanisms local policy
+#
+
+allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace };
+allow gconfdefaultsm_t self:process getsched;
+allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
+
+corecmd_search_bin(gconfdefaultsm_t)
+
+files_read_etc_files(gconfdefaultsm_t)
+files_read_usr_files(gconfdefaultsm_t)
+
+miscfiles_read_localization(gconfdefaultsm_t)
+
+gnome_manage_gconf_home_files(gconfdefaultsm_t)
+gnome_manage_gconf_config(gconfdefaultsm_t)
+
+userdom_read_all_users_state(gconfdefaultsm_t)
+userdom_search_user_home_dirs(gconfdefaultsm_t)
+
+userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
+
+optional_policy(`
+ consolekit_dbus_chat(gconfdefaultsm_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(gconfdefaultsm_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(gconfdefaultsm_t)
+ policykit_dbus_chat(gconfdefaultsm_t)
+ policykit_read_lib(gconfdefaultsm_t)
+ policykit_read_reload(gconfdefaultsm_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gconfdefaultsm_t)
+ fs_manage_nfs_files(gconfdefaultsm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gconfdefaultsm_t)
+ fs_manage_cifs_files(gconfdefaultsm_t)
+')
+
+#######################################
+#
+# gnome-system-monitor-mechanisms local policy
+#
+
+allow gnomesystemmm_t self:capability { sys_nice sys_ptrace };
+allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(gnomesystemmm_t)
+
+corecmd_search_bin(gnomesystemmm_t)
+
+domain_kill_all_domains(gnomesystemmm_t)
+domain_search_all_domains_state(gnomesystemmm_t)
+domain_setpriority_all_domains(gnomesystemmm_t)
+domain_signal_all_domains(gnomesystemmm_t)
+domain_sigstop_all_domains(gnomesystemmm_t)
+
+files_read_etc_files(gnomesystemmm_t)
+files_read_usr_files(gnomesystemmm_t)
+
+fs_getattr_xattr_fs(gnomesystemmm_t)
+
+miscfiles_read_localization(gnomesystemmm_t)
+
+userdom_read_all_users_state(gnomesystemmm_t)
+userdom_dontaudit_search_admin_dir(gnomesystemmm_t)
+
+optional_policy(`
+ consolekit_dbus_chat(gnomesystemmm_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(gnomesystemmm_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(gnomesystemmm_t)
+ policykit_domtrans_auth(gnomesystemmm_t)
+ policykit_read_lib(gnomesystemmm_t)
+ policykit_read_reload(gnomesystemmm_t)
+')
+
+######################################
+#
+# gnome-keyring-daemon local policy
+#
+
+allow gkeyringd_domain self:capability ipc_lock;
+allow gkeyringd_domain self:process { getcap getsched setcap signal };
+allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
+allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
+
+userdom_user_home_dir_filetrans(gkeyringd_domain, gnome_home_t, dir)
+
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
+manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
+filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir)
+
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
+
+kernel_read_system_state(gkeyringd_domain)
+kernel_read_crypto_sysctls(gkeyringd_domain)
+
+corecmd_search_bin(gkeyringd_domain)
+
+dev_read_rand(gkeyringd_domain)
+dev_read_urand(gkeyringd_domain)
+
+files_read_etc_files(gkeyringd_domain)
+files_read_usr_files(gkeyringd_domain)
+# for nscd?
+files_search_pids(gkeyringd_domain)
+
+fs_getattr_xattr_fs(gkeyringd_domain)
+fs_getattr_tmpfs(gkeyringd_domain)
+
+selinux_getattr_fs(gkeyringd_domain)
+
+logging_send_syslog_msg(gkeyringd_domain)
+
+miscfiles_read_localization(gkeyringd_domain)
+
+optional_policy(`
+ xserver_append_xdm_home_files(gkeyringd_domain)
+ xserver_read_xdm_home_files(gkeyringd_domain)
+ xserver_use_xdm_fds(gkeyringd_domain)
+')
+
+optional_policy(`
+ gnome_read_home_config(gkeyringd_domain)
+ gnome_read_generic_cache_files(gkeyringd_domain)
+ gnome_write_generic_cache_files(gkeyringd_domain)
+')
+
+optional_policy(`
+ ssh_read_user_home_files(gkeyringd_domain)
+')
+
+domain_use_interactive_fds(gnome_domain)
+
+userdom_use_inherited_user_terminals(gnome_domain)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(gkeyringd_domain)
+ fs_manage_nfs_dirs(gkeyringd_domain)
+ fs_manage_nfs_files(gkeyringd_domain)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gkeyringd_domain)
+ fs_manage_cifs_files(gkeyringd_domain)
+')
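Review bot: `gconfdefaultsm_t` is granted `dac_override` and `sys_ptrace` at L5785 with no comment explaining why; these are the two broadest capabilities a D-Bus system helper can hold, and the only visible rule that would plausibly need them is `userdom_read_all_users_state` at L5799, for which `dac_read_search` (and often no ptrace capability at all) is usually enough. Propose adding a why-comment above L5785 such as `# dac_override/sys_ptrace: needed to read other users' /proc state — TODO confirm and narrow`, and confirming with an audit log which of the two is actually exercised. Separately, the call `gnome_manage_gconf_config(gconfdefaultsm_t)` at L5797 refers to an interface this same patch removes from gnome.if (L5293); unless it is re-declared in the earlier, unseen part of the new gnome.if, the module will fail to build. Finally, `domain_use_interactive_fds(gnome_domain)` and `userdom_use_inherited_user_terminals(gnome_domain)` at L5930-L5932 sit in the middle of the gkeyringd section but apply to the whole `gnome_domain` attribute; they read more clearly under their own header.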
diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc
index e9853d4..6864b58 100644
--- a/policy/modules/apps/gpg.fc
+++ b/policy/modules/apps/gpg.fc
@@ -1,9 +1,10 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
-/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
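Review bot: Dropping the `(64)?` alternation at L5957-L5958 means that on a system where `/usr/lib64/gnupg` is a real directory rather than reached through a `/usr/lib` symlink, the gpgkeys helpers would fall back to the generic library label and the `gpg_helper_exec_t` transition would no longer fire. If the intent is that a unified `/usr/lib` makes the lib64 path redundant, a one-line comment above L5957 stating that assumption (e.g. `# /usr/lib64 is a symlink to /usr/lib on supported releases`) would stop a future reviewer from re-adding it.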
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index 40e0a2a..93d212c 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -54,15 +54,16 @@ interface(`gpg_role',`
manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+ allow gpg_pinentry_t $2:fifo_file { read write };
+
optional_policy(`
gpg_pinentry_dbus_chat($2)
')
+ allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
ifdef(`hide_broken_symptoms',`
#Leaked File Descriptors
- dontaudit gpg_t $2:socket_class_set { getattr read write };
dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
- dontaudit gpg_agent_t $2:socket_class_set { getattr read write };
dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
')
')
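Review bot: The new rule at L5966, `allow gpg_pinentry_t $2:fifo_file { read write };`, spells out the permission set while the surrounding code in the same interface uses the `rw_fifo_file_perms` macro (L5975, L5977) and the gnome.if hunks in this patch use `rw_inherited_fifo_file_perms` for the same inherited-descriptor case (L5577); propose `allow gpg_pinentry_t $2:fifo_file rw_inherited_fifo_file_perms;` for consistency and so a later change to the macro covers this line too. The new `allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };` at L5971 is placed between the optional block and the ifdef with no comment; a short `# user domain talks to its gpg-agent over the agent socket` would help. `gpg_role` begins outside this hunk.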
@@ -85,6 +86,43 @@ interface(`gpg_domtrans',`
domtrans_pattern($1, gpg_exec_t, gpg_t)
')
+######################################
+## <summary>
+## Transition to a gpg web domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_domtrans_web',`
+ gen_require(`
+ type gpg_web_t, gpg_exec_t;
+ ')
+
+ domtrans_pattern($1, gpg_exec_t, gpg_web_t)
+')
+
+######################################
+## <summary>
+## Make gpg an entrypoint for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which cifs_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`gpg_entry_type',`
+ gen_require(`
+ type gpg_exec_t;
+ ')
+
+ domain_entry_file($1, gpg_exec_t)
+')
+
########################################
## <summary>
## Send generic signals to user gpg processes.
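Review bot: The parameter summary of `gpg_entry_type` at L6008 says "The domain for which cifs_t is an entrypoint.", which is a copy-paste from a filesystem interface; the body makes `gpg_exec_t` the entrypoint (L6017). Propose `## The domain for which gpg_exec_t is an entrypoint.`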
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 9050e8c..3b10693 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
#
# Declarations
#
+attribute gpgdomain;
## <desc>
## <p>
@@ -13,7 +14,15 @@ policy_module(gpg, 2.4.0)
## </desc>
gen_tunable(gpg_agent_env_file, false)
-type gpg_t;
+## <desc>
+## <p>
+## Allow gpg web domain to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(gpg_web_anon_write, false)
+
+type gpg_t, gpgdomain;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
@@ -62,17 +71,24 @@ type gpg_pinentry_tmpfs_t;
files_tmpfs_file(gpg_pinentry_tmpfs_t)
ubac_constrained(gpg_pinentry_tmpfs_t)
+type gpg_web_t;
+domain_type(gpg_web_t)
+gpg_entry_type(gpg_web_t)
+role system_r types gpg_web_t;
+
########################################
#
# GPG local policy
#
-allow gpg_t self:capability { ipc_lock setuid };
-# setrlimit is for ulimit -c 0
-allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };
+allow gpgdomain self:capability { ipc_lock setuid };
+allow gpgdomain self:process { getsched setsched };
+#at setrlimit is for ulimit -c 0
+allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
+dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;
-allow gpg_t self:fifo_file rw_fifo_file_perms;
-allow gpg_t self:tcp_socket create_stream_socket_perms;
+allow gpgdomain self:fifo_file rw_fifo_file_perms;
+allow gpgdomain self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
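Review bot: The self rules at L6065-L6073 were rewritten from `gpg_t` to the new `gpgdomain` attribute, but the only type placed on that attribute is `gpg_t` (L6046); `gpg_web_t` is declared at L6053 as a plain `type gpg_web_t;`, so the refactor is currently a no-op and the web domain gets none of the fifo/tcp/process self permissions. If gpg_web_t is meant to share them, change L6053 to `type gpg_web_t, gpgdomain;`; if it is deliberately kept minimal (which would be the safer reading for a web-facing gpg), a comment saying so would prevent someone "fixing" it later. Also the comment at L6067 reads `#at setrlimit is for ulimit -c 0`; the stray "at" should go.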
@@ -123,11 +139,14 @@ logging_send_syslog_msg(gpg_t)
miscfiles_read_localization(gpg_t)
-userdom_use_user_terminals(gpg_t)
+userdom_use_inherited_user_terminals(gpg_t)
# sign/encrypt user files
-userdom_manage_user_tmp_files(gpg_t)
+userdom_manage_all_user_tmp_content(gpg_t)
+#userdom_manage_user_home_content(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
+userdom_manage_user_home_content_dirs(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+userdom_stream_connect(gpg_t)
mta_write_config(gpg_t)
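Review bot: L6083 leaves `#userdom_manage_user_home_content(gpg_t)` as commented-out code with no explanation; either delete it or replace it with a one-line note on why the narrower `_files`/`_dirs` pair below was chosen instead. The change from `userdom_manage_user_tmp_files` to `userdom_manage_all_user_tmp_content(gpg_t)` at L6082 looks, from the name, considerably broader (all user tmp object classes rather than files); a why-comment on that line, e.g. `# gpg also creates/removes dirs and sockets under the user's tmp`, would record the justification.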
@@ -142,6 +161,11 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ gnome_read_config(gpg_t)
+ gnome_stream_connect_gkeyringd(gpg_t)
+')
+
+optional_policy(`
mozilla_read_user_home_files(gpg_t)
mozilla_write_user_home_files(gpg_t)
')
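Review bot: The new optional block at L6092-L6093 calls `gnome_read_config(gpg_t)`, but this same patch removes the `gnome_read_config` template from gnome.if (L5381) and the rest of the patch uses the replacement name `gnome_read_home_config` (L5317, and L6163 in this very file); unless the old name is re-declared in the unseen earlier part of gnome.if, m4 will leave the call unexpanded and checkpolicy will reject the module. `gnome_stream_connect_gkeyringd(gpg_t)` at L6093 likewise does not appear among the interfaces visible in this patch, so its definition should be confirmed as well. If both exist only under the new names, the fix is `gnome_read_home_config(gpg_t)` on L6092.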
@@ -151,10 +175,10 @@ optional_policy(`
xserver_rw_xdm_pipes(gpg_t)
')
-optional_policy(`
- cron_system_entry(gpg_t, gpg_exec_t)
- cron_read_system_job_tmp_files(gpg_t)
-')
+#optional_policy(`
+# cron_system_entry(gpg_t, gpg_exec_t)
+# cron_read_system_job_tmp_files(gpg_t)
+#')
########################################
#
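Review bot: Lines L6107-L6110 replace the cron `optional_policy` block with a commented-out copy of itself and give no reason. Commented-out policy tends to get re-enabled without review; either delete the four lines or keep a single comment stating why gpg no longer needs a cron entry (e.g. `# cron entry dropped: system cron jobs no longer run gpg directly`), which carries the same information without dead code.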
@@ -191,7 +215,7 @@ files_read_etc_files(gpg_helper_t)
auth_use_nsswitch(gpg_helper_t)
-userdom_use_user_terminals(gpg_helper_t)
+userdom_use_inherited_user_terminals(gpg_helper_t)
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
@@ -205,11 +229,12 @@ tunable_policy(`use_samba_home_dirs',`
#
# GPG agent local policy
#
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;
-allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
+allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
@@ -239,19 +264,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
miscfiles_read_localization(gpg_agent_t)
# Write to the user domain tty.
-userdom_use_user_terminals(gpg_agent_t)
+userdom_use_inherited_user_terminals(gpg_agent_t)
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
userdom_search_user_home_dirs(gpg_agent_t)
ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
+ userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
')
tunable_policy(`gpg_agent_env_file',`
# write ~/.gpg-agent-info or a similar to the users home dir
# or subdir (gpg-agent --write-env-file option)
#
- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
+ userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, { dir file })
userdom_manage_user_home_content_dirs(gpg_agent_t)
userdom_manage_user_home_content_files(gpg_agent_t)
')
@@ -332,6 +358,10 @@ miscfiles_read_localization(gpg_pinentry_t)
# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)
+# Bug: user pulseaudio files need open,read and unlink:
+allow gpg_pinentry_t user_tmpfs_t:file unlink;
+userdom_signull_unpriv_users(gpg_pinentry_t)
+userdom_use_user_terminals(gpg_pinentry_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(gpg_pinentry_t)
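Review bot: L6155 adds `allow gpg_pinentry_t user_tmpfs_t:file unlink;` as a raw rule against a type owned by the userdomain module; refpolicy convention is to reach other modules' types only through their interfaces, and the "Bug:" comment at L6154 suggests this is a workaround rather than the intended access, so it should go through a `userdom_*` interface (or be moved under `ifdef(`hide_broken_symptoms',`...')` with a TODO if it really is a pulseaudio bug). L6157 uses `userdom_use_user_terminals(gpg_pinentry_t)` while every other terminal rule in this patch is being converted to `userdom_use_inherited_user_terminals` (L6079, L6116, L6134); if pinentry genuinely needs to open the tty itself rather than use an inherited descriptor, a comment on L6157 should say so.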
@@ -342,11 +372,21 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ gnome_read_home_config(gpg_pinentry_t)
+')
+
+optional_policy(`
dbus_session_bus_client(gpg_pinentry_t)
dbus_system_bus_client(gpg_pinentry_t)
')
optional_policy(`
+ gnome_write_generic_cache_files(gpg_pinentry_t)
+ gnome_read_generic_cache_files(gpg_pinentry_t)
+ gnome_read_gconf_home_files(gpg_pinentry_t)
+')
+
+optional_policy(`
pulseaudio_exec(gpg_pinentry_t)
pulseaudio_rw_home_files(gpg_pinentry_t)
pulseaudio_setattr_home_dir(gpg_pinentry_t)
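Review bot: The gnome interfaces for `gpg_pinentry_t` are split across two separate `optional_policy` blocks (L6162-L6164 and L6170-L6174) with the dbus block in between; since all four calls depend on the same gnome module, merging them into one block reads better and makes the dependency obvious. `gnome_read_gconf_home_files` and the `gnome_*_generic_cache_files` pair are not among the interfaces visible in this patch's gnome.if hunks, so their existence is presumably provided by the unseen earlier part of that file — worth confirming.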
@@ -356,4 +396,28 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
+
+')
+
+#############################
+#
+# gpg web local policy
+#
+
+allow gpg_web_t self:process setrlimit;
+
+dev_read_rand(gpg_web_t)
+dev_read_urand(gpg_web_t)
+
+can_exec(gpg_web_t, gpg_exec_t)
+
+files_read_usr_files(gpg_web_t)
+
+miscfiles_read_localization(gpg_web_t)
+
+apache_dontaudit_rw_tmp_files(gpg_web_t)
+apache_manage_sys_content_rw(gpg_web_t)
+
+tunable_policy(`gpg_web_anon_write',`
+ miscfiles_manage_public_files(gpg_web_t)
')
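Review bot: `apache_dontaudit_rw_tmp_files(gpg_web_t)` and `apache_manage_sys_content_rw(gpg_web_t)` at L6202-L6203 are called unconditionally; every other cross-module call in this file is inside `optional_policy(`...')`, and if the apache module is absent from a build these two lines make gpg fail to link. Propose wrapping them: `optional_policy(`` / `	apache_dontaudit_rw_tmp_files(gpg_web_t)` / `	apache_manage_sys_content_rw(gpg_web_t)` / `')`. The blank line and separate `')` introduced at L6183-L6184 inside the xserver optional block are noise and should be reverted so that block stays as it was.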
diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
index 65ece18..6bfdfd3 100644
--- a/policy/modules/apps/irc.fc
+++ b/policy/modules/apps/irc.fc
@@ -2,10 +2,14 @@
# /home
#
HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irssi_home_t,s0)
+
+/etc/irssi\.conf -- gen_context(system_u:object_r:irssi_etc_t,s0)
#
# /usr
#
/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/irssi -- gen_context(system_u:object_r:irssi_exec_t,s0)
/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 4f9dc90..8dc8a5f 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -18,9 +18,11 @@
interface(`irc_role',`
gen_require(`
type irc_t, irc_exec_t;
+ type irssi_t, irssi_exec_t, irssi_home_t;
')
role $1 types irc_t;
+ role $1 types irssi_t;
# Transition from the user domain to the derived domain.
domtrans_pattern($2, irc_exec_t, irc_t)
@@ -28,4 +30,17 @@ interface(`irc_role',`
# allow ps to show irc
ps_process_pattern($2, irc_t)
allow $2 irc_t:process signal;
+
+ domtrans_pattern($2, irssi_exec_t, irssi_t)
+
+ allow $2 irssi_t:process { ptrace signal_perms };
+ ps_process_pattern($2, irssi_t)
+
+ manage_dirs_pattern($2, irssi_home_t, irssi_home_t)
+ manage_files_pattern($2, irssi_home_t, irssi_home_t)
+ manage_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
+
+ relabel_dirs_pattern($2, irssi_home_t, irssi_home_t)
+ relabel_files_pattern($2, irssi_home_t, irssi_home_t)
+ relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
')
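Review bot: L6247 grants the user domain `ptrace` over `irssi_t`, whereas the existing `irc_t` handling in the same interface (L6243) grants only `signal`; ptrace lets the user domain read the client's memory, including any connection credentials it holds, so it should either be justified with a comment or reduced to `allow $2 irssi_t:process signal_perms;` to match irc_t. `irc_role` begins outside this hunk.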
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
index 66beb80..b69a628 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -24,6 +24,30 @@ userdom_user_home_content(irc_tmp_t)
########################################
#
+# Irssi personal declarations.
+#
+
+## <desc>
+## <p>
+## Allow the Irssi IRC Client to connect to any port,
+## and to bind to any unreserved port.
+## </p>
+## </desc>
+gen_tunable(irssi_use_full_network, false)
+
+type irssi_t;
+type irssi_exec_t;
+application_domain(irssi_t, irssi_exec_t)
+ubac_constrained(irssi_t)
+
+type irssi_etc_t;
+files_config_file(irssi_etc_t)
+
+type irssi_home_t;
+userdom_user_home_content(irssi_home_t)
+
+########################################
+#
# Local policy
#
@@ -84,7 +108,7 @@ seutil_use_newrole_fds(irc_t)
sysnet_read_config(irc_t)
# Write to the user domain tty.
-userdom_use_user_terminals(irc_t)
+userdom_use_inherited_user_terminals(irc_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(irc_t)
@@ -101,3 +125,78 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
nis_use_ypbind(irc_t)
')
+
+########################################
+#
+# Irssi personal declarations.
+#
+
+allow irssi_t self:process { signal sigkill };
+allow irssi_t self:fifo_file rw_fifo_file_perms;
+allow irssi_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t)
+
+manage_dirs_pattern(irssi_t, irssi_home_t, irssi_home_t)
+manage_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
+manage_lnk_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
+userdom_user_home_dir_filetrans(irssi_t, irssi_home_t, { dir file lnk_file })
+userdom_search_user_home_dirs(irssi_t)
+
+kernel_read_system_state(irssi_t)
+
+corecmd_search_bin(irssi_t)
+corecmd_read_bin_symlinks(irssi_t)
+
+corenet_tcp_connect_ircd_port(irssi_t)
+corenet_tcp_sendrecv_ircd_port(irssi_t)
+corenet_sendrecv_ircd_client_packets(irssi_t)
+
+# tcp:7000 is often used for SSL irc
+corenet_tcp_connect_gatekeeper_port(irssi_t)
+corenet_tcp_sendrecv_gatekeeper_port(irssi_t)
+corenet_sendrecv_gatekeeper_client_packets(irssi_t)
+
+# Privoxy
+corenet_tcp_connect_http_cache_port(irssi_t)
+corenet_tcp_sendrecv_http_cache_port(irssi_t)
+corenet_sendrecv_http_cache_client_packets(irssi_t)
+
+corenet_tcp_bind_generic_node(irssi_t)
+
+dev_read_urand(irssi_t)
+# irssi-otr genkey.
+dev_read_rand(irssi_t)
+
+files_read_usr_files(irssi_t)
+
+fs_search_auto_mountpoints(irssi_t)
+
+auth_use_nsswitch(irssi_t)
+
+miscfiles_read_localization(irssi_t)
+
+userdom_use_inherited_user_terminals(irssi_t)
+
+tunable_policy(`irssi_use_full_network', `
+ corenet_tcp_bind_all_unreserved_ports(irssi_t)
+ corenet_tcp_connect_all_ports(irssi_t)
+ corenet_sendrecv_generic_server_packets(irssi_t)
+ corenet_sendrecv_all_client_packets(irssi_t)
+')
+
+tunable_policy(`use_nfs_home_dirs', `
+ fs_manage_nfs_dirs(irssi_t)
+ fs_manage_nfs_files(irssi_t)
+ fs_manage_nfs_symlinks(irssi_t)
+')
+
+tunable_policy(`use_samba_home_dirs', `
+ fs_manage_cifs_dirs(irssi_t)
+ fs_manage_cifs_files(irssi_t)
+ fs_manage_cifs_symlinks(irssi_t)
+')
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(irssi_t)
+')
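Review bot: `userdom_user_home_dir_filetrans(irssi_t, irssi_home_t, { dir file lnk_file })` is an unnamed transition, so any dir, file or symlink irssi creates directly under the home directory (a log written with /LOG, for example) becomes irssi_home_t and is then unreadable by other confined applications. If the `userdom_user_home_dir_filetrans` interface in this tree accepts a filename argument (the patch uses name-based transitions elsewhere, e.g. `sysnet_filetrans_named_content`), restrict it to the client's own directory: `userdom_user_home_dir_filetrans(irssi_t, irssi_home_t, dir, ".irssi")`. A comment on the `irssi_use_full_network` block naming the feature that needs unreserved-port binds (presumably DCC) would also help the next reader.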
diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc
index 86c1768..5d2130c 100644
--- a/policy/modules/apps/java.fc
+++ b/policy/modules/apps/java.fc
@@ -5,10 +5,13 @@
/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
#
# /usr
#
+/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -27,12 +30,14 @@
/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/ibm(/.*)?/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
ifdef(`distro_redhat',`
/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
')
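Review bot: The `/opt/ibm(/.*)?/eclipse/plugins(/.*)? --` entry already matches `/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins/...`, so the Symphony line directly above it is redundant and can be dropped. Both entries label every regular file under the plugins tree as java_exec_t, which turns data such as jars and XML descriptors into valid entrypoints for java_t; if only specific launchers need the label, narrow the pattern to them, otherwise add a comment that the broad label is deliberate. Removing `/usr/lib64/jvm/...` is only safe if this tree maps /usr/lib64 onto /usr/lib via file_contexts.subs_dist, which is not visible from here.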
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
index e6d84e8..7c398c0 100644
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@@ -72,7 +72,8 @@ template(`java_role_template',`
domain_interactive_fd($1_java_t)
- userdom_manage_user_tmpfs_files($1_java_t)
+ userdom_unpriv_usertype($1, $1_java_t)
+ userdom_manage_tmpfs_role($2, $1_java_t)
allow $1_java_t self:process { ptrace signal getsched execmem execstack };
@@ -82,7 +83,7 @@ template(`java_role_template',`
domtrans_pattern($3, java_exec_t, $1_java_t)
- corecmd_bin_domtrans($1_java_t, $3)
+ corecmd_bin_domtrans($1_java_t, $1_t)
dev_dontaudit_append_rand($1_java_t)
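Review bot: `corecmd_bin_domtrans($1_java_t, $1_t)` now hard-codes the user domain as `$1_t`, while `domtrans_pattern($3, java_exec_t, $1_java_t)` two lines above still uses the `$3` parameter for the same domain; the template only works for callers that follow the `<prefix>_t` naming convention. Either keep `$3` here or state the convention in the template header, which lies outside this hunk.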
@@ -105,7 +106,7 @@ template(`java_role_template',`
## </summary>
## </param>
#
-template(`java_domtrans',`
+interface(`java_domtrans',`
gen_require(`
type java_t, java_exec_t;
')
@@ -179,6 +180,10 @@ interface(`java_run_unconfined',`
java_domtrans_unconfined($1)
role $2 types unconfined_java_t;
+
+ optional_policy(`
+ nsplugin_role_notrans($2, unconfined_java_t)
+ ')
')
########################################
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 167950d..27d37b0 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -82,18 +82,20 @@ dev_read_urand(java_t)
dev_read_rand(java_t)
dev_dontaudit_append_rand(java_t)
+files_read_etc_files(java_t)
files_read_usr_files(java_t)
files_search_home(java_t)
files_search_var_lib(java_t)
files_read_etc_runtime_files(java_t)
# Read global fonts and font config
-files_read_etc_files(java_t)
fs_getattr_xattr_fs(java_t)
fs_dontaudit_rw_tmpfs_files(java_t)
logging_send_syslog_msg(java_t)
+auth_use_nsswitch(java_t)
+
miscfiles_read_localization(java_t)
# Read global fonts and font config
miscfiles_read_fonts(java_t)
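Review bot: The comment `# Read global fonts and font config` is now orphaned above `fs_getattr_xattr_fs(java_t)`, because the `files_read_etc_files(java_t)` line it described was moved up, and it duplicates the identical comment above `miscfiles_read_fonts(java_t)`. Drop the stray copy so the next reader does not attribute font access to the xattr rule.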
@@ -123,14 +125,6 @@ tunable_policy(`allow_java_execstack',`
')
optional_policy(`
- nis_use_ypbind(java_t)
-')
-
-optional_policy(`
- nscd_socket_use(java_t)
-')
-
-optional_policy(`
xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
')
@@ -143,14 +137,21 @@ optional_policy(`
# execheap is needed for itanium/BEA jrocket
allow unconfined_java_t self:process { execstack execmem execheap };
+ init_dbus_chat_script(unconfined_java_t)
+
files_execmod_all_files(unconfined_java_t)
init_dbus_chat_script(unconfined_java_t)
unconfined_domain_noaudit(unconfined_java_t)
unconfined_dbus_chat(unconfined_java_t)
+ userdom_unpriv_usertype(unconfined, unconfined_java_t)
optional_policy(`
rpm_domtrans(unconfined_java_t)
')
+
+ optional_policy(`
+ wine_domtrans(unconfined_java_t)
+ ')
')
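Review bot: The added `init_dbus_chat_script(unconfined_java_t)` duplicates the existing call three lines below it in the same block; drop one of them. The new `wine_domtrans(unconfined_java_t)` block is functionally fine for a domain that already has `unconfined_domain_noaudit` and `files_execmod_all_files`, but a one-line comment on which Java-hosted program launches Wine would help the next reviewer.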
diff --git a/policy/modules/apps/kde.fc b/policy/modules/apps/kde.fc
new file mode 100644
index 0000000..25e4b68
--- /dev/null
+++ b/policy/modules/apps/kde.fc
@@ -0,0 +1 @@
+#/usr/libexec/kde(3|4)/backlighthelper -- gen_context(system_u:object_r:kdebacklighthelper_exec_t,s0)
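Review bot: The only file-context entry in the new kde.fc is commented out, so nothing is ever labeled kdebacklighthelper_exec_t and the kdebacklighthelper_t domain declared in kde.te cannot be entered; the helper keeps running in whatever domain launches it. If the label is intentionally disabled, add a comment saying why and what would enable it, e.g. `# disabled: helper not yet confined, see kde.te`; otherwise uncomment the line.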
diff --git a/policy/modules/apps/kde.if b/policy/modules/apps/kde.if
new file mode 100644
index 0000000..cf65577
--- /dev/null
+++ b/policy/modules/apps/kde.if
@@ -0,0 +1,22 @@
+## <summary> Policy for KDE components </summary>
+
+#######################################
+## <summary>
+## Send and receive messages from
+## firewallgui over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kde_dbus_chat_backlighthelper',`
+ gen_require(`
+ type kdebacklighthelper_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 kdebacklighthelper_t:dbus send_msg;
+ allow kdebacklighthelper_t $1:dbus send_msg;
+')
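Review bot: The summary of `kde_dbus_chat_backlighthelper` says it sends and receives messages from `firewallgui`, a copy-paste leftover; it should read `Send and receive messages from kdebacklighthelper over dbus.` The body is bidirectional (both `allow` lines), which the corrected summary still describes accurately.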
diff --git a/policy/modules/apps/kde.te b/policy/modules/apps/kde.te
new file mode 100644
index 0000000..6d0c9e3
--- /dev/null
+++ b/policy/modules/apps/kde.te
@@ -0,0 +1,43 @@
+policy_module(kde,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type kdebacklighthelper_t;
+type kdebacklighthelper_exec_t;
+dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
+
+########################################
+#
+# backlighthelper local policy
+#
+
+dontaudit kdebacklighthelper_t self:capability sys_ptrace;
+
+allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(kdebacklighthelper_t)
+
+# r/w brightness values
+dev_rw_sysfs(kdebacklighthelper_t)
+
+files_read_etc_files(kdebacklighthelper_t)
+files_read_etc_runtime_files(kdebacklighthelper_t)
+files_read_usr_files(kdebacklighthelper_t)
+
+fs_getattr_all_fs(kdebacklighthelper_t)
+
+logging_send_syslog_msg(kdebacklighthelper_t)
+
+miscfiles_read_localization(kdebacklighthelper_t)
+
+optional_policy(`
+ consolekit_dbus_chat(kdebacklighthelper_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(kdebacklighthelper_t)
+')
+
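Review bot: `dev_rw_sysfs(kdebacklighthelper_t)` grants write access to every sysfs_t file, far wider than the `# r/w brightness values` comment suggests, so a compromised helper could write any sysfs knob; with no brightness-specific type in this tree, either accept that and say so, e.g. `# r/w brightness values; no dedicated sysfs type, so this is all of sysfs`, or label the backlight node separately. Style nits: `policy_module(kde,1.0.0)` lacks the space after the comma used by other modules in this patch, and the file ends with an extra blank line.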
diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te
index 2dde73a..8ebd16b 100644
--- a/policy/modules/apps/kdumpgui.te
+++ b/policy/modules/apps/kdumpgui.te
@@ -36,6 +36,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
files_etc_filetrans_etc_runtime(kdumpgui_t, file)
files_read_usr_files(kdumpgui_t)
+fs_read_dos_files(kdumpgui_t)
+
storage_raw_read_fixed_disk(kdumpgui_t)
storage_raw_write_fixed_disk(kdumpgui_t)
@@ -47,6 +49,12 @@ miscfiles_read_localization(kdumpgui_t)
init_dontaudit_read_all_script_files(kdumpgui_t)
+userdom_dontaudit_search_admin_dir(kdumpgui_t)
+
+optional_policy(`
+ consoletype_exec(kdumpgui_t)
+')
+
optional_policy(`
consoletype_exec(kdumpgui_t)
')
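Review bot: The added `optional_policy(consoletype_exec(kdumpgui_t))` block duplicates the identical block immediately below it; drop the new one. Duplicate optional blocks compile, but they make the next diff in this area confusing.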
@@ -58,6 +66,7 @@ optional_policy(`
optional_policy(`
kdump_manage_config(kdumpgui_t)
kdump_initrc_domtrans(kdumpgui_t)
+ kdump_systemctl(kdumpgui_t)
')
optional_policy(`
diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if
index b2e27ec..c324f94 100644
--- a/policy/modules/apps/livecd.if
+++ b/policy/modules/apps/livecd.if
@@ -37,10 +37,14 @@ interface(`livecd_domtrans',`
interface(`livecd_run',`
gen_require(`
type livecd_t;
+ type livecd_exec_t;
')
livecd_domtrans($1)
role $2 types livecd_t;
+ role_transition $2 livecd_exec_t system_r;
+
+ seutil_run_setfiles_mac(livecd_t, system_r)
optional_policy(`
mount_run(livecd_t, $2)
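Review bot: With `role_transition $2 livecd_exec_t system_r;` livecd_t runs as system_r, so `mount_run(livecd_t, $2)` below grants mount_t to the caller's role rather than to the role the process actually has; it presumably needs to become `mount_run(livecd_t, system_r)`, consistent with the `seutil_run_setfiles_mac(livecd_t, system_r)` line added just above. The role transition also only takes effect if `$2` is allowed to change to system_r, which this hunk does not add and I cannot see elsewhere. The tail of the interface lies outside this hunk.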
@@ -49,6 +53,24 @@ interface(`livecd_run',`
########################################
## <summary>
+## Dontaudit read/write to a livecd leaks
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`livecd_dontaudit_leaks',`
+ gen_require(`
+ type livecd_t;
+ ')
+
+ dontaudit $1 livecd_t:unix_dgram_socket { read write };
+')
+
+########################################
+## <summary>
## Read livecd temporary files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te
index a0be4ef..9fcc9df 100644
--- a/policy/modules/apps/livecd.te
+++ b/policy/modules/apps/livecd.te
@@ -21,15 +21,32 @@ files_tmp_file(livecd_tmp_t)
dontaudit livecd_t self:capability2 mac_admin;
domain_ptrace_all_domains(livecd_t)
+domain_interactive_fd(livecd_t)
manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
+dev_filetrans_all_named_dev(livecd_t)
+storage_filetrans_all_named_dev(livecd_t)
+term_filetrans_all_named_dev(livecd_t)
+
+sysnet_filetrans_named_content(livecd_t)
+
+optional_policy(`
+ ssh_filetrans_admin_home_content(livecd_t)
+')
+
optional_policy(`
- unconfined_domain(livecd_t)
+ unconfined_domain_noaudit(livecd_t)
')
optional_policy(`
hal_dbus_chat(livecd_t)
')
+
+optional_policy(`
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(livecd_t)
+ rpm_domtrans(livecd_t)
+')
diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if
index b55edd0..7b8d952 100644
--- a/policy/modules/apps/loadkeys.if
+++ b/policy/modules/apps/loadkeys.if
@@ -17,10 +17,6 @@ interface(`loadkeys_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
-
- ifdef(`hide_broken_symptoms',`
- dontaudit loadkeys_t $1:socket_class_set { read write };
- ')
')
########################################
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index 2523758..50629a8 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -38,7 +38,7 @@ locallogin_use_fds(loadkeys_t)
miscfiles_read_localization(loadkeys_t)
-userdom_use_user_ttys(loadkeys_t)
+userdom_use_inherited_user_ttys(loadkeys_t)
userdom_list_user_home_content(loadkeys_t)
ifdef(`hide_broken_symptoms',`
@@ -46,5 +46,9 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
+ keyboardd_read_pipes(loadkeys_t)
+')
+
+optional_policy(`
nscd_dontaudit_search_pid(loadkeys_t)
')
diff --git a/policy/modules/apps/lockdev.te b/policy/modules/apps/lockdev.te
index 0bac996..ca2388d 100644
--- a/policy/modules/apps/lockdev.te
+++ b/policy/modules/apps/lockdev.te
@@ -35,5 +35,5 @@ fs_getattr_xattr_fs(lockdev_t)
logging_send_syslog_msg(lockdev_t)
-userdom_use_user_terminals(lockdev_t)
+userdom_use_inherited_user_terminals(lockdev_t)
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
index 7b08e13..1fa8573 100644
--- a/policy/modules/apps/mono.if
+++ b/policy/modules/apps/mono.if
@@ -41,7 +41,6 @@ template(`mono_role_template',`
application_type($1_mono_t)
allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
-
allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
domtrans_pattern($3, mono_exec_t, $1_mono_t)
@@ -49,7 +48,8 @@ template(`mono_role_template',`
fs_dontaudit_rw_tmpfs_files($1_mono_t)
corecmd_bin_domtrans($1_mono_t, $1_t)
- userdom_manage_user_tmpfs_files($1_mono_t)
+ userdom_unpriv_usertype($1, $1_mono_t)
+ userdom_manage_tmpfs_role($2, $1_mono_t)
optional_policy(`
xserver_role($1_r, $1_mono_t)
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
index 93ac529..35b51ab 100644
--- a/policy/modules/apps/mozilla.fc
+++ b/policy/modules/apps/mozilla.fc
@@ -1,6 +1,7 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -18,12 +19,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
#
# /lib
#
-/usr/lib(64)?/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib(64)?/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib(64)?/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
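Review bot: Collapsing `/usr/lib(64)?/...` to `/usr/lib/...` and dropping the dedicated `/usr/lib64/[^/]*firefox[^/]*/firefox` line leaves 64-bit installs with an unlabeled browser binary unless this tree aliases /usr/lib64 to /usr/lib through file_contexts.subs_dist, which is not visible here. If that equivalence is the intent, a comment at the top of the section, `# /usr/lib64 is covered by the /usr/lib substitution in file_contexts.subs_dist`, would spare the next reader the check.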
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index fbb5c5a..83fc139 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
allow mozilla_t $2:process { sigchld signull };
allow mozilla_t $2:unix_stream_socket connectto;
+ mozilla_run_plugin(mozilla_t, $1)
+
# Allow the user domain to signal/ps.
ps_process_pattern($2, mozilla_t)
allow $2 mozilla_t:process signal_perms;
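Review bot: The added `mozilla_run_plugin(mozilla_t, $1)` duplicates the call already present further down in mozilla_role (it shows as a context line in the next hunk), so the interface now grants the plugin role twice; remove one copy. The interface header lies outside this hunk.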
@@ -49,8 +51,16 @@ interface(`mozilla_role',`
mozilla_run_plugin(mozilla_t, $1)
mozilla_dbus_chat($2)
+ userdom_manage_tmp_role($1, mozilla_t)
+
+ optional_policy(`
+ nsplugin_role($1, mozilla_t)
+ ')
+
optional_policy(`
pulseaudio_role($1, mozilla_t)
+ pulseaudio_filetrans_admin_home_content(mozilla_t)
+ pulseaudio_filetrans_home_content(mozilla_t)
')
')
@@ -109,7 +119,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
type mozilla_home_t;
')
- dontaudit $1 mozilla_home_t:file rw_file_perms;
+ dontaudit $1 mozilla_home_t:file rw_inherited_file_perms;
')
########################################
@@ -203,6 +213,15 @@ interface(`mozilla_domtrans_plugin',`
domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
allow mozilla_plugin_t $1:process signull;
+ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
+ allow $1 mozilla_plugin_t:fd use;
+
+ allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
+ allow mozilla_plugin_t $1:shm rw_shm_perms;
+ allow mozilla_plugin_t $1:sem create_sem_perms;
+
+ ps_process_pattern($1, mozilla_plugin_t)
+ allow $1 mozilla_plugin_t:process { ptrace signal_perms };
')
########################################
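Review bot: `mozilla_domtrans_plugin` now grants the caller `ptrace` over mozilla_plugin_t and lets the plugin domain read/write the caller's unix stream sockets, shm and semaphores, which is IPC well beyond a domain transition; the mplayer_exec_domtrans interface added later in this patch explicitly documents that it provides no IPC, so this one should document that it does. Update the summary (outside this hunk) along the lines of `Execute plugins in mozilla_plugin_t and let the browser and plugin share sockets, shm and semaphores; the caller may ptrace the plugin.` If the ptrace grant exists only for crash reporting, say so in a comment on that line.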
@@ -230,6 +249,25 @@ interface(`mozilla_run_plugin',`
role $2 types mozilla_plugin_t;
')
+#######################################
+## <summary>
+## Execute qemu unconfined programs in the role.
+## </summary>
+## <param name="role">
+## <summary>
+## The role to allow the mozilla_plugin domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mozilla_role_plugin',`
+ gen_require(`
+ type mozilla_plugin_t;
+ ')
+
+ role $1 types mozilla_plugin_t;
+')
+
########################################
## <summary>
## Send and receive messages from
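Review bot: The summary of the new `mozilla_role_plugin` interface reads `Execute qemu unconfined programs in the role.`, a copy-paste leftover from another module; the body only does `role $1 types mozilla_plugin_t;`, so it should say `Allow the specified role the mozilla_plugin domain.` The parameter description is already correct.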
@@ -269,9 +307,27 @@ interface(`mozilla_rw_tcp_sockets',`
allow $1 mozilla_t:tcp_socket rw_socket_perms;
')
+#######################################
+## <summary>
+## Read mozilla_plugin tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_read_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+')
+
########################################
## <summary>
-## Read mozilla_plugin tmpfs files
+## Delete mozilla_plugin tmpfs files
## </summary>
## <param name="domain">
## <summary>
@@ -279,28 +335,28 @@ interface(`mozilla_rw_tcp_sockets',`
## </summary>
## </param>
#
-interface(`mozilla_plugin_read_tmpfs_files',`
+interface(`mozilla_plugin_delete_tmpfs_files',`
gen_require(`
type mozilla_plugin_tmpfs_t;
')
- allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
')
########################################
## <summary>
-## Delete mozilla_plugin tmpfs files
+## Dontaudit read/write to a mozilla_plugin leaks
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`mozilla_plugin_delete_tmpfs_files',`
+interface(`mozilla_plugin_dontaudit_leaks',`
gen_require(`
- type mozilla_plugin_tmpfs_t;
+ type mozilla_plugin_t;
')
- allow $1 mozilla_plugin_tmpfs_t:file unlink;
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 2e9318b..d1b1280 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
+files_poly_member(mozilla_home_t)
userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
@@ -33,10 +34,12 @@ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
role system_r types mozilla_plugin_t;
type mozilla_plugin_tmp_t;
+userdom_user_tmp_content(mozilla_plugin_tmp_t)
files_tmp_file(mozilla_plugin_tmp_t)
ubac_constrained(mozilla_plugin_tmp_t)
type mozilla_plugin_tmpfs_t;
+userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)
files_tmpfs_file(mozilla_plugin_tmpfs_t)
ubac_constrained(mozilla_plugin_tmpfs_t)
@@ -111,7 +114,9 @@ corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
corenet_tcp_sendrecv_squid_port(mozilla_t)
+corenet_tcp_connect_flash_port(mozilla_t)
corenet_tcp_sendrecv_ftp_port(mozilla_t)
+corenet_tcp_connect_all_ephemeral_ports(mozilla_t)
corenet_tcp_sendrecv_ipp_port(mozilla_t)
corenet_tcp_connect_http_port(mozilla_t)
corenet_tcp_connect_http_cache_port(mozilla_t)
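Review bot: `corenet_tcp_connect_all_ephemeral_ports(mozilla_t)` lets the browser connect to every ephemeral port on any host, a much wider egress grant than the named ports around it, and without a comment nobody can later tell which feature required it (passive FTP and some media servers are the usual reasons, but I cannot tell from here). Add the reason inline, e.g. `# passive FTP / media servers answer on ephemeral ports`, or put the rule behind a tunable if it is not needed by default.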
@@ -156,6 +161,8 @@ fs_rw_tmpfs_files(mozilla_t)
term_dontaudit_getattr_pty_dirs(mozilla_t)
+auth_use_nsswitch(mozilla_t)
+
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
@@ -165,7 +172,7 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
# Browse the web, connect to printer
sysnet_dns_name_resolve(mozilla_t)
-userdom_use_user_ptys(mozilla_t)
+userdom_use_inherited_user_ptys(mozilla_t)
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
@@ -262,6 +269,7 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
')
optional_policy(`
@@ -278,7 +286,8 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(mozilla_t)
+ nsplugin_manage_rw(mozilla_t)
+ nsplugin_manage_home_files(mozilla_t)
')
optional_policy(`
@@ -297,15 +306,18 @@ optional_policy(`
#
dontaudit mozilla_plugin_t self:capability { sys_ptrace };
+
allow mozilla_plugin_t self:process { setsched signal_perms execmem };
-allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
-allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
allow mozilla_plugin_t self:udp_socket create_socket_perms;
-allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+
allow mozilla_plugin_t self:sem create_sem_perms;
allow mozilla_plugin_t self:shm create_shm_perms;
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+allow mozilla_plugin_t self:unix_dgram_socket sendto;
+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
can_exec(mozilla_plugin_t, mozilla_home_t)
read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
@@ -313,8 +325,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
-files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
-userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
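Review bot: `can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)` lets plugin code execute files it wrote to /tmp, and mozilla_plugin_t already has `execmem`, so an exploited plugin can drop and run a native binary from a writable location; that noticeably weakens the plugin sandbox. If a specific plugin needs it, add a comment naming it and consider gating the rule behind a tunable next to the existing `allow_execmem` block further down; the `sock_file` additions to the two filetrans calls look fine.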
@@ -332,11 +346,9 @@ kernel_request_load_module(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
-corenet_all_recvfrom_netlabel(mozilla_plugin_t)
-corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
-corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
-corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
corenet_tcp_connect_generic_port(mozilla_plugin_t)
+corenet_tcp_connect_flash_port(mozilla_plugin_t)
+corenet_tcp_connect_streaming_port(mozilla_plugin_t)
corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
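Review bot: Removing `corenet_tcp_sendrecv_generic_if`, `corenet_tcp_sendrecv_generic_node` and the two `corenet_all_recvfrom_*` calls leaves mozilla_plugin_t with connect rules but no visible interface/node send-receive grant; this only works if those are now granted to every domain elsewhere in the tree, which I cannot see from here. If so, a one-line comment such as `# generic if/node and unlabeled recvfrom are granted to all domains elsewhere` would stop someone re-adding them.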
@@ -344,6 +356,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
+corenet_tcp_connect_streaming_port(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_udp_bind_generic_node(mozilla_plugin_t)
dev_read_rand(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
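Review bot: `corenet_tcp_connect_streaming_port(mozilla_plugin_t)` is added here and again in the previous hunk of this file (right after the flash port rule); drop one copy. The two `*_bind_generic_node` grants are inert on their own since no port-bind rule accompanies them, but if a plugin really listens (local media or peer-to-peer), the port it binds should be named so the grant is visible.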
@@ -385,13 +400,19 @@ term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+userdom_delete_user_tmpfs_files(mozilla_plugin_t)
userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
userdom_manage_user_tmp_sockets(mozilla_plugin_t)
userdom_manage_user_tmp_dirs(mozilla_plugin_t)
userdom_read_user_tmp_files(mozilla_plugin_t)
userdom_read_user_tmp_symlinks(mozilla_plugin_t)
+userdom_stream_connect(mozilla_plugin_t)
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
+
userdom_read_user_home_content_files(mozilla_plugin_t)
userdom_read_user_home_content_symlinks(mozilla_plugin_t)
+userdom_read_home_certs(mozilla_plugin_t)
+userdom_dontaudit_write_home_certs(mozilla_plugin_t)
tunable_policy(`allow_execmem',`
allow mozilla_plugin_t self:process { execmem execstack };
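Review bot: `userdom_read_home_certs(mozilla_plugin_t)` gives plugin code read access to the user's home certificate store, which presumably holds private keys alongside CA certificates; that is a sensitive grant for a domain running untrusted plugin code. If only CA trust data is needed a narrower interface would be preferable; otherwise add a comment such as `# Java/Flash plugins validate TLS against the user's cert store`, and note that `userdom_dontaudit_write_home_certs` silences rather than permits writes.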
@@ -425,7 +446,13 @@ optional_policy(`
')
optional_policy(`
+ git_dontaudit_read_session_content_files(mozilla_plugin_t)
+')
+
+
+optional_policy(`
gnome_manage_config(mozilla_plugin_t)
+ gnome_read_usr_config(mozilla_plugin_t)
')
optional_policy(`
@@ -438,7 +465,14 @@ optional_policy(`
')
optional_policy(`
- pcscd_stream_connect(mozilla_plugin_t)
+ nsplugin_domtrans(mozilla_plugin_t)
+ nsplugin_rw_exec(mozilla_plugin_t)
+ nsplugin_manage_home_dirs(mozilla_plugin_t)
+ nsplugin_manage_home_files(mozilla_plugin_t)
+ nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)
+ nsplugin_user_home_filetrans(mozilla_plugin_t, file)
+ nsplugin_read_rw_files(mozilla_plugin_t);
+ nsplugin_signal(mozilla_plugin_t)
')
optional_policy(`
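Review bot: `nsplugin_read_rw_files(mozilla_plugin_t);` carries a trailing semicolon; interface calls are m4 macros and every other call in this block omits it, so drop it for consistency (the same stray `;` appears on `xserver_append_xdm_home_files` in the next hunk). A short comment on the block, e.g. `# wrapped plugins run in nsplugin_t; share its home and rw content`, would explain why the plugin domain needs both a transition and manage rights over nsplugin content.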
@@ -446,10 +480,27 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
+ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
+')
+
+optional_policy(`
+ pcscd_stream_connect(mozilla_plugin_t)
+')
+
+optional_policy(`
+ rtkit_scheduled(mozilla_plugin_t)
+')
+
+optional_policy(`
+ udev_read_db(mozilla_plugin_t)
')
optional_policy(`
xserver_read_xdm_pid(mozilla_plugin_t)
xserver_stream_connect(mozilla_plugin_t)
xserver_use_user_fonts(mozilla_plugin_t)
+ xserver_read_user_iceauth(mozilla_plugin_t)
+ xserver_read_user_xauth(mozilla_plugin_t)
+ xserver_append_xdm_home_files(mozilla_plugin_t);
')
+
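Review bot: `xserver_read_user_xauth(mozilla_plugin_t)` and `xserver_read_user_iceauth` hand the plugin domain the user's X and ICE authority cookies, i.e. an unrestricted X session (input snooping, screen capture) on top of the `xserver_stream_connect` it already had; that may be unavoidable for windowed plugins, but it should be stated. A comment such as `# plugins draw into the browser window and need the X cookie; no X isolation from the session` would make the trade-off explicit. Also `xserver_append_xdm_home_files(mozilla_plugin_t);` carries a stray trailing semicolon, and the hunk adds a blank line at end of file.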
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index d8ea41d..8bdc526 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -102,3 +102,39 @@ interface(`mplayer_read_user_home_files',`
read_files_pattern($1, mplayer_home_t, mplayer_home_t)
userdom_search_user_home_dirs($1)
')
+
+########################################
+## <summary>
+## Execute mplayer_exec_t
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a mplayer_exec_t
+## in the specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`mplayer_exec_domtrans',`
+ gen_require(`
+ type mplayer_exec_t;
+ ')
+
+ allow $2 mplayer_exec_t:file entrypoint;
+ domtrans_pattern($1, mplayer_exec_t, $2)
+')
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index 072a210..16ce654 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -32,6 +32,7 @@ files_config_file(mplayer_etc_t)
type mplayer_home_t;
typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t };
typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t };
+files_poly_member(mplayer_home_t)
userdom_user_home_content(mplayer_home_t)
type mplayer_tmpfs_t;
@@ -76,7 +77,7 @@ storage_raw_read_removable_device(mencoder_t)
miscfiles_read_localization(mencoder_t)
-userdom_use_user_terminals(mencoder_t)
+userdom_use_inherited_user_terminals(mencoder_t)
# Handle removable media, /tmp, and /home
userdom_list_user_tmp(mencoder_t)
userdom_read_user_tmp_files(mencoder_t)
@@ -159,6 +160,7 @@ manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir)
+userdom_search_user_home_dirs(mplayer_t)
manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
@@ -225,10 +227,14 @@ fs_dontaudit_getattr_all_fs(mplayer_t)
fs_search_auto_mountpoints(mplayer_t)
fs_list_inotifyfs(mplayer_t)
+auth_use_nsswitch(mplayer_t)
+
+logging_send_syslog_msg(mplayer_t)
+
miscfiles_read_localization(mplayer_t)
miscfiles_read_fonts(mplayer_t)
-userdom_use_user_terminals(mplayer_t)
+userdom_use_inherited_user_terminals(mplayer_t)
# Read media files
userdom_list_user_tmp(mplayer_t)
userdom_read_user_tmp_files(mplayer_t)
@@ -305,7 +311,7 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(mplayer_t)
+ gnome_setattr_config_dirs(mplayer_t)
')
optional_policy(`
diff --git a/policy/modules/apps/namespace.fc b/policy/modules/apps/namespace.fc
new file mode 100644
index 0000000..ce51c8d
--- /dev/null
+++ b/policy/modules/apps/namespace.fc
@@ -0,0 +1,3 @@
+
+/etc/security/namespace.init -- gen_context(system_u:object_r:namespace_init_exec_t,s0)
+
diff --git a/policy/modules/apps/namespace.if b/policy/modules/apps/namespace.if
new file mode 100644
index 0000000..8d7c751
--- /dev/null
+++ b/policy/modules/apps/namespace.if
@@ -0,0 +1,48 @@
+
+## <summary>policy for namespace</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run namespace_init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`namespace_init_domtrans',`
+ gen_require(`
+ type namespace_init_t, namespace_init_exec_t;
+ ')
+
+ domtrans_pattern($1, namespace_init_exec_t, namespace_init_t)
+')
+
+
+########################################
+## <summary>
+## Execute namespace_init in the namespace_init domain, and
+## allow the specified role the namespace_init domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the namespace_init domain.
+## </summary>
+## </param>
+#
+interface(`namespace_init_run',`
+ gen_require(`
+ type namespace_init_t;
+ ')
+
+ namespace_init_domtrans($1)
+ role $2 types namespace_init_t;
+
+ seutil_run_setfiles(namespace_init_t, $2)
+')
diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te
new file mode 100644
index 0000000..bb6b61e
--- /dev/null
+++ b/policy/modules/apps/namespace.te
@@ -0,0 +1,38 @@
+policy_module(namespace,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type namespace_init_t;
+type namespace_init_exec_t;
+init_system_domain(namespace_init_t, namespace_init_exec_t)
+role system_r types namespace_init_t;
+
+########################################
+#
+# namespace_init local policy
+#
+
+allow namespace_init_t self:capability dac_override;
+
+allow namespace_init_t self:fifo_file manage_fifo_file_perms;
+allow namespace_init_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(namespace_init_t)
+
+domain_use_interactive_fds(namespace_init_t)
+
+files_read_etc_files(namespace_init_t)
+files_polyinstantiate_all(namespace_init_t)
+
+auth_use_nsswitch(namespace_init_t)
+
+miscfiles_read_localization(namespace_init_t)
+
+userdom_manage_user_home_content_dirs(namespace_init_t)
+userdom_manage_user_home_content_files(namespace_init_t)
+userdom_relabelto_user_home_dirs(namespace_init_t)
+userdom_relabelto_user_home_files(namespace_init_t)
+userdom_user_home_dir_filetrans_user_home_content(namespace_init_t, { dir file lnk_file fifo_file sock_file })
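Review bot: The domain is granted `self:capability dac_override` plus manage and relabelto access over all user home content, yet nothing in the file says what `/etc/security/namespace.init` does that needs this; a short comment above the local policy, such as `# namespace.init is presumably run by pam_namespace to populate freshly created polyinstantiated directories, hence manage/relabel over user home content`, would let a later reviewer judge whether the breadth is still justified. Separately, if `namespace.init` is a shell script (the stock pam one is), `namespace_init_t` will also need execute access on the shell and common binaries (`corecmd_exec_shell`/`corecmd_exec_bin`) unless `init_system_domain` already provides it — this cannot be confirmed from the hunk and should be checked against an AVC denial log before shipping.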
diff --git a/policy/modules/apps/nsplugin.fc b/policy/modules/apps/nsplugin.fc
new file mode 100644
index 0000000..22e6c96
--- /dev/null
+++ b/policy/modules/apps/nsplugin.fc
@@ -0,0 +1,11 @@
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
new file mode 100644
index 0000000..1925bd9
--- /dev/null
+++ b/policy/modules/apps/nsplugin.if
@@ -0,0 +1,472 @@
+
+## <summary>policy for nsplugin</summary>
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## nsplugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_manage_rw_files',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ allow $1 nsplugin_rw_t:file manage_file_perms;
+ allow $1 nsplugin_rw_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage nsplugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_manage_rw',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+#######################################
+## <summary>
+## The per role template for the nsplugin module.
+## </summary>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`nsplugin_role_notrans',`
+ gen_require(`
+ type nsplugin_rw_t;
+ type nsplugin_home_t;
+ type nsplugin_exec_t;
+ type nsplugin_config_exec_t;
+ type nsplugin_t;
+ type nsplugin_config_t;
+ class x_drawable all_x_drawable_perms;
+ class x_resource all_x_resource_perms;
+ class dbus send_msg;
+ ')
+
+ role $1 types nsplugin_t;
+ role $1 types nsplugin_config_t;
+
+ allow nsplugin_t $2:process signull;
+ allow nsplugin_t $2:dbus send_msg;
+ allow $2 nsplugin_t:dbus send_msg;
+
+ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ can_exec($2, nsplugin_rw_t)
+
+ #Leaked File Descriptors
+ifdef(`hide_broken_symptoms', `
+ dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms;
+')
+ allow nsplugin_t $2:unix_stream_socket connectto;
+ dontaudit nsplugin_t $2:process ptrace;
+ allow nsplugin_t $2:sem rw_sem_perms;
+ allow nsplugin_t $2:shm rw_shm_perms;
+ dontaudit nsplugin_t $2:shm destroy;
+ allow $2 nsplugin_t:sem rw_sem_perms;
+
+ allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+ allow $2 nsplugin_t:unix_stream_socket connectto;
+
+ # Connect to pulseaudit server
+ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
+ gnome_stream_connect(nsplugin_t, $2)
+
+ userdom_use_inherited_user_terminals(nsplugin_t)
+ userdom_use_inherited_user_terminals(nsplugin_config_t)
+ userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
+ userdom_manage_tmpfs_role($1, nsplugin_t)
+
+ optional_policy(`
+ pulseaudio_role($1, nsplugin_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Role access for nsplugin
+## </summary>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`nsplugin_role',`
+ gen_require(`
+ type nsplugin_exec_t;
+ type nsplugin_config_exec_t;
+ type nsplugin_t;
+ type nsplugin_config_t;
+ ')
+
+ nsplugin_role_notrans($1, $2)
+
+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
+
+')
+
+#######################################
+## <summary>
+## The per role template for the nsplugin module.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`nsplugin_domtrans',`
+ gen_require(`
+ type nsplugin_exec_t;
+ type nsplugin_t;
+ ')
+
+ domtrans_pattern($1, nsplugin_exec_t, nsplugin_t)
+ allow $1 nsplugin_t:unix_stream_socket connectto;
+ allow nsplugin_t $1:process signal;
+')
+
+#######################################
+## <summary>
+## The per role template for the nsplugin module.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`nsplugin_domtrans_config',`
+ gen_require(`
+ type nsplugin_config_exec_t;
+ type nsplugin_config_t;
+ ')
+
+ domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t)
+')
+
+########################################
+## <summary>
+## Search nsplugin rw directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_search_rw_dir',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ allow $1 nsplugin_rw_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read nsplugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_read_rw_files',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+########################################
+## <summary>
+## Read nsplugin home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_read_home',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
+ read_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+ read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+## <summary>
+## Exec nsplugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_rw_exec',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ can_exec($1, nsplugin_rw_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## nsplugin home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_manage_home_files',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+## <summary>
+## manage nnsplugin home dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_manage_home_dirs',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+## <summary>
+## Allow attempts to read and write to
+## nsplugin named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`nsplugin_rw_pipes',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write to nsplugin shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_rw_shm',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:shm rw_shm_perms;
+')
+
+#####################################
+## <summary>
+## Allow read and write access to nsplugin semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_rw_semaphores',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Execute nsplugin_exec_t
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a nsplugin_exec_t
+## in the specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`nsplugin_exec_domtrans',`
+ gen_require(`
+ type nsplugin_exec_t;
+ ')
+
+ allow $2 nsplugin_exec_t:file entrypoint;
+ domtrans_pattern($1, nsplugin_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Send generic signals to user nsplugin processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_signal',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:process signal;
+')
+
+########################################
+## <summary>
+## Create objects in a user home directory
+## with an automatic type transition to
+## the nsplugin home file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`nsplugin_user_home_dir_filetrans',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, nsplugin_home_t, $2)
+')
+
+#######################################
+## <summary>
+## Create objects in a user home directory
+## with an automatic type transition to
+## the nsplugin home file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`nsplugin_user_home_filetrans',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2)
+')
+
+########################################
+## <summary>
+## Send signull signal to nsplugin
+## processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_signull',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:process signull;
+')
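Review bot: `nsplugin_role_notrans` references `user_home_t` in `stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)` but its `gen_require` block lists only the nsplugin types and classes, so the interface only builds in a caller whose module already has `user_home_t` in scope; add `type user_home_t;` to that `gen_require` (the `class x_drawable`/`class x_resource` requires in the same block are unused and can go). The `ifdef(`hide_broken_symptoms', ...)` block in the same interface is written at column 0 inside the interface body, unlike every other statement. On documentation: `nsplugin_rw_pipes` describes its parameter as "Domain to not audit" although the body is an `allow`; `nsplugin_domtrans` and `nsplugin_domtrans_config` reuse the "per role template" summary from `nsplugin_role_notrans` even though they take no role; and the comment `# Connect to pulseaudit server` should read `# Connect to pulseaudio server`.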
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644
index 0000000..9bf1dd8
--- /dev/null
+++ b/policy/modules/apps/nsplugin.te
@@ -0,0 +1,338 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow nsplugin code to execmem/execstack
+## </p>
+## </desc>
+gen_tunable(allow_nsplugin_execmem, false)
+
+## <desc>
+## <p>
+## Allow nsplugin code to connect to unreserved ports
+## </p>
+## </desc>
+gen_tunable(nsplugin_can_network, true)
+
+type nsplugin_exec_t;
+application_executable_file(nsplugin_exec_t)
+
+type nsplugin_config_exec_t;
+application_executable_file(nsplugin_config_exec_t)
+
+type nsplugin_rw_t;
+files_poly_member(nsplugin_rw_t)
+files_type(nsplugin_rw_t)
+
+type nsplugin_tmp_t;
+files_tmp_file(nsplugin_tmp_t)
+
+type nsplugin_home_t;
+files_poly_member(nsplugin_home_t)
+userdom_user_home_content(nsplugin_home_t)
+typealias nsplugin_home_t alias user_nsplugin_home_t;
+
+type nsplugin_t;
+application_domain(nsplugin_t, nsplugin_exec_t)
+
+type nsplugin_config_t;
+domain_type(nsplugin_config_t)
+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
+
+application_executable_file(nsplugin_exec_t)
+application_executable_file(nsplugin_config_exec_t)
+
+
+########################################
+#
+# nsplugin local policy
+#
+dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
+allow nsplugin_t self:fifo_file rw_file_perms;
+allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms };
+
+allow nsplugin_t self:sem create_sem_perms;
+allow nsplugin_t self:shm create_shm_perms;
+allow nsplugin_t self:msgq create_msgq_perms;
+allow nsplugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms };
+allow nsplugin_t self:tcp_socket create_stream_socket_perms;
+allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
+read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+
+tunable_policy(`allow_nsplugin_execmem',`
+ allow nsplugin_t self:process { execstack execmem };
+ allow nsplugin_config_t self:process { execstack execmem };
+')
+
+tunable_policy(`nsplugin_can_network',`
+ corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
+')
+
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
+userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
+userdom_dontaudit_getattr_user_home_content(nsplugin_t)
+userdom_dontaudit_search_user_bin_dirs(nsplugin_t)
+userdom_dontaudit_write_user_home_content_files(nsplugin_t)
+userdom_dontaudit_search_admin_dir(nsplugin_t)
+
+corecmd_exec_bin(nsplugin_t)
+corecmd_exec_shell(nsplugin_t)
+
+corenet_all_recvfrom_unlabeled(nsplugin_t)
+corenet_all_recvfrom_netlabel(nsplugin_t)
+corenet_tcp_connect_flash_port(nsplugin_t)
+corenet_tcp_connect_streaming_port(nsplugin_t)
+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
+corenet_tcp_connect_http_port(nsplugin_t)
+corenet_tcp_connect_http_cache_port(nsplugin_t)
+corenet_tcp_connect_squid_port(nsplugin_t)
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
+corenet_tcp_sendrecv_generic_node(nsplugin_t)
+corenet_tcp_connect_ipp_port(nsplugin_t)
+corenet_tcp_connect_speech_port(nsplugin_t)
+
+domain_dontaudit_read_all_domains_state(nsplugin_t)
+
+dev_read_urand(nsplugin_t)
+dev_read_rand(nsplugin_t)
+dev_read_sound(nsplugin_t)
+dev_write_sound(nsplugin_t)
+dev_read_video_dev(nsplugin_t)
+dev_write_video_dev(nsplugin_t)
+dev_getattr_dri_dev(nsplugin_t)
+dev_getattr_mouse_dev(nsplugin_t)
+dev_rwx_zero(nsplugin_t)
+dev_read_sysfs(nsplugin_t)
+dev_dontaudit_getattr_all(nsplugin_t)
+
+kernel_read_kernel_sysctls(nsplugin_t)
+kernel_read_system_state(nsplugin_t)
+kernel_read_network_state(nsplugin_t)
+
+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
+files_dontaudit_list_home(nsplugin_t)
+files_read_etc_files(nsplugin_t)
+files_read_usr_files(nsplugin_t)
+files_read_config_files(nsplugin_t)
+
+fs_getattr_tmpfs(nsplugin_t)
+fs_getattr_xattr_fs(nsplugin_t)
+fs_search_auto_mountpoints(nsplugin_t)
+fs_rw_anon_inodefs_files(nsplugin_t)
+fs_list_inotifyfs(nsplugin_t)
+fs_dontaudit_list_fusefs(nsplugin_t)
+
+storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
+storage_dontaudit_getattr_removable_dev(nsplugin_t)
+
+term_dontaudit_getattr_all_ptys(nsplugin_t)
+term_dontaudit_getattr_all_ttys(nsplugin_t)
+
+auth_use_nsswitch(nsplugin_t)
+
+libs_exec_ld_so(nsplugin_t)
+
+miscfiles_read_localization(nsplugin_t)
+miscfiles_read_fonts(nsplugin_t)
+miscfiles_dontaudit_write_fonts(nsplugin_t)
+miscfiles_setattr_fonts_cache_dirs(nsplugin_t)
+
+userdom_manage_user_tmp_dirs(nsplugin_t)
+userdom_manage_user_tmp_files(nsplugin_t)
+userdom_manage_user_tmp_sockets(nsplugin_t)
+userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file })
+userdom_rw_semaphores(nsplugin_t)
+userdom_dontaudit_rw_user_tmp_pipes(nsplugin_t)
+
+userdom_read_user_home_content_symlinks(nsplugin_t)
+userdom_read_user_home_content_files(nsplugin_t)
+userdom_read_user_tmp_files(nsplugin_t)
+userdom_write_user_tmp_sockets(nsplugin_t)
+userdom_dontaudit_append_user_home_content_files(nsplugin_t)
+
+optional_policy(`
+ alsa_read_rw_config(nsplugin_t)
+ alsa_read_home_files(nsplugin_t)
+')
+
+optional_policy(`
+ chrome_dontaudit_sandbox_leaks(nsplugin_t)
+')
+
+optional_policy(`
+ cups_stream_connect(nsplugin_t)
+')
+
+optional_policy(`
+ dbus_session_bus_client(nsplugin_t)
+ dbus_connect_session_bus(nsplugin_t)
+ dbus_system_bus_client(nsplugin_t)
+')
+
+optional_policy(`
+ gnome_exec_gconf(nsplugin_t)
+ gnome_manage_config(nsplugin_t)
+ gnome_read_gconf_home_files(nsplugin_t)
+')
+
+optional_policy(`
+ gpm_getattr_gpmctl(nsplugin_t)
+')
+
+optional_policy(`
+ mozilla_exec_user_home_files(nsplugin_t)
+ mozilla_read_user_home_files(nsplugin_t)
+ mozilla_write_user_home_files(nsplugin_t)
+ mozilla_plugin_delete_tmpfs_files(nsplugin_t)
+')
+
+optional_policy(`
+ mplayer_exec(nsplugin_t)
+ mplayer_read_user_home_files(nsplugin_t)
+')
+
+optional_policy(`
+ pulseaudio_filetrans_admin_home_content(nsplugin_t)
+ pulseaudio_filetrans_home_content(nsplugin_t)
+')
+
+optional_policy(`
+ unconfined_execmem_signull(nsplugin_t)
+')
+
+optional_policy(`
+ sandbox_read_tmpfs_files(nsplugin_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+ xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t)
+ xserver_rw_shm(nsplugin_t)
+ xserver_read_xdm_pid(nsplugin_t)
+ xserver_read_xdm_tmp_files(nsplugin_t)
+ xserver_read_user_xauth(nsplugin_t)
+ xserver_read_user_iceauth(nsplugin_t)
+ xserver_use_user_fonts(nsplugin_t)
+ xserver_rw_inherited_user_fonts(nsplugin_t)
+')
+
+########################################
+#
+# nsplugin_config local policy
+#
+
+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
+#execing pulseaudio
+dontaudit nsplugin_t self:process { getcap setcap };
+
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_search_sysfs(nsplugin_config_t)
+dev_read_urand(nsplugin_config_t)
+dev_dontaudit_read_rand(nsplugin_config_t)
+dev_dontaudit_rw_dri(nsplugin_config_t)
+
+fs_search_auto_mountpoints(nsplugin_config_t)
+fs_list_inotifyfs(nsplugin_config_t)
+
+can_exec(nsplugin_config_t, nsplugin_rw_t)
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+
+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+
+corecmd_exec_bin(nsplugin_config_t)
+corecmd_exec_shell(nsplugin_config_t)
+
+kernel_read_system_state(nsplugin_config_t)
+kernel_request_load_module(nsplugin_config_t)
+
+domain_use_interactive_fds(nsplugin_config_t)
+
+files_read_etc_files(nsplugin_config_t)
+files_read_usr_files(nsplugin_config_t)
+files_dontaudit_search_home(nsplugin_config_t)
+files_list_tmp(nsplugin_config_t)
+
+auth_use_nsswitch(nsplugin_config_t)
+
+miscfiles_read_localization(nsplugin_config_t)
+miscfiles_read_fonts(nsplugin_config_t)
+
+userdom_search_user_home_content(nsplugin_config_t)
+userdom_read_user_home_content_symlinks(nsplugin_config_t)
+userdom_read_user_home_content_files(nsplugin_config_t)
+userdom_dontaudit_search_admin_dir(nsplugin_config_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_t)
+ fs_manage_nfs_files(nsplugin_t)
+ fs_manage_nfs_symlinks(nsplugin_t)
+ fs_manage_nfs_named_pipes(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_config_t)
+ fs_manage_nfs_files(nsplugin_config_t)
+ fs_manage_nfs_named_pipes(nsplugin_config_t)
+ fs_manage_nfs_symlinks(nsplugin_config_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_t)
+ fs_manage_cifs_files(nsplugin_t)
+ fs_manage_cifs_symlinks(nsplugin_t)
+ fs_manage_cifs_named_pipes(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_config_t)
+ fs_manage_cifs_files(nsplugin_config_t)
+ fs_manage_cifs_named_pipes(nsplugin_config_t)
+ fs_manage_cifs_symlinks(nsplugin_config_t)
+')
+
+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
+
+optional_policy(`
+ xserver_use_user_fonts(nsplugin_config_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(nsplugin_config_t)
+ mozilla_write_user_home_files(nsplugin_config_t)
+')
+
+application_signull(nsplugin_t)
+
+optional_policy(`
+ devicekit_dbus_chat_power(nsplugin_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(nsplugin_t)
+ pulseaudio_stream_connect(nsplugin_t)
+ pulseaudio_manage_home_files(nsplugin_t)
+ pulseaudio_setattr_home_dir(nsplugin_t)
+')
+
+optional_policy(`
+ unconfined_execmem_exec(nsplugin_t)
+')
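Review bot: `allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };` grants execmem to nsplugin_config_t unconditionally, so the `allow_nsplugin_execmem` tunable's `allow nsplugin_config_t self:process { execstack execmem };` line only ever adds execstack for that domain — either drop `execmem` from the unconditional line so the tunable governs both domains, or remove nsplugin_config_t from the tunable and document that it always has execmem. `application_executable_file(nsplugin_exec_t)` and `application_executable_file(nsplugin_config_exec_t)` are each called twice in the declarations section; the second pair is redundant. `dontaudit nsplugin_t self:process { getcap setcap };` with the comment `#execing pulseaudio` sits under the "nsplugin_config local policy" banner but targets nsplugin_t, as does the later `application_signull(nsplugin_t)`, so either the type or the placement looks wrong. Since `nsplugin_rw_t` is managed by nsplugin_config_t and executable by nsplugin_t (and, through `nsplugin_role_notrans`, by user domains), a comment at its declaration such as `# wrapped plugin directory: written by nsplugin_config_t, executed by nsplugin_t and users` would record why this writable type is also an executable one.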
diff --git a/policy/modules/apps/openoffice.fc b/policy/modules/apps/openoffice.fc
new file mode 100644
index 0000000..4428be4
--- /dev/null
+++ b/policy/modules/apps/openoffice.fc
@@ -0,0 +1,3 @@
+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+
diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if
new file mode 100644
index 0000000..d1d471e
--- /dev/null
+++ b/policy/modules/apps/openoffice.if
@@ -0,0 +1,124 @@
+## <summary>Openoffice</summary>
+
+#######################################
+## <summary>
+## The per role template for the openoffice module.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`openoffice_plugin_role',`
+ gen_require(`
+ type openoffice_exec_t;
+ type openoffice_t;
+ ')
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ domtrans_pattern($1, openoffice_exec_t, openoffice_t)
+ allow $1 openoffice_t:process { signal sigkill };
+')
+
+#######################################
+## <summary>
+## role for openoffice
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`openoffice_role_template',`
+ gen_require(`
+ type openoffice_exec_t;
+ ')
+
+ role $2 types $1_openoffice_t;
+
+ type $1_openoffice_t;
+ domain_type($1_openoffice_t)
+ domain_entry_file($1_openoffice_t, openoffice_exec_t)
+ domain_interactive_fd($1_openoffice_t)
+
+ userdom_unpriv_usertype($1, $1_openoffice_t)
+ userdom_exec_user_home_content_files($1_openoffice_t)
+
+ allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };
+
+ allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
+ allow $1_openoffice_t $3:tcp_socket { read write };
+
+ domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)
+
+ dev_read_urand($1_openoffice_t)
+ dev_read_rand($1_openoffice_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_openoffice_t)
+
+ allow $3 $1_openoffice_t:process { signal sigkill };
+ allow $1_openoffice_t $3:unix_stream_socket connectto;
+
+ optional_policy(`
+ xserver_role($2, $1_openoffice_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute openoffice_exec_t
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a openoffice_exec_t
+## in the specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`openoffice_exec_domtrans',`
+ gen_require(`
+ type openoffice_exec_t;
+ ')
+
+ allow $2 openoffice_exec_t:file entrypoint;
+ domtrans_pattern($1, openoffice_exec_t, $2)
+')
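Review bot: The documentation for `openoffice_role_template` is carried over from the java module — its description says the template "creates a derived domains which are used for java applications" — and should describe openoffice instead, e.g. `## This template creates a derived domain used to run openoffice for the given user role.`. `openoffice_plugin_role` is summarised as "The per role template for the openoffice module" although it takes only a user domain and assigns no role, so a summary like `## Execute openoffice in the openoffice domain from the given user domain.` is more accurate. The "Local policy" banner inside `openoffice_plugin_role` is noise in an interface body and can be dropped.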
diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te
new file mode 100644
index 0000000..a842371
--- /dev/null
+++ b/policy/modules/apps/openoffice.te
@@ -0,0 +1,16 @@
+policy_module(openoffice, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openoffice_t;
+type openoffice_exec_t;
+application_domain(openoffice_t, openoffice_exec_t)
+
+########################################
+#
+# Unconfined java local policy
+#
+
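Review bot: `openoffice_t` is declared via `application_domain` but the section that follows is empty and still carries the "Unconfined java local policy" header copied from the java module, so the domain that `openoffice_plugin_role` in openoffice.if transitions into has no rules of its own unless they are defined elsewhere. Either the local rules belong here, or a comment should state that the domain is intentionally a bare placeholder, and the header should read `# openoffice local policy`. Note that the module now ships two designs side by side — the bare `openoffice_t` and the per-role `$1_openoffice_t` created by `openoffice_role_template` — which is worth a sentence in the file explaining when each applies.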
diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc
index 84f23dc..af5b87d 100644
--- a/policy/modules/apps/pulseaudio.fc
+++ b/policy/modules/apps/pulseaudio.fc
@@ -1,6 +1,9 @@
-HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
index f40c64d..9a5e99c 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -35,6 +35,10 @@ interface(`pulseaudio_role',`
allow pulseaudio_t $2:unix_stream_socket connectto;
allow $2 pulseaudio_t:unix_stream_socket connectto;
+ userdom_manage_home_role($1, pulseaudio_t)
+ userdom_manage_tmp_role($1, pulseaudio_t)
+ userdom_manage_tmpfs_role($1, pulseaudio_t)
+
allow $2 pulseaudio_t:dbus send_msg;
allow pulseaudio_t $2:dbus { acquire_svc send_msg };
')
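Review bot: The three added `userdom_manage_home_role`, `userdom_manage_tmp_role` and `userdom_manage_tmpfs_role` calls give pulseaudio_t management of the user's home, tmp and tmpfs content through the role interface, which — judging from the names — is at least as broad as the `userdom_manage_user_home_content_files`/`_user_tmp_files`/`_user_tmpfs_files` rules that the pulseaudio.te hunk at `@@ -94,10 +95,9 @@` removes together with the "cjp: this seems excessive" comment; the concern that comment raised is therefore relocated rather than resolved. If pulseaudio only needs `~/.pulse` and the cookie, the `pulseaudio_home_t`-scoped rules already in the file would be the narrower fix; otherwise a comment above these lines saying why full home management is required would keep the earlier reviewer's note from being lost. `pulseaudio_role` starts outside this hunk.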
@@ -258,3 +262,63 @@ interface(`pulseaudio_manage_home_files',`
manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
+
+########################################
+## <summary>
+## Create, read, write, and delete pulseaudio
+## home directory symlinks.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_manage_home_symlinks',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
+
+########################################
+## <summary>
+## Create pulseaudio content in the user home directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_filetrans_home_content',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
+')
+
+########################################
+## <summary>
+## Create pulseaudio content in the admin home directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_filetrans_admin_home_content',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
+')
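Review bot: The summaries of `pulseaudio_filetrans_home_content` and `pulseaudio_filetrans_admin_home_content` read "with an correct label"; both should say `with a correct label`. `pulseaudio_manage_home_symlinks` names its parameter `user_domain` while the two sibling interfaces added here, and `pulseaudio_manage_home_files` above, use `domain`; aligning the name keeps the generated interface documentation consistent.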
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index d1eace5..8522ab4 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
userdom_search_user_home_dirs(pulseaudio_t)
+userdom_search_admin_dir(pulseaudio_t)
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
@@ -53,7 +54,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
-files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir })
can_exec(pulseaudio_t, pulseaudio_exec_t)
@@ -85,8 +86,8 @@ fs_rw_anon_inodefs_files(pulseaudio_t)
fs_getattr_tmpfs(pulseaudio_t)
fs_list_inotifyfs(pulseaudio_t)
-term_use_all_ttys(pulseaudio_t)
-term_use_all_ptys(pulseaudio_t)
+term_use_all_inherited_ttys(pulseaudio_t)
+term_use_all_inherited_ptys(pulseaudio_t)
auth_use_nsswitch(pulseaudio_t)
@@ -94,10 +95,9 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t)
-# cjp: this seems excessive. need to confirm
-userdom_manage_user_home_content_files(pulseaudio_t)
-userdom_manage_user_tmp_files(pulseaudio_t)
-userdom_manage_user_tmpfs_files(pulseaudio_t)
+optional_policy(`
+ alsa_read_rw_config(pulseaudio_t)
+')
optional_policy(`
bluetooth_stream_connect(pulseaudio_t)
@@ -127,10 +127,24 @@ optional_policy(`
')
optional_policy(`
+ gnome_read_gkeyringd_state(pulseaudio_t)
+ gnome_signull_gkeyringd(pulseaudio_t)
+')
+
+optional_policy(`
rtkit_scheduled(pulseaudio_t)
')
optional_policy(`
+ mozilla_plugin_delete_tmpfs_files(pulseaudio_t)
+ mozilla_plugin_read_tmpfs_files(pulseaudio_t)
+')
+
+optional_policy(`
+ mpd_read_tmpfs_files(pulseaudio_t)
+')
+
+optional_policy(`
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
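Review bot: The new `mozilla_plugin_delete_tmpfs_files`, `mozilla_plugin_read_tmpfs_files` and `mpd_read_tmpfs_files` blocks give pulseaudio_t access to tmpfs files owned by other domains without a comment saying which feature needs it; the same applies to `virt_manage_tmpfs_files(pulseaudio_t)` in the `@@ -148,3 +162,7 @@` hunk below. Delete and manage are broader than the read/write that a shared audio buffer would presumably need, so if a narrower interface exists for those modules it should be preferred. Otherwise a one-line comment above each block, e.g. `# presumably shared-memory audio buffers of plugin/mpd/virt clients — confirm`, would let the next maintainer judge whether the grant is still required.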
@@ -148,3 +162,7 @@ optional_policy(`
xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
+
+optional_policy(`
+ virt_manage_tmpfs_files(pulseaudio_t)
+')
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index 268d691..da3a26d 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -76,7 +76,7 @@ template(`qemu_domain_template',`
sysnet_read_config($1_t)
- userdom_use_user_terminals($1_t)
+ userdom_use_inherited_user_terminals($1_t)
userdom_attach_admin_tun_iface($1_t)
optional_policy(`
@@ -98,61 +98,40 @@ template(`qemu_domain_template',`
')
')
-#######################################
+########################################
## <summary>
-## The per role template for the qemu module.
+## Execute a domain transition to run qemu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
## </summary>
-## <desc>
-## <p>
-## This template creates a derived domains which are used
-## for qemu web browser.
-## </p>
-## <p>
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-## </p>
-## </desc>
-## <param name="user_role">
-## <summary>
-## The role associated with the user domain.
-## </summary>
-## </param>
-## <param name="user_domain">
-## <summary>
-## The type of the user domain.
-## </summary>
## </param>
#
-template(`qemu_role',`
+interface(`qemu_domtrans',`
gen_require(`
type qemu_t, qemu_exec_t;
- type qemu_config_t, qemu_config_exec_t;
')
- role $1 types { qemu_t qemu_config_t };
-
- domtrans_pattern($2, qemu_exec_t, qemu_t)
- domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
- allow qemu_t $2:process signull;
+ domtrans_pattern($1, qemu_exec_t, qemu_t)
')
########################################
## <summary>
-## Execute a domain transition to run qemu.
+## Execute a qemu in the callers domain
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`qemu_domtrans',`
+interface(`qemu_exec',`
gen_require(`
- type qemu_t, qemu_exec_t;
+ type qemu_exec_t;
')
- domtrans_pattern($1, qemu_exec_t, qemu_t)
+ can_exec($1, qemu_exec_t)
')
########################################
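Review bot: The summary of the new qemu_exec interface reads `Execute a qemu in the callers domain`; it should read `Execute qemu in the caller's domain`, and because `can_exec` keeps the caller's own type, the doc should say explicitly that the caller retains all its privileges while running qemu and that `qemu_domtrans` is the default for confined callers. Removing qemu_role also drops `role $1 types { qemu_t qemu_config_t }` and `allow qemu_t $2:process signull;`; the `qemu_unconfined_role` interface added later in this patch re-adds a role only for qemu_t and unconfined_qemu_t, so if qemu_config_t is still declared in qemu.te, nothing visible here grants a role for it. That cannot be confirmed from this hunk, since the declarations are outside it.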
@@ -256,20 +235,63 @@ interface(`qemu_kill',`
########################################
## <summary>
-## Execute a domain transition to run qemu unconfined.
+## Execute qemu_exec_t
+## in the specified domain but do not
+## do it automatically. This is an explicit
+## transition, requiring the caller to use setexeccon().
## </summary>
+## <desc>
+## <p>
+## Execute qemu_exec_t
+## in the specified domain. This allows
+## the specified domain to qemu programs
+## on these filesystems in the specified
+## domain.
+## </p>
+## </desc>
## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`qemu_spec_domtrans',`
+ gen_require(`
+ type qemu_exec_t;
+ ')
+
+ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
+ domain_transition_pattern($1, qemu_exec_t, $2)
+ domain_entry_file($2,qemu_exec_t)
+ can_exec($1,qemu_exec_t)
+
+ allow $2 $1:fd use;
+ allow $2 $1:fifo_file rw_fifo_file_perms;
+ allow $2 $1:process sigchld;
+')
+
+########################################
## <summary>
-## Domain allowed to transition.
+## Execute qemu unconfined programs in the role.
## </summary>
+## <param name="role">
+## <summary>
+## The role to allow the qemu unconfined domain.
+## </summary>
## </param>
#
-interface(`qemu_domtrans_unconfined',`
+interface(`qemu_unconfined_role',`
gen_require(`
- type unconfined_qemu_t, qemu_exec_t;
+ type unconfined_qemu_t;
+ type qemu_t;
')
-
- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
+ role $1 types unconfined_qemu_t;
+ role $1 types qemu_t;
')
########################################
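Review bot: qemu_unconfined_role requires `type unconfined_qemu_t;`, but the qemu.te hunk `@@ -111,18 +124,3 @@` in this same patch removes the declaration of unconfined_qemu_t; unless another module in the patch declares it, every caller of this interface fails at policy link time. The `<desc>` block of qemu_spec_domtrans is copied from a filesystem interface (`the specified domain to qemu programs on these filesystems`) and does not describe this interface; a suitable replacement is `Execute qemu_exec_t in the specified target domain; the caller must request the transition explicitly with setexeccon().` The calls `domain_entry_file($2,qemu_exec_t)` and `can_exec($1,qemu_exec_t)` also lack the space after the comma used by the two lines directly above them.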
@@ -307,3 +329,22 @@ interface(`qemu_manage_tmp_files',`
manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
+
+########################################
+## <summary>
+## Make qemu_exec_t an entrypoint for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which qemu_exec_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`qemu_entry_type',`
+ gen_require(`
+ type qemu_exec_t;
+ ')
+
+ domain_entry_file($1, qemu_exec_t)
+')
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
index 1813e16..83f68f0 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -55,6 +55,7 @@ storage_raw_read_removable_device(qemu_t)
userdom_search_user_home_content(qemu_t)
userdom_read_user_tmpfs_files(qemu_t)
+userdom_stream_connect(qemu_t)
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
@@ -99,6 +100,18 @@ optional_policy(`
')
optional_policy(`
+ tunable_policy(`qemu_use_cifs',`
+ samba_domtrans_smbd(qemu_t)
+ ')
+')
+
+optional_policy(`
+ pulseaudio_manage_home_files(qemu_t)
+ pulseaudio_stream_connect(qemu_t)
+')
+
+optional_policy(`
+ virt_manage_home_files(qemu_t)
virt_manage_images(qemu_t)
virt_append_log(qemu_t)
')
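Review bot: The new `qemu_use_cifs` tunable must be declared with `gen_tunable` elsewhere in qemu.te or the module fails to build; its declaration is outside this hunk, so I cannot confirm it exists. The rule it guards, `samba_domtrans_smbd(qemu_t)`, transitions qemu into the smbd domain rather than granting CIFS file access as the tunable name suggests, so a comment stating the intent, e.g. `# presumably for qemu spawning smbd to export a directory to the guest — confirm`, would prevent the next reader from "fixing" it. `pulseaudio_manage_home_files(qemu_t)` is also broader than what reading the pulse cookie would need; if a read-only pulseaudio home interface exists it would be the tighter choice.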
@@ -111,18 +124,3 @@ optional_policy(`
xserver_read_xdm_pid(qemu_t)
xserver_stream_connect(qemu_t)
')
-
-########################################
-#
-# Unconfined qemu local policy
-#
-
-optional_policy(`
- type unconfined_qemu_t;
- typealias unconfined_qemu_t alias qemu_unconfined_t;
- application_type(unconfined_qemu_t)
- unconfined_domain(unconfined_qemu_t)
-
- allow unconfined_qemu_t self:process { execstack execmem };
- allow unconfined_qemu_t qemu_exec_t:file execmod;
-')
diff --git a/policy/modules/apps/rssh.fc b/policy/modules/apps/rssh.fc
index 4c091ca..a58f123 100644
--- a/policy/modules/apps/rssh.fc
+++ b/policy/modules/apps/rssh.fc
@@ -1 +1,3 @@
/usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0)
+
+/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
index f594e12..c4ee834 100644
--- a/policy/modules/apps/sambagui.te
+++ b/policy/modules/apps/sambagui.te
@@ -27,6 +27,7 @@ corecmd_exec_bin(sambagui_t)
dev_dontaudit_read_urand(sambagui_t)
+files_read_usr_files(sambagui_t)
files_read_etc_files(sambagui_t)
files_search_var_lib(sambagui_t)
files_read_usr_files(sambagui_t)
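Review bot: The added `files_read_usr_files(sambagui_t)` duplicates the existing call three lines below it in the same hunk, so the added line should be dropped. Duplicate rules are harmless to the compiled policy but make later audits of what sambagui_t may read harder to follow.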
@@ -56,6 +57,7 @@ optional_policy(`
samba_manage_var_files(sambagui_t)
samba_read_secrets(sambagui_t)
samba_initrc_domtrans(sambagui_t)
+ samba_systemctl(sambagui_t)
samba_domtrans_smbd(sambagui_t)
samba_domtrans_nmbd(sambagui_t)
')
diff --git a/policy/modules/apps/sandbox.fc b/policy/modules/apps/sandbox.fc
new file mode 100644
index 0000000..6caef63
--- /dev/null
+++ b/policy/modules/apps/sandbox.fc
@@ -0,0 +1,2 @@
+
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
new file mode 100644
index 0000000..809784d
--- /dev/null
+++ b/policy/modules/apps/sandbox.if
@@ -0,0 +1,364 @@
+
+## <summary>policy for sandbox</summary>
+
+########################################
+## <summary>
+## Execute sandbox in the sandbox domain, and
+## allow the specified role the sandbox domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the sandbox domain.
+## </summary>
+## </param>
+#
+interface(`sandbox_transition',`
+ gen_require(`
+ type sandbox_xserver_t;
+ type sandbox_file_t;
+ attribute sandbox_domain;
+ attribute sandbox_x_domain;
+ attribute sandbox_tmpfs_type;
+ ')
+
+ allow $1 sandbox_domain:process transition;
+ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
+ role $2 types sandbox_domain;
+ allow sandbox_domain $1:process { sigchld signull };
+ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
+
+ allow $1 sandbox_x_domain:process { signal_perms transition };
+ dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
+ allow sandbox_x_domain $1:process { sigchld signull };
+ allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;
+ dontaudit sandbox_domain $1:process signal;
+ role $2 types sandbox_x_domain;
+ role $2 types sandbox_xserver_t;
+ allow $1 sandbox_xserver_t:process signal_perms;
+ dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
+ allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
+ allow sandbox_x_domain sandbox_x_domain:process signal;
+ # Dontaudit leaked file descriptors
+ dontaudit sandbox_x_domain $1:fifo_file { read write };
+ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
+ dontaudit sandbox_x_domain $1:process { signal sigkill };
+
+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
+ dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
+
+ can_exec($1, sandbox_file_t)
+ allow $1 sandbox_file_t:filesystem getattr;
+ manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
+ relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
+ relabel_files_pattern($1, sandbox_file_t, sandbox_file_t)
+ relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
+ relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
+ relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## sandbox process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`sandbox_domain_template',`
+
+ gen_require(`
+ attribute sandbox_domain;
+ type sandbox_file_t;
+ attribute sandbox_type;
+ ')
+ type $1_t, sandbox_domain, sandbox_type;
+
+ application_type($1_t)
+
+ mls_rangetrans_target($1_t)
+ mcs_untrusted_proc($1_t)
+')
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## sandbox process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`sandbox_x_domain_template',`
+ gen_require(`
+ type xserver_exec_t, sandbox_devpts_t;
+ type sandbox_xserver_t;
+ type sandbox_exec_t;
+ attribute sandbox_domain, sandbox_x_domain;
+ attribute sandbox_tmpfs_type;
+ attribute sandbox_type;
+ ')
+
+ type $1_t, sandbox_x_domain, sandbox_type;
+ application_type($1_t)
+ mcs_untrusted_proc($1_t)
+
+ auth_use_nsswitch($1_t)
+
+ # window manager
+ miscfiles_setattr_fonts_cache_dirs($1_t)
+ allow $1_t self:capability setuid;
+
+ type $1_client_t, sandbox_x_domain;
+ application_type($1_client_t)
+ mcs_untrusted_proc($1_t)
+
+ type $1_client_tmpfs_t, sandbox_tmpfs_type;
+ files_tmpfs_file($1_client_tmpfs_t)
+
+ manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
+ manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
+ fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
+ fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
+ # Pulseaudio tmpfs files with different MCS labels
+ dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
+ dontaudit $1_t $1_client_tmpfs_t:file { read write };
+ allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
+
+ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
+ allow $1_t sandbox_xserver_t:process signal_perms;
+
+ domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
+ domain_entry_file($1_client_t, sandbox_exec_t)
+
+ # Random tmpfs_t that gets created when you run X.
+ fs_rw_tmpfs_files($1_t)
+
+ ps_process_pattern(sandbox_xserver_t, $1_client_t)
+ ps_process_pattern(sandbox_xserver_t, $1_t)
+ allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
+ allow sandbox_xserver_t $1_t:shm rw_shm_perms;
+ allow $1_client_t $1_t:unix_stream_socket connectto;
+ allow $1_t $1_client_t:unix_stream_socket connectto;
+
+ fs_get_xattr_fs_quotas($1_client_t)
+')
+
+########################################
+## <summary>
+## allow domain to read,
+## write sandbox_xserver tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_rw_xserver_tmpfs_files',`
+ gen_require(`
+ type sandbox_xserver_tmpfs_t;
+ ')
+
+ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## allow domain to read
+## sandbox tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_read_tmpfs_files',`
+ gen_require(`
+ attribute sandbox_tmpfs_type;
+ ')
+
+ allow $1 sandbox_tmpfs_type:file read_file_perms;
+')
+
+########################################
+## <summary>
+## allow domain to manage
+## sandbox tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_manage_tmpfs_files',`
+ gen_require(`
+ attribute sandbox_tmpfs_type;
+ ')
+
+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Delete sandbox files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_files',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ delete_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+## Delete sandbox symbolic links
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_lnk_files',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+## Delete sandbox fifo files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_pipes',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+## Delete sandbox sock files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_sock_files',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+## Allow domain to set the attributes
+## of the sandbox directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_setattr_dirs',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ allow $1 sandbox_file_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Delete sandbox directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_dirs',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+## allow domain to list sandbox dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_list',`
+ gen_require(`
+ type sandbox_file_t;
+ ')
+
+ allow $1 sandbox_file_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write a sandbox domain pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sandbox_use_ptys',`
+ gen_require(`
+ type sandbox_devpts_t;
+ ')
+
+ allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms;
+')
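Review bot: In sandbox_x_domain_template the second `mcs_untrusted_proc($1_t)`, placed right after `type $1_client_t` and `application_type($1_client_t)`, repeats the call made a few lines earlier and almost certainly should be `mcs_untrusted_proc($1_client_t)`; as written, the client domain that is entered via `domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)` is not marked MCS-untrusted, so whatever MCS constraints that interface applies are missing from the domain that runs the sandboxed application. The `manage_*_pattern(...);` calls in sandbox_transition carry trailing semicolons that m4 passes through into the generated policy, inconsistent with the relabel lines directly below them. The summary of sandbox_x_domain_template is a copy of sandbox_domain_template's; it should say that it creates an X-capable sandbox domain together with a `$1_client_t` domain and a `$1_client_tmpfs_t` type. The template also requires `sandbox_devpts_t` but never uses it.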
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
index 0000000..e9d2bc3
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
@@ -0,0 +1,484 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
+attribute sandbox_x_domain;
+attribute sandbox_web_type;
+attribute sandbox_file_type;
+attribute sandbox_tmpfs_type;
+attribute sandbox_type;
+
+type sandbox_exec_t;
+files_type(sandbox_exec_t)
+
+type sandbox_file_t, sandbox_file_type;
+files_type(sandbox_file_t)
+typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t };
+
+########################################
+#
+# Declarations
+#
+
+sandbox_domain_template(sandbox)
+sandbox_x_domain_template(sandbox_min)
+sandbox_x_domain_template(sandbox_x)
+sandbox_x_domain_template(sandbox_web)
+sandbox_x_domain_template(sandbox_net)
+
+type sandbox_xserver_t;
+domain_type(sandbox_xserver_t)
+xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)
+
+type sandbox_xserver_tmpfs_t;
+files_tmpfs_file(sandbox_xserver_tmpfs_t)
+
+type sandbox_devpts_t;
+term_pty(sandbox_devpts_t)
+files_type(sandbox_devpts_t)
+
+########################################
+#
+# sandbox xserver policy
+#
+allow sandbox_xserver_t self:process { execmem execstack };
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
+manage_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
+allow sandbox_xserver_t sandbox_file_t:sock_file create_sock_file_perms;
+
+manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_dontaudit_request_load_module(sandbox_xserver_t)
+kernel_read_system_state(sandbox_xserver_t)
+
+corecmd_exec_bin(sandbox_xserver_t)
+corecmd_exec_shell(sandbox_xserver_t)
+
+corenet_all_recvfrom_unlabeled(sandbox_xserver_t)
+corenet_all_recvfrom_netlabel(sandbox_xserver_t)
+corenet_tcp_sendrecv_generic_if(sandbox_xserver_t)
+corenet_udp_sendrecv_generic_if(sandbox_xserver_t)
+corenet_tcp_sendrecv_generic_node(sandbox_xserver_t)
+corenet_udp_sendrecv_generic_node(sandbox_xserver_t)
+corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_tcp_bind_generic_node(sandbox_xserver_t)
+corenet_tcp_bind_xserver_port(sandbox_xserver_t)
+corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
+corenet_sendrecv_all_client_packets(sandbox_xserver_t)
+
+dev_read_sysfs(sandbox_xserver_t)
+dev_rwx_zero(sandbox_xserver_t)
+dev_read_urand(sandbox_xserver_t)
+
+domain_use_interactive_fds(sandbox_xserver_t)
+
+files_read_config_files(sandbox_xserver_t)
+files_read_usr_files(sandbox_xserver_t)
+files_search_home(sandbox_xserver_t)
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
+fs_list_inotifyfs(sandbox_xserver_t)
+fs_search_auto_mountpoints(sandbox_xserver_t)
+
+miscfiles_read_fonts(sandbox_xserver_t)
+miscfiles_read_localization(sandbox_xserver_t)
+
+selinux_validate_context(sandbox_xserver_t)
+selinux_compute_access_vector(sandbox_xserver_t)
+selinux_compute_create_context(sandbox_xserver_t)
+
+auth_use_nsswitch(sandbox_xserver_t)
+
+logging_send_syslog_msg(sandbox_xserver_t)
+logging_send_audit_msgs(sandbox_xserver_t)
+
+userdom_use_inherited_user_terminals(sandbox_xserver_t)
+userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
+
+xserver_entry_type(sandbox_xserver_t)
+
+optional_policy(`
+ dbus_system_bus_client(sandbox_xserver_t)
+
+ optional_policy(`
+ hal_dbus_chat(sandbox_xserver_t)
+ ')
+')
+
+########################################
+#
+# sandbox local policy
+#
+
+allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
+allow sandbox_domain self:fifo_file manage_file_perms;
+allow sandbox_domain self:sem create_sem_perms;
+allow sandbox_domain self:shm create_shm_perms;
+allow sandbox_domain self:msgq create_msgq_perms;
+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
+allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+dev_rw_all_inherited_chr_files(sandbox_domain)
+dev_rw_all_inherited_blk_files(sandbox_domain)
+
+can_exec(sandbox_domain, sandbox_file_t)
+allow sandbox_domain sandbox_file_t:filesystem getattr;
+manage_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
+manage_dirs_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
+manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
+manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
+manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
+dontaudit sandbox_domain sandbox_file_t:dir mounton;
+
+gen_require(`
+ type usr_t, lib_t, locale_t;
+ type var_t, var_run_t, rpm_log_t, locale_t;
+ attribute exec_type, configfile;
+')
+
+kernel_dontaudit_read_system_state(sandbox_domain)
+
+corecmd_exec_all_executables(sandbox_domain)
+
+files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
+files_entrypoint_all_files(sandbox_domain)
+
+files_read_config_files(sandbox_domain)
+files_read_usr_files(sandbox_domain)
+files_read_var_files(sandbox_domain)
+files_dontaudit_search_all_dirs(sandbox_domain)
+
+miscfiles_read_localization(sandbox_domain)
+
+userdom_dontaudit_use_user_terminals(sandbox_domain)
+
+mta_dontaudit_read_spool_symlinks(sandbox_domain)
+
+########################################
+#
+# sandbox_x_domain local policy
+#
+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
+allow sandbox_x_domain self:fifo_file manage_file_perms;
+allow sandbox_x_domain self:sem create_sem_perms;
+allow sandbox_x_domain self:shm create_shm_perms;
+allow sandbox_x_domain self:msgq create_msgq_perms;
+allow sandbox_x_domain self:netlink_selinux_socket create_socket_perms;
+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
+
+dontaudit sandbox_x_domain sandbox_x_domain:process signal;
+dontaudit sandbox_x_domain sandbox_xserver_t:process signal;
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
+
+allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr };
+term_create_pty(sandbox_x_domain,sandbox_devpts_t)
+
+can_exec(sandbox_x_domain, sandbox_file_t)
+allow sandbox_x_domain sandbox_file_t:filesystem getattr;
+manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_dirs_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+dontaudit sandbox_x_domain sandbox_file_t:dir mounton;
+
+kernel_getattr_proc(sandbox_x_domain)
+kernel_read_network_state(sandbox_x_domain)
+kernel_read_system_state(sandbox_x_domain)
+kernel_dontaudit_search_kernel_sysctl(sandbox_x_domain)
+
+domain_dontaudit_read_all_domains_state(sandbox_x_domain)
+
+corecmd_exec_all_executables(sandbox_x_domain)
+
+dev_read_urand(sandbox_x_domain)
+dev_dontaudit_read_rand(sandbox_x_domain)
+dev_read_sysfs(sandbox_x_domain)
+
+files_search_home(sandbox_x_domain)
+files_dontaudit_list_all_mountpoints(sandbox_x_domain)
+files_entrypoint_all_files(sandbox_x_domain)
+files_read_config_files(sandbox_x_domain)
+files_read_usr_files(sandbox_x_domain)
+files_read_usr_symlinks(sandbox_x_domain)
+
+fs_getattr_tmpfs(sandbox_x_domain)
+fs_getattr_xattr_fs(sandbox_x_domain)
+fs_list_inotifyfs(sandbox_x_domain)
+fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)
+
+auth_dontaudit_read_login_records(sandbox_x_domain)
+auth_dontaudit_write_login_records(sandbox_x_domain)
+auth_search_pam_console_data(sandbox_x_domain)
+
+init_read_utmp(sandbox_x_domain)
+init_dontaudit_write_utmp(sandbox_x_domain)
+
+libs_dontaudit_setattr_lib_files(sandbox_x_domain)
+
+miscfiles_read_localization(sandbox_x_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
+
+mta_dontaudit_read_spool_symlinks(sandbox_x_domain)
+
+selinux_get_fs_mount(sandbox_x_domain)
+selinux_validate_context(sandbox_x_domain)
+selinux_compute_access_vector(sandbox_x_domain)
+selinux_compute_create_context(sandbox_x_domain)
+selinux_compute_relabel_context(sandbox_x_domain)
+selinux_compute_user_contexts(sandbox_x_domain)
+seutil_read_default_contexts(sandbox_x_domain)
+
+term_getattr_pty_fs(sandbox_x_domain)
+term_use_ptmx(sandbox_x_domain)
+term_search_ptys(sandbox_x_domain)
+
+application_dontaudit_signal(sandbox_x_domain)
+application_dontaudit_sigkill(sandbox_x_domain)
+
+logging_send_syslog_msg(sandbox_x_domain)
+logging_dontaudit_search_logs(sandbox_x_domain)
+
+miscfiles_read_fonts(sandbox_x_domain)
+
+storage_dontaudit_rw_fuse(sandbox_x_domain)
+
+optional_policy(`
+ consolekit_dbus_chat(sandbox_x_domain)
+')
+
+optional_policy(`
+ cups_stream_connect(sandbox_x_domain)
+ cups_read_rw_config(sandbox_x_domain)
+')
+
+optional_policy(`
+ dbus_system_bus_client(sandbox_x_domain)
+')
+
+optional_policy(`
+ devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain)
+')
+
+optional_policy(`
+ gnome_read_gconf_config(sandbox_x_domain)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(sandbox_x_domain)
+')
+
+optional_policy(`
+ sssd_dontaudit_search_lib(sandbox_x_domain)
+')
+
+optional_policy(`
+ udev_read_db(sandbox_x_domain)
+')
+
+userdom_dontaudit_use_user_terminals(sandbox_x_domain)
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
+userdom_search_user_home_content(sandbox_x_domain)
+
+fs_search_auto_mountpoints(sandbox_x_domain)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_auto_mountpoints(sandbox_x_domain)
+ fs_search_nfs(sandbox_xserver_t)
+ fs_read_nfs_files(sandbox_xserver_t)
+ fs_manage_nfs_dirs(sandbox_x_domain)
+ fs_manage_nfs_files(sandbox_x_domain)
+ fs_exec_nfs_files(sandbox_x_domain)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(sandbox_xserver_t)
+ fs_read_cifs_files(sandbox_xserver_t)
+ fs_manage_cifs_dirs(sandbox_x_domain)
+ fs_manage_cifs_files(sandbox_x_domain)
+ fs_exec_cifs_files(sandbox_x_domain)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_search_fusefs(sandbox_xserver_t)
+ fs_read_fusefs_files(sandbox_xserver_t)
+ fs_manage_fusefs_dirs(sandbox_x_domain)
+ fs_manage_fusefs_files(sandbox_x_domain)
+ fs_exec_fusefs_files(sandbox_x_domain)
+')
+
+files_search_home(sandbox_x_t)
+userdom_use_user_ptys(sandbox_x_t)
+
+########################################
+#
+# sandbox_x_client_t local policy
+#
+allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
+allow sandbox_x_client_t self:udp_socket create_socket_perms;
+allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
+
+dev_read_rand(sandbox_x_client_t)
+
+corenet_tcp_connect_ipp_port(sandbox_x_client_t)
+
+auth_use_nsswitch(sandbox_x_client_t)
+
+optional_policy(`
+ hal_dbus_chat(sandbox_x_client_t)
+')
+
+optional_policy(`
+ nsplugin_read_rw_files(sandbox_x_client_t)
+')
+
+########################################
+#
+# sandbox_web_client_t local policy
+#
+typeattribute sandbox_web_client_t sandbox_web_type;
+
+allow sandbox_web_type self:capability { setuid setgid };
+allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
+dontaudit sandbox_web_type self:process setrlimit;
+
+allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
+allow sandbox_web_type self:udp_socket create_socket_perms;
+allow sandbox_web_type self:dbus { acquire_svc send_msg };
+
+kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
+kernel_request_load_module(sandbox_web_type)
+
+dev_read_rand(sandbox_web_type)
+dev_write_sound(sandbox_web_type)
+dev_read_sound(sandbox_web_type)
+
+corenet_all_recvfrom_unlabeled(sandbox_web_type)
+corenet_all_recvfrom_netlabel(sandbox_web_type)
+corenet_tcp_sendrecv_generic_if(sandbox_web_type)
+corenet_raw_sendrecv_generic_if(sandbox_web_type)
+corenet_tcp_sendrecv_generic_node(sandbox_web_type)
+corenet_raw_sendrecv_generic_node(sandbox_web_type)
+corenet_tcp_sendrecv_http_port(sandbox_web_type)
+corenet_tcp_sendrecv_http_cache_port(sandbox_web_type)
+corenet_tcp_sendrecv_squid_port(sandbox_web_type)
+corenet_tcp_sendrecv_ftp_port(sandbox_web_type)
+corenet_tcp_sendrecv_ipp_port(sandbox_web_type)
+corenet_tcp_connect_http_port(sandbox_web_type)
+corenet_tcp_connect_http_cache_port(sandbox_web_type)
+corenet_tcp_connect_squid_port(sandbox_web_type)
+corenet_tcp_connect_flash_port(sandbox_web_type)
+corenet_tcp_connect_ftp_port(sandbox_web_type)
+corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type)
+corenet_tcp_connect_ipp_port(sandbox_web_type)
+corenet_tcp_connect_streaming_port(sandbox_web_type)
+corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
+corenet_tcp_connect_speech_port(sandbox_web_type)
+corenet_tcp_connect_generic_port(sandbox_web_type)
+corenet_tcp_connect_soundd_port(sandbox_web_type)
+corenet_tcp_connect_speech_port(sandbox_web_type)
+corenet_sendrecv_http_client_packets(sandbox_web_type)
+corenet_sendrecv_http_cache_client_packets(sandbox_web_type)
+corenet_sendrecv_squid_client_packets(sandbox_web_type)
+corenet_sendrecv_ftp_client_packets(sandbox_web_type)
+corenet_sendrecv_ipp_client_packets(sandbox_web_type)
+corenet_sendrecv_generic_client_packets(sandbox_web_type)
+
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
+
+files_dontaudit_getattr_all_dirs(sandbox_web_type)
+
+fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
+fs_dontaudit_getattr_all_fs(sandbox_web_type)
+
+storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)
+
+dbus_system_bus_client(sandbox_web_type)
+dbus_read_config(sandbox_web_type)
+selinux_get_fs_mount(sandbox_web_type)
+selinux_validate_context(sandbox_web_type)
+selinux_compute_access_vector(sandbox_web_type)
+selinux_compute_create_context(sandbox_web_type)
+selinux_compute_relabel_context(sandbox_web_type)
+selinux_compute_user_contexts(sandbox_web_type)
+seutil_read_default_contexts(sandbox_web_type)
+
+userdom_rw_user_tmpfs_files(sandbox_web_type)
+userdom_delete_user_tmpfs_files(sandbox_web_type)
+
+optional_policy(`
+ alsa_read_rw_config(sandbox_web_type)
+')
+
+optional_policy(`
+ bluetooth_dontaudit_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+ hal_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+ chrome_domtrans_sandbox(sandbox_web_type)
+')
+
+optional_policy(`
+ nsplugin_manage_rw(sandbox_web_type)
+ nsplugin_read_rw_files(sandbox_web_type)
+ nsplugin_rw_exec(sandbox_web_type)
+')
+
+optional_policy(`
+ pulseaudio_stream_connect(sandbox_web_type)
+ allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms;
+')
+
+optional_policy(`
+ rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+ networkmanager_dontaudit_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+ udev_read_state(sandbox_web_type)
+')
+
+########################################
+#
+# sandbox_net_client_t local policy
+#
+typeattribute sandbox_net_client_t sandbox_web_type;
+
+corenet_all_recvfrom_unlabeled(sandbox_net_client_t)
+corenet_all_recvfrom_netlabel(sandbox_net_client_t)
+corenet_tcp_sendrecv_generic_if(sandbox_net_client_t)
+corenet_udp_sendrecv_generic_if(sandbox_net_client_t)
+corenet_tcp_sendrecv_generic_node(sandbox_net_client_t)
+corenet_udp_sendrecv_generic_node(sandbox_net_client_t)
+corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_tcp_connect_all_ports(sandbox_net_client_t)
+corenet_sendrecv_all_client_packets(sandbox_net_client_t)
+
+optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
+ mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
+')
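Review bot: The module-level `gen_require` before `files_rw_all_inherited_files` lists `locale_t` twice and omits `device_t`, which the `-device_t` exclusion in that call needs in scope; unless the interface requires it itself, the second line should be `type var_t, var_run_t, rpm_log_t, device_t;`. `corenet_tcp_connect_speech_port(sandbox_web_type)` appears twice in the sandbox_web_client_t section and one copy should go. `kernel_request_load_module(sandbox_web_type)` lets a sandboxed web client trigger kernel module autoloading, which is kernel surface a sandbox is normally meant to keep away from; a comment stating which feature needs it would let a later reviewer decide whether it can be dropped. The two `sandbox_x_t` rules after the `use_fusefs_home_dirs` block sit outside any section header and would read better under the sandbox_x_domain heading.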
diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
index c8254dd..340a2d7 100644
--- a/policy/modules/apps/screen.fc
+++ b/policy/modules/apps/screen.fc
@@ -3,13 +3,18 @@
#
HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
+
+/root/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
#
# /usr
#
/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
+/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
#
# /var
#
/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
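Review bot: The added `HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)` line is byte-identical to the context line two lines above it, so the file now lists the same spec twice. Drop the added copy; the new `/root/\.screen(/.*)?` entry is the only home-directory addition that changes labeling. The `/usr/bin/tmux` and `/var/run/tmux(/.*)?` entries deliberately reuse screen's types, which is easy to misread as a copy-paste slip; a one-line comment such as `# tmux shares the screen domain and types` above the tmux binary entry would make the intent explicit.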
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
index a57e81e..f9fbc60 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -25,6 +25,7 @@ template(`screen_role_template',`
gen_require(`
type screen_exec_t, screen_tmp_t;
type screen_home_t, screen_var_run_t;
+ attribute screen_domain;
')
########################################
@@ -32,51 +33,18 @@ template(`screen_role_template',`
# Declarations
#
- type $1_screen_t;
+ type $1_screen_t, screen_domain;
application_domain($1_screen_t, screen_exec_t)
domain_interactive_fd($1_screen_t)
ubac_constrained($1_screen_t)
role $2 types $1_screen_t;
- ########################################
- #
- # Local policy
- #
-
- allow $1_screen_t self:capability { setuid setgid fsetid };
- allow $1_screen_t self:process signal_perms;
- allow $1_screen_t self:fifo_file rw_fifo_file_perms;
- allow $1_screen_t self:tcp_socket create_stream_socket_perms;
- allow $1_screen_t self:udp_socket create_socket_perms;
- # Internal screen networking
- allow $1_screen_t self:fd use;
- allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto };
- allow $1_screen_t self:unix_dgram_socket create_socket_perms;
-
- manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
- manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
- manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
- files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir })
-
- # Create fifo
- manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
- manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
- manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
- files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
-
- allow $1_screen_t screen_home_t:dir list_dir_perms;
- manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
- manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
- userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
- read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
- read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
-
- allow $1_screen_t $3:process signal;
-
domtrans_pattern($3, screen_exec_t, $1_screen_t)
allow $3 $1_screen_t:process { signal sigchld };
dontaudit $3 $1_screen_t:unix_stream_socket { read write };
+ allow $1_screen_t $3:unix_stream_socket { connectto };
allow $1_screen_t $3:process signal;
+ ps_process_pattern($1_screen_t, $3)
manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_home_t, screen_home_t)
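Review bot: The new `allow $1_screen_t $3:unix_stream_socket { connectto };` wraps a single permission in braces, while the neighbouring `allow $1_screen_t $3:process signal;` and the rest of the template do not; write it as `allow $1_screen_t $3:unix_stream_socket connectto;`. The added `ps_process_pattern($1_screen_t, $3)` overlaps with `domain_read_all_domains_state(screen_domain)` in the screen.te hunk of this commit, so one of the two is redundant, and the narrower per-role form here is the one worth keeping. The template body continues in the next hunk.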
@@ -87,77 +55,22 @@ template(`screen_role_template',`
relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
- manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
- manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
- kernel_read_system_state($1_screen_t)
- kernel_read_kernel_sysctls($1_screen_t)
-
- corecmd_list_bin($1_screen_t)
- corecmd_read_bin_files($1_screen_t)
- corecmd_read_bin_symlinks($1_screen_t)
- corecmd_read_bin_pipes($1_screen_t)
- corecmd_read_bin_sockets($1_screen_t)
# Revert to the user domain when a shell is executed.
corecmd_shell_domtrans($1_screen_t, $3)
corecmd_bin_domtrans($1_screen_t, $3)
- corenet_all_recvfrom_unlabeled($1_screen_t)
- corenet_all_recvfrom_netlabel($1_screen_t)
- corenet_tcp_sendrecv_generic_if($1_screen_t)
- corenet_udp_sendrecv_generic_if($1_screen_t)
- corenet_tcp_sendrecv_generic_node($1_screen_t)
- corenet_udp_sendrecv_generic_node($1_screen_t)
- corenet_tcp_sendrecv_all_ports($1_screen_t)
- corenet_udp_sendrecv_all_ports($1_screen_t)
- corenet_tcp_connect_all_ports($1_screen_t)
-
- dev_dontaudit_getattr_all_chr_files($1_screen_t)
- dev_dontaudit_getattr_all_blk_files($1_screen_t)
- # for SSP
- dev_read_urand($1_screen_t)
-
- domain_use_interactive_fds($1_screen_t)
-
- files_search_tmp($1_screen_t)
- files_search_home($1_screen_t)
- files_list_home($1_screen_t)
- files_read_usr_files($1_screen_t)
- files_read_etc_files($1_screen_t)
-
- fs_search_auto_mountpoints($1_screen_t)
- fs_getattr_xattr_fs($1_screen_t)
-
auth_domtrans_chk_passwd($1_screen_t)
auth_use_nsswitch($1_screen_t)
- auth_dontaudit_read_shadow($1_screen_t)
- auth_dontaudit_exec_utempter($1_screen_t)
-
- # Write to utmp.
- init_rw_utmp($1_screen_t)
-
- logging_send_syslog_msg($1_screen_t)
-
- miscfiles_read_localization($1_screen_t)
-
- seutil_read_config($1_screen_t)
- userdom_use_user_terminals($1_screen_t)
- userdom_create_user_pty($1_screen_t)
userdom_user_home_domtrans($1_screen_t, $3)
- userdom_setattr_user_ptys($1_screen_t)
- userdom_setattr_user_ttys($1_screen_t)
tunable_policy(`use_samba_home_dirs',`
fs_cifs_domtrans($1_screen_t, $3)
- fs_read_cifs_symlinks($1_screen_t)
- fs_list_cifs($1_screen_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_nfs_domtrans($1_screen_t, $3)
- fs_list_nfs($1_screen_t)
- fs_read_nfs_symlinks($1_screen_t)
')
')
diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
index 553bc73..b3b144c 100644
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@@ -5,6 +5,8 @@ policy_module(screen, 2.3.1)
# Declarations
#
+attribute screen_domain;
+
type screen_exec_t;
application_executable_file(screen_exec_t)
@@ -24,3 +26,101 @@ typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t
typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
files_pid_file(screen_var_run_t)
ubac_constrained(screen_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow screen_domain self:capability { setuid setgid fsetid };
+allow screen_domain self:process signal_perms;
+allow screen_domain self:fifo_file rw_fifo_file_perms;
+allow screen_domain self:tcp_socket create_stream_socket_perms;
+allow screen_domain self:udp_socket create_socket_perms;
+# Internal screen networking
+allow screen_domain self:fd use;
+allow screen_domain self:unix_stream_socket { create_socket_perms connectto };
+allow screen_domain self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
+manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
+manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
+files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
+
+# Create fifo
+manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
+manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
+manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
+files_pid_filetrans(screen_domain, screen_var_run_t, dir)
+
+allow screen_domain screen_home_t:dir list_dir_perms;
+manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
+manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t)
+userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir)
+userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir)
+read_files_pattern(screen_domain, screen_home_t, screen_home_t)
+read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t)
+
+kernel_read_system_state(screen_domain)
+kernel_read_kernel_sysctls(screen_domain)
+
+corecmd_list_bin(screen_domain)
+corecmd_read_bin_files(screen_domain)
+corecmd_read_bin_symlinks(screen_domain)
+corecmd_read_bin_pipes(screen_domain)
+corecmd_read_bin_sockets(screen_domain)
+
+corenet_all_recvfrom_unlabeled(screen_domain)
+corenet_all_recvfrom_netlabel(screen_domain)
+corenet_tcp_sendrecv_generic_if(screen_domain)
+corenet_udp_sendrecv_generic_if(screen_domain)
+corenet_tcp_sendrecv_generic_node(screen_domain)
+corenet_udp_sendrecv_generic_node(screen_domain)
+corenet_tcp_sendrecv_all_ports(screen_domain)
+corenet_udp_sendrecv_all_ports(screen_domain)
+corenet_tcp_connect_all_ports(screen_domain)
+
+dev_dontaudit_getattr_all_chr_files(screen_domain)
+dev_dontaudit_getattr_all_blk_files(screen_domain)
+# for SSP
+dev_read_urand(screen_domain)
+
+domain_sigchld_interactive_fds(screen_domain)
+domain_use_interactive_fds(screen_domain)
+domain_read_all_domains_state(screen_domain)
+
+files_search_tmp(screen_domain)
+files_search_home(screen_domain)
+files_list_home(screen_domain)
+files_read_usr_files(screen_domain)
+files_read_etc_files(screen_domain)
+
+fs_search_auto_mountpoints(screen_domain)
+fs_getattr_xattr_fs(screen_domain)
+
+auth_dontaudit_read_shadow(screen_domain)
+auth_dontaudit_exec_utempter(screen_domain)
+
+# Write to utmp.
+init_rw_utmp(screen_domain)
+
+logging_send_syslog_msg(screen_domain)
+
+miscfiles_read_localization(screen_domain)
+
+seutil_read_config(screen_domain)
+
+userdom_use_user_terminals(screen_domain)
+userdom_create_user_pty(screen_domain)
+userdom_setattr_user_ptys(screen_domain)
+userdom_setattr_user_ttys(screen_domain)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_symlinks(screen_domain)
+ fs_list_cifs(screen_domain)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(screen_domain)
+ fs_read_nfs_symlinks(screen_domain)
+')
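Review bot: `domain_read_all_domains_state(screen_domain)` is new relative to the rules moved out of screen.if, and it lets every screen domain read the /proc state of all domains rather than only the user's own processes, which the template's `ps_process_pattern($1_screen_t, $3)` already covers. Unless a specific screen or tmux operation needs all-domain state, drop it, or keep it with a comment naming that operation, e.g. `# NOTE(review): all-domain /proc read needed for <operation> — confirm before keeping`. `userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir)` and `domain_sigchld_interactive_fds(screen_domain)` are likewise additions rather than moves and each deserves a one-line why-comment. The `auth_domtrans_chk_passwd`/`auth_use_nsswitch` calls stayed in the template while everything else moved to the attribute; moving them as well would keep the split consistent.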
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
index 1dc7a85..a01511f 100644
--- a/policy/modules/apps/seunshare.if
+++ b/policy/modules/apps/seunshare.if
@@ -43,18 +43,18 @@ interface(`seunshare_run',`
role $2 types seunshare_t;
allow $1 seunshare_t:process signal_perms;
-
- ifdef(`hide_broken_symptoms', `
- dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
- dontaudit seunshare_t $1:udp_socket rw_socket_perms;
- dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
- ')
')
########################################
## <summary>
-## Role access for seunshare
+## The role template for the seunshare module.
## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
## <param name="role">
## <summary>
## Role allowed access.
@@ -66,15 +66,30 @@ interface(`seunshare_run',`
## </summary>
## </param>
#
-interface(`seunshare_role',`
+interface(`seunshare_role_template',`
gen_require(`
- type seunshare_t;
+ attribute seunshare_domain;
+ type seunshare_exec_t;
')
- role $2 types seunshare_t;
+ type $1_seunshare_t, seunshare_domain;
+ application_domain($1_seunshare_t, seunshare_exec_t)
+ role $2 types $1_seunshare_t;
- seunshare_domtrans($1)
+ auth_use_nsswitch($1_seunshare_t)
+
+ mls_process_set_level($1_seunshare_t)
+
+ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
+ sandbox_transition($1_seunshare_t, $2)
+
+ ps_process_pattern($3, $1_seunshare_t)
+ allow $3 $1_seunshare_t:process signal_perms;
+ allow $3 $1_seunshare_t:fd use;
+
+ allow $1_seunshare_t $3:process transition;
+ dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
- ps_process_pattern($2, seunshare_t)
- allow $2 seunshare_t:process signal;
+ corecmd_bin_domtrans($1_seunshare_t, $1_t)
+ corecmd_shell_domtrans($1_seunshare_t, $1_t)
')
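Review bot: `corecmd_bin_domtrans($1_seunshare_t, $1_t)` and `corecmd_shell_domtrans($1_seunshare_t, $1_t)` at the end of the body derive the user domain from the prefix, while the same body receives it explicitly as `$3` (used by `domtrans_pattern($3, ...)` and `ps_process_pattern($3, ...)`); for a caller whose domain is not literally `<prefix>_t` the two disagree. Use `corecmd_bin_domtrans($1_seunshare_t, $3)` and `corecmd_shell_domtrans($1_seunshare_t, $3)` so the body has a single source of truth. Since the body declares a `$1_`-prefixed type, the refpolicy convention is also to open it with `template(` rather than `interface(`, as the documentation block above it already says ("The role template").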
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
index 7590165..7e6f53c 100644
--- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te
@@ -5,40 +5,59 @@ policy_module(seunshare, 1.1.0)
# Declarations
#
-type seunshare_t;
+attribute seunshare_domain;
type seunshare_exec_t;
-application_domain(seunshare_t, seunshare_exec_t)
-role system_r types seunshare_t;
########################################
#
# seunshare local policy
#
+allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice };
+allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
-allow seunshare_t self:process { setexec signal getcap setcap };
+allow seunshare_domain self:fifo_file rw_file_perms;
+allow seunshare_domain self:unix_stream_socket create_stream_socket_perms;
-allow seunshare_t self:fifo_file rw_file_perms;
-allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
+kernel_read_system_state(seunshare_domain)
-corecmd_exec_shell(seunshare_t)
-corecmd_exec_bin(seunshare_t)
+corecmd_exec_shell(seunshare_domain)
+corecmd_exec_bin(seunshare_domain)
-files_read_etc_files(seunshare_t)
-files_mounton_all_poly_members(seunshare_t)
+dev_read_urand(seunshare_domain)
-auth_use_nsswitch(seunshare_t)
+files_search_all(seunshare_domain)
+files_read_etc_files(seunshare_domain)
+files_mounton_all_poly_members(seunshare_domain)
+files_manage_generic_tmp_dirs(seunshare_domain)
+files_relabelfrom_tmp_dirs(seunshare_domain)
-logging_send_syslog_msg(seunshare_t)
+fs_manage_cgroup_dirs(seunshare_domain)
+fs_manage_cgroup_files(seunshare_domain)
-miscfiles_read_localization(seunshare_t)
+logging_send_syslog_msg(seunshare_domain)
-userdom_use_user_terminals(seunshare_t)
+miscfiles_read_localization(seunshare_domain)
+userdom_use_inherited_user_terminals(seunshare_domain)
+userdom_list_user_home_content(seunshare_domain)
ifdef(`hide_broken_symptoms', `
- fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
+ fs_dontaudit_rw_anon_inodefs_files(seunshare_domain)
+ fs_dontaudit_list_inotifyfs(seunshare_domain)
optional_policy(`
- mozilla_dontaudit_manage_user_home_files(seunshare_t)
+ mozilla_dontaudit_manage_user_home_files(seunshare_domain)
+ mozilla_plugin_dontaudit_leaks(seunshare_domain)
')
')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_mounton_nfs(seunshare_domain)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_mounton_cifs(seunshare_domain)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_mounton_fusefs(seunshare_domain)
+')
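Review bot: The self capability set grows from `{ setuid dac_override setpcap sys_admin }` to `{ fowner setgid setuid dac_override setpcap sys_admin sys_nice }`, and `fork`, `setsched`, `files_search_all`, `files_manage_generic_tmp_dirs`, `files_relabelfrom_tmp_dirs` and the two `fs_manage_cgroup_*` calls are new, all without a comment saying which seunshare step needs them. These are the broad grants a reviewer audits first, so a short comment above each group is worth having, e.g. `# sys_nice/setsched: scheduling of the sandboxed child (verify)` and `# cgroup dirs/files: per-sandbox cgroup setup (verify)`. `files_search_all(seunshare_domain)` in particular is wide enough that it should state which paths seunshare has to traverse.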
diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc
index b07ee19..5d12aa3 100644
--- a/policy/modules/apps/telepathy.fc
+++ b/policy/modules/apps/telepathy.fc
@@ -1,8 +1,12 @@
HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
-HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
+HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)
+HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.cache/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
+HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0)
+HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0)
HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
index 3cfb128..d49274d 100644
--- a/policy/modules/apps/telepathy.if
+++ b/policy/modules/apps/telepathy.if
@@ -11,9 +11,7 @@
## </summary>
## </param>
#
-#
template(`telepathy_domain_template',`
-
gen_require(`
attribute telepathy_domain;
attribute telepathy_executable;
@@ -23,16 +21,18 @@ template(`telepathy_domain_template',`
type telepathy_$1_exec_t, telepathy_executable;
application_domain(telepathy_$1_t, telepathy_$1_exec_t)
ubac_constrained(telepathy_$1_t)
+ auth_use_nsswitch(telepathy_$1_t)
type telepathy_$1_tmp_t;
files_tmp_file(telepathy_$1_tmp_t)
ubac_constrained(telepathy_$1_tmp_t)
+
')
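Review bot: An empty line now sits directly before the closing `')` of `telepathy_domain_template`, which none of the other interfaces in this file do; remove the blank line. The `auth_use_nsswitch(telepathy_$1_t)` placed in the template matches the removal from the `telepathy_domain` attribute later in this commit, so each domain keeps the same access. The template's opening lines are outside this hunk.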
#######################################
## <summary>
-## Role access for telepathy domains
-### that executes via dbus-session
+## Role access for telepathy domains
+## that executes via dbus-session
## </summary>
## <param name="user_role">
## <summary>
@@ -44,8 +44,13 @@ template(`telepathy_domain_template',`
## The type of the user domain.
## </summary>
## </param>
+## <param name="domain_prefix">
+## <summary>
+## User domain prefix to be used.
+## </summary>
+## </param>
#
-template(`telepathy_role', `
+template(`telepathy_role',`
gen_require(`
attribute telepathy_domain;
type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
@@ -76,6 +81,8 @@ template(`telepathy_role', `
dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
+
+ telepathy_dbus_chat($2)
')
########################################
@@ -122,11 +129,6 @@ interface(`telepathy_gabble_dbus_chat', `
## <summary>
## Read telepathy mission control state.
## </summary>
-## <param name="role_prefix">
-## <summary>
-## Prefix to be used.
-## </summary>
-## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
@@ -166,7 +168,7 @@ interface(`telepathy_msn_stream_connect', `
## Stream connect to Telepathy Salut
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
## </summary>
## </param>
@@ -179,3 +181,111 @@ interface(`telepathy_salut_stream_connect', `
stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
files_search_tmp($1)
')
+
+#######################################
+## <summary>
+## Send DBus messages to and from
+## all Telepathy domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_dbus_chat',`
+ gen_require(`
+ attribute telepathy_domain;
+ class dbus send_msg;
+ ')
+
+ allow $1 telepathy_domain:dbus send_msg;
+ allow telepathy_domain $1:dbus send_msg;
+')
+
+######################################
+## <summary>
+## Execute telepathy executable
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a telepathy executable
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`telepathy_command_domtrans', `
+ gen_require(`
+ attribute telepathy_executable;
+ ')
+
+ allow $2 telepathy_executable:file entrypoint;
+ domain_transition_pattern($1, telepathy_executable, $2)
+ type_transition $1 telepathy_executable:process $2;
+
+ # needs to dbus chat with unconfined_t and unconfined_dbusd_t
+ optional_policy(`
+ telepathy_dbus_chat($1)
+ telepathy_dbus_chat($2)
+ ')
+')
+
+########################################
+## <summary>
+## Create telepathy content in the user home directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_filetrans_home_content',`
+ gen_require(`
+ type telepathy_mission_control_cache_home_t;
+ type telepathy_mission_control_home_t;
+ type telepathy_logger_cache_home_t;
+ type telepathy_gabble_cache_home_t;
+ type telepathy_sunshine_home_t;
+ type telepathy_logger_data_home_t;
+ type telepathy_cache_home_t, telepathy_data_home_t;
+ type telepathy_mission_control_data_home_t;
+ ')
+
+ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
+ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, file, "sqlite-data-journal")
+ filetrans_pattern($1, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
+
+ filetrans_pattern($1, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
+
+ userdom_user_home_dir_filetrans($1, telepathy_mission_control_home_t, dir, ".mission-control")
+ userdom_user_home_dir_filetrans($1, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
+
+ gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble")
+ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky")
+ gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy")
+
+ gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger")
+ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
+')
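Review bot: The comment `# needs to dbus chat with unconfined_t and unconfined_dbusd_t` inside `telepathy_command_domtrans` does not describe the code beneath it, which grants dbus chat to whatever `$1` and `$2` the caller passes; replace it with `# both the caller and the new domain must be able to dbus chat with telepathy domains`. The `<desc>` of the same interface says "execute any file on these filesystems", wording carried over from a filesystem interface; it should read "any telepathy executable". `telepathy_filetrans_home_content` calls `gnome_cache_filetrans`/`gnome_data_filetrans` unconditionally, which presumably makes every caller of this interface depend on the gnome module being present; wrapping those six calls in an optional_policy block would match how the gabble rules in telepathy.te call the same interfaces.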
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
index 2533ea0..58f8728 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -26,12 +26,18 @@ attribute telepathy_executable;
telepathy_domain_template(gabble)
+type telepathy_cache_home_t;
+userdom_user_home_content(telepathy_cache_home_t)
+
type telepathy_gabble_cache_home_t;
userdom_user_home_content(telepathy_gabble_cache_home_t)
telepathy_domain_template(idle)
telepathy_domain_template(logger)
+type telepathy_data_home_t;
+userdom_user_home_content(telepathy_data_home_t)
+
type telepathy_logger_cache_home_t;
userdom_user_home_content(telepathy_logger_cache_home_t)
@@ -43,6 +49,9 @@ telepathy_domain_template(mission_control)
type telepathy_mission_control_home_t;
userdom_user_home_content(telepathy_mission_control_home_t)
+type telepathy_mission_control_data_home_t;
+userdom_user_home_content(telepathy_mission_control_data_home_t)
+
type telepathy_mission_control_cache_home_t;
userdom_user_home_content(telepathy_mission_control_cache_home_t)
@@ -67,6 +76,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble
manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
+# ~/.cache/gabble/caps-cache.db-journal
+optional_policy(`
+ manage_dirs_pattern(telepathy_gabble_t, { telepathy_cache_home_t telepathy_gabble_cache_home_t } , { telepathy_cache_home_t telepathy_gabble_cache_home_t })
+ manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+ filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, { dir file })
+ gnome_cache_filetrans(telepathy_gabble_t, telepathy_cache_home_t, dir)
+')
+
corenet_all_recvfrom_netlabel(telepathy_gabble_t)
corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
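Review bot: `manage_dirs_pattern(telepathy_gabble_t, { telepathy_cache_home_t telepathy_gabble_cache_home_t } , { ... })` has a stray space before the comma; the equivalent logger line later in this commit writes `}, {`. The optional_policy wrapper here exists for `gnome_cache_filetrans`, but the three pattern calls before it only involve telepathy's own types and need no guard; moving them out of the block makes clear which rule actually depends on gnome.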
@@ -112,6 +129,10 @@ optional_policy(`
dbus_system_bus_client(telepathy_gabble_t)
')
+optional_policy(`
+ gnome_manage_home_config(telepathy_gabble_t)
+')
+
#######################################
#
# Telepathy Idle local policy.
@@ -147,10 +168,14 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
+manage_dirs_pattern(telepathy_logger_t, { telepathy_cache_home_t telepathy_logger_cache_home_t }, { telepathy_cache_home_t telepathy_logger_cache_home_t })
manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
+filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, { dir file })
+gnome_cache_filetrans(telepathy_logger_t, telepathy_cache_home_t, dir)
manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
+gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir)
files_read_etc_files(telepathy_logger_t)
files_read_usr_files(telepathy_logger_t)
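Review bot: `gnome_cache_filetrans(telepathy_logger_t, telepathy_cache_home_t, dir)` and `gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir)` are called outside any optional_policy block, whereas the gabble and mission-control cache hunks of this commit wrap the same interfaces in one; the mission-control hunk's `gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir)` is unguarded in the same way. Pick one convention for the file; given the existing blocks, wrapping these calls in an optional_policy block is the smaller change.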
@@ -168,6 +193,11 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(telepathy_logger_t)
')
+optional_policy(`
+ # ~/.config/dconf/user
+ gnome_manage_home_config(telepathy_logger_t)
+')
+
#######################################
#
# Telepathy Mission-Control local policy.
@@ -176,6 +206,12 @@ tunable_policy(`use_samba_home_dirs',`
manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
+userdom_search_user_home_dirs(telepathy_mission_control_t)
+
+manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
+filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file })
+gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir)
dev_read_rand(telepathy_mission_control_t)
@@ -194,6 +230,16 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(telepathy_mission_control_t)
')
+optional_policy(`
+ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t)
+')
+
+# ~/.cache/.mc_connections.
+optional_policy(`
+ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
+ gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file)
+')
+
#######################################
#
# Telepathy Butterfly and Haze local policy.
@@ -205,8 +251,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
+can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
corenet_all_recvfrom_netlabel(telepathy_msn_t)
corenet_all_recvfrom_unlabeled(telepathy_msn_t)
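Review bot: `exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)` and `can_exec(telepathy_msn_t, telepathy_msn_tmp_t)` both grant execute on the same tmp type, so one of them is redundant; keep one. Letting a domain execute content it writes to its own tmp directory is the kind of grant that needs a why-comment, e.g. `# NOTE(review): msn backend executes files it creates under its tmp dir — name the component here`. `userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)` would also read better with a one-line note on what triggers the denial being silenced.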
@@ -246,6 +295,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
')
optional_policy(`
+ gnome_read_gconf_home_files(telepathy_msn_t)
+')
+
+optional_policy(`
dbus_system_bus_client(telepathy_msn_t)
optional_policy(`
@@ -365,10 +418,9 @@ dev_read_urand(telepathy_domain)
kernel_read_system_state(telepathy_domain)
+fs_getattr_all_fs(telepathy_domain)
fs_search_auto_mountpoints(telepathy_domain)
-auth_use_nsswitch(telepathy_domain)
-
miscfiles_read_localization(telepathy_domain)
optional_policy(`
@@ -376,5 +428,23 @@ optional_policy(`
')
optional_policy(`
+ gnome_read_generic_cache_files(telepathy_domain)
+ gnome_write_generic_cache_files(telepathy_domain)
+')
+
+optional_policy(`
+ telepathy_dbus_chat(telepathy_domain)
+')
+
+optional_policy(`
xserver_rw_xdm_pipes(telepathy_domain)
')
+
+# Just for F15
+optional_policy(`
+ gen_require(`
+ role unconfined_r;
+ ')
+
+ role unconfined_r types telepathy_domain;
+')
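Review bot: `# Just for F15` above the `role unconfined_r types telepathy_domain;` block records when the rule was added but not why or when it can be removed, so a later maintainer cannot tell when it is safe to drop; a comment such as `# F15 compatibility: telepathy domains must be reachable from unconfined_r until <condition>; remove afterwards` with the condition filled in is what is needed. `telepathy_dbus_chat(telepathy_domain)` is an interface from this same module, so the optional_policy around it does not guard against any other module being absent and can be dropped.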
diff --git a/policy/modules/apps/thumb.fc b/policy/modules/apps/thumb.fc
new file mode 100644
index 0000000..a4be758
--- /dev/null
+++ b/policy/modules/apps/thumb.fc
@@ -0,0 +1,4 @@
+
+/usr/bin/evince-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/gnome-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/totem-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
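Review bot: thumb.fc begins with an empty line, and thumb.if in this commit opens with a blank line followed by a double blank, has another double blank between its first two interfaces, and ends with a trailing blank line; the other .fc/.if files in this patch start directly with content. Drop the leading blank here and the extra blanks in thumb.if. The `<summary>policy for thumb</summary>` header in thumb.if would also be more useful as `<summary>Confined domain for the evince, gnome-font and totem thumbnailers</summary>`, naming the three binaries labeled here.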
diff --git a/policy/modules/apps/thumb.if b/policy/modules/apps/thumb.if
new file mode 100644
index 0000000..b78aa77
--- /dev/null
+++ b/policy/modules/apps/thumb.if
@@ -0,0 +1,79 @@
+
+## <summary>policy for thumb</summary>
+
+
+########################################
+## <summary>
+## Transition to thumb.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`thumb_domtrans',`
+ gen_require(`
+ type thumb_t, thumb_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, thumb_exec_t, thumb_t)
+')
+
+
+########################################
+## <summary>
+## Execute thumb in the thumb domain, and
+## allow the specified role the thumb domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the thumb domain.
+## </summary>
+## </param>
+#
+interface(`thumb_run',`
+ gen_require(`
+ type thumb_t;
+ ')
+
+ thumb_domtrans($1)
+ role $2 types thumb_t;
+
+ allow $1 thumb_t:process signal;
+')
+
+########################################
+## <summary>
+## Role access for thumb
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`thumb_role',`
+ gen_require(`
+ type thumb_t;
+ ')
+
+ role $1 types thumb_t;
+
+ thumb_domtrans($2)
+
+ ps_process_pattern($2, thumb_t)
+ allow $2 thumb_t:process signal;
+')
+
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
index 0000000..73e7983
--- /dev/null
+++ b/policy/modules/apps/thumb.te
@@ -0,0 +1,127 @@
+policy_module(thumb, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type thumb_t;
+type thumb_exec_t;
+application_domain(thumb_t, thumb_exec_t)
+ubac_constrained(thumb_t)
+
+role system_r types thumb_t; # why is system_r needed
+
+# this is for liborc: ~/orcexec.*
+# these should normally go to /tmp but it goes to ~ if not executable in /tmp
+# there is also a bug in liborc where it does to ~ by default
+# no longer needed orc fix available
+# type thumb_home_t;
+#userdom_user_home_content(thumb_home_t)
+
+type thumb_tmp_t;
+files_tmp_file(thumb_tmp_t)
+ubac_constrained(thumb_tmp_t)
+
+########################################
+#
+# thumb local policy
+#
+
+# execmem is for totem-video-thumbnailer
+allow thumb_t self:process { setsched signal setrlimit execmem };
+
+allow thumb_t self:fifo_file manage_fifo_file_perms;
+allow thumb_t self:unix_stream_socket create_stream_socket_perms;
+
+# please reproduce this, because i cannot
+# manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t)
+# userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir)
+
+# for totem-video-thumbnailer
+allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
+allow thumb_t self:udp_socket create_socket_perms;
+allow thumb_t self:tcp_socket create_socket_perms;
+
+# gst-plugin-scanner/liborc, ~/orcexec.*
+# no longer need fix in latest orc package
+# exec_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
+# manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
+# userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file)
+
+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+# please reproduce this, because it cannot
+# userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, file)
+files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })
+
+kernel_read_system_state(thumb_t)
+
+domain_use_interactive_fds(thumb_t)
+
+# /usr/libexec/gstreamer.*/gst-plugin-scanner
+corecmd_exec_bin(thumb_t)
+
+# gst-plugin-scanner
+dev_read_sysfs(thumb_t)
+
+domain_use_interactive_fds(thumb_t)
+
+files_read_etc_files(thumb_t)
+files_read_usr_files(thumb_t)
+
+miscfiles_read_fonts(thumb_t)
+miscfiles_read_localization(thumb_t)
+
+# totem-video-thumbnailer
+sysnet_read_config(thumb_t)
+
+# read files to be thumbed
+userdom_read_user_tmp_files(thumb_t)
+userdom_read_user_home_content_files(thumb_t)
+# .gnome_desktop_thumbnail.* is created by something in the user domain.
+# probably libgnome.
+userdom_write_user_tmp_files(thumb_t)
+
+userdom_use_inherited_user_ptys(thumb_t)
+
+optional_policy(`
+ dbus_dontaudit_session_bus_connect(thumb_t)
+')
+
+# optional_policy(`
+# gnome_read_gconf_home_files(thumb_t)
+# gnome_read_gstreamer_home_content(thumb_t)
+# ')
+
+# please reproduce this, because i cannot
+# optional_policy(`
+# gnome_read_gconf_home_files(thumb_t)
+# ')
+
+# these two are inherited
+# should probably create and call xserver_ra_inherited_xdm_home_files()
+xserver_read_xdm_home_files(thumb_t)
+xserver_append_xdm_home_files(thumb_t)
+# seems to not be needed
+xserver_dontaudit_read_xdm_pid(thumb_t)
+# this is required for totem-video-thumbnailer
+# although thumb does not need to write xserver_tmp_t sock_files
+# we probably want a xserver_connect to support but unix stream socket
+# connections as well tcp connections
+# allow thumb_t xserver_port_t:tcp_socket name_connect;
+xserver_stream_connect(thumb_t)
+
+optional_policy(`
+ # This seems not strictly needed
+ dbus_dontaudit_stream_connect_session_bus(thumb_t)
+')
+
+optional_policy(`
+ # this seems to work
+ # thumb_t tries to search data_home_t, config_home_t and gconf_home_t
+ gnome_dontaudit_search_config(thumb_t)
+ # totem-video-thumbnailer
+ gnome_manage_gstreamer_home_files(thumb_t)
+')
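Review bot: `exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)` sits next to `manage_files_pattern` on the same type, so thumb_t can write a file into its tmp and then execute it, and `execmem` on the `allow thumb_t self:process` line relaxes W^X for the domain as well; for a domain whose purpose is to "read files to be thumbed" (user-supplied media) this leaves little confinement if a thumbnailer is exploited. The comments at the top of the file say the liborc `orcexec` workaround is "no longer needed", so the tmp exec rule should be dropped or placed under a `tunable_policy` with a comment naming the binary that still needs it. `domain_use_interactive_fds(thumb_t)` is listed twice (once above `corecmd_exec_bin` and once below `dev_read_sysfs`); delete one. The `# why is system_r needed` question on `role system_r types thumb_t;` should be answered in the comment or the rule removed, and the two `optional_policy` blocks that each hold one `dbus_dontaudit_*` rule can be merged.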
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index 11fe4f2..98bfbf3 100644
--- a/policy/modules/apps/tvtime.te
+++ b/policy/modules/apps/tvtime.te
@@ -73,7 +73,7 @@ fs_search_auto_mountpoints(tvtime_t)
miscfiles_read_localization(tvtime_t)
miscfiles_read_fonts(tvtime_t)
-userdom_use_user_terminals(tvtime_t)
+userdom_use_inherited_user_terminals(tvtime_t)
userdom_read_user_home_content_files(tvtime_t)
# X access, Home files
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index 2df1343..7a11f39 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -134,7 +134,7 @@ seutil_use_newrole_fds(uml_t)
# Use the network.
sysnet_read_config(uml_t)
-userdom_use_user_terminals(uml_t)
+userdom_use_inherited_user_terminals(uml_t)
userdom_attach_admin_tun_iface(uml_t)
optional_policy(`
diff --git a/policy/modules/apps/userhelper.fc b/policy/modules/apps/userhelper.fc
index e70b0e8..cd83b89 100644
--- a/policy/modules/apps/userhelper.fc
+++ b/policy/modules/apps/userhelper.fc
@@ -7,3 +7,4 @@
# /usr
#
/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
index ced285a..8895098 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -25,6 +25,7 @@ template(`userhelper_role_template',`
gen_require(`
attribute userhelper_type;
type userhelper_exec_t, userhelper_conf_t;
+ class dbus send_msg;
')
########################################
@@ -122,6 +123,9 @@ template(`userhelper_role_template',`
auth_manage_pam_pid($1_userhelper_t)
auth_manage_var_auth($1_userhelper_t)
auth_search_pam_console_data($1_userhelper_t)
+ auth_use_nsswitch($1_userhelper_t)
+
+ logging_send_syslog_msg($1_userhelper_t)
# Inherit descriptors from the current session.
init_use_fds($1_userhelper_t)
@@ -146,18 +150,6 @@ template(`userhelper_role_template',`
')
optional_policy(`
- logging_send_syslog_msg($1_userhelper_t)
- ')
-
- optional_policy(`
- nis_use_ypbind($1_userhelper_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_userhelper_t)
- ')
-
- optional_policy(`
tunable_policy(`! secure_mode',`
#if we are not in secure mode then we can transition to sysadm_t
sysadm_bin_spec_domtrans($1_userhelper_t)
@@ -256,3 +248,69 @@ interface(`userhelper_exec',`
can_exec($1, userhelper_exec_t)
')
+
+#######################################
+## <summary>
+## The role template for the consolehelper module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for consolehelper applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`userhelper_console_role_template',`
+ gen_require(`
+ type consolehelper_exec_t;
+ attribute consolehelper_domain;
+ class dbus send_msg;
+ ')
+ type $1_consolehelper_t, consolehelper_domain;
+ domain_type($1_consolehelper_t)
+ domain_entry_file($1_consolehelper_t, consolehelper_exec_t)
+ role $2 types $1_consolehelper_t;
+
+ domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
+
+ allow $3 $1_consolehelper_t:dbus send_msg;
+ allow $1_consolehelper_t $3:dbus send_msg;
+
+ auth_use_pam($1_consolehelper_t)
+
+ userdom_manage_tmpfs_role($2, $1_consolehelper_t)
+
+ optional_policy(`
+ dbus_connect_session_bus($1_consolehelper_t)
+ ')
+
+ optional_policy(`
+ shutdown_run($1_consolehelper_t, $2)
+ shutdown_send_sigchld($3)
+ ')
+
+ optional_policy(`
+ mock_run($1_consolehelper_t, $2)
+ ')
+
+ optional_policy(`
+ xserver_run_xauth($1_consolehelper_t, $2)
+ xserver_read_xdm_pid($1_consolehelper_t)
+ ')
+')
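Review bot: The template grants `shutdown_run` and `mock_run` to the derived domain of every role that instantiates it, so the SELinux side puts no role-based limit on which users can reach the shutdown or mock domains through consolehelper; presumably the gate is userhelper's PAM / console.apps configuration, and the `<desc>` should state that explicitly so a policy author does not expect the role to restrict it. The description also has a grammar slip: `This template creates a derived domains which are used` should read `This template creates a derived domain which is used`. Unlike `thumb_t` elsewhere in this patch, `$1_consolehelper_t` is not marked `ubac_constrained`; if UBAC is meant to cover per-user helper domains, add `ubac_constrained($1_consolehelper_t)` after the `domain_type` call.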
diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
index 13b2cea..8ce8577 100644
--- a/policy/modules/apps/userhelper.te
+++ b/policy/modules/apps/userhelper.te
@@ -6,9 +6,81 @@ policy_module(userhelper, 1.6.0)
#
attribute userhelper_type;
+attribute consolehelper_domain;
type userhelper_conf_t;
files_type(userhelper_conf_t)
type userhelper_exec_t;
application_executable_file(userhelper_exec_t)
+
+type consolehelper_exec_t;
+application_executable_file(consolehelper_exec_t)
+
+########################################
+#
+# consolehelper local policy
+#
+
+allow consolehelper_domain self:shm create_shm_perms;
+allow consolehelper_domain self:capability { setgid setuid };
+
+allow consolehelper_domain userhelper_conf_t:file audit_access;
+dontaudit consolehelper_domain userhelper_conf_t:file write;
+read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t)
+
+# Init script handling
+domain_use_interactive_fds(consolehelper_domain)
+
+# internal communication is often done using fifo and unix sockets.
+allow consolehelper_domain self:fifo_file rw_fifo_file_perms;
+allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(consolehelper_domain)
+kernel_read_kernel_sysctls(consolehelper_domain)
+
+corecmd_exec_bin(consolehelper_domain)
+
+dev_getattr_all_chr_files(consolehelper_domain)
+dev_dontaudit_list_all_dev_nodes(consolehelper_domain)
+dev_dontaudit_getattr_all(consolehelper_domain)
+fs_getattr_all_dirs(consolehelper_domain)
+
+files_read_config_files(consolehelper_domain)
+files_read_usr_files(consolehelper_domain)
+
+term_list_ptys(consolehelper_domain)
+
+auth_search_pam_console_data(consolehelper_domain)
+auth_read_pam_pid(consolehelper_domain)
+
+init_read_utmp(consolehelper_domain)
+init_telinit(consolehelper_domain)
+
+miscfiles_read_localization(consolehelper_domain)
+miscfiles_read_fonts(consolehelper_domain)
+
+userhelper_exec(consolehelper_domain)
+
+userdom_use_user_ptys(consolehelper_domain)
+userdom_use_user_ttys(consolehelper_domain)
+userdom_read_user_home_content_files(consolehelper_domain)
+
+optional_policy(`
+ gnome_read_gconf_home_files(consolehelper_domain)
+')
+
+optional_policy(`
+ xserver_read_home_fonts(consolehelper_domain)
+ xserver_stream_connect(consolehelper_domain)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ files_search_mnt(consolehelper_domain)
+ fs_search_nfs(consolehelper_domain)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ files_search_mnt(consolehelper_domain)
+ fs_search_cifs(consolehelper_domain)
+')
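Review bot: `userdom_use_user_ptys(consolehelper_domain)` and `userdom_use_user_ttys(consolehelper_domain)` grant the full terminal permissions, whereas every other domain touched in this patch is being moved to the `userdom_use_inherited_user_*` variants that only cover already-open descriptors; consolehelper is started from the user's own session, so `userdom_use_inherited_user_ptys(consolehelper_domain)` / `userdom_use_inherited_user_ttys(consolehelper_domain)` would be consistent and tighter. `init_telinit(consolehelper_domain)` and `self:capability { setgid setuid }` are given to every consolehelper domain, including those derived for unprivileged roles and before any PAM authentication has taken place; a comment should say which consolehelper action needs each (and that DAC on the init control path is what actually stops an unauthenticated user), or the access should live in the domain that performs the privileged action. `userhelper_exec(consolehelper_domain)` lets the setuid userhelper binary run without leaving the consolehelper domain; if a transition into the `$1_userhelper_t` domain is set up elsewhere this only adds `execute_no_trans`, but that intent deserves a comment on the line.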
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
index 9586818..f938024 100644
--- a/policy/modules/apps/usernetctl.te
+++ b/policy/modules/apps/usernetctl.te
@@ -58,7 +58,7 @@ seutil_read_config(usernetctl_t)
sysnet_read_config(usernetctl_t)
-userdom_use_user_terminals(usernetctl_t)
+userdom_use_inherited_user_terminals(usernetctl_t)
optional_policy(`
hostname_exec(usernetctl_t)
diff --git a/policy/modules/apps/vlock.te b/policy/modules/apps/vlock.te
index 03fc701..f58654e 100644
--- a/policy/modules/apps/vlock.te
+++ b/policy/modules/apps/vlock.te
@@ -50,4 +50,4 @@ logging_send_syslog_msg(vlock_t)
miscfiles_read_localization(vlock_t)
userdom_dontaudit_search_user_home_dirs(vlock_t)
-userdom_use_user_terminals(vlock_t)
+userdom_use_inherited_user_terminals(vlock_t)
diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc
index f647c7e..252468a 100644
--- a/policy/modules/apps/vmware.fc
+++ b/policy/modules/apps/vmware.fc
@@ -39,12 +39,6 @@ ifdef(`distro_redhat',`
/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
')
-/usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
-/usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
-/usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
-/usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
-/usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-
/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 23066a1..6aff330 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -126,6 +126,7 @@ dev_getattr_all_blk_files(vmware_host_t)
dev_read_sysfs(vmware_host_t)
dev_read_urand(vmware_host_t)
dev_rw_vmware(vmware_host_t)
+dev_rw_generic_chr_files(vmware_host_t)
domain_use_interactive_fds(vmware_host_t)
domain_dontaudit_read_all_domains_state(vmware_host_t)
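Review bot: `dev_rw_generic_chr_files(vmware_host_t)` grants read/write on every character device that still carries the generic `device_t` label, which is far broader than the `dev_rw_vmware(vmware_host_t)` rule directly above it and will silently extend to any future unlabelled device node. If one specific vmware node is behind this, the better fix is a file context for that node so `dev_rw_vmware` covers it, and the generic rule goes away; otherwise add a comment naming the device that needs it so the exposure is deliberate rather than accidental.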
@@ -133,7 +134,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t)
files_list_tmp(vmware_host_t)
files_read_etc_files(vmware_host_t)
files_read_etc_runtime_files(vmware_host_t)
-files_read_usr_files(vmware_host_t)
+files_read_usr_files(vmware_host_t)
fs_getattr_all_fs(vmware_host_t)
fs_search_auto_mountpoints(vmware_host_t)
@@ -152,7 +153,7 @@ logging_send_syslog_msg(vmware_host_t)
miscfiles_read_localization(vmware_host_t)
sysnet_dns_name_resolve(vmware_host_t)
-sysnet_domtrans_ifconfig(vmware_host_t)
+sysnet_domtrans_ifconfig(vmware_host_t)
userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
userdom_dontaudit_search_user_home_dirs(vmware_host_t)
@@ -161,10 +162,22 @@ netutils_domtrans_ping(vmware_host_t)
optional_policy(`
hostname_exec(vmware_host_t)
-')
+')
optional_policy(`
modutils_domtrans_insmod(vmware_host_t)
+')
+
+optional_policy(`
+ samba_read_config(vmware_host_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(vmware_host_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(vmware_host_t)
')
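Review bot: `shutdown_domtrans(vmware_host_t)` lets the vmware host daemon start a system shutdown in the shutdown domain and `samba_read_config(vmware_host_t)` exposes smb.conf to it, both without a word of explanation; the surrounding optional blocks are equally bare, but these two are privilege-relevant. A one-line comment per block — e.g. `# guest power-off requested by the hypervisor` above `shutdown_domtrans`, and the feature that reads smb.conf above `samba_read_config` (presumably shared-folder setup) — would let a later reviewer check that the access is still needed.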
optional_policy(`
@@ -275,7 +288,7 @@ libs_read_lib_files(vmware_t)
miscfiles_read_localization(vmware_t)
-userdom_use_user_terminals(vmware_t)
+userdom_use_inherited_user_terminals(vmware_t)
userdom_list_user_home_dirs(vmware_t)
# cjp: why?
userdom_read_user_home_content_files(vmware_t)
diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
index b11941a..93ec570 100644
--- a/policy/modules/apps/webalizer.te
+++ b/policy/modules/apps/webalizer.te
@@ -75,13 +75,15 @@ files_read_etc_runtime_files(webalizer_t)
logging_list_logs(webalizer_t)
logging_send_syslog_msg(webalizer_t)
+auth_use_nsswitch(webalizer_t)
+
miscfiles_read_localization(webalizer_t)
miscfiles_read_public_files(webalizer_t)
sysnet_dns_name_resolve(webalizer_t)
sysnet_read_config(webalizer_t)
-userdom_use_user_terminals(webalizer_t)
+userdom_use_inherited_user_terminals(webalizer_t)
userdom_use_unpriv_users_fds(webalizer_t)
userdom_dontaudit_search_user_home_content(webalizer_t)
@@ -97,13 +99,5 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(webalizer_t)
-')
-
-optional_policy(`
- nscd_socket_use(webalizer_t)
-')
-
-optional_policy(`
squid_read_log(webalizer_t)
')
diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc
index 9d24449..2666317 100644
--- a/policy/modules/apps/wine.fc
+++ b/policy/modules/apps/wine.fc
@@ -2,6 +2,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0)
/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
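Review bot: `/opt/google/picasa(/.*)?/Picasa3/.*exe` has no `\.` before `exe`, so it matches any regular file at any depth below a `Picasa3` directory whose name merely ends in the letters `exe`. Since `wine_exec_t` is an entry point into wine_t (which wine.te in this patch gives `files_execmod_all_files`), the entry should be as tight as its neighbours: `/opt/google/picasa(/.*)?/Picasa3/.*\.exe`.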
@@ -10,6 +11,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/teamviewer(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index f9a73d0..e10101a 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -29,12 +29,16 @@
#
template(`wine_role',`
gen_require(`
+ type wine_t;
+ type wine_home_t;
type wine_exec_t;
')
role $1 types wine_t;
domain_auto_trans($2, wine_exec_t, wine_t)
+ # Unrestricted inheritance from the caller.
+ allow $2 wine_t:process { noatsecure siginh rlimitinh };
allow wine_t $2:fd use;
allow wine_t $2:process { sigchld signull };
allow wine_t $2:unix_stream_socket connectto;
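Review bot: `allow $2 wine_t:process { noatsecure siginh rlimitinh };` switches off the secure-exec protections for the transition into wine_t: `noatsecure` means the dynamic loader will honour `LD_PRELOAD`/`LD_LIBRARY_PATH` and similar variables from the caller's environment across the domain change, and `siginh`/`rlimitinh` carry the caller's signal state and rlimits along. Because wine_t is already roughly as privileged as the user (wine.te in this patch grants it `files_execmod_all_files`), that is probably acceptable, but the bare `# Unrestricted inheritance from the caller.` comment should say why it is required, e.g. `# wine needs the caller's environment and limits intact; a secure-exec transition breaks it`, so the rule is not copied into a domain that does hold extra privilege.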
@@ -44,8 +48,7 @@ template(`wine_role',`
allow $2 wine_t:process signal_perms;
allow $2 wine_t:fd use;
- allow $2 wine_t:shm { associate getattr };
- allow $2 wine_t:shm { unix_read unix_write };
+ allow $2 wine_t:shm { associate getattr unix_read unix_write };
allow $2 wine_t:unix_stream_socket connectto;
# X access, Home files
@@ -86,6 +89,7 @@ template(`wine_role',`
#
template(`wine_role_template',`
gen_require(`
+ type wine_t;
type wine_exec_t;
')
@@ -101,7 +105,7 @@ template(`wine_role_template',`
corecmd_bin_domtrans($1_wine_t, $1_t)
userdom_unpriv_usertype($1, $1_wine_t)
- userdom_manage_user_tmpfs_files($1_wine_t)
+ userdom_manage_tmpfs_role($2, $1_wine_t)
domain_mmap_low($1_wine_t)
@@ -109,6 +113,10 @@ template(`wine_role_template',`
dontaudit $1_wine_t self:memprotect mmap_zero;
')
+ tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit $1_wine_t self:memprotect mmap_zero;
+ ')
+
optional_policy(`
xserver_role($1_r, $1_wine_t)
')
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index be9246b..e3de8fa 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -40,7 +40,7 @@ domain_mmap_low(wine_t)
files_execmod_all_files(wine_t)
-userdom_use_user_terminals(wine_t)
+userdom_use_inherited_user_terminals(wine_t)
tunable_policy(`wine_mmap_zero_ignore',`
dontaudit wine_t self:memprotect mmap_zero;
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 8bfe97d..95a3d06 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -15,6 +15,7 @@ ubac_constrained(wireshark_t)
type wireshark_home_t;
typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };
+files_poly_member(wireshark_home_t)
userdom_user_home_content(wireshark_home_t)
type wireshark_tmp_t;
@@ -34,7 +35,7 @@ ubac_constrained(wireshark_tmpfs_t)
# Local Policy
#
-allow wireshark_t self:capability { net_admin net_raw setgid };
+allow wireshark_t self:capability { net_admin net_raw };
allow wireshark_t self:process { signal getsched };
allow wireshark_t self:fifo_file { getattr read write };
allow wireshark_t self:shm destroy;
@@ -85,6 +86,8 @@ fs_search_auto_mountpoints(wireshark_t)
libs_read_lib_files(wireshark_t)
+auth_use_nsswitch(wireshark_t)
+
miscfiles_read_fonts(wireshark_t)
miscfiles_read_localization(wireshark_t)
@@ -106,10 +109,6 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_symlinks(wireshark_t)
')
-optional_policy(`
- nscd_socket_use(wireshark_t)
-')
-
# Manual transition from userhelper
optional_policy(`
userhelper_use_fd(wireshark_t)
diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
index b3efef7..50c1a74 100644
--- a/policy/modules/apps/wm.if
+++ b/policy/modules/apps/wm.if
@@ -77,6 +77,11 @@ template(`wm_role_template',`
miscfiles_read_fonts($1_wm_t)
miscfiles_read_localization($1_wm_t)
+ userdom_manage_home_role($2, $1_wm_t)
+ userdom_manage_tmpfs_role($2, $1_wm_t)
+ userdom_manage_tmp_role($2, $1_wm_t)
+ userdom_exec_user_tmp_files($1_wm_t)
+
optional_policy(`
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
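Review bot: `userdom_exec_user_tmp_files($1_wm_t)` together with `userdom_manage_tmp_role($2, $1_wm_t)` lets the window manager domain write a file into the user's tmp and then execute it, and `userdom_manage_home_role($2, $1_wm_t)` hands it full control of the user's home content; combined, a compromised `$1_wm_t` can do essentially everything the user domain can, which undercuts the point of a separate WM domain. If one particular window manager needs to launch helpers from tmp, a comment should name it, and at least the exec rule belongs under a `tunable_policy` so installations without that need keep the WM unable to execute user-writable files.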
diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te
index 1bdeb16..775f788 100644
--- a/policy/modules/apps/xscreensaver.te
+++ b/policy/modules/apps/xscreensaver.te
@@ -37,7 +37,7 @@ logging_send_syslog_msg(xscreensaver_t)
miscfiles_read_localization(xscreensaver_t)
-userdom_use_user_ptys(xscreensaver_t)
+userdom_use_inherited_user_ptys(xscreensaver_t)
#access to .icons and ~/.xscreensaver
userdom_read_user_home_content_files(xscreensaver_t)
diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te
index 223ad43..d95e720 100644
--- a/policy/modules/apps/yam.te
+++ b/policy/modules/apps/yam.te
@@ -83,6 +83,8 @@ fs_search_auto_mountpoints(yam_t)
# Content can also be on ISO image files.
fs_read_iso9660_files(yam_t)
+auth_use_nsswitch(yam_t)
+
logging_send_syslog_msg(yam_t)
miscfiles_read_localization(yam_t)
@@ -92,7 +94,7 @@ seutil_read_config(yam_t)
sysnet_dns_name_resolve(yam_t)
sysnet_read_config(yam_t)
-userdom_use_user_terminals(yam_t)
+userdom_use_inherited_user_terminals(yam_t)
userdom_use_unpriv_users_fds(yam_t)
# Reading dotfiles...
# cjp: ?
@@ -112,13 +114,5 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(yam_t)
-')
-
-optional_policy(`
- nscd_socket_use(yam_t)
-')
-
-optional_policy(`
rsync_exec(yam_t)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 3fae11a..d653b7f 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
-/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0)
-
/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
@@ -130,18 +128,15 @@ ifdef(`distro_debian',`
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
-/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
-/lib64/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
-
ifdef(`distro_gentoo',`
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
-/lib64/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
+/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
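Review bot: Inside the `distro_gentoo` block the rewritten line now reads `/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)`, identical to the unchanged line immediately above it, so the hunk leaves a duplicate file-context entry; the old `lib64` line should simply be deleted rather than rewritten. Removing `/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)` is only safe if those binaries receive a label from another module; if that is the case a short note would help, otherwise they fall back to the generic `/lib` label and any domain transition keyed on them stops working.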
@@ -179,6 +174,8 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
+/root/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
#
# /usr
#
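Review bot: `/root/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)` turns a directory inside the root home into a generic executable location: every confined domain with `corecmd_exec_bin` may run whatever the administrator drops there, and files created there afterwards only pick up the label on a `restorecon`, so behaviour differs between a fresh relabel and day-to-day use. If the intent is for the admin role's own domain to run personal scripts, a narrower rule (or a comment explaining why system daemons must be able to execute them) is preferable to a blanket `bin_t` label.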
@@ -198,48 +195,51 @@ ifdef(`distro_gentoo',`
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0)
-/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
-
-/usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-
-/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/run-session\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/MailScanner(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xulrunner[^/]*/xulrunner[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xulrunner[^/]*/updater -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xulrunner[^/]*/crashreporter -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
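Review bot: Dropping the `(64)?` alternative from every `/usr/lib(64)?/...` pattern assumes a path substitution maps `/usr/lib64` onto `/usr/lib` at labelling time (presumably a file_contexts.subs entry, which is not in this hunk); that dependency should be stated in a comment at the top of the `/usr` section, because on a system without the substitution the 64-bit helpers silently lose their `bin_t` label and every domain that transitions through them breaks. The rewrite also quietly drops `/usr/lib/cyrus/.*` while keeping `/usr/lib/cyrus-imapd/.*`; if the older path is obsolete say so in the hunk, otherwise restore it. The new `/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:bin_t,s0)` entry lets any `corecmd_exec_bin` domain run Chrome in its own domain, and a one-line comment on why Chrome gets `bin_t` rather than a browser-specific type would help later readers.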
@@ -247,9 +247,13 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr/local/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0)
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
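Review bot: `/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0)` labels the whole directory tree, which presumably includes the panel and plugin shared objects installed under it, as `bin_t` rather than `lib_t`; because the literal prefix is longer than the generic `/usr/lib` library patterns, this entry wins for those `.so` files, so domains that only map libraries lose access while every `corecmd_exec_bin` domain gains "executables" that were never meant to be run directly. Narrow the entry to the helper binaries, or pair it with a more specific entry that gives `/usr/lib/xfce4/.*\.so(\.[^/]*)*` the library label.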
@@ -267,6 +271,10 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cluster/checkquorum -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
@@ -286,6 +294,7 @@ ifdef(`distro_gentoo',`
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -293,8 +302,10 @@ ifdef(`distro_gentoo',`
/usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/virtualbox/.*\.sh gen_context(system_u:object_r:bin_t,s0)
+/usr/share/wicd/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
+/usr/X11R6/lib/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -306,10 +317,11 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/.*/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nfs-utils/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
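Review bot: The new `/usr/lib/.*/scripts(/.*)?` entry labels a `scripts` directory under any package in /usr/lib as bin_t, which is considerably broader than the package-specific entries around it (nfs-utils, oracle) and silently makes every file matching it executable for domains that may run bin_t; a narrower per-package pattern, or a comment naming which packages need it, would make the intent reviewable. The removal of the `/usr/lib64/...` twins in this hunk and in the later hunks at `-/usr/lib(64)?/ssh/.*` and `-/usr/lib64/yp/.+` presumes a path equivalence mapping /usr/lib64 onto /usr/lib (e.g. a file_contexts substitution) that is not part of this diff; if that mapping is absent on a target, those files fall back to the default label instead of bin_t. A one-line comment near the first removal, `# lib64 paths are covered by the /usr/lib64 -> /usr/lib substitution`, would document the dependency.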
@@ -319,9 +331,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/doc/ghc/html/libraries/gen_contents_index -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/kde4/apps/kajongg/kajongg.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
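Review bot: The added `kajongg.py` entry leaves the dot unescaped, unlike `pydict\.py` two lines below, so the regex also matches names such as `kajonggXpy`; the line should read `+/usr/share/kde4/apps/kajongg/kajongg\.py -- gen_context(system_u:object_r:bin_t,s0)`. The effect is only a slightly wider bin_t match, but file-context regexes in this file consistently escape literal dots and this one should too.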
@@ -363,7 +377,7 @@ ifdef(`distro_redhat', `
ifdef(`distro_suse', `
/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/ssh/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ssh/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -375,8 +389,9 @@ ifdef(`distro_suse', `
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -385,3 +400,4 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 9e9263a..59c2125 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -203,7 +203,7 @@ interface(`corecmd_getattr_bin_files',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -254,6 +254,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
########################################
## <summary>
+## Do not audit attempts to access check bin files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corecmd_dontaudit_access_check_bin',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ dontaudit $1 bin_t:file audit_access;
+')
+
+########################################
+## <summary>
## Read symbolic links in bin directories.
## </summary>
## <param name="domain">
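Review bot: The summary of the new corecmd_dontaudit_access_check_bin reads "Do not audit attempts to access check bin files", which does not say what is being suppressed; since the rule is `dontaudit $1 bin_t:file audit_access;`, a clearer summary is `## Do not audit access(2) permission checks on bin files.` The interface itself is a pure dontaudit and grants nothing, so the only reviewable point is the wording.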
@@ -1049,6 +1067,7 @@ interface(`corecmd_manage_all_executables',`
type bin_t;
')
+ manage_dirs_pattern($1, bin_t, exec_type)
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 4f3b542..54e4c81 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',`
########################################
## <summary>
+## Send and receive DCCP network traffic on generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_sendrecv_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node { dccp_send dccp_recv sendto recvfrom };
+')
+
+########################################
+## <summary>
## Send and receive TCP network traffic on generic nodes.
## </summary>
## <desc>
@@ -789,6 +807,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
########################################
## <summary>
+## Bind DCCP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_bind_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:dccp_socket node_bind;
+')
+
+########################################
+## <summary>
## Bind TCP sockets to generic nodes.
## </summary>
## <desc>
@@ -928,6 +964,24 @@ interface(`corenet_inout_generic_node',`
########################################
## <summary>
+## Send and receive DCCP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_sendrecv_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:node { dccp_send dccp_recv sendto recvfrom };
+')
+
+########################################
+## <summary>
## Send and receive TCP network traffic on all nodes.
## </summary>
## <param name="domain">
@@ -1102,6 +1156,24 @@ interface(`corenet_raw_sendrecv_all_nodes',`
########################################
## <summary>
+## Bind DCCP sockets to all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_bind_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:dccp_socket node_bind;
+')
+
+########################################
+## <summary>
## Bind TCP sockets to all nodes.
## </summary>
## <param name="domain">
@@ -1157,6 +1229,24 @@ interface(`corenet_raw_bind_all_nodes',`
########################################
## <summary>
+## Send and receive DCCP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_sendrecv_generic_port',`
+ gen_require(`
+ type port_t;
+ ')
+
+ allow $1 port_t:dccp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
## Send and receive TCP network traffic on generic ports.
## </summary>
## <param name="domain">
@@ -1175,6 +1265,26 @@ interface(`corenet_tcp_sendrecv_generic_port',`
########################################
## <summary>
+## Do not audit attempts to send and
+## receive DCCP network traffic on
+## generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_sendrecv_generic_port',`
+ gen_require(`
+ type port_t;
+ ')
+
+ dontaudit $1 port_t:dccp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
## Do not audit send and receive TCP network traffic on generic ports.
## </summary>
## <param name="domain">
@@ -1244,6 +1354,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
########################################
## <summary>
+## Bind DCCP sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_bind_generic_port',`
+ gen_require(`
+ type port_t;
+ attribute defined_port_type;
+ ')
+
+ allow $1 port_t:dccp_socket name_bind;
+ dontaudit $1 defined_port_type:dccp_socket name_bind;
+')
+
+########################################
+## <summary>
## Bind TCP sockets to generic ports.
## </summary>
## <param name="domain">
@@ -1255,11 +1385,30 @@ interface(`corenet_udp_sendrecv_generic_port',`
interface(`corenet_tcp_bind_generic_port',`
gen_require(`
type port_t;
- attribute port_type;
+ attribute defined_port_type;
')
allow $1 port_t:tcp_socket name_bind;
- dontaudit $1 { port_type -port_t }:tcp_socket name_bind;
+ dontaudit $1 defined_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to bind DCCP
+## sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_bind_generic_port',`
+ gen_require(`
+ type port_t;
+ ')
+
+ dontaudit $1 port_t:dccp_socket name_bind;
')
########################################
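Review bot: Replacing `dontaudit $1 { port_type -port_t }:tcp_socket name_bind;` with `dontaudit $1 defined_port_type:tcp_socket name_bind;` narrows the suppression to types that carry the new defined_port_type attribute, and the corenetwork.te.in hunk declares `unreserved_port_t` and `ephemeral_port_t` with only port_type plus their own attribute, so unless those types also receive defined_port_type elsewhere, bind attempts against them will now be audited for every caller of this interface. The same substitution is made in corenet_udp_bind_generic_port and in the new corenet_dccp_bind_generic_port. A narrower dontaudit is safe from a policy standpoint, but if the extra AVC noise is unintended the attribute assignment should be checked, and either way a short comment such as `# defined_port_type: every named port type except port_t` would make the intended membership explicit.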
@@ -1293,11 +1442,29 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
interface(`corenet_udp_bind_generic_port',`
gen_require(`
type port_t;
- attribute port_type;
+ attribute defined_port_type;
')
allow $1 port_t:udp_socket name_bind;
- dontaudit $1 { port_type -port_t }:udp_socket name_bind;
+ dontaudit $1 defined_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Connect DCCP sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_connect_generic_port',`
+ gen_require(`
+ type port_t;
+ ')
+
+ allow $1 port_t:dccp_socket name_connect;
')
########################################
@@ -1320,6 +1487,24 @@ interface(`corenet_tcp_connect_generic_port',`
########################################
## <summary>
+## Send and receive DCCP network traffic on all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_sendrecv_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:dccp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
## Send and receive TCP network traffic on all ports.
## </summary>
## <desc>
@@ -1439,6 +1624,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
########################################
## <summary>
+## Bind DCCP sockets to all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_bind_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:dccp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
## Bind TCP sockets to all ports.
## </summary>
## <param name="domain">
@@ -1458,6 +1662,24 @@ interface(`corenet_tcp_bind_all_ports',`
########################################
## <summary>
+## Do not audit attepts to bind DCCP sockets to any ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_bind_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ dontaudit $1 port_type:dccp_socket name_bind;
+')
+
+########################################
+## <summary>
## Do not audit attepts to bind TCP sockets to any ports.
## </summary>
## <param name="domain">
@@ -1513,6 +1735,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',`
########################################
## <summary>
+## Connect DCCP sockets to all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_connect_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:dccp_socket name_connect;
+')
+
+########################################
+## <summary>
## Connect TCP sockets to all ports.
## </summary>
## <desc>
@@ -1559,6 +1799,25 @@ interface(`corenet_tcp_connect_all_ports',`
########################################
## <summary>
+## Do not audit attempts to connect DCCP sockets
+## to all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_connect_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ dontaudit $1 port_type:dccp_socket name_connect;
+')
+
+########################################
+## <summary>
## Do not audit attempts to connect TCP sockets
## to all ports.
## </summary>
@@ -1578,6 +1837,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',`
########################################
## <summary>
+## Send and receive DCCP network traffic on generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_sendrecv_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:dccp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
## Send and receive TCP network traffic on generic reserved ports.
## </summary>
## <param name="domain">
@@ -1647,7 +1924,7 @@ interface(`corenet_udp_sendrecv_reserved_port',`
########################################
## <summary>
-## Bind TCP sockets to generic reserved ports.
+## Bind DCCP sockets to generic reserved ports.
## </summary>
## <param name="domain">
## <summary>
@@ -1655,18 +1932,18 @@ interface(`corenet_udp_sendrecv_reserved_port',`
## </summary>
## </param>
#
-interface(`corenet_tcp_bind_reserved_port',`
+interface(`corenet_dccp_bind_reserved_port',`
gen_require(`
type reserved_port_t;
')
- allow $1 reserved_port_t:tcp_socket name_bind;
+ allow $1 reserved_port_t:dccp_socket name_bind;
allow $1 self:capability net_bind_service;
')
########################################
## <summary>
-## Bind UDP sockets to generic reserved ports.
+## Bind TCP sockets to generic reserved ports.
## </summary>
## <param name="domain">
## <summary>
@@ -1674,18 +1951,18 @@ interface(`corenet_tcp_bind_reserved_port',`
## </summary>
## </param>
#
-interface(`corenet_udp_bind_reserved_port',`
+interface(`corenet_tcp_bind_reserved_port',`
gen_require(`
type reserved_port_t;
')
- allow $1 reserved_port_t:udp_socket name_bind;
+ allow $1 reserved_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
')
########################################
## <summary>
-## Connect TCP sockets to generic reserved ports.
+## Bind UDP sockets to generic reserved ports.
## </summary>
## <param name="domain">
## <summary>
@@ -1693,17 +1970,18 @@ interface(`corenet_udp_bind_reserved_port',`
## </summary>
## </param>
#
-interface(`corenet_tcp_connect_reserved_port',`
+interface(`corenet_udp_bind_reserved_port',`
gen_require(`
type reserved_port_t;
')
- allow $1 reserved_port_t:tcp_socket name_connect;
+ allow $1 reserved_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
')
########################################
## <summary>
-## Send and receive TCP network traffic on all reserved ports.
+## Connect DCCP sockets to generic reserved ports.
## </summary>
## <param name="domain">
## <summary>
@@ -1711,17 +1989,17 @@ interface(`corenet_tcp_connect_reserved_port',`
## </summary>
## </param>
#
-interface(`corenet_tcp_sendrecv_all_reserved_ports',`
+interface(`corenet_dccp_connect_reserved_port',`
gen_require(`
- attribute reserved_port_type;
+ type reserved_port_t;
')
- allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
+ allow $1 reserved_port_t:dccp_socket name_connect;
')
########################################
## <summary>
-## Send UDP network traffic on all reserved ports.
+## Connect TCP sockets to generic reserved ports.
## </summary>
## <param name="domain">
## <summary>
@@ -1729,9 +2007,63 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',`
## </summary>
## </param>
#
-interface(`corenet_udp_send_all_reserved_ports',`
+interface(`corenet_tcp_connect_reserved_port',`
gen_require(`
- attribute reserved_port_type;
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Send and receive DCCP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_sendrecv_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send and receive TCP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_send_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
')
allow $1 reserved_port_type:udp_socket send_msg;
@@ -1772,6 +2104,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
########################################
## <summary>
+## Bind DCCP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:dccp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
## Bind TCP sockets to all reserved ports.
## </summary>
## <param name="domain">
@@ -1791,6 +2142,24 @@ interface(`corenet_tcp_bind_all_reserved_ports',`
########################################
## <summary>
+## Do not audit attempts to bind DCCP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ dontaudit $1 reserved_port_type:dccp_socket name_bind;
+')
+
+########################################
+## <summary>
## Do not audit attempts to bind TCP sockets to all reserved ports.
## </summary>
## <param name="domain">
@@ -1846,6 +2215,24 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
########################################
## <summary>
+## Bind DCCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_bind_all_unreserved_ports',`
+ gen_require(`
+ attribute unreserved_port_type;
+ ')
+
+ allow $1 unreserved_port_type:dccp_socket name_bind;
+')
+
+########################################
+## <summary>
## Bind TCP sockets to all ports > 1024.
## </summary>
## <param name="domain">
@@ -1856,10 +2243,10 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
#
interface(`corenet_tcp_bind_all_unreserved_ports',`
gen_require(`
- attribute port_type, reserved_port_type;
+ attribute unreserved_port_type;
')
- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
+ allow $1 unreserved_port_type:tcp_socket name_bind;
')
########################################
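Review bot: Changing `allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;` to `allow $1 unreserved_port_type:tcp_socket name_bind;` is a semantic change, not a rename: the old set was every port type except the reserved ones, while the new one is only types carrying unreserved_port_type, and per the comment in corenetwork.te.in ephemeral ports are explicitly "non ephemeral"-excluded from it and get their own ephemeral_port_type. Callers that previously bound to ephemeral ports or to named service types above 1024 may therefore lose access unless the port-definition macro, which is not in this diff, attaches unreserved_port_type to every such type. The same change is made to corenet_udp_bind_all_unreserved_ports in the next hunk and to corenet_tcp_connect_all_unreserved_ports further down. Tightening is the safer direction, but the summary still says "all ports > 1024", so either the summary should be narrowed to match or the attribute assignment confirmed.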
@@ -1874,10 +2261,64 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
#
interface(`corenet_udp_bind_all_unreserved_ports',`
gen_require(`
- attribute port_type, reserved_port_type;
+ attribute unreserved_port_type;
+ ')
+
+ allow $1 unreserved_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to all ports > 32768.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_ephemeral_ports',`
+ gen_require(`
+ attribute ephemeral_port_type;
')
- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
+ allow $1 ephemeral_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to all ports > 32768.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_ephemeral_ports',`
+ gen_require(`
+ attribute ephemeral_port_type;
+ ')
+
+ allow $1 ephemeral_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+## Connect DCCP sockets to reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:dccp_socket name_connect;
')
########################################
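Review bot: The summary of the new corenet_dccp_connect_all_reserved_ports says "Connect DCCP sockets to reserved ports.", while every sibling `*_all_reserved_ports` interface in this file says "all reserved ports" and the generic-reserved variant uses "generic reserved ports"; it should read `## Connect DCCP sockets to all reserved ports.` so the name and the summary distinguish the two scopes. The ephemeral bind interfaces added in the same hunk hardcode "> 32768" in their summaries whereas the type comment in corenetwork.te.in defers to ip_local_port_range; a wording like "ephemeral (ip_local_port_range) ports" avoids a number that may not match the host.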
@@ -1900,6 +2341,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
########################################
## <summary>
+## Connect DCCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_connect_all_unreserved_ports',`
+ gen_require(`
+ attribute unreserved_port_type;
+ ')
+
+ allow $1 unreserved_port_type:dccp_socket name_connect;
+')
+
+########################################
+## <summary>
## Connect TCP sockets to all ports > 1024.
## </summary>
## <param name="domain">
@@ -1910,10 +2369,47 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
#
interface(`corenet_tcp_connect_all_unreserved_ports',`
gen_require(`
- attribute port_type, reserved_port_type;
+ attribute unreserved_port_type;
')
- allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
+ allow $1 unreserved_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Connect TCP sockets to all ports > 32768.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_ephemeral_ports',`
+ gen_require(`
+ attribute ephemeral_port_type;
+ ')
+
+ allow $1 ephemeral_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to connect DCCP sockets
+## all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ dontaudit $1 reserved_port_type:dccp_socket name_connect;
')
########################################
@@ -1937,6 +2433,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
########################################
## <summary>
+## Connect DCCP sockets to rpc ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_connect_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ allow $1 rpc_port_type:dccp_socket name_connect;
+')
+
+########################################
+## <summary>
## Connect TCP sockets to rpc ports.
## </summary>
## <param name="domain">
@@ -1955,6 +2469,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
########################################
## <summary>
+## Do not audit attempts to connect DCCP sockets
+## all rpc ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ dontaudit $1 rpc_port_type:dccp_socket name_connect;
+')
+
+########################################
+## <summary>
## Do not audit attempts to connect TCP sockets
## all rpc ports.
## </summary>
@@ -1993,6 +2526,24 @@ interface(`corenet_rw_tun_tap_dev',`
########################################
## <summary>
+## Read and write inherited TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_rw_inherited_tun_tap_dev',`
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+ allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read or write the TUN/TAP
## virtual network device.
## </summary>
@@ -2049,6 +2600,25 @@ interface(`corenet_rw_ppp_dev',`
########################################
## <summary>
+## Bind DCCP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_bind_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ allow $1 rpc_port_type:dccp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
## Bind TCP sockets to all RPC ports.
## </summary>
## <param name="domain">
@@ -2068,6 +2638,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
########################################
## <summary>
+## Do not audit attempts to bind DCCP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_bind_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ dontaudit $1 rpc_port_type:dccp_socket name_bind;
+')
+
+########################################
+## <summary>
## Do not audit attempts to bind TCP sockets to all RPC ports.
## </summary>
## <param name="domain">
@@ -2194,6 +2782,25 @@ interface(`corenet_tcp_recv_netlabel',`
########################################
## <summary>
+## Receive DCCP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:peer recv;
+ allow $1 netlabel_peer_t:dccp_socket recvfrom;
+')
+
+########################################
+## <summary>
## Receive TCP packets from a NetLabel connection.
## </summary>
## <param name="domain">
@@ -2213,6 +2820,31 @@ interface(`corenet_tcp_recvfrom_netlabel',`
########################################
## <summary>
+## Receive DCCP packets from an unlabled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_recvfrom_unlabeled',`
+ gen_require(`
+ attribute corenet_unlabeled_type;
+ ')
+
+ kernel_dccp_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
+
+ typeattribute $1 corenet_unlabeled_type;
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
## Receive TCP packets from an unlabled connection.
## </summary>
## <param name="domain">
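Review bot: The new corenet_dccp_recvfrom_unlabeled both adds the caller to corenet_unlabeled_type and still calls `kernel_sendrecv_unlabeled_association($1)` under the inherited "XXX" comment, so the new corenet_enable_unlabeled_packets has no additional effect for these callers until that direct call is removed; a comment stating that the attribute is the intended replacement, `# corenet_unlabeled_type is the future-proof switch; the direct call below is legacy`, would record the migration plan. The same combination is applied to corenet_tcp_recvfrom_unlabeled in the next hunk, while the udp and raw variants are outside the visible hunks and, if they do not get the typeattribute too, callers of those will be missed by the attribute-based switch. The "oubound" typo in the copied comment could be fixed while it is being duplicated.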
@@ -2222,9 +2854,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
## </param>
#
interface(`corenet_tcp_recvfrom_unlabeled',`
+ gen_require(`
+ attribute corenet_unlabeled_type;
+ ')
+
kernel_tcp_recvfrom_unlabeled($1)
kernel_recvfrom_unlabeled_peer($1)
+ typeattribute $1 corenet_unlabeled_type;
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
@@ -2249,6 +2886,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
########################################
## <summary>
+## Do not audit attempts to receive DCCP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:peer recv;
+ dontaudit $1 netlabel_peer_t:dccp_socket recvfrom;
+')
+
+########################################
+## <summary>
## Do not audit attempts to receive TCP packets from a NetLabel
## connection.
## </summary>
@@ -2269,6 +2926,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
########################################
## <summary>
+## Do not audit attempts to receive DCCP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_recvfrom_unlabeled',`
+ kernel_dontaudit_dccp_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
@@ -2533,6 +3211,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
## <infoflow type="read" weight="10"/>
#
interface(`corenet_all_recvfrom_unlabeled',`
+ kernel_dccp_recvfrom_unlabeled($1)
kernel_tcp_recvfrom_unlabeled($1)
kernel_udp_recvfrom_unlabeled($1)
kernel_raw_recvfrom_unlabeled($1)
@@ -2571,7 +3250,31 @@ interface(`corenet_all_recvfrom_netlabel',`
')
allow $1 netlabel_peer_t:peer recv;
- allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
+ allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
+')
+
+########################################
+## <summary>
+## Enable unlabeled net packets
+## </summary>
+## <desc>
+## <p>
+## Allow unlabeled_packet_t to be used by all domains that use the network
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_enable_unlabeled_packets',`
+ gen_require(`
+ attribute corenet_unlabeled_type;
+ ')
+
+ kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)
')
########################################
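Review bot: corenet_enable_unlabeled_packets documents a `domain` parameter and an infoflow, but its body never references `$1`; it acts on the corenet_unlabeled_type attribute as a whole, so the `<param name="domain">` block should be dropped and the summary should say what it really does, e.g. `## Allow every domain in corenet_unlabeled_type to send and receive on unlabeled associations.` Because a single call from any module flips this for all members of the attribute, the description should also state that it is a global switch rather than a per-domain grant, so that reviewers of calling modules understand the blast radius. The summary line is also missing its trailing period.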
@@ -2585,6 +3288,7 @@ interface(`corenet_all_recvfrom_netlabel',`
## </param>
#
interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
+ kernel_dontaudit_dccp_recvfrom_unlabeled($1)
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
kernel_dontaudit_udp_recvfrom_unlabeled($1)
kernel_dontaudit_raw_recvfrom_unlabeled($1)
@@ -2613,7 +3317,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
')
dontaudit $1 netlabel_peer_t:peer recv;
- dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
+ dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
+')
+
+########################################
+## <summary>
+## Rules for receiving labeled DCCP packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="peer_domain">
+## <summary>
+## Peer domain.
+## </summary>
+## </param>
+#
+interface(`corenet_dccp_recvfrom_labeled',`
+ allow { $1 $2 } self:association sendto;
+ allow $1 $2:{ association dccp_socket } recvfrom;
+ allow $2 $1:{ association dccp_socket } recvfrom;
+
+ allow $1 $2:peer recv;
+ allow $2 $1:peer recv;
+
+ # allow receiving packets from MLS-only peers using NetLabel
+ corenet_dccp_recvfrom_netlabel($1)
+ corenet_dccp_recvfrom_netlabel($2)
')
########################################
@@ -2727,6 +3459,7 @@ interface(`corenet_raw_recvfrom_labeled',`
## </param>
#
interface(`corenet_all_recvfrom_labeled',`
+ corenet_dccp_recvfrom_labeled($1, $2)
corenet_tcp_recvfrom_labeled($1, $2)
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 99b71cb..17d942f 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,15 @@ attribute netif_type;
attribute node_type;
attribute packet_type;
attribute port_type;
+attribute defined_port_type;
attribute reserved_port_type;
+attribute unreserved_port_type;
+attribute ephemeral_port_type;
attribute rpc_port_type;
attribute server_packet_type;
attribute corenet_unconfined_type;
+attribute corenet_unlabeled_type;
type ppp_device_t;
dev_node(ppp_device_t)
@@ -25,6 +29,7 @@ dev_node(ppp_device_t)
#
type tun_tap_device_t;
dev_node(tun_tap_device_t)
+mls_trusted_object(tun_tap_device_t)
########################################
#
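Review bot: The added `mls_trusted_object(tun_tap_device_t)` has no comment, and it exempts the tun/tap device node from the MLS read/write constraints for every domain that can open it, so the reason for the exemption should be recorded next to the line. Nothing in this hunk shows which consumer needed it; once that is confirmed, a comment such as `# MLS: tun/tap nodes are shared by domains at different levels (e.g. virtualization), so MLS constraints must not block them` would let a later reviewer decide whether the exemption is still required. Without it the line reads as an unexplained widening of MLS policy.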
@@ -34,6 +39,18 @@ dev_node(tun_tap_device_t)
#
# client_packet_t is the default type of IPv4 and IPv6 client packets.
#
+type intranet_packet_t;
+corenet_packet(intranet_packet_t)
+
+#
+# client_packet_t is the default type of IPv4 and IPv6 client packets.
+#
+type internet_packet_t;
+corenet_packet(internet_packet_t)
+
+#
+# client_packet_t is the default type of IPv4 and IPv6 client packets.
+#
type client_packet_t, packet_type, client_packet_type;
#
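Review bot: The header comments above the new `intranet_packet_t` and `internet_packet_t` declarations are copied verbatim from `client_packet_t` and describe the wrong type, so each should state what its own type labels. Suggest `# intranet_packet_t is the type of packets to/from hosts on the local (trusted) network` and `# internet_packet_t is the type of packets to/from hosts outside the local network`, adjusted to whatever SECMARK rule is expected to apply them, since nothing in this hunk assigns either type to a packet. Neither declaration lists `packet_type` directly; if `corenet_packet()` supplies that attribute, a short note saying so would save the next reader a lookup.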
@@ -50,6 +67,17 @@ type port_t, port_type;
sid port gen_context(system_u:object_r:port_t,s0)
#
+# unreserved_port_t is the default type of port numbers > 1024 and non ephemeral
+#
+type unreserved_port_t, port_type, unreserved_port_type;
+
+#
+# ephemeral_port_t is the default type of ephemeral port numbers.
+# cat /proc/sys/net/ipv4/ip_local_port_range
+#
+type ephemeral_port_t, port_type, ephemeral_port_type;
+
+#
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
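Review bot: The comment on `unreserved_port_t` says it covers port numbers `> 1024`, but the default `portcon` ranges added later in this file start at 1024 (`1024-32767`), so the comment should read `>= 1024 and not ephemeral`. The `ephemeral_port_t` comment points at `/proc/sys/net/ipv4/ip_local_port_range`, yet the policy hard-codes 32768-61000 elsewhere; it is worth stating that this is the kernel default and that a host with a tuned `ip_local_port_range` will have some ephemeral ports labelled `unreserved_port_t` (or the reverse) until the policy is adjusted, so the two stay in sync on purpose rather than by accident.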
@@ -65,30 +93,37 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
type server_packet_t, packet_type, server_packet_type;
network_port(afs_bos, udp,7007,s0)
+network_port(afs_client, udp,7001,s0)
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
network_port(afs_pt, udp,7002,s0)
network_port(afs_vl, udp,7003,s0)
network_port(agentx, udp,705,s0, tcp,705,s0)
+network_port(ajaxterm, tcp,8022,s0)
network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
-network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
+network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
+network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
network_port(boinc, tcp,31416,s0)
+network_port(boinc_client_ctrl, tcp,1043,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
network_port(certmaster, tcp,51235,s0)
network_port(chronyd, udp,323,s0)
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
+network_port(cma, tcp,1050,s0, udp,1050,s0)
network_port(cobbler, tcp,25151,s0)
+network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0)
network_port(comsat, udp,512,s0)
+network_port(ctdb, tcp,4379,s0, udp,4379,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
network_port(daap, tcp,3689,s0, udp,3689,s0)
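Review bot: The `aol` line near the top of the hunk is removed and re-added with no visible difference, which looks like a trailing-whitespace change; it is noise in an already large patch and should be dropped or folded into a whitespace-only cleanup. Separately, `commplex` claims TCP and UDP 5000 and 5001, ports that are commonly used as ad-hoc listen ports by development servers; unless confined domains are granted the new `unreserved_port_type` attribute rather than `unreserved_port_t`, any domain that bound those ports as a generic high port will now need an explicit commplex port rule, which is worth a comment on the line.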
@@ -99,14 +134,20 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
+network_port(dogtag, tcp,7390,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
network_port(epmap, tcp,135,s0, udp,135,s0)
+network_port(festival, tcp,1314,s0)
network_port(fingerd, tcp,79,s0)
+network_port(firebird, tcp,3050,s0, udp,3050,s0)
+network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
+network_port(fprot, tcp,10200,s0)
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
network_port(giftd, tcp,1213,s0)
network_port(git, tcp,9418,s0, udp,9418,s0)
+network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
@@ -115,11 +156,12 @@ network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
-network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
+network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
network_port(ipmi, udp,623,s0, udp,664,s0)
network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
@@ -129,20 +171,25 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
-network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
-network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
+network_port(jabber_router, tcp,5347,s0)
+network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 18001, s0)
+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
+network_port(kerberos_admin, tcp,749,s0)
+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
network_port(kismet, tcp,2501,s0)
network_port(kprop, tcp,754,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
network_port(lirc, tcp,8765,s0)
+network_port(luci, tcp,8084,s0)
network_port(lmtp, tcp,24,s0, udp,24,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
network_port(mail, tcp,2000,s0, tcp,3905,s0)
+network_port(matahari, tcp,49000,s0, udp,49000,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
+network_port(movaz_ssc, tcp,5252,s0)
network_port(mpd, tcp,6600,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
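Review bot: `kerberos_master_port_t` (and its `_client_packet_t`/`_server_packet_t` companions) disappears when the `kerberos_master` line is dropped and port 4444 is folded into `kerberos`, so any module or local policy still referencing it will fail to build or load. Unless the rest of the patch, not visible here, removes every such reference, keep a compatibility alias after the new line: `typealias kerberos_port_t alias kerberos_master_port_t;` (and the same for the two packet types). Moving 464 from `kerberos_admin` to the new `kerberos_password` type has a similar effect on any domain that only had `kerberos_admin_port_t` access and uses kpasswd, so those callers should be rechecked.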
@@ -152,16 +199,25 @@ network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
+network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
network_port(ntp, udp,123,s0)
-network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
+network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
+network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0)
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
+network_port(piranha, tcp,3636,s0)
+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)
+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0)
+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0)
+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0)
+network_port(pki_ra, tcp,12888-12889,s0)
+network_port(pki_tps, tcp,7888-7889,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
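Review bot: Renaming `oracledb` to `oracle` silently drops `oracledb_port_t` and its two packet types, so existing modules or local policy referencing `oracledb_port_t` stop compiling; add `typealias oracle_port_t alias oracledb_port_t;` (plus aliases for the packet types) unless every reference is updated in the same patch. The new `nfs` line labels 20048-20049 together with 2049 under one type with no note; the commit message only calls them new nfsd ports, so a short comment naming what that range is for would help the next reader.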
@@ -179,30 +235,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
+network_port(repository, tcp, 6363, s0)
network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
-network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
+network_port(router, udp,520-521,s0, tcp,521,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
+network_port(sametime, tcp,1533,s0, udp,1533,s0)
network_port(sieve, tcp,4190,s0)
network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
+network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
network_port(spamd, tcp,783,s0)
network_port(speech, tcp,8036,s0)
-network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+network_port(ssdp, tcp,1900,s0, udp, 1900, s0)
network_port(ssh, tcp,22,s0)
+network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0)
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(swat, tcp,901,s0)
-network_port(syslogd, udp,514,s0)
+network_port(sype, tcp,9911,s0, udp,9911,s0)
+network_port(syslogd, udp,514,s0, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
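Review bot: The trailing comment on the `squid` line, `# snmp and htcp`, described 3401 and 4827, and inserting `tcp,3128` in front of them makes it misleading; suggest `# 3128 is the http proxy port; 3401/4827 are snmp and htcp`. The `syslogd` line gains 6514 on both TCP and UDP with no note; 6514 is registered for syslog over TLS, so a comment such as `# 6514 is syslog over TLS` would document why a UDP-only service type now includes a TCP port. On the `snmp` line, TCP 161-162 is new rather than a range merge like `router`, which is easy to miss and worth calling out in the commit description.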
@@ -215,7 +276,7 @@ network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
-network_port(vnc, tcp,5900,s0)
+network_port(vnc, tcp,5900-5999,s0)
network_port(wccp, udp,2048,s0)
network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
network_port(xdmcp, udp,177,s0, tcp,177,s0)
@@ -229,6 +290,7 @@ network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
+network_port(zented, tcp,1229,s0, udp,1229,s0)
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
@@ -238,6 +300,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
+portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
+portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
########################################
#
@@ -282,9 +350,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
+allow corenet_unconfined_type port_type:dccp_socket { send_msg recv_msg name_connect };
allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind;
+allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind;
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
index 35fed4f..e0c8f51 100644
--- a/policy/modules/kernel/corenetwork.te.m4
+++ b/policy/modules/kernel/corenetwork.te.m4
@@ -81,7 +81,13 @@ declare_nodes($1_node_t,shift($*))
define(`declare_ports',`dnl
ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
-',`dnl')
+',`
+ifelse(eval(range_start($3) < 32768),1,`typeattribute $1 unreserved_port_type;',`
+ ifelse(eval(range_start($3) > 61001),1,`typeattribute $1 unreserved_port_type;',`
+ typeattribute $1 ephemeral_port_type;
+ ')
+ ')
+')
portcon $2 $3 gen_context(system_u:object_r:$1,$4)
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
')
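Review bot: The new `declare_ports` branch tests `range_start($3) > 61001`, but the default `portcon` entries in corenetwork.te.in label 61001-65535 as `unreserved_port_t`, so a port defined at exactly 61001 would get `ephemeral_port_type` while the catch-all treats it as unreserved; change it to `eval(range_start($3) > 61000)` (or `>= 61001`) so the two agree. The classification also looks only at the start of a range, so a definition such as `tcp,30000-40000` is tagged `unreserved_port_type` even though it overlaps the ephemeral range; if that is intended it deserves a comment above the `define`, and if not the end of the range needs checking as well.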
@@ -90,7 +96,7 @@ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
#
define(`network_port',`
-type $1_port_t, port_type;
+type $1_port_t, port_type, defined_port_type;
type $1_client_packet_t, packet_type, client_packet_type;
type $1_server_packet_t, packet_type, server_packet_type;
declare_ports($1_port_t,shift($*))dnl
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 6cf8784..935a96c 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -20,6 +20,7 @@
/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)
/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -57,8 +58,10 @@
/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+/dev/media.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
@@ -126,6 +129,7 @@ ifdef(`distro_suse', `
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0)
+/dev/cdc-wdm[0-1] -c gen_context(system_u:object_r:modem_device_t,s0)
/dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
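Review bot: The new `/dev/cdc-wdm[0-1]` entry matches only two devices and is placed between `/dev/watchdog` and `/dev/winradio`, out of the alphabetical order the rest of the file keeps. Other numbered nodes in this file use an unbounded class, e.g. `/dev/lirc[0-9]+` a few hunks above, so `/dev/cdc-wdm[0-9]+ -c gen_context(system_u:object_r:modem_device_t,s0)` placed with the other `/dev/c*` entries would be consistent and would also cover a third modem.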
@@ -187,8 +191,6 @@ ifdef(`distro_suse', `
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
-/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
-
ifdef(`distro_redhat',`
# originally from named.fc
/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
@@ -196,3 +198,8 @@ ifdef(`distro_redhat',`
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
+
+#
+# /sys
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index f820f3b..7139ab3 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
relabelfrom_dirs_pattern($1, device_t, device_node)
relabelfrom_files_pattern($1, device_t, device_node)
relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
- relabelfrom_fifo_files_pattern($1, device_t, device_node)
- relabelfrom_sock_files_pattern($1, device_t, device_node)
+ relabel_fifo_files_pattern($1, device_t, { device_t device_node })
+ relabel_sock_files_pattern($1, device_t, { device_t device_node })
relabel_blk_files_pattern($1, device_t, { device_t device_node })
relabel_chr_files_pattern($1, device_t, { device_t device_node })
')
########################################
## <summary>
+## Allow full relabeling (to and from) of all device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_relabel_all_dev_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ relabel_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
## List all of the device nodes in a device directory.
## </summary>
## <param name="domain">
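Review bot: Switching the fifo and sock patterns in `dev_relabel_all_dev_nodes` from `relabelfrom_*` to `relabel_*` adds `relabelto` on `device_t` and every `device_node` fifo/sock file for all existing callers, a privilege expansion that the interface summary above this hunk does not mention; the summary or a comment on those two lines should say the interface now relabels these classes in both directions, and the callers should be rechecked. The new `dev_relabel_all_dev_files` is marked `<rolecap/>` but only covers `device_t` plain files, while its summary says `all device files`; either the summary should read `generic files in /dev` or the pattern should use `{ device_t device_node }` like the sibling above it.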
@@ -209,6 +228,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
########################################
## <summary>
+## Dontaudit attempts to list all device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_all_access_check',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ dontaudit $1 device_node:file_class_set audit_access;
+')
+
+########################################
+## <summary>
## Add entries to directories in /dev.
## </summary>
## <param name="domain">
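Review bot: The summary of `dev_dontaudit_all_access_check` says `Dontaudit attempts to list all device nodes`, which is copied from the interface just above it; the body only suppresses `audit_access` (access(2)-style permission probes) on `device_node:file_class_set`. Suggest `## Do not audit access checks (audit_access) on all device nodes.` so the generated documentation matches the rule and searches for list-related interfaces do not surface it.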
@@ -352,6 +389,24 @@ interface(`dev_read_generic_files',`
read_files_pattern($1, device_t, device_t)
')
+#######################################
+## <summary>
+## Read generic files in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_generic_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:file { read getattr };
+')
+
########################################
## <summary>
## Read and write generic files in /dev.
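Review bot: `dev_dontaudit_read_generic_files` carries the summary `Read generic files in /dev.`, which describes the allow interface above it rather than this dontaudit; suggest `## Do not audit attempts to read generic files in /dev.`. The divider line that opens the new block also appears one `#` shorter than the 40-character dividers used elsewhere in the file, which is cosmetic but worth fixing while the block is being touched.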
@@ -462,6 +517,42 @@ interface(`dev_getattr_generic_blk_files',`
########################################
## <summary>
+## Rename generic block device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rename_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ rename_blk_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+## write generic sock files in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_write_generic_sock_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ write_sock_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
## Dontaudit getattr on generic block devices.
## </summary>
## <param name="domain">
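Review bot: `dev_write_generic_sock_files` is an allow interface, but its `<param>` text says `Domain to not audit.` and its summary starts in lowercase (`write generic sock files`), both copy-paste artefacts that will carry into the generated documentation; suggest `## Write generic socket files in /dev.` and `## Domain allowed access.`. The neighbouring `dev_rename_generic_blk_files` is documented correctly and can serve as the template.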
@@ -570,6 +661,24 @@ interface(`dev_dontaudit_getattr_generic_chr_files',`
########################################
## <summary>
+## Rename generic character device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rename_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ rename_chr_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
## Dontaudit setattr for generic character device files.
## </summary>
## <param name="domain">
@@ -646,7 +755,7 @@ interface(`dev_rw_generic_blk_files',`
## </summary>
## <param name="domain">
## <summary>
-## Domain to dontaudit access.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -733,7 +842,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
########################################
## <summary>
-## Read symbolic links in device directories.
+## Create symbolic links in device directories.
## </summary>
## <param name="domain">
## <summary>
@@ -741,17 +850,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
## </summary>
## </param>
#
-interface(`dev_read_generic_symlinks',`
+interface(`dev_create_generic_symlinks',`
gen_require(`
type device_t;
')
- allow $1 device_t:lnk_file read_lnk_file_perms;
+ create_lnk_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
-## Create symbolic links in device directories.
+## Delete symbolic links in device directories.
## </summary>
## <param name="domain">
## <summary>
@@ -759,17 +868,17 @@ interface(`dev_read_generic_symlinks',`
## </summary>
## </param>
#
-interface(`dev_create_generic_symlinks',`
+interface(`dev_delete_generic_symlinks',`
gen_require(`
type device_t;
')
- create_lnk_files_pattern($1, device_t, device_t)
+ delete_lnk_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
-## Delete symbolic links in device directories.
+## Read symbolic links in device directories.
## </summary>
## <param name="domain">
## <summary>
@@ -777,12 +886,12 @@ interface(`dev_create_generic_symlinks',`
## </summary>
## </param>
#
-interface(`dev_delete_generic_symlinks',`
+interface(`dev_read_generic_symlinks',`
gen_require(`
type device_t;
')
- delete_lnk_files_pattern($1, device_t, device_t)
+ allow $1 device_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -938,7 +1047,7 @@ interface(`dev_filetrans',`
type device_t;
')
- filetrans_pattern($1, device_t, $2, $3)
+ filetrans_pattern($1, device_t, $2, $3, $4)
dev_associate($2)
files_associate_tmp($2)
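Review bot: `dev_filetrans` now forwards a fourth argument to `filetrans_pattern`, but the interface's documentation block, which starts above this hunk, still describes only three parameters; add a `<param name="name" optional="true">` entry describing it as the object name for a named file transition. Existing three-argument callers keep working because an absent `$4` expands to nothing in m4, and that should be stated in the new param text so nobody adds a guard for it later.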
@@ -1024,6 +1133,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
interface(`dev_getattr_all_chr_files',`
gen_require(`
attribute device_node;
+ type device_t;
')
getattr_chr_files_pattern($1, device_t, device_node)
@@ -1196,6 +1306,42 @@ interface(`dev_create_all_chr_files',`
########################################
## <summary>
+## rw all inherited character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_all_inherited_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ allow $1 device_node:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+## <summary>
+## rw all inherited blk device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_all_inherited_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ allow $1 device_node:blk_file rw_inherited_blk_file_perms;
+')
+
+########################################
+## <summary>
## Delete all block device files.
## </summary>
## <param name="domain">
@@ -2358,7 +2504,97 @@ interface(`dev_filetrans_lirc',`
########################################
## <summary>
-## Get the attributes of the lvm comtrol device.
+## Get the attributes of the loop comtrol device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_loop_control',`
+ gen_require(`
+ type device_t, loop_control_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, loop_control_device_t)
+')
+
+########################################
+## <summary>
+## Read the loop comtrol device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_loop_control',`
+ gen_require(`
+ type device_t, loop_control_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, loop_control_device_t)
+')
+
+########################################
+## <summary>
+## Read and write the loop control device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_loop_control',`
+ gen_require(`
+ type device_t, loop_control_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, loop_control_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write loop control device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_loop_control',`
+ gen_require(`
+ type loop_control_device_t;
+ ')
+
+ dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Delete the loop control device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_delete_loop_control_dev',`
+ gen_require(`
+ type device_t, loop_control_device_t;
+ ')
+
+ delete_chr_files_pattern($1, device_t, loop_control_device_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of the loop comtrol device.
## </summary>
## <param name="domain">
## <summary>
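Review bot: The last added line of this hunk, `## Get the attributes of the loop comtrol device.`, becomes the summary of the interface that follows the hunk, which from the replaced context line (`lvm comtrol device`) is the lvm control interface, so that interface is now mis-documented; it should read `## Get the attributes of the lvm control device.`, and the `comtrol` typo should be fixed in the new loop summaries as well. `dev_dontaudit_rw_loop_control` uses `rw_file_perms` on a `chr_file`, whereas the file's convention (see the `write_chr_file_perms` change a few hunks below) is the class-specific set; `dontaudit $1 loop_control_device_t:chr_file rw_chr_file_perms;` keeps the dontaudit aligned with what `rw_chr_files_pattern` grants on the allow side.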
@@ -2681,7 +2917,7 @@ interface(`dev_write_misc',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -2932,7 +3168,7 @@ interface(`dev_dontaudit_write_mtrr',`
')
dontaudit $1 mtrr_device_t:file write;
- dontaudit $1 mtrr_device_t:chr_file write;
+ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
')
########################################
@@ -3210,24 +3446,6 @@ interface(`dev_rw_printer',`
########################################
## <summary>
-## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dev_read_printk',`
- gen_require(`
- type device_t, printk_device_t;
- ')
-
- read_chr_files_pattern($1, device_t, printk_device_t)
-')
-
-########################################
-## <summary>
## Get the attributes of the QEMU
## microcode and id interfaces.
## </summary>
@@ -3811,6 +4029,42 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
## <summary>
+## Set the attributes of sysfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
+## Get attributes of sysfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Search the sysfs directories.
## </summary>
## <param name="domain">
@@ -3902,25 +4156,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
## <summary>
-## Create, read, write, and delete sysfs
-## directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dev_manage_sysfs_dirs',`
- gen_require(`
- type sysfs_t;
- ')
-
- manage_dirs_pattern($1, sysfs_t, sysfs_t)
-')
-
-########################################
-## <summary>
## Read hardware state information.
## </summary>
## <desc>
@@ -3972,6 +4207,42 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
+## Relabel hardware state directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabel_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
+## Allow caller to modify hardware state information.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ manage_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
## Read and write the TPM device.
## </summary>
## <param name="domain">
@@ -4069,6 +4340,25 @@ interface(`dev_write_urand',`
########################################
## <summary>
+## Do not audit attempts to write to pseudo
+## random devices (e.g., /dev/urandom)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_urand',`
+ gen_require(`
+ type urandom_device_t;
+ ')
+
+ dontaudit $1 urandom_device_t:chr_file write;
+')
+
+########################################
+## <summary>
## Getattr generic the USB devices.
## </summary>
## <param name="domain">
@@ -4495,6 +4785,24 @@ interface(`dev_rw_vhost',`
########################################
## <summary>
+## Allow read/write inheretid the vhost net device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_inherited_vhost',`
+ gen_require(`
+ type device_t, vhost_device_t;
+ ')
+
+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+## <summary>
## Read and write VMWare devices.
## </summary>
## <param name="domain">
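Review bot: `dev_rw_inherited_vhost` requires `device_t` in its `gen_require` but never uses it, since the only rule is on `vhost_device_t:chr_file`; reduce it to `type vhost_device_t;`. The summary also has a typo and reads awkwardly (`Allow read/write inheretid the vhost net device`); suggest `## Read and write inherited vhost net device file descriptors.` so the generated documentation is clear about the inherited-descriptor scope.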
@@ -4784,3 +5092,794 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
+
+########################################
+## <summary>
+## Dontaudit getattr on all device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_all',`
+ gen_require(`
+ attribute device_node;
+ type device_t;
+ ')
+
+ dontaudit $1 { device_t device_node }:dir_file_class_set getattr;
+')
+
+########################################
+## <summary>
+## Create all named devices with the correct label
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_all_named_dev',`
+
+gen_require(`
+ type device_t;
+ type usb_device_t;
+ type xserver_misc_device_t;
+ type sound_device_t;
+ type apm_bios_t;
+ type mouse_device_t;
+ type autofs_device_t;
+ type lvm_control_t;
+ type crash_device_t;
+ type dlm_control_device_t;
+ type clock_device_t;
+ type v4l_device_t;
+ type event_device_t;
+ type xen_device_t;
+ type framebuf_device_t;
+ type null_device_t;
+ type random_device_t;
+ type dri_device_t;
+ type ipmi_device_t;
+ type printer_device_t;
+ type memory_device_t;
+ type kmsg_device_t;
+ type qemu_device_t;
+ type ksm_device_t;
+ type kvm_device_t;
+ type lirc_device_t;
+ type cpu_device_t;
+ type scanner_device_t;
+ type modem_device_t;
+ type vhost_device_t;
+ type netcontrol_device_t;
+ type nvram_device_t;
+ type power_device_t;
+ type wireless_device_t;
+ type tpm_device_t;
+ type userio_device_t;
+ type urandom_device_t;
+ type usbmon_device_t;
+ type vmware_device_t;
+ type watchdog_device_t;
+ type crypt_device_t;
+ type zero_device_t;
+ type smartcard_device_t;
+ type mtrr_device_t;
+')
+
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi3")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi4")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi5")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi6")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi7")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi8")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi9")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp2")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp3")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp4")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp5")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp6")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp7")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp8")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp9")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload2")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload3")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload4")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload5")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload6")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload7")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload8")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload9")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi2")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi3")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi4")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi5")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi6")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi7")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi8")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi9")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer2")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer3")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer4")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer5")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer6")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer7")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer8")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer9")
+ filetrans_pattern($1, device_t, apm_bios_t, chr_file, "apm_bios")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "atibm")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio2")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio3")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio4")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio5")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio6")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio7")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio8")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio9")
+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs0")
+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs1")
+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs2")
+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs3")
+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs4")
+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs5")
+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs6")
+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs7")
+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs8")
+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep")
+ filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64")
+ filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash")
+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0")
+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1")
+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm2")
+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm3")
+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm4")
+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm5")
+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm6")
+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm7")
+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm8")
+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm9")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmfm")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi2")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi3")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi4")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi5")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi6")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi7")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi8")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi9")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp2")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp3")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp4")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp5")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp6")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp7")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp8")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp9")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "efirtc")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "e2201")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83000")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83001")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83002")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83003")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83004")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83005")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83006")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83008")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event0")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event1")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event2")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event3")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event4")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event5")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event6")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event7")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event8")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event9")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event10")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event11")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event12")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event13")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event14")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event15")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event16")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event17")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event18")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event19")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb2")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb3")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb4")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb5")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb6")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb7")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb8")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb9")
+ filetrans_pattern($1, device_t, null_device_t, chr_file, "full")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw0")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw1")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw2")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw3")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw4")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw5")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw6")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw7")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw8")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw9")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "000")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "001")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "002")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "003")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "004")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "005")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "006")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "007")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "008")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "009")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc3")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc4")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc5")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc6")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc7")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc8")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc9")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "hfmodem")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev0")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev1")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev2")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev3")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev4")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev5")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev6")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev7")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev8")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev9")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw0")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw1")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw2")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw3")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw4")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw5")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw6")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw7")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw8")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw9")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "hpet")
+ filetrans_pattern($1, device_t, random_device_t, chr_file, "hw_random")
+ filetrans_pattern($1, device_t, random_device_t, chr_file, "hwrng")
+ filetrans_pattern($1, device_t, dri_device_t, chr_file, "i915")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "inportbm")
+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi0")
+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi1")
+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi2")
+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi3")
+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi4")
+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi5")
+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi6")
+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7")
+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8")
+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js2")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js3")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js4")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js5")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js6")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js7")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js8")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js9")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse0")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse1")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse2")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse3")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse4")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse5")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse6")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse7")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse8")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse9")
+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "kmem")
+ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "kmsg")
+ filetrans_pattern($1, device_t, qemu_device_t, chr_file, "kqemu")
+ filetrans_pattern($1, device_t, ksm_device_t, chr_file, "ksm")
+ filetrans_pattern($1, device_t, kvm_device_t, chr_file, "kvm")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik0")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik1")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik2")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik3")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik4")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik5")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik6")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik7")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik8")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik9")
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc0")
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc1")
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc2")
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc3")
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc4")
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc5")
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc6")
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc7")
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc8")
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9")
+ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog")
+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem")
+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "microcode")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi2")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi3")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi4")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi5")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi6")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi7")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi8")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi9")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer2")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer3")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer4")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer5")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer6")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer7")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer8")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer9")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mmetfgrab")
+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "modem")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4010")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4011")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4012")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4013")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4014")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4015")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4016")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4017")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4018")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4019")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr0")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr1")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr2")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr3")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr4")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr5")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr6")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr7")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr8")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr9")
+ filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost")
+ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_latency")
+ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_throughput")
+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz0")
+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz1")
+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz2")
+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz3")
+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz4")
+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz5")
+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz6")
+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz7")
+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8")
+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9")
+ filetrans_pattern($1, device_t, null_device_t, chr_file, "null")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl")
+ filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram")
+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock2")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock3")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock4")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock5")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock6")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock7")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock8")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock9")
+ filetrans_pattern($1, device_t, power_device_t, chr_file, "pmu")
+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "port")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps0")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps1")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps2")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps3")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps4")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps5")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps6")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps7")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps8")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps9")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi2")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi3")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi4")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi5")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi6")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi7")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi8")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi9")
+ filetrans_pattern($1, device_t, dri_device_t, chr_file, "radeon")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio0")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio1")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio2")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio3")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio4")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio5")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio6")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio7")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio8")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio9")
+ filetrans_pattern($1, device_t, random_device_t, chr_file, "random")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13940")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13941")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13942")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13943")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13944")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13945")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13946")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13947")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13948")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13949")
+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm0")
+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm1")
+ filetrans_pattern($1, device_t, wireless_device_t, chr_file, "rfkill")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer2")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte2")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte3")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte4")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte5")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte6")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte7")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte8")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte9")
+ filetrans_pattern($1, device_t, power_device_t, chr_file, "smu")
+ filetrans_pattern($1, device_t, apm_bios_t, chr_file, "snapshot")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sndstat")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "sonypi")
+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm0")
+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm1")
+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm2")
+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm3")
+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm4")
+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm5")
+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm6")
+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm7")
+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm8")
+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm9")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "uinput")
+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio0")
+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio1")
+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio2")
+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio3")
+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio4")
+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio5")
+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio6")
+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio7")
+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio8")
+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio9")
+ filetrans_pattern($1, device_t, urandom_device_t, chr_file, "urandom")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb0")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb1")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb2")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb3")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb4")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb5")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0")
+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1")
+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2")
+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon3")
+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon4")
+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon5")
+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon6")
+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon7")
+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon8")
+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon9")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "usbscanner")
+ filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-net")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi0")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi1")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi2")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi3")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi4")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi5")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi6")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter")
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon")
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0")
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet1")
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet2")
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet3")
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet4")
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet5")
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet6")
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet7")
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet8")
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet9")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media0")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media1")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media2")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media3")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media4")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media5")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media6")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media7")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media8")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media9")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video0")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video1")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video2")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video3")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video4")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video5")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video6")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video7")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video8")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video9")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "vrtpanel")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vttuner")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx0")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx1")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx2")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx3")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx4")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx5")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx6")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx7")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx8")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx9")
+ filetrans_pattern($1, device_t, watchdog_device_t, chr_file, "watchdog")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio0")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio1")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio2")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio3")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio4")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio5")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio6")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio7")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio8")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9")
+ filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt")
+ filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0")
+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1")
+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2")
+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx3")
+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx4")
+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx5")
+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx6")
+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx7")
+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx8")
+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx9")
+ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "cpu_dma_latency")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu0")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu1")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu2")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu3")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu4")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu5")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu6")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu7")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu8")
+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu9")
+ filetrans_pattern($1, device_t, mtrr_device_t, chr_file, "mtrr")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor0")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor1")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor2")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor3")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor4")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor5")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor6")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor7")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor8")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor9")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m0")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m1")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m2")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m3")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m4")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m5")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m6")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m7")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m8")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m9")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard0")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard1")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard2")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard3")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard4")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard5")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard6")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard7")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard8")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard9")
+ filetrans_pattern($1, device_t, lvm_control_t, chr_file, "control")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "ucb1x00")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mk712")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx0")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx1")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx2")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx3")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx4")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx5")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx6")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx7")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx8")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx9")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8000")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8001")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8002")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8003")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8004")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8005")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8006")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8007")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8008")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8009")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner0")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner1")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner2")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner3")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner4")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner5")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner6")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner7")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner8")
+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner9")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap0")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap1")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap2")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap3")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap4")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap5")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap6")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap7")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap8")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd2")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd3")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd4")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd5")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd6")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd7")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk0")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk1")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk2")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk3")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 08f01e7..1c2562c 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -108,6 +108,7 @@ dev_node(ksm_device_t)
#
type kvm_device_t;
dev_node(kvm_device_t)
+mls_trusted_object(kvm_device_t)
#
# Type for /dev/lirc
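Review bot: `mls_trusted_object(kvm_device_t)` exempts the node from the MLS read/write constraints for every domain that can reach it, and the hunk at `@@ -265,6 +272,7 @@` does the same for `vhost_device_t`, yet neither line says which cross-level access the exemption is for. Presumably it is so virtual machines running at different MLS levels can share the host's kvm and vhost-net devices; please record that so a later MLS review can check the exemption is still needed, e.g. `# virt domains at any MLS level must open /dev/kvm and /dev/vhost-net`.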
@@ -118,6 +119,12 @@ dev_node(lirc_device_t)
#
# Type for /dev/mapper/control
#
+type loop_control_device_t;
+dev_node(loop_control_device_t)
+
+#
+# Type for /dev/mapper/control
+#
type lvm_control_t;
dev_node(lvm_control_t)
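Review bot: The comment block that now sits directly above `type loop_control_device_t;` is the original `# Type for /dev/mapper/control` header, which the hunk leaves in place while adding a second copy of that header for `lvm_control_t`, so the new type is documented as the wrong device. Change the leading context comment to `# Type for /dev/loop-control`. The new type presumably also needs a matching devices.fc entry and a name transition in devices.if, neither of which is visible in this hunk.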
@@ -265,6 +272,7 @@ dev_node(v4l_device_t)
#
type vhost_device_t;
dev_node(vhost_device_t)
+mls_trusted_object(vhost_device_t)
# Type for vmware devices.
type vmware_device_t;
@@ -310,5 +318,5 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
-allow devices_unconfined_type device_node:{ blk_file chr_file } *;
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
allow devices_unconfined_type mtrr_device_t:file *;
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 6a1e4d1..cf3d50b 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -631,7 +631,7 @@ interface(`domain_read_all_domains_state',`
########################################
## <summary>
-## Get the attributes of all domains of all domains.
+## Get the attributes of all domains.
## </summary>
## <param name="domain">
## <summary>
@@ -655,7 +655,7 @@ interface(`domain_getattr_all_domains',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -1530,4 +1530,29 @@ interface(`domain_unconfined',`
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
+
+ mcs_file_read_all($1)
+ mcs_file_write_all($1)
+ mcs_killall($1)
+ mcs_ptrace_all($1)
+ mcs_socket_write_all_levels($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## all leaked sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_leaks',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:socket_class_set { read write };
')
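Review bot: `domain_dontaudit_leaks` silences `read` and `write` denials on the sockets of every type carrying the `domain` attribute, not only on leaked descriptors as its summary says, so a genuine attempt by the caller to read or write another domain's socket also disappears from the AVC log. The summary should state that, e.g. `Do not audit attempts to read or write any domain's sockets (intended for descriptors leaked across exec).`, and callers should be limited to domains where such a leak is known. Note also that `domain_unconfined` now additionally grants the MCS-bypass interfaces from `mcs_file_read_all` through `mcs_socket_write_all_levels`, which that interface's summary, which starts before this hunk, does not mention.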
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index fae1ab1..00e20f7 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
#
# Declarations
#
+## <desc>
+## <p>
+## Allow all domains to use other domains file descriptors
+## </p>
+## </desc>
+#
+gen_tunable(allow_domain_fd_use, true)
+
+## <desc>
+## <p>
+## Allow all domains to have the kernel load modules
+## </p>
+## </desc>
+#
+gen_tunable(domain_kernel_load_modules, false)
## <desc>
## <p>
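Review bot: `gen_tunable(allow_domain_fd_use, true)` defaults to on, so out of the box every domain may use any file descriptor handed to it by any other domain, and the description states neither the default nor what disabling it costs. Suggest `Allow all domains to use other domains' file descriptors (default on; disabling it limits inherited fds to what each domain's own policy allows)`. The `domain_kernel_load_modules` description should likewise note that it is off by default, since the `tunable_policy` block later in this file lets any domain trigger kernel module auto-loading when it is on.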
@@ -87,14 +102,17 @@ allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
+kernel_read_crypto_sysctls(domain)
+
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
+kernel_dontaudit_search_debugfs(domain)
# create child processes in the domain
-allow domain self:process { fork sigchld };
+allow domain self:process { fork getsched sigchld };
# Use trusted objects in /dev
dev_rw_null(domain)
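Review bot: `kernel_read_crypto_sysctls(domain)` and `kernel_dontaudit_search_debugfs(domain)` are granted to every domain without a comment, whereas the neighbouring rules in this file each carry a one-line reason. A short note such as `# crypto libraries check /proc/sys/crypto/fips_enabled in every process` would record why all domains need the sysctl read, assuming the FIPS-mode check is the motivation — please confirm. The `getsched` addition to `self:process` is benign but would benefit from the same treatment.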
@@ -103,6 +121,16 @@ term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
+# allow all domains to search through default_t directory, since users sometimes
+# place labels within these directories. (samba_share_t) for example.
+files_search_default(domain)
+
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
+
+tunable_policy(`domain_kernel_load_modules',`
+ kernel_request_load_module(domain)
+')
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
@@ -113,8 +141,13 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
+ afs_rw_cache(domain)
+')
+
+optional_policy(`
libs_use_ld_so(domain)
libs_use_shared_libs(domain)
+ libs_read_lib_files(domain)
')
optional_policy(`
@@ -125,6 +158,8 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
+ xserver_dontaudit_append_xdm_home_files(domain)
+ xserver_dontaudit_write_log(domain)
')
########################################
@@ -143,6 +178,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
+
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
@@ -160,3 +197,91 @@ allow unconfined_domain_type domain:key *;
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
+
+selinux_getattr_fs(domain)
+selinux_search_fs(domain)
+selinux_dontaudit_read_fs(domain)
+
+optional_policy(`
+ seutil_dontaudit_read_config(domain)
+')
+
+optional_policy(`
+ init_sigchld(domain)
+ init_signull(domain)
+')
+
+ifdef(`distro_redhat',`
+ files_search_mnt(domain)
+ optional_policy(`
+ unconfined_use_fds(domain)
+ ')
+')
+
+# these seem questionable:
+
+optional_policy(`
+ abrt_domtrans_helper(domain)
+ abrt_read_pid_files(domain)
+ abrt_read_state(domain)
+ abrt_signull(domain)
+')
+
+optional_policy(`
+ rpm_use_fds(domain)
+ rpm_read_pipes(domain)
+ rpm_search_log(domain)
+ rpm_append_tmp_files(domain)
+ rpm_dontaudit_leaks(domain)
+ rpm_read_script_tmp_files(domain)
+ rpm_inherited_fifo(domain)
+')
+
+optional_policy(`
+ sosreport_append_tmp_files(domain)
+')
+
+tunable_policy(`allow_domain_fd_use',`
+ # Allow all domains to use fds past to them
+ allow domain domain:fd use;
+')
+
+optional_policy(`
+ cron_dontaudit_write_system_job_tmp_files(domain)
+ cron_rw_pipes(domain)
+ cron_rw_system_job_pipes(domain)
+')
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit domain self:udp_socket listen;
+ allow domain domain:key { link search };
+ dontaudit domain domain:socket_class_set { read write };
+ dontaudit domain self:capability sys_module;
+')
+
+optional_policy(`
+ hal_dontaudit_read_pid_files(domain)
+')
+
+optional_policy(`
+ ipsec_match_default_spd(domain)
+')
+
+optional_policy(`
+ ifdef(`hide_broken_symptoms',`
+ afs_rw_udp_sockets(domain)
+ ')
+')
+
+optional_policy(`
+ ssh_rw_pipes(domain)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(domain)
+ unconfined_sigchld(domain)
+')
+
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
+
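Review bot: The `hide_broken_symptoms` block adds `dontaudit domain self:capability sys_module;` and `dontaudit domain domain:socket_class_set { read write };` for every domain, which removes from the audit log exactly the events — a confined process attempting to load a kernel module, or using a descriptor leaked from another domain — that an incident responder relies on. Consider leaving `sys_module` audited or limiting the socket rule to the specific domains that trip it; the socket rule also restates the new `domain_dontaudit_leaks` interface from domain.if and should call that instead. The comment on the `allow_domain_fd_use` block has a typo: `# Allow all domains to use fds passed to them`. The block under `# these seem questionable:` gives every domain `abrt_domtrans_helper`; if it stays, the comment should say what was questionable and why it was kept.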
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index c19518a..12e8e9c 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
/poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
ifdef(`distro_suse',`
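Review bot: `/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)` labels every regular file found directly under `/` as `etc_runtime_t`, the type this file uses for boot-time-rewritten files such as `/halt` and `/fsckoptions`, so any file a process manages to drop at the root acquires a type that is presumably writable by more domains than `etc_t` (inferred from its other uses here; confirm against files.te). The literal entries above it should still take precedence as exact paths, but the catch-all deserves a comment stating the intent, e.g. `# unknown regular files at / (left by boot scripts) default to etc_runtime_t`, and reviewers should be aware that a restorecon will now relabel an unexpected root-level file silently instead of leaving it with the generic fallback for inspection.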
@@ -53,10 +54,17 @@ ifdef(`distro_suse',`
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
-/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/machine-id -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
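Review bot: `/etc/mtab.* --` replaces two exact entries with a regex whose `.` is unescaped, so it also matches any file whose name merely starts with `mtab`; `/etc/mtab(\..*)? -- gen_context(system_u:object_r:etc_runtime_t,s0)` keeps the original coverage of `mtab` and `mtab.fuselock` without the over-match. Separately, `/etc/securetty` controls which terminals permit root login, and giving it `etc_runtime_t` — the type used in this file for files rewritten at boot — presumably makes it writable by whichever boot-time domains can write that type, where before it fell under the generic `/etc` labelling; if a boot script really regenerates it, a comment naming that script would justify the weaker label.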
@@ -68,7 +76,10 @@ ifdef(`distro_suse',`
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -102,10 +113,9 @@ HOME_ROOT/lost\+found/.* <<none>>
/initrd -d gen_context(system_u:object_r:root_t,s0)
#
-# /lib(64)?
+# /lib
#
/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-/lib64/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
#
# /lost+found
@@ -146,7 +156,7 @@ HOME_ROOT/lost\+found/.* <<none>>
/opt -d gen_context(system_u:object_r:usr_t,s0)
/opt/.* gen_context(system_u:object_r:usr_t,s0)
-/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
+/opt/(.*/)?var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
#
# /proc
@@ -154,6 +164,12 @@ HOME_ROOT/lost\+found/.* <<none>>
/proc -d <<none>>
/proc/.* <<none>>
+ifdef(`distro_redhat',`
+/rhev -d gen_context(system_u:object_r:mnt_t,s0)
+/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
+/rhev/[^/]*/.* <<none>>
+')
+
#
# /run
#
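Review bot: `/rhev -d` is fully covered by the following `/rhev(/[^/]*)? -d` entry, since the optional group also matches the bare path with the same context, so the first line is redundant. The `<<none>>` entry for `/rhev/[^/]*/.*` is the important part, as it stops restorecon from relabelling whatever is mounted below those directories (presumably guest storage), and is worth a one-line comment such as `# storage is mounted below /rhev/<name>/; leave mounted content untouched`.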
@@ -214,7 +230,6 @@ HOME_ROOT/lost\+found/.* <<none>>
ifndef(`distro_redhat',`
/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
-
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
@@ -230,17 +245,20 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
+/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/lost\+found/.* <<none>>
/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
-/var/run -l gen_context(system_u:object_r:var_run_t,s0)
+/var/run -l gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
@@ -257,3 +275,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index ff006ea..4262f4a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
## <li>files_pid_file()</li>
## <li>files_security_file()</li>
## <li>files_security_mountpoint()</li>
+## <li>files_spool_file()</li>
## <li>files_tmp_file()</li>
## <li>files_tmpfs_file()</li>
## <li>logging_log_file()</li>
@@ -663,12 +664,63 @@ interface(`files_read_non_security_files',`
attribute non_security_file_type;
')
+ list_dirs_pattern($1, non_security_file_type, non_security_file_type)
read_files_pattern($1, non_security_file_type, non_security_file_type)
read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
## <summary>
+## Manage all non-security files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_non_security_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ manage_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
+## Relabel all non-security files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_non_security_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+ allow $1 { non_security_file_type }:dir list_dir_perms;
+ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+
+ # satisfy the assertions:
+ seutil_relabelto_bin_policy($1)
+')
+
+########################################
+## <summary>
## Read all directories on the filesystem, except
## the listed exceptions.
## </summary>
@@ -1053,10 +1105,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
- # this is only relabelfrom since there should be no
- # device nodes with file types.
- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
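Review bot: Switching `files_relabel_all_files` from `relabelfrom_blk_files_pattern`/`relabelfrom_chr_files_pattern` to the two-way `relabel_*` forms also deletes the comment that explained why only relabelfrom was granted, so the interface now lets `$1` relabel device nodes *to* any file type with no recorded justification. If the wider grant is needed (a device node that legitimately carries a file type), keep a comment on the two lines saying so, e.g. `# relabelto is also needed: <reason>`; otherwise the narrower rule should stay. The enclosing interface starts before this hunk.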
@@ -1482,6 +1532,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
## <summary>
+## Write all mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_write_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ allow $1 mountpoint:dir write;
+')
+
+########################################
+## <summary>
+## Write all file type directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_write_all_dirs',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:dir write;
+')
+
+########################################
+## <summary>
## List the contents of the root directory.
## </summary>
## <param name="domain">
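Review bot: `files_write_all_dirs` grants only the bare `write` bit on every `file_type` directory (`allow $1 file_type:dir write;`), and `files_write_all_mountpoints` does the same for `mountpoint`; on its own `write` does not permit adding or removing entries (`add_name`/`remove_name` are separate permissions), so the summaries "Write all mount points" and "Write all file type directories" promise more than callers get. The summary should say what the interface is meant to satisfy — presumably opening a directory for writing, which is what the raw `write` bit covers — so callers do not reach for it expecting to create files. Given that `files_write_all_dirs` touches every labelled directory on the system, a `<rolecap/>` or a short `<desc>` explaining the intended use seems warranted.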
@@ -1562,7 +1648,7 @@ interface(`files_root_filetrans',`
type root_t;
')
- filetrans_pattern($1, root_t, $2, $3)
+ filetrans_pattern($1, root_t, $2, $3, $4)
')
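Review bot: `filetrans_pattern($1, root_t, $2, $3, $4)` now forwards a fourth argument, but the hunk does not show the interface's documentation gaining a matching `<param name="filename" optional="true">` entry; the doc block sits above this hunk, so it may have been updated there, but if not, every caller-facing filetrans interface in this file needs one. The same change is made in files_boot_filetrans, files_etc_filetrans, files_home_filetrans, files_tmp_filetrans, files_usr_filetrans, files_var_filetrans, files_var_lib_filetrans, files_lock_filetrans and files_pid_filetrans below; if `filetrans_pattern` treats a missing `$4` as a plain type transition, the parameter should be documented as optional in each of them. The enclosing interface starts before this hunk.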
########################################
@@ -1660,6 +1746,24 @@ interface(`files_delete_root_dir_entry',`
########################################
## <summary>
+## Set attributes of the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_root_dirs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
## Unmount a rootfs filesystem.
## </summary>
## <param name="domain">
@@ -1848,7 +1952,7 @@ interface(`files_boot_filetrans',`
type boot_t;
')
- filetrans_pattern($1, boot_t, $2, $3)
+ filetrans_pattern($1, boot_t, $2, $3, $4)
')
########################################
@@ -2372,6 +2476,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
+#######################################
+## <summary>
+## Dontaudit remove dir /etc directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_remove_etc_dir',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ dontaudit $1 etc_t:dir rmdir;
+')
+
##########################################
## <summary>
## Manage generic directories in /etc
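Review bot: The banner above `files_dontaudit_remove_etc_dir` is shorter than the 40-character `########################################` used by the neighbouring interfaces, and the summary `Dontaudit remove dir /etc directories.` should follow the file's dontaudit phrasing, e.g. `## Do not audit attempts to remove /etc directories.`. The same short banner appears on files_read_system_conf_files, files_manage_system_conf_files, files_relabelto_system_conf_files, files_relabelfrom_system_conf_files, files_etc_filetrans_system_conf, files_rw_generic_tmp_dir, files_rw_pid_dirs and files_create_var_run_dirs further down. The rule itself, `dontaudit $1 etc_t:dir rmdir;`, is fine.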
@@ -2451,7 +2573,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -2525,6 +2647,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
+## Remove entries from the etc directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_etc_dir_entry',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir del_entry_dir_perms;
+')
+
+########################################
+## <summary>
## Execute generic files in /etc.
## </summary>
## <param name="domain">
@@ -2624,7 +2764,7 @@ interface(`files_etc_filetrans',`
type etc_t;
')
- filetrans_pattern($1, etc_t, $2, $3)
+ filetrans_pattern($1, etc_t, $2, $3, $4)
')
########################################
@@ -2680,24 +2820,6 @@ interface(`files_delete_boot_flag',`
########################################
## <summary>
-## Do not audit attempts to set the attributes of the etc_runtime files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`files_dontaudit_setattr_etc_runtime_files',`
- gen_require(`
- type etc_runtime_t;
- ')
-
- dontaudit $1 etc_runtime_t:file setattr;
-')
-
-########################################
-## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
@@ -2738,6 +2860,24 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
+## Do not audit attempts to set the attributes of the etc_runtime files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_setattr_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ dontaudit $1 etc_runtime_t:file setattr;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
@@ -2775,6 +2915,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
+ read_lnk_files_pattern($1, etc_t, etc_t)
')
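Review bot: The added `read_lnk_files_pattern($1, etc_t, etc_t)` in `files_rw_etc_runtime_files` grants reading of every `etc_t` symlink, which is broader than the runtime-file access the interface is named for; the sibling change to `files_manage_etc_runtime_files` in the next hunk uses `read_lnk_files_pattern($1, etc_t, etc_runtime_t)`, which matches the `rw_files_pattern($1, etc_t, etc_runtime_t)` line above it. Unless a caller genuinely needs generic `/etc` symlinks here, use the `etc_runtime_t` target for consistency with the sibling. The enclosing interface starts before this hunk.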
########################################
@@ -2796,6 +2937,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
+ read_lnk_files_pattern($1, etc_t, etc_runtime_t)
')
########################################
@@ -3364,7 +3506,7 @@ interface(`files_home_filetrans',`
type home_root_t;
')
- filetrans_pattern($1, home_root_t, $2, $3)
+ filetrans_pattern($1, home_root_t, $2, $3, $4)
')
########################################
@@ -3502,20 +3644,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
-## Do not audit attempts to list the contents of /mnt.
+## dontaudit List the contents of /mnt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_list_mnt',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ dontaudit $1 mnt_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to check the
+## write access on mnt files
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`files_dontaudit_list_mnt',`
+interface(`files_dontaudit_access_check_mnt',`
gen_require(`
type mnt_t;
')
-
- dontaudit $1 mnt_t:dir list_dir_perms;
+ dontaudit $1 mnt_t:file_class_set audit_access;
')
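Review bot: The summary of `files_dontaudit_list_mnt` is reworded from `## Do not audit attempts to list the contents of /mnt.` to `## dontaudit List the contents of /mnt.`, which reads worse than the original and breaks the file's "Do not audit attempts to …" phrasing; keep the original sentence. In the new `files_dontaudit_access_check_mnt` the blank line between `')` and the `dontaudit` rule was dropped, unlike every other interface in this file. `dontaudit $1 mnt_t:file_class_set audit_access;` covers every file class on mnt_t, so a short comment saying which program's access(2) probe it silences would help the next reader judge whether it is still needed.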
########################################
@@ -3900,6 +4060,99 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
+#######################################
+## <summary>
+## Read manageable system configuration files in /etc
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, system_conf_t)
+ read_lnk_files_pattern($1, etc_t, system_conf_t)
+')
+
+######################################
+## <summary>
+## Manage manageable system configuration files in /etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+')
+
+######################################
+## <summary>
+## Relabel manageable system configuration files in /etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
+')
+
+######################################
+## <summary>
+## Relabel manageable system configuration files in /etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelfrom_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
+')
+
+###################################
+## <summary>
+## Create files in /etc with the type used for
+## the manageable system config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`files_etc_filetrans_system_conf',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ filetrans_pattern($1, etc_t, system_conf_t, file)
+')
+
########################################
## <summary>
## Allow the specified type to associate
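Review bot: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` require `type usr_t;` but their rules use `system_conf_t`, so the `gen_require` block is wrong and `system_conf_t` is used unrequired; both should read `type system_conf_t;`. The two interfaces also share the summary "Relabel manageable system configuration files in /etc." — one should say "Relabel to" and the other "Relabel from" so the generated docs distinguish them. `files_read_system_conf_files`, `files_manage_system_conf_files` and `files_etc_filetrans_system_conf` look correct.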
@@ -3945,7 +4198,7 @@ interface(`files_getattr_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -4017,7 +4270,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
-## Domain not to audit.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -4029,6 +4282,24 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
+#######################################
+## <summary>
+## Allow read and write to the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain not to audit.
+## </summary>
+## </param>
+#
+interface(`files_rw_generic_tmp_dir',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:dir rw_dir_perms;
+')
+
########################################
## <summary>
## Remove entries from the tmp directory.
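Review bot: `files_rw_generic_tmp_dir` is an allow interface, but its parameter doc says `Domain not to audit.`; it should be `Domain allowed access.` as in the file's other allow interfaces (this commit elsewhere normalises the dontaudit wording to "Domain to not audit.", so the mismatch will stand out in the generated docs). The banner above it is also shorter than the file's standard 40-character one. The rule `allow $1 tmp_t:dir rw_dir_perms;` matches the summary.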
@@ -4085,6 +4356,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
+## Allow shared library text relocations in tmp files.
+## </summary>
+## <desc>
+## <p>
+## Allow shared library text relocations in tmp files.
+## </p>
+## <p>
+## This is added to support java policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_execmod_tmp',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+ allow $1 tmpfile:file execmod;
+')
+
+########################################
+## <summary>
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
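Review bot: `files_execmod_tmp` grants `execmod` on every type carrying the `tmpfile` attribute, i.e. every domain's private tmp type, not only the caller's own; the `<desc>` says it exists for the java policy but does not mention that breadth. Since `execmod` permits text relocations in writable temporary files, the description should state that the grant is system-wide over tmp types so callers use it only when a per-type rule cannot work, and it is a candidate for a `<rolecap/>` or a tunable rather than an unconditional allow. Documentation only; the rule itself matches the summary.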
@@ -4139,7 +4436,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
-## Set the attributes of all tmp directories.
+## Relabel a dir from the type used in /tmp.
## </summary>
## <param name="domain">
## <summary>
@@ -4147,17 +4444,17 @@ interface(`files_rw_generic_tmp_sockets',`
## </summary>
## </param>
#
-interface(`files_setattr_all_tmp_dirs',`
+interface(`files_relabelfrom_tmp_dirs',`
gen_require(`
- attribute tmpfile;
+ type tmp_t;
')
- allow $1 tmpfile:dir { search_dir_perms setattr };
+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
')
########################################
## <summary>
-## List all tmp directories.
+## Relabel a file from the type used in /tmp.
## </summary>
## <param name="domain">
## <summary>
@@ -4165,33 +4462,69 @@ interface(`files_setattr_all_tmp_dirs',`
## </summary>
## </param>
#
-interface(`files_list_all_tmp',`
+interface(`files_relabelfrom_tmp_files',`
gen_require(`
- attribute tmpfile;
+ type tmp_t;
')
- allow $1 tmpfile:dir list_dir_perms;
+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
')
########################################
## <summary>
-## Relabel to and from all temporary
-## directory types.
+## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`files_relabel_all_tmp_dirs',`
+interface(`files_setattr_all_tmp_dirs',`
gen_require(`
attribute tmpfile;
- type var_t;
')
- allow $1 var_t:dir search_dir_perms;
+ allow $1 tmpfile:dir { search_dir_perms setattr };
+')
+
+########################################
+## <summary>
+## List all tmp directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_all_tmp',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+ allow $1 tmpfile:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Relabel to and from all temporary
+## directory types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_all_tmp_dirs',`
+ gen_require(`
+ attribute tmpfile;
+ type var_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
relabel_dirs_pattern($1, tmpfile, tmpfile)
')
@@ -4202,7 +4535,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
-## Domain not to audit.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -4262,7 +4595,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
-## Domain not to audit.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -4318,7 +4651,7 @@ interface(`files_tmp_filetrans',`
type tmp_t;
')
- filetrans_pattern($1, tmp_t, $2, $3)
+ filetrans_pattern($1, tmp_t, $2, $3, $4)
')
########################################
@@ -4342,6 +4675,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
+ delete_chr_files_pattern($1, tmpfile, tmpfile)
+ delete_blk_files_pattern($1, tmpfile, tmpfile)
+ files_list_isid_type_dirs($1)
+ files_delete_isid_type_dirs($1)
+ files_delete_isid_type_files($1)
+ files_delete_isid_type_symlinks($1)
+ files_delete_isid_type_fifo_files($1)
+ files_delete_isid_type_sock_files($1)
+ files_delete_isid_type_blk_files($1)
+ files_delete_isid_type_chr_files($1)
')
########################################
@@ -4681,7 +5024,7 @@ interface(`files_usr_filetrans',`
type usr_t;
')
- filetrans_pattern($1, usr_t, $2, $3)
+ filetrans_pattern($1, usr_t, $2, $3, $4)
')
########################################
@@ -5084,7 +5427,7 @@ interface(`files_var_filetrans',`
type var_t;
')
- filetrans_pattern($1, var_t, $2, $3)
+ filetrans_pattern($1, var_t, $2, $3, $4)
')
########################################
@@ -5219,7 +5562,7 @@ interface(`files_var_lib_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
- filetrans_pattern($1, var_lib_t, $2, $3)
+ filetrans_pattern($1, var_lib_t, $2, $3, $4)
')
########################################
@@ -5304,6 +5647,25 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
+## List generic lock directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_locks',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ files_search_locks($1)
+ list_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
@@ -5317,6 +5679,8 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
+ files_search_pids($1)
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
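Review bot: `files_search_locks` now also calls `files_search_pids($1)` and reads `var_lock_t` symlinks, which makes sense if `/var/lock` is a symlink into the pid directory (the files.fc change in this commit adds a `/var/lock -l … var_lock_t` entry), but nothing in the interface says so. A comment such as `# /var/lock may be a symlink into /var/run; callers need to follow it` above `files_search_pids($1)` would keep the reason with the rule. The enclosing interface starts before this hunk; the `files_dontaudit_search_locks` hunk below adds the matching lnk_file dontaudit.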
@@ -5336,12 +5700,14 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
+ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
dontaudit $1 var_lock_t:dir search_dir_perms;
')
########################################
## <summary>
-## List generic lock directories.
+## create a directory in the /var/lock
+## directories.
## </summary>
## <param name="domain">
## <summary>
@@ -5349,12 +5715,30 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
-interface(`files_list_locks',`
+interface(`files_create_lock_dirs',`
gen_require(`
type var_t, var_lock_t;
')
+ files_search_locks($1)
+ allow $1 var_lock_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Set the attributes of the /var/lock directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_lock_dirs',`
+ gen_require(`
+ type var_lock_t;
+ ')
- list_dirs_pattern($1, var_t, var_lock_t)
+ allow $1 var_lock_t:dir setattr;
')
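Review bot: `files_setattr_lock_dirs` uses the raw permission `allow $1 var_lock_t:dir setattr;` whereas the file's other setattr interfaces (e.g. `files_setattr_root_dirs` added in this commit) use `setattr_dir_perms`; use the macro for consistency. It is also missing the blank line between `')` and the rule, and the summary of `files_create_lock_dirs` in the preceding hunk starts lowercase (`create a directory in the /var/lock`). Style and documentation only; both rules do what their names say.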
########################################
@@ -5373,6 +5757,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
+ files_search_locks($1)
rw_dirs_pattern($1, var_t, var_lock_t)
')
@@ -5385,7 +5770,6 @@ interface(`files_rw_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
@@ -5412,7 +5796,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
- allow $1 var_t:dir search_dir_perms;
+ files_search_locks($1)
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
@@ -5428,12 +5812,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
- gen_require(`
+ gen_require(`
type var_t, var_lock_t;
- ')
+ ')
- allow $1 var_t:dir search_dir_perms;
- delete_files_pattern($1, var_lock_t, var_lock_t)
+ files_search_locks($1)
+ delete_files_pattern($1, var_lock_t, var_lock_t)
')
########################################
@@ -5452,7 +5836,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
- allow $1 var_t:dir search_dir_perms;
+ files_search_locks($1)
manage_files_pattern($1, var_lock_t, var_lock_t)
')
@@ -5493,7 +5877,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ files_search_locks($1)
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
@@ -5515,7 +5899,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ files_search_locks($1)
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
@@ -5547,8 +5931,8 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
- allow $1 var_t:dir search_dir_perms;
- filetrans_pattern($1, var_lock_t, $2, $3)
+ files_search_locks($1)
+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
########################################
@@ -5608,6 +5992,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
+######################################
+## <summary>
+## Add and remove entries from pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_pid_dirs',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ allow $1 var_run_t:dir rw_dir_perms;
+')
+
+#######################################
+## <summary>
+## Create generic pid directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_var_run_dirs',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
########################################
## <summary>
## Do not audit attempts to search
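Review bot: `files_create_var_run_dirs` grants `allow $1 var_t:dir search_dir_perms;` directly, while the lock interfaces changed in this same commit replace exactly that line with `files_search_locks($1)`; for consistency call `files_search_pids($1)` here. Its sibling `files_rw_pid_dirs` grants no search on `var_t` at all, so the two new interfaces disagree on whether callers are assumed to have it already. The name `files_create_var_run_dirs` also departs from the `*_pid*` naming of every neighbouring interface (`files_rw_pid_dirs`, `files_search_pids`); `files_create_pid_dirs` would fit.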
@@ -5629,6 +6050,25 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
+## Do not audit attempts to search
+## the all /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_search_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ dontaudit $1 pidfile:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## List the contents of the runtime process
## ID directories (/var/run).
## </summary>
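Review bot: The summary of `files_dontaudit_search_all_pids` reads `the all /var/run directory.`; since the rule covers every `pidfile` type rather than just /var/run, `## Do not audit attempts to search all pid directories.` is both grammatical and accurate. The rule itself is fine.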
@@ -5736,7 +6176,7 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
- filetrans_pattern($1, var_run_t, $2, $3)
+ filetrans_pattern($1, var_run_t, $2, $3, $4)
')
########################################
@@ -5815,29 +6255,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
-## Read all process ID files.
+## Relable all pid directories
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`files_read_all_pids',`
+interface(`files_relabel_all_pid_dirs',`
gen_require(`
attribute pidfile;
- type var_t;
')
- list_dirs_pattern($1, var_t, pidfile)
- read_files_pattern($1, pidfile, pidfile)
+ relabel_dirs_pattern($1, pidfile, pidfile)
')
########################################
## <summary>
-## Mount filesystems on all polyinstantiation
-## member directories.
+## Delete all pid sockets
## </summary>
## <param name="domain">
## <summary>
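Review bot: `Relable all pid directories` in the summary of `files_relabel_all_pid_dirs` is a typo for `Relabel`; the same typo appears in the summary of `files_relabel_all_pid_files` further down. The interface bodies are fine. Most of this and the following hunks move `files_read_all_pids`, `files_mounton_all_poly_members`, `files_delete_all_pids` and `files_delete_all_pid_dirs` down the file rather than change them, which makes the real additions hard to pick out; reordering in a separate commit would have been clearer.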
@@ -5845,42 +6281,35 @@ interface(`files_read_all_pids',`
## </summary>
## </param>
#
-interface(`files_mounton_all_poly_members',`
+interface(`files_delete_all_pid_sockets',`
gen_require(`
- attribute polymember;
+ attribute pidfile;
')
- allow $1 polymember:dir mounton;
+ allow $1 pidfile:sock_file delete_sock_file_perms;
')
########################################
## <summary>
-## Delete all process IDs.
+## Create all pid sockets
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`files_delete_all_pids',`
+interface(`files_create_all_pid_sockets',`
gen_require(`
attribute pidfile;
- type var_t, var_run_t;
')
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:dir rmdir;
- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
- delete_files_pattern($1, pidfile, pidfile)
- delete_fifo_files_pattern($1, pidfile, pidfile)
- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ allow $1 pidfile:sock_file create_sock_file_perms;
')
########################################
## <summary>
-## Delete all process ID directories.
+## Create all pid named pipes
## </summary>
## <param name="domain">
## <summary>
@@ -5888,20 +6317,17 @@ interface(`files_delete_all_pids',`
## </summary>
## </param>
#
-interface(`files_delete_all_pid_dirs',`
+interface(`files_create_all_pid_pipes',`
gen_require(`
attribute pidfile;
- type var_t;
')
- allow $1 var_t:dir search_dir_perms;
- delete_dirs_pattern($1, pidfile, pidfile)
+ allow $1 pidfile:fifo_file create_fifo_file_perms;
')
########################################
## <summary>
-## Search the contents of generic spool
-## directories (/var/spool).
+## Delete all pid named pipes
## </summary>
## <param name="domain">
## <summary>
@@ -5909,56 +6335,59 @@ interface(`files_delete_all_pid_dirs',`
## </summary>
## </param>
#
-interface(`files_search_spool',`
+interface(`files_delete_all_pid_pipes',`
gen_require(`
- type var_t, var_spool_t;
+ attribute pidfile;
')
- search_dirs_pattern($1, var_t, var_spool_t)
+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
')
########################################
## <summary>
-## Do not audit attempts to search generic
-## spool directories.
+## manage all pidfile directories
+## in the /var/run directory.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`files_dontaudit_search_spool',`
+interface(`files_manage_all_pid_dirs',`
gen_require(`
- type var_spool_t;
+ attribute pidfile;
')
- dontaudit $1 var_spool_t:dir search_dir_perms;
+ manage_dirs_pattern($1,pidfile,pidfile)
')
+
########################################
## <summary>
-## List the contents of generic spool
-## (/var/spool) directories.
+## Read all process ID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`files_list_spool',`
+interface(`files_read_all_pids',`
gen_require(`
- type var_t, var_spool_t;
+ attribute pidfile;
+ type var_t;
')
- list_dirs_pattern($1, var_t, var_spool_t)
+ list_dirs_pattern($1, var_t, pidfile)
+ read_files_pattern($1, pidfile, pidfile)
+ read_lnk_files_pattern($1, pidfile, pidfile)
')
########################################
## <summary>
-## Create, read, write, and delete generic
-## spool directories (/var/spool).
+## Relable all pid files
## </summary>
## <param name="domain">
## <summary>
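Review bot: `manage_dirs_pattern($1,pidfile,pidfile)` in `files_manage_all_pid_dirs` omits the spaces after commas used everywhere else in this file; write `manage_dirs_pattern($1, pidfile, pidfile)`, and likewise `manage_files_pattern($1, pidfile, pidfile)` in `files_manage_all_pids` two hunks down. This hunk and the following ones also remove the spool interfaces (`files_search_spool`, `files_dontaudit_search_spool`, `files_list_spool`, `files_manage_generic_spool_dirs`, `files_read_generic_spool`, `files_manage_generic_spool`, `files_spool_filetrans`); that looks like a move, given that `files_spool_file` is added near the end, but if any of them is not re-added elsewhere, existing callers in other modules will fail to build.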
@@ -5966,18 +6395,17 @@ interface(`files_list_spool',`
## </summary>
## </param>
#
-interface(`files_manage_generic_spool_dirs',`
+interface(`files_relabel_all_pid_files',`
gen_require(`
- type var_t, var_spool_t;
+ attribute pidfile;
')
- allow $1 var_t:dir search_dir_perms;
- manage_dirs_pattern($1, var_spool_t, var_spool_t)
+ relabel_files_pattern($1, pidfile, pidfile)
')
########################################
## <summary>
-## Read generic spool files.
+## Execute generic programs in /var/run in the caller domain.
## </summary>
## <param name="domain">
## <summary>
@@ -5985,19 +6413,18 @@ interface(`files_manage_generic_spool_dirs',`
## </summary>
## </param>
#
-interface(`files_read_generic_spool',`
+interface(`files_exec_generic_pid_files',`
gen_require(`
- type var_t, var_spool_t;
+ type var_run_t;
')
- list_dirs_pattern($1, var_t, var_spool_t)
- read_files_pattern($1, var_spool_t, var_spool_t)
+ exec_files_pattern($1, var_run_t, var_run_t)
')
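Review bot: `files_exec_generic_pid_files` lets a domain run `var_run_t` files in its own context via `exec_files_pattern($1, var_run_t, var_run_t)`; executing out of a runtime directory is unusual enough that the summary or a `<desc>` should record which caller needs it, so the grant can be revisited when that caller changes. The interface itself is correctly formed; this is a documentation request.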
########################################
## <summary>
-## Create, read, write, and delete generic
-## spool files.
+## manage all pidfiles
+## in the /var/run directory.
## </summary>
## <param name="domain">
## <summary>
@@ -6005,50 +6432,61 @@ interface(`files_read_generic_spool',`
## </summary>
## </param>
#
-interface(`files_manage_generic_spool',`
+interface(`files_manage_all_pids',`
gen_require(`
- type var_t, var_spool_t;
+ attribute pidfile;
')
- allow $1 var_t:dir search_dir_perms;
- manage_files_pattern($1, var_spool_t, var_spool_t)
+ manage_files_pattern($1,pidfile,pidfile)
')
########################################
## <summary>
-## Create objects in the spool directory
-## with a private type with a type transition.
+## Mount filesystems on all polyinstantiation
+## member directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="file">
-## <summary>
-## Type to which the created node will be transitioned.
-## </summary>
-## </param>
-## <param name="class">
+#
+interface(`files_mounton_all_poly_members',`
+ gen_require(`
+ attribute polymember;
+ ')
+
+ allow $1 polymember:dir mounton;
+')
+
+########################################
+## <summary>
+## Delete all process IDs.
+## </summary>
+## <param name="domain">
## <summary>
-## Object class(es) (single or set including {}) for which this
-## the transition will occur.
+## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`files_spool_filetrans',`
+interface(`files_delete_all_pids',`
gen_require(`
- type var_t, var_spool_t;
+ attribute pidfile;
+ type var_t, var_run_t;
')
allow $1 var_t:dir search_dir_perms;
- filetrans_pattern($1, var_spool_t, $2, $3)
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+ delete_fifo_files_pattern($1, pidfile, pidfile)
+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
')
########################################
## <summary>
-## Allow access to manage all polyinstantiated
-## directories on the system.
+## Delete all process ID directories.
## </summary>
## <param name="domain">
## <summary>
@@ -6056,23 +6494,275 @@ interface(`files_spool_filetrans',`
## </summary>
## </param>
#
-interface(`files_polyinstantiate_all',`
+interface(`files_delete_all_pid_dirs',`
gen_require(`
- attribute polydir, polymember, polyparent;
- type poly_t;
+ attribute pidfile;
+ type var_t;
')
- # Need to give access to /selinux/member
- selinux_compute_member($1)
-
- # Need sys_admin capability for mounting
- allow $1 self:capability { chown fsetid sys_admin fowner };
-
- # Need to give access to the directories to be polyinstantiated
- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-
- # Need to give access to the polyinstantiated subdirectories
- allow $1 polymember:dir search_dir_perms;
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
+## Make the specified type a file
+## used for spool files.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable for spool files.
+## This will also make the type usable for files, making
+## calls to files_type() redundant. Failure to use this interface
+## for a spool file may result in problems with
+## purging spool files.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>files_spool_filetrans()</li>
+## </ul>
+## <p>
+## Example usage with a domain that can create and
+## write its spool file in the system spool file
+## directories (/var/spool):
+## </p>
+## <p>
+## type myspoolfile_t;
+## files_spool_file(myfile_spool_t)
+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
+## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
+## </p>
+## </desc>
+## <param name="file_type">
+## <summary>
+## Type of the file to be used as a
+## spool file.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`files_spool_file',`
+ gen_require(`
+ attribute spoolfile;
+ ')
+
+ files_type($1)
+ typeattribute $1 spoolfile;
+')
+
+########################################
+## <summary>
+## Create all spool sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_all_spool_sockets',`
+ gen_require(`
+ attribute spoolfile;
+ ')
+
+ allow $1 spoolfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Delete all spool sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_all_spool_sockets',`
+ gen_require(`
+ attribute spoolfile;
+ ')
+
+ allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search the contents of generic spool
+## directories (/var/spool).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
+ ')
+
+ search_dirs_pattern($1, var_t, var_spool_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search generic
+## spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_search_spool',`
+ gen_require(`
+ type var_spool_t;
+ ')
+
+ dontaudit $1 var_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of generic spool
+## (/var/spool) directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
+ ')
+
+ list_dirs_pattern($1, var_t, var_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete generic
+## spool directories (/var/spool).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_generic_spool_dirs',`
+ gen_require(`
+ type var_t, var_spool_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
+## Read generic spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_generic_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
+ ')
+
+ list_dirs_pattern($1, var_t, var_spool_t)
+ read_files_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete generic
+## spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_generic_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ manage_files_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
+## Create objects in the spool directory
+## with a private type with a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file">
+## <summary>
+## Type to which the created node will be transitioned.
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Object class(es) (single or set including {}) for which this
+## the transition will occur.
+## </summary>
+## </param>
+#
+interface(`files_spool_filetrans',`
+ gen_require(`
+ type var_t, var_spool_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Allow access to manage all polyinstantiated
+## directories on the system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_polyinstantiate_all',`
+ gen_require(`
+ attribute polydir, polymember, polyparent;
+ type poly_t;
+ ')
+
+ # Need to give access to /selinux/member
+ selinux_compute_member($1)
+
+ # Need sys_admin capability for mounting
+ allow $1 self:capability { chown fsetid sys_admin fowner };
+
+ # Need to give access to the directories to be polyinstantiated
+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+
+ # Need to give access to the polyinstantiated subdirectories
+ allow $1 polymember:dir search_dir_perms;
# Need to give access to parent directories where original
# is remounted for polyinstantiation aware programs (like gdm)
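Review bot: files_spool_filetrans now calls `filetrans_pattern($1, var_spool_t, $2, $3, $4)` but its documentation still describes only three parameters (domain, file, class), so the fourth argument is undocumented; add a `<param name="filename" optional="true">` block with summary `The name of the object being created.` matching the other filetrans interfaces. The usage example in the files_spool_file description declares `type myspoolfile_t;` and then passes `myfile_spool_t` to every call, which is a copy error — one name should be used throughout. files_polyinstantiate_all continues past the end of this hunk.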
@@ -6117,3 +6807,284 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
+
+########################################
+## <summary>
+## Create a core files in /
+## </summary>
+## <desc>
+## <p>
+## Create a core file in /,
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ manage_files_pattern($1, root_t, root_t)
+')
+
+########################################
+## <summary>
+## Create a default directory
+## </summary>
+## <desc>
+## <p>
+## Create a default_t direcrory
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_create_default_dir',`
+ gen_require(`
+ type default_t;
+ ')
+
+ allow $1 default_t:dir create;
+')
+
+########################################
+## <summary>
+## Create, default_t objects with an automatic
+## type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The class of the object being created.
+## </summary>
+## </param>
+#
+interface(`files_root_filetrans_default',`
+ gen_require(`
+ type root_t, default_t;
+ ')
+
+ filetrans_pattern($1, root_t, default_t, $2)
+')
+
+########################################
+## <summary>
+## manage generic symbolic links
+## in the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_generic_pids_symlinks',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to getattr
+## all tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_tmpfs_files',`
+ gen_require(`
+ attribute tmpfsfile;
+ ')
+
+ allow $1 tmpfsfile:file getattr;
+')
+
+########################################
+## <summary>
+## Allow read write all tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_rw_tmpfs_files',`
+ gen_require(`
+ attribute tmpfsfile;
+ ')
+
+ allow $1 tmpfsfile:file { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read security files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_read_security_files',`
+ gen_require(`
+ attribute security_file_type;
+ ')
+
+ dontaudit $1 security_file_type:file read_file_perms;
+')
+
+########################################
+## <summary>
+## rw any files inherited from another process
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_rw_all_inherited_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Allow any file point to be the entrypoint of this domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_entrypoint_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+ allow $1 file_type:file entrypoint;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to rw inherited file perms
+## of non security files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_all_non_security_leaks',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## all leaked files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_leaks',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
+')
+
+########################################
+## <summary>
+## Allow domain to create_file_ass all types
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_as_is_all_files',`
+ gen_require(`
+ attribute file_type;
+ class kernel_service create_files_as;
+ ')
+
+ allow $1 file_type:kernel_service create_files_as;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to check the
+## write access on all files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_all_access_check',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ dontaudit $1 file_type:file_class_set audit_access;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write to all files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_write_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ dontaudit $1 file_type:dir_file_class_set write;
+')
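Review bot: files_dontaudit_getattr_tmpfs_files is documented as a dontaudit interface (`Domain to not audit.`) but its body is `allow $1 tmpfsfile:file getattr;`, which grants the access instead of silencing the denial; it should read `dontaudit $1 tmpfsfile:file getattr;`. files_rw_all_inherited_files references a second argument `$2` in every rule without a `<param>` entry describing it, so the optional extra type set needs documenting. files_rw_tmpfs_files is an allow interface whose parameter text says `Domain to not audit.` and should say `Domain allowed access.`, and the files_create_as_is_all_files summary `create_file_ass` looks like a typo for `create_files_as`.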
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 22821ff..20251b0 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -10,7 +10,9 @@ attribute files_unconfined_type;
attribute lockfile;
attribute mountpoint;
attribute pidfile;
+attribute spoolfile;
attribute configfile;
+attribute etcfile;
# For labeling types that are to be polyinstantiated
attribute polydir;
@@ -58,12 +60,21 @@ files_type(etc_t)
typealias etc_t alias automount_etc_t;
typealias etc_t alias snmpd_etc_t;
+# system_conf_t is a new type of various
+# files in /etc/ that can be managed and
+# created by several domains.
+#
+type system_conf_t, configfile;
+files_type(system_conf_t)
+# compatibility aliases for removed type:
+typealias system_conf_t alias iptables_conf_t;
+
#
# etc_runtime_t is the type of various
# files in /etc that are automatically
# generated during initialization.
#
-type etc_runtime_t;
+type etc_runtime_t, configfile;
files_type(etc_runtime_t)
#Temporarily in policy until FC5 dissappears
typealias etc_runtime_t alias firstboot_rw_t;
@@ -167,6 +178,7 @@ files_mountpoint(var_lib_t)
#
type var_lock_t;
files_lock_file(var_lock_t)
+files_mountpoint(var_lock_t)
#
# var_run_t is the type of /var/run, usually
@@ -181,6 +193,7 @@ files_mountpoint(var_run_t)
#
type var_spool_t;
files_tmp_file(var_spool_t)
+files_spool_file(var_spool_t)
########################################
#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 97fcdac..a75dbe4 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
########################################
## <summary>
+## Get attributes of cgroup files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ getattr_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
## Search cgroup directories.
## </summary>
## <param name="domain">
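Review bot: The gen_require block of fs_getattr_cgroup_files carries a stray blank line between `type cgroup_t;` and `')`, which no other gen_require in this file has; the same blank appears in fs_relabel_cgroup_dirs in the next hunk. Dropping it keeps the blocks consistent with the surrounding interfaces.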
@@ -646,11 +667,31 @@ interface(`fs_search_cgroup_dirs',`
')
search_dirs_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
########################################
## <summary>
+## Relabel cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_cgroup_dirs',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ relabel_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
## list cgroup directories.
## </summary>
## <param name="domain">
@@ -665,9 +706,29 @@ interface(`fs_list_cgroup_dirs', `
')
list_dirs_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
+#######################################
+## <summary>
+## Dontaudit search cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_search_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ dontaudit $1 cgroup_t:dir search_dir_perms;
+ dev_dontaudit_search_sysfs($1)
+')
+
########################################
## <summary>
## Delete cgroup directories.
@@ -684,6 +745,7 @@ interface(`fs_delete_cgroup_dirs', `
')
delete_dirs_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
@@ -704,6 +766,7 @@ interface(`fs_manage_cgroup_dirs',`
')
manage_dirs_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
@@ -724,6 +787,8 @@ interface(`fs_read_cgroup_files',`
')
read_files_pattern($1, cgroup_t, cgroup_t)
+ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
@@ -743,6 +808,7 @@ interface(`fs_write_cgroup_files', `
')
write_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
@@ -763,6 +829,7 @@ interface(`fs_rw_cgroup_files',`
')
rw_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
@@ -803,6 +870,8 @@ interface(`fs_manage_cgroup_files',`
')
manage_files_pattern($1, cgroup_t, cgroup_t)
+ manage_lnk_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
@@ -1107,6 +1176,24 @@ interface(`fs_read_noxattr_fs_files',`
########################################
## <summary>
+## Read/Write all inherited noxattrfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_inherited_noxattr_fs_files',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ allow $1 noxattrfs:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read all
## noxattrfs files.
## </summary>
@@ -1265,6 +1352,42 @@ interface(`fs_dontaudit_append_cifs_files',`
########################################
## <summary>
+## Read inherited files on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_inherited_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Read/Write inherited files on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_inherited_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read or
## write files on a CIFS or SMB filesystem.
## </summary>
@@ -1279,7 +1402,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
type cifs_t;
')
- dontaudit $1 cifs_t:file rw_file_perms;
+ dontaudit $1 cifs_t:file rw_inherited_file_perms;
')
########################################
@@ -1542,6 +1665,25 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2)
')
+########################################
+## <summary>
+## Make general progams in cifs an entrypoint for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which cifs_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`fs_cifs_entry_type',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ domain_entry_file($1, cifs_t)
+')
+
#######################################
## <summary>
## Create, read, write, and delete dirs
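Review bot: fs_cifs_entry_type makes every file labelled cifs_t an entrypoint for $1, and since cifs_t is a single genfs label for the whole mount the trust decision is effectively delegated to whatever the remote share contains; the interface has no `<desc>` saying so. Suggest a description such as "Any executable on a CIFS/SMB mount can enter this domain; only use for domains that are intended to run software served from network shares." The same applies to fs_nfs_entry_type added later in this file, which documents nothing beyond the one-line summary either.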
@@ -2080,6 +2222,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
########################################
## <summary>
+## Read hugetlbfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_hugetlbfs_files',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+')
+
+########################################
+## <summary>
## Read and write hugetlbfs files.
## </summary>
## <param name="domain">
@@ -2148,6 +2308,7 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
+ fs_read_anon_inodefs_files($1)
')
########################################
@@ -2480,6 +2641,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
+ fs_search_auto_mountpoints($1)
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
@@ -2518,6 +2680,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
+ fs_search_auto_mountpoints($1)
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
@@ -2544,6 +2707,25 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
+## Make general progams in nfs an entrypoint for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which nfs_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`fs_nfs_entry_type',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ domain_entry_file($1, nfs_t)
+')
+
+########################################
+## <summary>
## Append files
## on a NFS filesystem.
## </summary>
@@ -2584,6 +2766,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
## <summary>
+## Read inherited files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_inherited_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Read/write inherited files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_inherited_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </summary>
@@ -2598,7 +2816,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
- dontaudit $1 nfs_t:file rw_file_perms;
+ dontaudit $1 nfs_t:file rw_inherited_file_perms;
')
########################################
@@ -2736,7 +2954,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
-## Domain not to audit.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -2772,7 +2990,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
-## Domain not to audit.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -2965,6 +3183,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
+ fs_search_auto_mountpoints($1)
allow $1 nfs_t:dir manage_dir_perms;
')
@@ -3005,6 +3224,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
+ fs_search_auto_mountpoints($1)
manage_files_pattern($1, nfs_t, nfs_t)
')
@@ -3045,6 +3265,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
+ fs_search_auto_mountpoints($1)
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
@@ -3958,6 +4179,42 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
## <summary>
+## Relabel directory on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+## Relabel files on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ relabel_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## tmpfs directories
## </summary>
@@ -4175,6 +4432,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
+## dontaudit Read and write block nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_read_tmpfs_blk_dev',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
+')
+
+########################################
+## <summary>
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
@@ -4457,6 +4732,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
+# Mount checks write access on the dir
+ allow $1 filesystem_type:dir write;
')
########################################
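Review bot: The new comment `# Mount checks write access on the dir` in fs_mount_all_fs sits at column 0 inside the interface body while the rule it explains is indented, unlike the other in-body comments in this file; indent it with the rule. It would also help to state the scope in the comment, since `allow $1 filesystem_type:dir write;` applies to the root directories of every filesystem type, e.g. `# mount(2) checks write on the target dir of every fs type; this is dir write only, not add_name`.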
@@ -4503,7 +4780,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
-## et the attributes of all filesystems.
+## get the attributes of all filesystems.
## Example attributes:
## </p>
## <ul>
@@ -4866,3 +5143,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## all leaked filesystems files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_leaks',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
+ dontaudit $1 filesystem_type:lnk_file { read };
+')
+
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index f125dc2..3c6e827 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -52,6 +52,7 @@ type anon_inodefs_t;
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
+mls_trusted_object(anon_inodefs_t)
type bdev_t;
fs_type(bdev_t)
@@ -67,7 +68,7 @@ fs_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
-type cgroup_t;
+type cgroup_t alias cgroupfs_t;
fs_type(cgroup_t)
files_type(cgroup_t)
files_mountpoint(cgroup_t)
@@ -96,6 +97,7 @@ type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
+dev_associate(hugetlbfs_t)
type ibmasmfs_t;
fs_type(ibmasmfs_t)
@@ -175,6 +177,7 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
+dev_associate(tmpfs_t)
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
@@ -254,6 +257,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
+files_type(removable_t)
+dev_node(removable_t)
files_mountpoint(removable_t)
#
@@ -273,6 +278,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon 9p / gen_context(system_u:object_r:nfs_t,s0)
########################################
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 6346378..8c500cd 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -345,13 +345,8 @@ interface(`kernel_load_module',`
attribute can_load_kernmodule;
')
- allow $1 self:capability sys_module;
typeattribute $1 can_load_kernmodule;
- # load_module() calls stop_machine() which
- # calls sched_setscheduler()
- allow $1 self:capability sys_nice;
- kernel_setsched($1)
')
########################################
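Review bot: After this hunk kernel_load_module grants nothing itself — it only adds $1 to can_load_kernmodule, and the `sys_module`, `sys_nice` and kernel_setsched() grants are removed from the interface. That is only equivalent if those permissions are attached to the attribute in kernel.te, which this patch does not show; a one-line comment such as `# sys_module and scheduling rights are granted to the can_load_kernmodule attribute in kernel.te` would make the dependency visible to readers of the interface.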
@@ -2072,7 +2067,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
- dontaudit $1 sysctl_type:file getattr;
+ dontaudit $1 sysctl_type:file read_file_perms;
')
########################################
@@ -2293,7 +2288,7 @@ interface(`kernel_read_unlabeled_state',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -2475,6 +2470,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
## <summary>
+## Read and write unlabeled sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_rw_unlabeled_socket',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:socket rw_socket_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## </summary>
@@ -2619,7 +2632,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
- allow $1 unlabeled_t:packet { send recv };
+# allow $1 unlabeled_t:packet { send recv };
')
########################################
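Review bot: The `packet { send recv }` rule in kernel_sendrecv_unlabeled_association is commented out rather than removed, leaving the preceding `# temporary hack until labeling on packets is supported` describing a rule that no longer exists. Either delete both lines or replace them with a comment stating why the packet rule was dropped, so the next reader does not re-enable it thinking it was disabled by accident.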
@@ -2657,6 +2670,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
+## Receive DCCP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_dccp_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dccp_socket recvfrom;
+')
+
+########################################
+## <summary>
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
@@ -2684,6 +2715,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
+## Do not audit attempts to receive DCCP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_dccp_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:dccp_socket recvfrom;
+')
+
+########################################
+## <summary>
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
@@ -2793,6 +2843,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
+########################################
+## <summary>
+## Read/Write Raw IP packets from an unlabeled connection.
+## </summary>
+## <desc>
+## <p>
+## Receive Raw IP packets from an unlabeled connection.
+## </p>
+## <p>
+## The corenetwork interface corenet_raw_recv_unlabeled() should
+## be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_rw_unlabeled_rawip_socket',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:rawip_socket rw_socket_perms;
+')
+
########################################
## <summary>
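Review bot: The `<desc>` of kernel_rw_unlabeled_rawip_socket appears to be copied from kernel_raw_recvfrom_unlabeled: it says `Receive Raw IP packets` and points callers to corenet_raw_recv_unlabeled(), while the body grants `rawip_socket rw_socket_perms`, which is read and write on the socket, not packet receipt. The description should say what is actually granted, e.g. `Read and write unlabeled raw IP sockets (rw_socket_perms); this does not grant recvfrom on unlabeled peers.`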
@@ -2948,6 +3025,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
+## Relabel to unlabeled context .
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_relabelto_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir_file_class_set relabelto;
+')
+
+########################################
+## <summary>
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
@@ -2962,4 +3057,25 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
+ kernel_load_module($1)
')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to
+## the kernel with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_stream_connect',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:unix_stream_socket connectto;
+')
+
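Review bot: kernel_unconfined now calls `kernel_load_module($1)` unconditionally, so every domain made kernel-unconfined also joins can_load_kernmodule. The patch adds a `secure_mode_insmod` boolean in kernel.te but this hunk shows no boolean gating around the new call; if that boolean is meant to restrict module loading, a comment here stating that unconfined domains are deliberately exempt, or a `tunable_policy` wrapper, would record the intent. The new file also ends with an added blank line after kernel_stream_connect that the rest of the file does not use.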
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index d91c62f..c857dc0 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,12 @@
policy_module(kernel, 1.13.3)
+## <desc>
+## <p>
+## disallow programs and users from transitioning to insmod domain.
+## </p>
+## </desc>
+gen_bool(secure_mode_insmod,false)
+
########################################
#
# Declarations
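Review bot: The description of `secure_mode_insmod` does not describe what the boolean gates: the last kernel.te hunk in this patch (the `if( ! secure_mode_insmod )` block) uses it to grant the `sys_module` and `sys_nice` capabilities and `kernel_setsched` to `can_load_kernmodule`, not to block a transition to an insmod domain. Boolean descriptions are what administrators see in the management tools, so the text should match the rules, e.g. `## Disallow domains with the can_load_kernmodule attribute from loading kernel modules.`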
@@ -50,6 +57,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
type debugfs_t;
fs_type(debugfs_t)
+files_mountpoint(debugfs_t)
+
allow debugfs_t self:filesystem associate;
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -157,6 +166,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
type unlabeled_t;
fs_associate(unlabeled_t)
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+fs_associate(unlabeled_t)
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
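Review bot: The added `fs_associate(unlabeled_t)` duplicates the identical call two lines above it (a context line in this same hunk), so the new line is redundant and should be dropped. If a different interface for unlabeled_t was intended, the line as written does not express it.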
@@ -242,11 +252,14 @@ dev_search_usbfs(kernel_t)
# devtmpfs handling:
dev_create_generic_dirs(kernel_t)
dev_delete_generic_dirs(kernel_t)
-dev_create_generic_blk_files(kernel_t)
-dev_delete_generic_blk_files(kernel_t)
-dev_create_generic_chr_files(kernel_t)
-dev_delete_generic_chr_files(kernel_t)
+dev_create_all_blk_files(kernel_t)
+dev_delete_all_blk_files(kernel_t)
+dev_create_all_chr_files(kernel_t)
+dev_delete_all_chr_files(kernel_t)
dev_mounton(kernel_t)
+dev_filetrans_all_named_dev(kernel_t)
+storage_filetrans_all_named_dev(kernel_t)
+term_filetrans_all_named_dev(kernel_t)
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
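Review bot: The devtmpfs block now lets kernel_t create and delete all block and character device types and adds named-device transitions from three modules, but the `# devtmpfs handling:` comment was not updated to say why the wider set is needed. The `*_all_*` interfaces are considerably broader than the `*_generic_*` ones they replace, so a line such as `# devtmpfs: the kernel creates nodes for every device type, so it needs create/delete on all of them plus the named-device transitions that give the nodes their final labels` would record the intent for the next reviewer.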
@@ -255,7 +268,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
-term_use_console(kernel_t)
+term_use_all_terms(kernel_t)
+term_use_ptmx(kernel_t)
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
@@ -269,25 +283,47 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
+files_manage_mounttab(kernel_t)
+files_manage_generic_spool_dirs(kernel_t)
mcs_process_set_categories(kernel_t)
+mcs_file_read_all(kernel_t)
+mcs_file_write_all(kernel_t)
+mcs_socket_write_all_levels(kernel_t)
mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
+mls_file_downgrade(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
+mls_fd_share_all_levels(kernel_t)
ifdef(`distro_redhat',`
# Bugzilla 222337
fs_rw_tmpfs_chr_files(kernel_t)
')
+
+optional_policy(`
+ apache_filetrans_home_content(kernel_t)
+')
+
+optional_policy(`
+ gnome_filetrans_home_content(kernel_t)
+')
+
+optional_policy(`
+ kerberos_filetrans_home_content(kernel_t)
+')
+
optional_policy(`
hotplug_search_config(kernel_t)
')
optional_policy(`
init_sigchld(kernel_t)
+ init_dyntrans(kernel_t)
')
optional_policy(`
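Review bot: The added `mcs_file_read_all`, `mcs_file_write_all`, `mcs_socket_write_all_levels`, `mls_file_downgrade`, `mls_socket_write_all_levels`, `mls_fd_share_all_levels` and `init_dyntrans` calls for kernel_t carry no comment, unlike the `# Bugzilla 222337` note on the distro_redhat rule a few lines below. Judging by their names each of these opts kernel_t out of an MCS/MLS constraint that confined domains are held to (the attributes behind the mcs_* ones are declared in the mcs.te hunk of this patch), so a one-line reason per group, e.g. `# kernel threads act on objects at every category and level`, would make the grants reviewable later. The same applies to the home-directory filetrans blocks added here and in the following kernel.te hunk.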
@@ -297,6 +333,19 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
+ logging_manage_generic_logs(kernel_t)
+')
+
+optional_policy(`
+ mta_filetrans_home_content(kernel_t)
+')
+
+optional_policy(`
+ ssh_filetrans_home_content(kernel_t)
+')
+
+optional_policy(`
+ userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
')
optional_policy(`
@@ -334,9 +383,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
- auth_read_all_dirs_except_shadow(kernel_t)
- auth_read_all_files_except_shadow(kernel_t)
- auth_read_all_symlinks_except_shadow(kernel_t)
+ files_read_non_security_files(kernel_t)
')
tunable_policy(`nfs_export_all_rw',`
@@ -345,7 +392,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
- auth_manage_all_files_except_shadow(kernel_t)
+ files_manage_non_security_files(kernel_t)
')
')
@@ -358,6 +405,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
+optional_policy(`
+ virt_filetrans_home_content(kernel_t)
+')
+
+optional_policy(`
+ xserver_xdm_manage_spool(kernel_t)
+ xserver_filetrans_home_content(kernel_t)
+')
+
########################################
#
# Unlabeled process local policy
@@ -387,3 +443,16 @@ allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
+
+gen_require(`
+ bool secure_mode_insmod;
+')
+
+if( ! secure_mode_insmod ) {
+ allow can_load_kernmodule self:capability sys_module;
+ # load_module() calls stop_machine() which
+ # calls sched_setscheduler()
+ allow can_load_kernmodule self:capability sys_nice;
+ kernel_setsched(can_load_kernmodule)
+}
+
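Review bot: The new conditional is spelled `if( ! secure_mode_insmod ) {`, whereas selinux.te in this same patch writes `if(!secure_mode_policyload) {`; pick one spelling. The `gen_require` for the boolean should also be unnecessary here, since `gen_bool(secure_mode_insmod,false)` declares it at the top of this same kernel.te, and the blank line after the closing brace leaves trailing whitespace at end of file. The `# load_module() calls stop_machine()` comment on sys_nice is the right kind of why-comment; keep it.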
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index f52faaf..6bb6529 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -102,3 +102,49 @@ interface(`mcs_process_set_categories',`
typeattribute $1 mcssetcats;
')
+
+########################################
+## <summary>
+## Make specified process type MCS untrusted.
+## </summary>
+## <desc>
+## <p>
+## Make specified process type MCS untrusted. This
+## prevents this process from sending signals to other processes
+## with different mcs labels
+## object.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the process.
+## </summary>
+## </param>
+#
+interface(`mcs_untrusted_proc',`
+ gen_require(`
+ attribute mcsuntrustedproc;
+ ')
+
+ typeattribute $1 mcsuntrustedproc;
+')
+
+########################################
+## <summary>
+## Make specified domain MCS trusted
+## for writing to sockets at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mcs_socket_write_all_levels',`
+ gen_require(`
+ attribute mcsnetwrite;
+ ')
+
+ typeattribute $1 mcsnetwrite;
+')
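Review bot: The `<desc>` of mcs_untrusted_proc reads `...with different mcs labels object.`, where `object.` is a leftover; suggested text: `## Make the specified process type MCS untrusted. This prevents the process from sending signals to processes with different MCS labels.` The `mcsuntrustedproc` and `mcsnetwrite` attributes are declared in the mcs.te hunk below, but the constraints that consume them are not in this chunk, so I cannot confirm either interface has the stated effect. The `<rolecap/>` tag on mcs_socket_write_all_levels also looks out of place for an attribute-only interface; confirm it is intended.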
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 0e5b661..3168d72 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -10,3 +10,5 @@ attribute mcsptraceall;
attribute mcssetcats;
attribute mcswriteall;
attribute mcsreadall;
+attribute mcsuntrustedproc;
+attribute mcsnetwrite;
diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc
index 7be4ddf..4d4c577 100644
--- a/policy/modules/kernel/selinux.fc
+++ b/policy/modules/kernel/selinux.fc
@@ -1 +1 @@
-# This module currently does not have any file contexts.
+/selinux -l gen_context(system_u:object_r:security_t,s0)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index ca7e808..ccb32a0 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
# because of this statement, any module which
# calls this interface must be in the base module:
- genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
')
########################################
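Review bot: Commenting out the `genfscon selinuxfs /booleans/$2` line leaves dead code in selinux_labeled_boolean and makes the comment right above it (`because of this statement, any module which calls this interface must be in the base module`) describe a statement that no longer exists. Either delete both and document what the interface still does, or replace them with a comment saying why labeling is no longer done here; the new `selinux_genbool` interface at the end of this file looks like the intended replacement and could be named there if so. The interface's opening lines are outside the hunk.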
@@ -58,6 +58,8 @@ interface(`selinux_get_fs_mount',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
# starting in libselinux 2.0.5, init_selinuxmnt() will
# attempt to short circuit by checking if SELINUXMNT
# (/selinux) is already a selinuxfs
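Review bot: The same two-line prelude `dev_getattr_sysfs_fs($1)` / `dev_search_sysfs($1)` is pasted into selinux_get_fs_mount here and into roughly sixteen other interfaces in this file (the hunks for selinux_mount_fs, selinux_remount_fs, selinux_unmount_fs, selinux_search_fs, selinux_mounton_fs, selinux_load_policy, selinux_read_policy, selinux_set_generic_booleans, selinux_set_all_booleans, selinux_set_parameters, selinux_validate_context and the selinux_compute_* interfaces). selinux_get_enforce_mode instead obtains the same access by calling `selinux_get_fs_mount($1)`, which is the better pattern: one place to change if the sysfs requirement moves again. Consider using that call in the others too, so the interfaces do not drift apart.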
@@ -87,6 +89,7 @@ interface(`selinux_dontaudit_get_fs_mount',`
# starting in libselinux 2.0.5, init_selinuxmnt() will
# attempt to short circuit by checking if SELINUXMNT
# (/selinux) is already a selinuxfs
+ dev_dontaudit_search_sysfs($1)
dontaudit $1 security_t:filesystem getattr;
# read /proc/filesystems to see if selinuxfs is supported
@@ -109,6 +112,8 @@ interface(`selinux_mount_fs',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:filesystem mount;
')
@@ -128,6 +133,8 @@ interface(`selinux_remount_fs',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:filesystem remount;
')
@@ -146,6 +153,8 @@ interface(`selinux_unmount_fs',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:filesystem unmount;
')
@@ -220,6 +229,8 @@ interface(`selinux_search_fs',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir search_dir_perms;
')
@@ -243,6 +254,27 @@ interface(`selinux_dontaudit_search_fs',`
########################################
## <summary>
+## Mount on selinuxfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_mounton_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
+ allow $1 security_t:dir mounton;
+')
+
+
+########################################
+## <summary>
## Do not audit attempts to read
## generic selinuxfs entries
## </summary>
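Review bot: selinux_mounton_fs is followed by two blank lines where every other interface in this file is separated by one; drop one of them. Otherwise the new interface follows the layout of its neighbours.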
@@ -257,6 +289,7 @@ interface(`selinux_dontaudit_read_fs',`
type security_t;
')
+ selinux_dontaudit_getattr_fs($1)
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file read_file_perms;
')
@@ -278,6 +311,7 @@ interface(`selinux_get_enforce_mode',`
type security_t;
')
+ selinux_get_fs_mount($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
')
@@ -308,21 +342,9 @@ interface(`selinux_set_enforce_mode',`
gen_require(`
type security_t;
attribute can_setenforce;
- bool secure_mode_policyload;
')
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
typeattribute $1 can_setenforce;
-
- if(!secure_mode_policyload) {
- allow $1 security_t:security setenforce;
-
- ifdef(`distro_rhel4',`
- # needed for systems without audit support
- auditallow $1 security_t:security setenforce;
- ')
- }
')
########################################
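Review bot: After this change the body of selinux_set_enforce_mode is only `typeattribute $1 can_setenforce;`, so the `type security_t;` entry left in its gen_require is unused and should be removed. Note also that the security_t dir/file access the interface used to grant unconditionally now lives in selinux.te under `if(!secure_mode_policyload)`, so callers lose selinuxfs read access when that boolean is on; that is probably intended, but the interface's summary (outside the hunk) should say the grant is conditional.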
@@ -339,21 +361,13 @@ interface(`selinux_load_policy',`
gen_require(`
type security_t;
attribute can_load_policy;
- bool secure_mode_policyload;
')
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
typeattribute $1 can_load_policy;
-
- if(!secure_mode_policyload) {
- allow $1 security_t:security load_policy;
-
- ifdef(`distro_rhel4',`
- # needed for systems without audit support
- auditallow $1 security_t:security load_policy;
- ')
- }
')
########################################
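Review bot: selinux_load_policy keeps its security_t dir/file rules unconditional, while the parallel change to selinux_set_enforce_mode in the previous hunk moved the equivalent rules into selinux.te under `if(!secure_mode_policyload)`; the two interfaces now treat the same situation differently. If that is deliberate (a load_policy caller still needs to read selinuxfs when the boolean is on), a one-line comment above the `allow` lines would stop the next reader from "fixing" it; otherwise move these rules next to the `can_load_policy` block in selinux.te for symmetry.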
@@ -371,6 +385,8 @@ interface(`selinux_read_policy',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
allow $1 security_t:security read_policy;
@@ -433,20 +449,14 @@ interface(`selinux_set_boolean',`
interface(`selinux_set_generic_booleans',`
gen_require(`
type security_t;
- bool secure_mode_policyload;
+ attribute can_setbool;
')
+ typeattribute $1 can_setbool;
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
-
- if(!secure_mode_policyload) {
- allow $1 security_t:security setbool;
-
- ifdef(`distro_rhel4',`
- # needed for systems without audit support
- auditallow $1 security_t:security setbool;
- ')
- }
')
########################################
@@ -475,20 +485,15 @@ interface(`selinux_set_all_booleans',`
gen_require(`
type security_t;
attribute boolean_type;
- bool secure_mode_policyload;
+ attribute can_setbool;
')
+ typeattribute $1 can_setbool;
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
+ allow $1 boolean_type:dir list_dir_perms;
allow $1 boolean_type:file rw_file_perms;
-
- if(!secure_mode_policyload) {
- allow $1 security_t:security setbool;
-
- ifdef(`distro_rhel4',`
- # needed for systems without audit support
- auditallow $1 security_t:security setbool;
- ')
- }
')
########################################
@@ -519,6 +524,8 @@ interface(`selinux_set_parameters',`
attribute can_setsecparam;
')
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security setsecparam;
@@ -542,6 +549,8 @@ interface(`selinux_validate_context',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security check_context;
@@ -584,6 +593,8 @@ interface(`selinux_compute_access_vector',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_av;
@@ -605,6 +616,8 @@ interface(`selinux_compute_create_context',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_create;
@@ -626,6 +639,8 @@ interface(`selinux_compute_member',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_member;
@@ -655,6 +670,8 @@ interface(`selinux_compute_relabel_context',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_relabel;
@@ -675,6 +692,8 @@ interface(`selinux_compute_user_contexts',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_user;
@@ -696,4 +715,29 @@ interface(`selinux_unconfined',`
')
typeattribute $1 selinux_unconfined_type;
+ selinux_set_all_booleans($1)
+ selinux_load_policy($1)
+ selinux_set_parameters($1)
+ selinux_set_enforce_mode($1)
')
+
+########################################
+## <summary>
+## Generate a file context for a boolean type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_genbool',`
+ gen_require(`
+ attribute boolean_type;
+ ')
+
+ type $1, boolean_type;
+ fs_type($1)
+ mls_trusted_object($1)
+')
+
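Review bot: The parameter documentation of selinux_genbool is wrong: `$1` is declared as a type (`type $1, boolean_type;`) and given `fs_type` and `mls_trusted_object`; it is not a domain being granted access. Suggested block: `## <param name="type">` / `## <summary>` / `## Type to declare as a boolean type.` / `## </summary>` / `## </param>`. The summary could also say that the type is marked an MLS trusted object, since that is a property callers will care about.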
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index d70e0b3..99ff2ac 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -1,5 +1,14 @@
policy_module(selinux, 1.9.1)
+## <desc>
+## <p>
+## prevent all confined domains from loading policy, setting
+## enforcing mode, and changing boolean values. Set this to true and you
+## have to reboot to set it back
+## </p>
+## </desc>
+gen_bool(secure_mode_policyload,false)
+
########################################
#
# Declarations
@@ -8,6 +17,7 @@ policy_module(selinux, 1.9.1)
attribute boolean_type;
attribute can_load_policy;
attribute can_setenforce;
+attribute can_setbool;
attribute can_setsecparam;
attribute selinux_unconfined_type;
@@ -18,14 +28,15 @@ attribute selinux_unconfined_type;
#
type security_t, boolean_type;
fs_type(security_t)
+files_mountpoint(security_t)
mls_trusted_object(security_t)
sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
-neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
-neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
-neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
+neverallow ~{ can_load_policy } security_t:security load_policy;
+neverallow ~{ can_setenforce } security_t:security setenforce;
+neverallow ~{ can_setsecparam } security_t:security setsecparam;
########################################
#
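Review bot: The neverallow set still covers only load_policy, setenforce and setsecparam, while this patch introduces the `can_setbool` attribute for setbool; adding `neverallow ~{ can_setbool } security_t:security setbool;` would give the new attribute the same compile-time guarantee the others have. That only works if no module still grants setbool directly, which I cannot verify from this chunk. Dropping `selinux_unconfined_type` from the exemption sets is consistent with selinux_unconfined now calling selinux_load_policy, selinux_set_parameters and selinux_set_enforce_mode in the selinux.if hunk of this patch.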
@@ -41,11 +52,28 @@ allow selinux_unconfined_type boolean_type:file read_file_perms;
allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
if(!secure_mode_policyload) {
- allow selinux_unconfined_type boolean_type:file rw_file_perms;
- allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
+ allow can_setenforce security_t:security setenforce;
+ dev_getattr_sysfs_fs(can_setenforce)
+ dev_search_sysfs(can_setenforce)
+ allow can_setenforce security_t:dir list_dir_perms;
+ allow can_setenforce security_t:file rw_file_perms;
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+ auditallow can_setenforce security_t:security setenforce;
+ ')
+
+ allow can_load_policy security_t:security load_policy;
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+ auditallow can_load_policy security_t:security load_policy;
+ ')
+
+ allow can_setbool boolean_type:security setbool;
ifdef(`distro_rhel4',`
# needed for systems without audit support
- auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
+ auditallow can_setbool boolean_type:security setbool;
')
}
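Review bot: `allow can_setbool boolean_type:security setbool;` (and its auditallow) targets every boolean_type member, whereas the rule it replaces targeted `security_t`, and the `security` class check is normally made against the selinuxfs SID. security_t is itself declared with boolean_type (`type security_t, boolean_type;` in the hunk above), so the case that matters is still covered, but the extra targets are most likely inert and obscure the intent. Prefer `allow can_setbool security_t:security setbool;` unless the per-boolean form is needed, in which case a comment should say why.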
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 1700ef2..6b7eabb 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+ #577012
+ allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms;
typeattribute $1 fixed_disk_raw_read;
')
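Review bot: `#577012` on its own is a bare number; a reader cannot tell which tracker it refers to or why symlinks labeled fixed_disk_device_t now need to be readable here. kernel.te in this same patch uses the form `# Bugzilla 222337`, so follow that and add the reason, e.g. `# Bugzilla 577012: raw readers must be able to read symlinks labeled fixed_disk_device_t`. The interface's opening lines are outside the hunk.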
@@ -205,6 +207,7 @@ interface(`storage_create_fixed_disk_dev',`
allow $1 self:capability mknod;
allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file create_chr_file_perms;
dev_add_entry_generic_dirs($1)
')
@@ -808,3 +811,368 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type;
')
+
+########################################
+## <summary>
+## Create all named devices with the correct label
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_filetrans_all_named_dev',`
+
+ gen_require(`
+ type tape_device_t;
+ type fixed_disk_device_t;
+ type removable_device_t;
+ type scsi_generic_device_t;
+ type fuse_device_t;
+ ')
+
+ dev_filetrans($1, tape_device_t, chr_file, "ht00")
+ dev_filetrans($1, tape_device_t, chr_file, "ht01")
+ dev_filetrans($1, tape_device_t, chr_file, "ht02")
+ dev_filetrans($1, tape_device_t, chr_file, "ht03")
+ dev_filetrans($1, tape_device_t, chr_file, "ht04")
+ dev_filetrans($1, tape_device_t, chr_file, "ht05")
+ dev_filetrans($1, tape_device_t, chr_file, "ht06")
+ dev_filetrans($1, tape_device_t, chr_file, "ht07")
+ dev_filetrans($1, tape_device_t, chr_file, "ht08")
+ dev_filetrans($1, tape_device_t, chr_file, "ht09")
+ dev_filetrans($1, tape_device_t, chr_file, "st00")
+ dev_filetrans($1, tape_device_t, chr_file, "st01")
+ dev_filetrans($1, tape_device_t, chr_file, "st02")
+ dev_filetrans($1, tape_device_t, chr_file, "st03")
+ dev_filetrans($1, tape_device_t, chr_file, "st04")
+ dev_filetrans($1, tape_device_t, chr_file, "st05")
+ dev_filetrans($1, tape_device_t, chr_file, "st06")
+ dev_filetrans($1, tape_device_t, chr_file, "st07")
+ dev_filetrans($1, tape_device_t, chr_file, "st08")
+ dev_filetrans($1, tape_device_t, chr_file, "st09")
+ dev_filetrans($1, tape_device_t, chr_file, "qft0")
+ dev_filetrans($1, tape_device_t, chr_file, "qft1")
+ dev_filetrans($1, tape_device_t, chr_file, "qft2")
+ dev_filetrans($1, tape_device_t, chr_file, "qft3")
+ dev_filetrans($1, tape_device_t, chr_file, "osst00")
+ dev_filetrans($1, tape_device_t, chr_file, "osst01")
+ dev_filetrans($1, tape_device_t, chr_file, "osst02")
+ dev_filetrans($1, tape_device_t, chr_file, "osst03")
+ dev_filetrans($1, tape_device_t, chr_file, "osst04")
+ dev_filetrans($1, tape_device_t, chr_file, "osst05")
+ dev_filetrans($1, tape_device_t, chr_file, "osst06")
+ dev_filetrans($1, tape_device_t, chr_file, "osst07")
+ dev_filetrans($1, tape_device_t, chr_file, "osst08")
+ dev_filetrans($1, tape_device_t, chr_file, "osst09")
+ dev_filetrans($1, tape_device_t, chr_file, "pt0")
+ dev_filetrans($1, tape_device_t, chr_file, "pt1")
+ dev_filetrans($1, tape_device_t, chr_file, "pt2")
+ dev_filetrans($1, tape_device_t, chr_file, "pt3")
+ dev_filetrans($1, tape_device_t, chr_file, "pt4")
+ dev_filetrans($1, tape_device_t, chr_file, "pt5")
+ dev_filetrans($1, tape_device_t, chr_file, "pt6")
+ dev_filetrans($1, tape_device_t, chr_file, "pt7")
+ dev_filetrans($1, tape_device_t, chr_file, "pt8")
+ dev_filetrans($1, tape_device_t, chr_file, "pt9")
+ dev_filetrans($1, tape_device_t, chr_file, "tpqic0")
+ dev_filetrans($1, tape_device_t, chr_file, "tpqic1")
+ dev_filetrans($1, tape_device_t, chr_file, "tpqic2")
+ dev_filetrans($1, tape_device_t, chr_file, "tpqic3")
+ dev_filetrans($1, tape_device_t, chr_file, "tpqic4")
+ dev_filetrans($1, tape_device_t, chr_file, "tpqic5")
+ dev_filetrans($1, tape_device_t, chr_file, "tpqic6")
+ dev_filetrans($1, tape_device_t, chr_file, "tpqic7")
+ dev_filetrans($1, tape_device_t, chr_file, "tpqic8")
+ dev_filetrans($1, tape_device_t, chr_file, "tpqic9")
+ dev_filetrans($1, removable_device_t, blk_file, "aztcd")
+ dev_filetrans($1, removable_device_t, blk_file, "bpcd")
+ dev_filetrans($1, removable_device_t, blk_file, "cdu0")
+ dev_filetrans($1, removable_device_t, blk_file, "cdu1")
+ dev_filetrans($1, removable_device_t, blk_file, "cdu2")
+ dev_filetrans($1, removable_device_t, blk_file, "cdu3")
+ dev_filetrans($1, removable_device_t, blk_file, "cdu4")
+ dev_filetrans($1, removable_device_t, blk_file, "cdu5")
+ dev_filetrans($1, removable_device_t, blk_file, "cdu6")
+ dev_filetrans($1, removable_device_t, blk_file, "cdu7")
+ dev_filetrans($1, removable_device_t, blk_file, "cdu8")
+ dev_filetrans($1, removable_device_t, blk_file, "cdu9")
+ dev_filetrans($1, removable_device_t, blk_file, "cm200")
+ dev_filetrans($1, removable_device_t, blk_file, "cm201")
+ dev_filetrans($1, removable_device_t, blk_file, "cm202")
+ dev_filetrans($1, removable_device_t, blk_file, "cm203")
+ dev_filetrans($1, removable_device_t, blk_file, "cm204")
+ dev_filetrans($1, removable_device_t, blk_file, "cm205")
+ dev_filetrans($1, removable_device_t, blk_file, "cm206")
+ dev_filetrans($1, removable_device_t, blk_file, "cm207")
+ dev_filetrans($1, removable_device_t, blk_file, "cm208")
+ dev_filetrans($1, removable_device_t, blk_file, "cm209")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md2")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md3")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md4")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md5")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md6")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md7")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md8")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md9")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda2")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda3")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda4")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda5")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda6")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda7")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda8")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda9")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb2")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb3")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb4")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb5")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb6")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb7")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb8")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb9")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc2")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc3")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc4")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc5")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc6")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc7")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc8")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc9")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd2")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd3")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd4")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd5")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd6")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd7")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd8")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd9")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde2")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde3")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde4")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde5")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde6")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde7")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde8")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde9")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf2")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf3")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf4")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf5")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf6")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf7")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf8")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf9")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg2")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg3")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg4")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg5")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg6")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg7")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg8")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg9")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-2")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-3")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-4")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-5")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-6")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-7")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-8")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-9")
+ dev_filetrans($1, removable_device_t, blk_file, "gscd")
+ dev_filetrans($1, removable_device_t, blk_file, "hitcd")
+ dev_filetrans($1, tape_device_t, blk_file, "ht0")
+ dev_filetrans($1, tape_device_t, blk_file, "ht1")
+ dev_filetrans($1, removable_device_t, blk_file, "hwcdrom")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "initrd")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "jsfd")
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop2")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop3")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop4")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop5")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop6")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop7")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop8")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop9")
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
+ dev_filetrans($1, removable_device_t, blk_file, "mcd")
+ dev_filetrans($1, removable_device_t, blk_file, "mcdx")
+ dev_filetrans($1, removable_device_t, chr_file, "megadev0")
+ dev_filetrans($1, removable_device_t, chr_file, "megadev1")
+ dev_filetrans($1, removable_device_t, chr_file, "megadev2")
+ dev_filetrans($1, removable_device_t, chr_file, "megadev3")
+ dev_filetrans($1, removable_device_t, chr_file, "megadev4")
+ dev_filetrans($1, removable_device_t, chr_file, "megadev5")
+ dev_filetrans($1, removable_device_t, chr_file, "megadev6")
+ dev_filetrans($1, removable_device_t, chr_file, "megadev7")
+ dev_filetrans($1, removable_device_t, chr_file, "megadev8")
+ dev_filetrans($1, removable_device_t, chr_file, "megadev9")
+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk0")
+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk1")
+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk2")
+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk3")
+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk4")
+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk5")
+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk6")
+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk7")
+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk8")
+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk9")
+ dev_filetrans($1, removable_device_t, blk_file, "mspblk0")
+ dev_filetrans($1, removable_device_t, blk_file, "mspblk1")
+ dev_filetrans($1, removable_device_t, blk_file, "mspblk2")
+ dev_filetrans($1, removable_device_t, blk_file, "mspblk3")
+ dev_filetrans($1, removable_device_t, blk_file, "mspblk4")
+ dev_filetrans($1, removable_device_t, blk_file, "mspblk5")
+ dev_filetrans($1, removable_device_t, blk_file, "mspblk6")
+ dev_filetrans($1, removable_device_t, blk_file, "mspblk7")
+ dev_filetrans($1, removable_device_t, blk_file, "mspblk8")
+ dev_filetrans($1, removable_device_t, blk_file, "mspblk9")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd2")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd3")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd4")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd5")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd6")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd7")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd8")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd9")
+ dev_filetrans($1, removable_device_t, blk_file, "optcd")
+ dev_filetrans($1, removable_device_t, blk_file, "pf0")
+ dev_filetrans($1, removable_device_t, blk_file, "pf1")
+ dev_filetrans($1, removable_device_t, blk_file, "pf2")
+ dev_filetrans($1, removable_device_t, blk_file, "pf3")
+ dev_filetrans($1, removable_device_t, blk_file, "pg0")
+ dev_filetrans($1, removable_device_t, blk_file, "pg1")
+ dev_filetrans($1, removable_device_t, blk_file, "pg2")
+ dev_filetrans($1, removable_device_t, blk_file, "pg3")
+ dev_filetrans($1, removable_device_t, blk_file, "pcd0")
+ dev_filetrans($1, removable_device_t, blk_file, "pcd1")
+ dev_filetrans($1, removable_device_t, blk_file, "pcd2")
+ dev_filetrans($1, removable_device_t, blk_file, "pcd3")
+ dev_filetrans($1, removable_device_t, chr_file, "pg0")
+ dev_filetrans($1, removable_device_t, chr_file, "pg1")
+ dev_filetrans($1, removable_device_t, chr_file, "pg2")
+ dev_filetrans($1, removable_device_t, chr_file, "pg3")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d2")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d3")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d4")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d5")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d6")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d7")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d8")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d9")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram2")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram3")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram4")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram5")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram6")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram7")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram8")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram9")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram10")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram11")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram12")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram13")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram14")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram15")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd2")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd3")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd4")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd5")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd6")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd7")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd8")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd9")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "root")
+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd0")
+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd1")
+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd2")
+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd3")
+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd4")
+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd5")
+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd6")
+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd7")
+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd8")
+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd9")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg0")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg1")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg2")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg3")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg4")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg5")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg6")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8")
+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9")
+ dev_filetrans($1, removable_device_t, blk_file, "sr0")
+ dev_filetrans($1, removable_device_t, blk_file, "sr1")
+ dev_filetrans($1, removable_device_t, blk_file, "sr2")
+ dev_filetrans($1, removable_device_t, blk_file, "sr3")
+ dev_filetrans($1, removable_device_t, blk_file, "sr4")
+ dev_filetrans($1, removable_device_t, blk_file, "sr5")
+ dev_filetrans($1, removable_device_t, blk_file, "sr6")
+ dev_filetrans($1, removable_device_t, blk_file, "sr7")
+ dev_filetrans($1, removable_device_t, blk_file, "sr8")
+ dev_filetrans($1, removable_device_t, blk_file, "sr9")
+ dev_filetrans($1, removable_device_t, blk_file, "sjcd")
+ dev_filetrans($1, removable_device_t, blk_file, "sonycd")
+ dev_filetrans($1, tape_device_t, chr_file, "tape0")
+ dev_filetrans($1, tape_device_t, chr_file, "tape1")
+ dev_filetrans($1, tape_device_t, chr_file, "tape2")
+ dev_filetrans($1, tape_device_t, chr_file, "tape3")
+ dev_filetrans($1, tape_device_t, chr_file, "tape4")
+ dev_filetrans($1, tape_device_t, chr_file, "tape5")
+ dev_filetrans($1, tape_device_t, chr_file, "tape6")
+ dev_filetrans($1, tape_device_t, chr_file, "tape7")
+ dev_filetrans($1, tape_device_t, chr_file, "tape8")
+ dev_filetrans($1, tape_device_t, chr_file, "tape9")
+ dev_filetrans($1, fuse_device_t, chr_file, "fuse")
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
+ dev_filetrans($1, removable_device_t, chr_file, "rio500")
+')
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index 7d45d15..eeb5889 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -14,11 +14,12 @@
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
-/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
/dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0)
+/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
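Review bot: Dropping the `/dev/pts/ptmx` entry leaves no file context for the ptmx node inside the devpts mount, so a relabel of that mount can no longer assign ptmx_t to it; presumably the intent is that the new `filetrans_pattern($1, devpts_t, ptmx_t, chr_file, "ptmx")` added later in this patch covers creation, but a named transition only applies to the creating domain, not to a later restorecon. If the removal is deliberate because devpts is typed through fs_use_trans and setfiles never touches it, a comment in the .fc would save the next reader the same question: `# /dev/pts/ptmx is typed by the devpts filetrans rule in terminal.if, not by a file context`. The ttyUSB and vport additions are consistent with the types declared in the terminal.te hunk of this patch.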
@@ -41,3 +42,5 @@ ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
')
+
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 01dd2f1..7a8e118 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
########################################
## <summary>
+## Read and write the inherited console, all inherited
+## ttys and ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_inherited_terms',`
+ gen_require(`
+ attribute ttynode, ptynode;
+ type console_device_t, devpts_t, tty_device_t;
+ ')
+
+ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
## Write to the console.
## </summary>
## <param name="domain">
@@ -274,7 +295,6 @@ interface(`term_dontaudit_read_console',`
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`term_use_console',`
gen_require(`
@@ -299,9 +319,12 @@ interface(`term_use_console',`
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
+ type tty_device_t;
')
- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
+ init_dontaudit_use_fds($1)
+ dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
+ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
')
########################################
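Review bot: The new `init_dontaudit_use_fds($1)` call makes a kernel-layer interface in terminal.if depend on the system-layer init module, and it silently widens what every caller of term_dontaudit_use_console() gets: all descriptors inherited from init are now dontaudited, not just the console. A domain that leaks a non-console init descriptor will no longer show that denial, which is the kind of signal a dontaudit scoped to the console was meant to preserve. Consider leaving the init call to the callers that need it, or at minimum stating the widened scope in the interface summary: `## Do not audit attempts to read/write the console or generic ttys, or to use file descriptors inherited from init.`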
@@ -462,6 +485,24 @@ interface(`term_list_ptys',`
########################################
## <summary>
+## Relabel the /dev/pts directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabel_ptys_dirs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:dir relabel_dir_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read the
## /dev/pts directory.
## </summary>
@@ -616,6 +657,7 @@ interface(`term_dontaudit_use_generic_ptys',`
type devpts_t;
')
+ init_dontaudit_use_fds($1)
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
')
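Review bot: As with the console variant in this patch, the added `init_dontaudit_use_fds($1)` makes term_dontaudit_use_generic_ptys() hide every inherited-init-fd denial rather than only the pty ones, and pulls an init dependency into a kernel-layer module. The hand-written set `{ getattr read write ioctl }` on the following line is now the only one among the touched dontaudit interfaces not expressed as `rw_inherited_chr_file_perms`; using the same macro here would keep the three consistent and make their intent (inherited descriptors only) explicit. The gen_require of this interface begins above the hunk.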
@@ -860,6 +902,26 @@ interface(`term_use_all_ptys',`
########################################
## <summary>
+## Read and write all inherited ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_inherited_ptys',`
+ gen_require(`
+ attribute ptynode;
+ type devpts_t;
+ ')
+
+ allow $1 ptynode:chr_file { rw_inherited_term_perms lock };
+')
+
+########################################
+## <summary>
## Do not audit attempts to read or write any ptys.
## </summary>
## <param name="domain">
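Review bot: `type devpts_t;` in the gen_require of term_use_all_inherited_ptys() is never referenced in the body, which grants only on the ptynode attribute, so the unused require should be dropped rather than declaring a dependency the interface does not have. The allow also adds `lock` on top of `rw_inherited_term_perms`, which the tty counterpart term_use_all_inherited_ttys() in this same patch does not grant; if the asymmetry is intentional, a one-line comment above the allow saying why would keep a later cleanup from "harmonising" it away.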
@@ -873,7 +935,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
- dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
+ dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
')
########################################
@@ -921,7 +983,7 @@ interface(`term_getattr_all_user_ptys',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -1240,7 +1302,28 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+ init_dontaudit_use_fds($1)
+ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write USB tty character
+## device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_use_usb_ttys',`
+ gen_require(`
+ type usbtty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 usbtty_device_t:chr_file rw_chr_file_perms;
')
########################################
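Review bot: term_use_usb_ttys() grants `rw_chr_file_perms` on usbtty_device_t while this same patch narrows term_use_all_ttys() from `rw_chr_file_perms` to `rw_term_perms`, so the two now hand out different permission sets for the same kind of serial device; if those sets differ (the patch changes one to the other, so presumably they do), pick one, likely `allow $1 usbtty_device_t:chr_file rw_term_perms;`, unless USB serial callers genuinely need the extra bits. The `init_dontaudit_use_fds($1)` added to term_dontaudit_use_unallocated_ttys() at the top of the hunk carries the same scope-widening caveat as the other dontaudit interfaces in this patch. The start of term_dontaudit_use_unallocated_ttys() is outside the hunk.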
@@ -1256,11 +1339,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
+ type tty_device_t;
attribute ttynode;
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file getattr;
+ allow $1 tty_device_t:chr_file getattr;
')
########################################
@@ -1277,10 +1362,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
+ type tty_device_t;
')
dev_list_all_dev_nodes($1)
dontaudit $1 ttynode:chr_file getattr;
+ dontaudit $1 tty_device_t:chr_file getattr;
')
########################################
@@ -1358,7 +1445,27 @@ interface(`term_use_all_ttys',`
')
dev_list_all_dev_nodes($1)
- allow $1 ttynode:chr_file rw_chr_file_perms;
+ allow $1 ttynode:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Read and write all inherited ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_inherited_ttys',`
+ gen_require(`
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file rw_inherited_term_perms;
')
########################################
@@ -1377,7 +1484,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
- dontaudit $1 ttynode:chr_file rw_chr_file_perms;
+ dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
')
########################################
@@ -1485,7 +1592,7 @@ interface(`term_use_all_user_ttys',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -1493,3 +1600,426 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
+
+####################################
+## <summary>
+## Getattr on the virtio console.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_getattr_virtio_console',`
+ gen_require(`
+ type virtio_device_t;
+ ')
+
+ allow $1 virtio_device_t:chr_file getattr_chr_file_perms;
+')
+
+#####################################
+## <summary>
+## Read from and write to the virtio console.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_use_virtio_console',`
+ gen_require(`
+ type virtio_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 virtio_device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Create all named term devices with the correct label
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_filetrans_all_named_dev',`
+
+gen_require(`
+ type tty_device_t;
+ type bsdpty_device_t;
+ type console_device_t;
+ type ptmx_t;
+ type devtty_t;
+ type virtio_device_t;
+ type devpts_t;
+ type usbtty_device_t;
+')
+
+ dev_filetrans($1, devtty_t, chr_file, "tty")
+ dev_filetrans($1, tty_device_t, chr_file, "tty0")
+ dev_filetrans($1, tty_device_t, chr_file, "tty1")
+ dev_filetrans($1, tty_device_t, chr_file, "tty2")
+ dev_filetrans($1, tty_device_t, chr_file, "tty3")
+ dev_filetrans($1, tty_device_t, chr_file, "tty4")
+ dev_filetrans($1, tty_device_t, chr_file, "tty5")
+ dev_filetrans($1, tty_device_t, chr_file, "tty6")
+ dev_filetrans($1, tty_device_t, chr_file, "tty7")
+ dev_filetrans($1, tty_device_t, chr_file, "tty8")
+ dev_filetrans($1, tty_device_t, chr_file, "tty9")
+ dev_filetrans($1, tty_device_t, chr_file, "tty10")
+ dev_filetrans($1, tty_device_t, chr_file, "tty11")
+ dev_filetrans($1, tty_device_t, chr_file, "tty12")
+ dev_filetrans($1, tty_device_t, chr_file, "tty13")
+ dev_filetrans($1, tty_device_t, chr_file, "tty14")
+ dev_filetrans($1, tty_device_t, chr_file, "tty15")
+ dev_filetrans($1, tty_device_t, chr_file, "tty16")
+ dev_filetrans($1, tty_device_t, chr_file, "tty17")
+ dev_filetrans($1, tty_device_t, chr_file, "tty18")
+ dev_filetrans($1, tty_device_t, chr_file, "tty19")
+ dev_filetrans($1, tty_device_t, chr_file, "tty20")
+ dev_filetrans($1, tty_device_t, chr_file, "tty21")
+ dev_filetrans($1, tty_device_t, chr_file, "tty22")
+ dev_filetrans($1, tty_device_t, chr_file, "tty23")
+ dev_filetrans($1, tty_device_t, chr_file, "tty24")
+ dev_filetrans($1, tty_device_t, chr_file, "tty25")
+ dev_filetrans($1, tty_device_t, chr_file, "tty26")
+ dev_filetrans($1, tty_device_t, chr_file, "tty27")
+ dev_filetrans($1, tty_device_t, chr_file, "tty28")
+ dev_filetrans($1, tty_device_t, chr_file, "tty29")
+ dev_filetrans($1, tty_device_t, chr_file, "tty30")
+ dev_filetrans($1, tty_device_t, chr_file, "tty31")
+ dev_filetrans($1, tty_device_t, chr_file, "tty32")
+ dev_filetrans($1, tty_device_t, chr_file, "tty33")
+ dev_filetrans($1, tty_device_t, chr_file, "tty34")
+ dev_filetrans($1, tty_device_t, chr_file, "tty35")
+ dev_filetrans($1, tty_device_t, chr_file, "tty36")
+ dev_filetrans($1, tty_device_t, chr_file, "tty37")
+ dev_filetrans($1, tty_device_t, chr_file, "tty38")
+ dev_filetrans($1, tty_device_t, chr_file, "tty39")
+ dev_filetrans($1, tty_device_t, chr_file, "tty40")
+ dev_filetrans($1, tty_device_t, chr_file, "tty41")
+ dev_filetrans($1, tty_device_t, chr_file, "tty42")
+ dev_filetrans($1, tty_device_t, chr_file, "tty43")
+ dev_filetrans($1, tty_device_t, chr_file, "tty44")
+ dev_filetrans($1, tty_device_t, chr_file, "tty45")
+ dev_filetrans($1, tty_device_t, chr_file, "tty46")
+ dev_filetrans($1, tty_device_t, chr_file, "tty47")
+ dev_filetrans($1, tty_device_t, chr_file, "tty48")
+ dev_filetrans($1, tty_device_t, chr_file, "tty49")
+ dev_filetrans($1, tty_device_t, chr_file, "tty50")
+ dev_filetrans($1, tty_device_t, chr_file, "tty51")
+ dev_filetrans($1, tty_device_t, chr_file, "tty52")
+ dev_filetrans($1, tty_device_t, chr_file, "tty53")
+ dev_filetrans($1, tty_device_t, chr_file, "tty54")
+ dev_filetrans($1, tty_device_t, chr_file, "tty55")
+ dev_filetrans($1, tty_device_t, chr_file, "tty56")
+ dev_filetrans($1, tty_device_t, chr_file, "tty57")
+ dev_filetrans($1, tty_device_t, chr_file, "tty58")
+ dev_filetrans($1, tty_device_t, chr_file, "tty59")
+ dev_filetrans($1, tty_device_t, chr_file, "tty60")
+ dev_filetrans($1, tty_device_t, chr_file, "tty61")
+ dev_filetrans($1, tty_device_t, chr_file, "tty62")
+ dev_filetrans($1, tty_device_t, chr_file, "tty63")
+ dev_filetrans($1, tty_device_t, chr_file, "tty64")
+ dev_filetrans($1, tty_device_t, chr_file, "tty65")
+ dev_filetrans($1, tty_device_t, chr_file, "tty66")
+ dev_filetrans($1, tty_device_t, chr_file, "tty67")
+ dev_filetrans($1, tty_device_t, chr_file, "tty68")
+ dev_filetrans($1, tty_device_t, chr_file, "tty69")
+ dev_filetrans($1, tty_device_t, chr_file, "tty70")
+ dev_filetrans($1, tty_device_t, chr_file, "tty71")
+ dev_filetrans($1, tty_device_t, chr_file, "tty72")
+ dev_filetrans($1, tty_device_t, chr_file, "tty73")
+ dev_filetrans($1, tty_device_t, chr_file, "tty74")
+ dev_filetrans($1, tty_device_t, chr_file, "tty75")
+ dev_filetrans($1, tty_device_t, chr_file, "tty76")
+ dev_filetrans($1, tty_device_t, chr_file, "tty77")
+ dev_filetrans($1, tty_device_t, chr_file, "tty78")
+ dev_filetrans($1, tty_device_t, chr_file, "tty79")
+ dev_filetrans($1, tty_device_t, chr_file, "tty80")
+ dev_filetrans($1, tty_device_t, chr_file, "tty81")
+ dev_filetrans($1, tty_device_t, chr_file, "tty82")
+ dev_filetrans($1, tty_device_t, chr_file, "tty83")
+ dev_filetrans($1, tty_device_t, chr_file, "tty84")
+ dev_filetrans($1, tty_device_t, chr_file, "tty85")
+ dev_filetrans($1, tty_device_t, chr_file, "tty86")
+ dev_filetrans($1, tty_device_t, chr_file, "tty87")
+ dev_filetrans($1, tty_device_t, chr_file, "tty88")
+ dev_filetrans($1, tty_device_t, chr_file, "tty89")
+ dev_filetrans($1, tty_device_t, chr_file, "tty90")
+ dev_filetrans($1, tty_device_t, chr_file, "tty91")
+ dev_filetrans($1, tty_device_t, chr_file, "tty92")
+ dev_filetrans($1, tty_device_t, chr_file, "tty93")
+ dev_filetrans($1, tty_device_t, chr_file, "tty94")
+ dev_filetrans($1, tty_device_t, chr_file, "tty95")
+ dev_filetrans($1, tty_device_t, chr_file, "tty96")
+ dev_filetrans($1, tty_device_t, chr_file, "tty97")
+ dev_filetrans($1, tty_device_t, chr_file, "tty98")
+ dev_filetrans($1, tty_device_t, chr_file, "tty99")
+ dev_filetrans($1, tty_device_t, chr_file, "pty")
+ dev_filetrans($1, tty_device_t, chr_file, "pty0")
+ dev_filetrans($1, tty_device_t, chr_file, "pty1")
+ dev_filetrans($1, tty_device_t, chr_file, "pty2")
+ dev_filetrans($1, tty_device_t, chr_file, "pty3")
+ dev_filetrans($1, tty_device_t, chr_file, "pty4")
+ dev_filetrans($1, tty_device_t, chr_file, "pty5")
+ dev_filetrans($1, tty_device_t, chr_file, "pty6")
+ dev_filetrans($1, tty_device_t, chr_file, "pty7")
+ dev_filetrans($1, tty_device_t, chr_file, "pty8")
+ dev_filetrans($1, tty_device_t, chr_file, "pty9")
+ dev_filetrans($1, tty_device_t, chr_file, "pty10")
+ dev_filetrans($1, tty_device_t, chr_file, "pty11")
+ dev_filetrans($1, tty_device_t, chr_file, "pty12")
+ dev_filetrans($1, tty_device_t, chr_file, "pty13")
+ dev_filetrans($1, tty_device_t, chr_file, "pty14")
+ dev_filetrans($1, tty_device_t, chr_file, "pty15")
+ dev_filetrans($1, tty_device_t, chr_file, "pty16")
+ dev_filetrans($1, tty_device_t, chr_file, "pty17")
+ dev_filetrans($1, tty_device_t, chr_file, "pty18")
+ dev_filetrans($1, tty_device_t, chr_file, "pty19")
+ dev_filetrans($1, tty_device_t, chr_file, "pty20")
+ dev_filetrans($1, tty_device_t, chr_file, "pty21")
+ dev_filetrans($1, tty_device_t, chr_file, "pty22")
+ dev_filetrans($1, tty_device_t, chr_file, "pty23")
+ dev_filetrans($1, tty_device_t, chr_file, "pty24")
+ dev_filetrans($1, tty_device_t, chr_file, "pty25")
+ dev_filetrans($1, tty_device_t, chr_file, "pty26")
+ dev_filetrans($1, tty_device_t, chr_file, "pty27")
+ dev_filetrans($1, tty_device_t, chr_file, "pty28")
+ dev_filetrans($1, tty_device_t, chr_file, "pty29")
+ dev_filetrans($1, tty_device_t, chr_file, "pty30")
+ dev_filetrans($1, tty_device_t, chr_file, "pty31")
+ dev_filetrans($1, tty_device_t, chr_file, "pty32")
+ dev_filetrans($1, tty_device_t, chr_file, "pty33")
+ dev_filetrans($1, tty_device_t, chr_file, "pty34")
+ dev_filetrans($1, tty_device_t, chr_file, "pty35")
+ dev_filetrans($1, tty_device_t, chr_file, "pty36")
+ dev_filetrans($1, tty_device_t, chr_file, "pty37")
+ dev_filetrans($1, tty_device_t, chr_file, "pty38")
+ dev_filetrans($1, tty_device_t, chr_file, "pty39")
+ dev_filetrans($1, tty_device_t, chr_file, "pty40")
+ dev_filetrans($1, tty_device_t, chr_file, "pty41")
+ dev_filetrans($1, tty_device_t, chr_file, "pty42")
+ dev_filetrans($1, tty_device_t, chr_file, "pty43")
+ dev_filetrans($1, tty_device_t, chr_file, "pty44")
+ dev_filetrans($1, tty_device_t, chr_file, "pty45")
+ dev_filetrans($1, tty_device_t, chr_file, "pty46")
+ dev_filetrans($1, tty_device_t, chr_file, "pty47")
+ dev_filetrans($1, tty_device_t, chr_file, "pty48")
+ dev_filetrans($1, tty_device_t, chr_file, "pty49")
+ dev_filetrans($1, tty_device_t, chr_file, "pty50")
+ dev_filetrans($1, tty_device_t, chr_file, "pty51")
+ dev_filetrans($1, tty_device_t, chr_file, "pty52")
+ dev_filetrans($1, tty_device_t, chr_file, "pty53")
+ dev_filetrans($1, tty_device_t, chr_file, "pty54")
+ dev_filetrans($1, tty_device_t, chr_file, "pty55")
+ dev_filetrans($1, tty_device_t, chr_file, "pty56")
+ dev_filetrans($1, tty_device_t, chr_file, "pty57")
+ dev_filetrans($1, tty_device_t, chr_file, "pty58")
+ dev_filetrans($1, tty_device_t, chr_file, "pty59")
+ dev_filetrans($1, tty_device_t, chr_file, "pty60")
+ dev_filetrans($1, tty_device_t, chr_file, "pty61")
+ dev_filetrans($1, tty_device_t, chr_file, "pty62")
+ dev_filetrans($1, tty_device_t, chr_file, "pty63")
+ dev_filetrans($1, tty_device_t, chr_file, "pty64")
+ dev_filetrans($1, tty_device_t, chr_file, "pty65")
+ dev_filetrans($1, tty_device_t, chr_file, "pty66")
+ dev_filetrans($1, tty_device_t, chr_file, "pty67")
+ dev_filetrans($1, tty_device_t, chr_file, "pty68")
+ dev_filetrans($1, tty_device_t, chr_file, "pty69")
+ dev_filetrans($1, tty_device_t, chr_file, "pty70")
+ dev_filetrans($1, tty_device_t, chr_file, "pty71")
+ dev_filetrans($1, tty_device_t, chr_file, "pty72")
+ dev_filetrans($1, tty_device_t, chr_file, "pty73")
+ dev_filetrans($1, tty_device_t, chr_file, "pty74")
+ dev_filetrans($1, tty_device_t, chr_file, "pty75")
+ dev_filetrans($1, tty_device_t, chr_file, "pty76")
+ dev_filetrans($1, tty_device_t, chr_file, "pty77")
+ dev_filetrans($1, tty_device_t, chr_file, "pty78")
+ dev_filetrans($1, tty_device_t, chr_file, "pty79")
+ dev_filetrans($1, tty_device_t, chr_file, "pty80")
+ dev_filetrans($1, tty_device_t, chr_file, "pty81")
+ dev_filetrans($1, tty_device_t, chr_file, "pty82")
+ dev_filetrans($1, tty_device_t, chr_file, "pty83")
+ dev_filetrans($1, tty_device_t, chr_file, "pty84")
+ dev_filetrans($1, tty_device_t, chr_file, "pty85")
+ dev_filetrans($1, tty_device_t, chr_file, "pty86")
+ dev_filetrans($1, tty_device_t, chr_file, "pty87")
+ dev_filetrans($1, tty_device_t, chr_file, "pty88")
+ dev_filetrans($1, tty_device_t, chr_file, "pty89")
+ dev_filetrans($1, tty_device_t, chr_file, "pty90")
+ dev_filetrans($1, tty_device_t, chr_file, "pty91")
+ dev_filetrans($1, tty_device_t, chr_file, "pty92")
+ dev_filetrans($1, tty_device_t, chr_file, "pty93")
+ dev_filetrans($1, tty_device_t, chr_file, "pty94")
+ dev_filetrans($1, tty_device_t, chr_file, "pty95")
+ dev_filetrans($1, tty_device_t, chr_file, "pty96")
+ dev_filetrans($1, tty_device_t, chr_file, "pty97")
+ dev_filetrans($1, tty_device_t, chr_file, "pty98")
+ dev_filetrans($1, tty_device_t, chr_file, "pty99")
+ dev_filetrans($1, tty_device_t, chr_file, "adb0")
+ dev_filetrans($1, tty_device_t, chr_file, "adb1")
+ dev_filetrans($1, tty_device_t, chr_file, "adb2")
+ dev_filetrans($1, tty_device_t, chr_file, "adb3")
+ dev_filetrans($1, tty_device_t, chr_file, "adb4")
+ dev_filetrans($1, tty_device_t, chr_file, "adb5")
+ dev_filetrans($1, tty_device_t, chr_file, "adb6")
+ dev_filetrans($1, tty_device_t, chr_file, "adb7")
+ dev_filetrans($1, tty_device_t, chr_file, "adb8")
+ dev_filetrans($1, tty_device_t, chr_file, "adb9")
+ dev_filetrans($1, tty_device_t, chr_file, "capi0")
+ dev_filetrans($1, tty_device_t, chr_file, "capi1")
+ dev_filetrans($1, tty_device_t, chr_file, "capi2")
+ dev_filetrans($1, tty_device_t, chr_file, "capi3")
+ dev_filetrans($1, tty_device_t, chr_file, "capi4")
+ dev_filetrans($1, tty_device_t, chr_file, "capi5")
+ dev_filetrans($1, tty_device_t, chr_file, "capi6")
+ dev_filetrans($1, tty_device_t, chr_file, "capi7")
+ dev_filetrans($1, tty_device_t, chr_file, "capi8")
+ dev_filetrans($1, tty_device_t, chr_file, "capi9")
+ dev_filetrans($1, console_device_t, chr_file, "console")
+ dev_filetrans($1, tty_device_t, chr_file, "cu0")
+ dev_filetrans($1, tty_device_t, chr_file, "cu1")
+ dev_filetrans($1, tty_device_t, chr_file, "cu2")
+ dev_filetrans($1, tty_device_t, chr_file, "cu3")
+ dev_filetrans($1, tty_device_t, chr_file, "cu4")
+ dev_filetrans($1, tty_device_t, chr_file, "cu5")
+ dev_filetrans($1, tty_device_t, chr_file, "cu6")
+ dev_filetrans($1, tty_device_t, chr_file, "cu7")
+ dev_filetrans($1, tty_device_t, chr_file, "cu8")
+ dev_filetrans($1, tty_device_t, chr_file, "cu9")
+ dev_filetrans($1, tty_device_t, chr_file, "dcbri0")
+ dev_filetrans($1, tty_device_t, chr_file, "dcbri1")
+ dev_filetrans($1, tty_device_t, chr_file, "dcbri2")
+ dev_filetrans($1, tty_device_t, chr_file, "dcbri3")
+ dev_filetrans($1, tty_device_t, chr_file, "dcbri4")
+ dev_filetrans($1, tty_device_t, chr_file, "dcbri5")
+ dev_filetrans($1, tty_device_t, chr_file, "dcbri6")
+ dev_filetrans($1, tty_device_t, chr_file, "dcbri7")
+ dev_filetrans($1, tty_device_t, chr_file, "dcbri8")
+ dev_filetrans($1, tty_device_t, chr_file, "dcbri9")
+ dev_filetrans($1, tty_device_t, chr_file, "vcsa")
+ dev_filetrans($1, tty_device_t, chr_file, "vcsb")
+ dev_filetrans($1, tty_device_t, chr_file, "vcsc")
+ dev_filetrans($1, tty_device_t, chr_file, "vcsd")
+ dev_filetrans($1, tty_device_t, chr_file, "vcse")
+ dev_filetrans($1, tty_device_t, chr_file, "hvc0")
+ dev_filetrans($1, tty_device_t, chr_file, "hvc1")
+ dev_filetrans($1, tty_device_t, chr_file, "hvc2")
+ dev_filetrans($1, tty_device_t, chr_file, "hvc3")
+ dev_filetrans($1, tty_device_t, chr_file, "hvc4")
+ dev_filetrans($1, tty_device_t, chr_file, "hvc5")
+ dev_filetrans($1, tty_device_t, chr_file, "hvc6")
+ dev_filetrans($1, tty_device_t, chr_file, "hvc7")
+ dev_filetrans($1, tty_device_t, chr_file, "hvc8")
+ dev_filetrans($1, tty_device_t, chr_file, "hvc9")
+ dev_filetrans($1, tty_device_t, chr_file, "hvsi0")
+ dev_filetrans($1, tty_device_t, chr_file, "hvsi1")
+ dev_filetrans($1, tty_device_t, chr_file, "hvsi2")
+ dev_filetrans($1, tty_device_t, chr_file, "hvsi3")
+ dev_filetrans($1, tty_device_t, chr_file, "hvsi4")
+ dev_filetrans($1, tty_device_t, chr_file, "hvsi5")
+ dev_filetrans($1, tty_device_t, chr_file, "hvsi6")
+ dev_filetrans($1, tty_device_t, chr_file, "hvsi7")
+ dev_filetrans($1, tty_device_t, chr_file, "hvsi8")
+ dev_filetrans($1, tty_device_t, chr_file, "hvsi9")
+ dev_filetrans($1, tty_device_t, chr_file, "ircomm0")
+ dev_filetrans($1, tty_device_t, chr_file, "ircomm1")
+ dev_filetrans($1, tty_device_t, chr_file, "ircomm2")
+ dev_filetrans($1, tty_device_t, chr_file, "ircomm3")
+ dev_filetrans($1, tty_device_t, chr_file, "ircomm4")
+ dev_filetrans($1, tty_device_t, chr_file, "ircomm5")
+ dev_filetrans($1, tty_device_t, chr_file, "ircomm6")
+ dev_filetrans($1, tty_device_t, chr_file, "ircomm7")
+ dev_filetrans($1, tty_device_t, chr_file, "ircomm8")
+ dev_filetrans($1, tty_device_t, chr_file, "ircomm9")
+ dev_filetrans($1, tty_device_t, chr_file, "isdn0")
+ dev_filetrans($1, tty_device_t, chr_file, "isdn1")
+ dev_filetrans($1, tty_device_t, chr_file, "isdn2")
+ dev_filetrans($1, tty_device_t, chr_file, "isdn3")
+ dev_filetrans($1, tty_device_t, chr_file, "isdn4")
+ dev_filetrans($1, tty_device_t, chr_file, "isdn5")
+ dev_filetrans($1, tty_device_t, chr_file, "isdn6")
+ dev_filetrans($1, tty_device_t, chr_file, "isdn7")
+ dev_filetrans($1, tty_device_t, chr_file, "isdn8")
+ dev_filetrans($1, tty_device_t, chr_file, "isdn9")
+ filetrans_pattern($1, devpts_t, ptmx_t, chr_file, "ptmx")
+ dev_filetrans($1, ptmx_t, chr_file, "ptmx")
+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm0")
+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm1")
+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm2")
+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm3")
+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm4")
+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm5")
+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm6")
+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm7")
+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm8")
+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm9")
+ dev_filetrans($1, tty_device_t, chr_file, "slamr0")
+ dev_filetrans($1, tty_device_t, chr_file, "slamr1")
+ dev_filetrans($1, tty_device_t, chr_file, "slamr2")
+ dev_filetrans($1, tty_device_t, chr_file, "slamr3")
+ dev_filetrans($1, tty_device_t, chr_file, "slamr4")
+ dev_filetrans($1, tty_device_t, chr_file, "slamr5")
+ dev_filetrans($1, tty_device_t, chr_file, "slamr6")
+ dev_filetrans($1, tty_device_t, chr_file, "slamr7")
+ dev_filetrans($1, tty_device_t, chr_file, "slamr8")
+ dev_filetrans($1, tty_device_t, chr_file, "slamr9")
+ dev_filetrans($1, tty_device_t, chr_file, "ttyS0")
+ dev_filetrans($1, tty_device_t, chr_file, "ttyS1")
+ dev_filetrans($1, tty_device_t, chr_file, "ttyS2")
+ dev_filetrans($1, tty_device_t, chr_file, "ttyS3")
+ dev_filetrans($1, tty_device_t, chr_file, "ttyS4")
+ dev_filetrans($1, tty_device_t, chr_file, "ttyS5")
+ dev_filetrans($1, tty_device_t, chr_file, "ttyS6")
+ dev_filetrans($1, tty_device_t, chr_file, "ttyS7")
+ dev_filetrans($1, tty_device_t, chr_file, "ttyS8")
+ dev_filetrans($1, tty_device_t, chr_file, "ttyS9")
+ dev_filetrans($1, tty_device_t, chr_file, "ttySG0")
+ dev_filetrans($1, tty_device_t, chr_file, "ttySG1")
+ dev_filetrans($1, tty_device_t, chr_file, "ttySG2")
+ dev_filetrans($1, tty_device_t, chr_file, "ttySG3")
+ dev_filetrans($1, tty_device_t, chr_file, "ttySG4")
+ dev_filetrans($1, tty_device_t, chr_file, "ttySG5")
+ dev_filetrans($1, tty_device_t, chr_file, "ttySG6")
+ dev_filetrans($1, tty_device_t, chr_file, "ttySG7")
+ dev_filetrans($1, tty_device_t, chr_file, "ttySG8")
+ dev_filetrans($1, tty_device_t, chr_file, "ttySG9")
+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB0")
+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB1")
+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB2")
+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB3")
+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB4")
+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB5")
+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB6")
+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB7")
+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB8")
+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB9")
+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p0")
+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p1")
+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p2")
+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p3")
+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p4")
+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p5")
+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p6")
+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p7")
+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p8")
+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p9")
+ dev_filetrans($1, devpts_t, dir, "pts")
+ dev_filetrans($1, tty_device_t, chr_file, "xvc0")
+ dev_filetrans($1, tty_device_t, chr_file, "xvc1")
+ dev_filetrans($1, tty_device_t, chr_file, "xvc2")
+ dev_filetrans($1, tty_device_t, chr_file, "xvc3")
+ dev_filetrans($1, tty_device_t, chr_file, "xvc4")
+ dev_filetrans($1, tty_device_t, chr_file, "xvc5")
+ dev_filetrans($1, tty_device_t, chr_file, "xvc6")
+ dev_filetrans($1, tty_device_t, chr_file, "xvc7")
+ dev_filetrans($1, tty_device_t, chr_file, "xvc8")
+ dev_filetrans($1, tty_device_t, chr_file, "xvc9")
+')
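Review bot: The named transitions in term_filetrans_all_named_dev() stop at index 9 for every family (ttyS0–9, ttyUSB0–9, hvc0–9, rfcomm0–9) and cover only `vport0p0`–`vport0p9`, whereas the terminal.fc hunk in this same patch labels `/dev/vport[0-9]p[0-9]+` and `/dev/ttyUSB[0-9]+` without an upper bound; a host with a second virtio-serial controller (`vport1p0`) or more than ten USB serial adapters creates a node that matches no transition and presumably keeps the parent directory's type until something relabels it. Since this list cannot express ranges, a comment stating the limit and that the .fc regexes remain the authority for relabeling would help: `# named transitions only cover indices 0-9 (and vport0pN); higher-numbered nodes rely on udev/restorecon applying terminal.fc`. The `vcsa`..`vcse` entries do not correspond to any pattern in the visible terminal.fc hunk and, as far as I know, the real nodes are `vcs<N>`/`vcsa<N>`, so they look like a transcription slip worth confirming. The unindented gen_require block is a style nit relative to the rest of the file.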
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 2241b7d..b0ab494 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
+dev_associate(devpts_t)
#
# devtty_t is the type of /dev/tty.
@@ -56,3 +57,9 @@ dev_node(tty_device_t)
#
type usbtty_device_t, serial_device;
dev_node(usbtty_device_t)
+
+#
+# virtio_device_t is the type of /dev/vport[0-9]p[0-9]
+#
+type virtio_device_t, serial_device;
+dev_node(virtio_device_t)
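Review bot: The comment added for virtio_device_t describes /dev/vport[0-9]p[0-9], but the named transitions added in the preceding terminal.if hunk only cover "vport0p0" through "vport0p9", so vport1p* and higher nodes created through that interface would not receive this type unless a terminal.fc pattern, not visible here, labels them. Either narrow the comment to what is actually transitioned, `# virtio_device_t is the type of /dev/vport0p[0-9] (see dev_filetrans rules in terminal.if)`, or confirm the .fc entry covers the other port groups and say so in the comment.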
diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc
new file mode 100644
index 0000000..f310b9d
--- /dev/null
+++ b/policy/modules/kernel/unlabelednet.fc
@@ -0,0 +1 @@
+# No unlabelednet file contexts.
diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if
new file mode 100644
index 0000000..0ce0470
--- /dev/null
+++ b/policy/modules/kernel/unlabelednet.if
@@ -0,0 +1 @@
+## <summary> Policy for allowing confined domains to use unlabeled_t packets</summary>
diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te
new file mode 100644
index 0000000..e1ebd1a
--- /dev/null
+++ b/policy/modules/kernel/unlabelednet.te
@@ -0,0 +1,3 @@
+policy_module(unlabelednet, 1.0)
+
+corenet_enable_unlabeled_packets()
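Review bot: The module body is a single `corenet_enable_unlabeled_packets()` call with no comment on its scope, and the one-line .if summary is the only statement that it concerns confined domains in general. Because installing this module presumably changes packet access for every confined domain rather than for one service, a comment in the .te would help an administrator decide whether to load it; suggest `# Loading this module lets confined domains send and receive unlabeled_t packets; omit it on systems that rely on labeled networking.`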
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 0faef68..4264c9c 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -22,16 +22,21 @@ corecmd_exec_shell(auditadm_t)
domain_kill_all_domains(auditadm_t)
+selinux_read_policy(auditadm_t)
+
logging_send_syslog_msg(auditadm_t)
logging_read_generic_logs(auditadm_t)
logging_manage_audit_log(auditadm_t)
logging_manage_audit_config(auditadm_t)
logging_run_auditctl(auditadm_t, auditadm_r)
logging_run_auditd(auditadm_t, auditadm_r)
+logging_stream_connect_syslog(auditadm_t)
seutil_run_runinit(auditadm_t, auditadm_r)
seutil_read_bin_policy(auditadm_t)
+userdom_dontaudit_search_admin_dir(auditadm_t)
+
optional_policy(`
consoletype_exec(auditadm_t)
')
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index 1875064..e9c9277 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -37,6 +37,7 @@ files_list_var(dbadm_t)
selinux_get_enforce_mode(dbadm_t)
logging_send_syslog_msg(dbadm_t)
+logging_send_audit_msgs(dbadm_t)
userdom_dontaudit_search_user_home_dirs(dbadm_t)
@@ -58,3 +59,7 @@ optional_policy(`
optional_policy(`
postgresql_admin(dbadm_t, dbadm_r)
')
+
+optional_policy(`
+ sudo_role_template(dbadm, dbadm_r, dbadm_t)
+')
diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
index 1cb7311..1de82b2 100644
--- a/policy/modules/roles/guest.te
+++ b/policy/modules/roles/guest.te
@@ -9,9 +9,15 @@ role guest_r;
userdom_restricted_user_template(guest)
+kernel_read_system_state(guest_t)
+
########################################
#
# Local policy
#
-#gen_user(guest_u,, guest_r, s0, s0)
+optional_policy(`
+ apache_role(guest_r, guest_t)
+')
+
+gen_user(guest_u, user, guest_r, s0, s0)
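Review bot: `apache_role(guest_r, guest_t)` extends the restricted guest role beyond what `userdom_restricted_user_template` provides, and neither it nor `kernel_read_system_state(guest_t)` carries a comment on why a guest login needs the Apache user-content role or /proc system state. `gen_user(guest_u, user, guest_r, s0, s0)` is also now active rather than commented out, so guest_u is declared wherever guest.te is built. A one-line comment above the optional block, e.g. `# guest_r needs apache_role for <reason placeholder>`, would record the intent.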
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index be4de58..7e8b6ec 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -9,6 +9,8 @@ role secadm_r;
userdom_unpriv_user_template(secadm)
userdom_security_admin_template(secadm_t, secadm_r)
+userdom_inherit_append_admin_home_files(secadm_t)
+userdom_read_admin_home_files(secadm_t)
########################################
#
@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t)
mls_file_downgrade(secadm_t)
auth_role(secadm_r, secadm_t)
-auth_relabel_all_files_except_shadow(secadm_t)
-auth_relabel_shadow(secadm_t)
+files_relabel_all_files(secadm_t)
init_exec(secadm_t)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2be17d2..bfabe3f 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
role staff_r;
userdom_unpriv_user_template(staff)
+fs_exec_noxattr(staff_t)
+
+# needed for sandbox
+allow staff_t self:process setexec;
########################################
#
# Local policy
#
+kernel_read_ring_buffer(staff_usertype)
+kernel_getattr_core_if(staff_usertype)
+kernel_getattr_message_if(staff_usertype)
+kernel_read_software_raid_state(staff_usertype)
+kernel_read_fs_sysctls(staff_usertype)
+
+fs_read_hugetlbfs_files(staff_usertype)
+
+dev_read_cpuid(staff_usertype)
+
+domain_read_all_domains_state(staff_usertype)
+domain_getattr_all_domains(staff_usertype)
+domain_obj_id_change_exemption(staff_t)
+
+files_read_kernel_modules(staff_usertype)
+
+seutil_read_module_store(staff_t)
+seutil_run_newrole(staff_t, staff_r)
+
+storage_read_scsi_generic(staff_t)
+storage_write_scsi_generic(staff_t)
+
+term_use_unallocated_ttys(staff_usertype)
+
+auth_domtrans_pam_console(staff_t)
+
+init_dbus_chat(staff_t)
+init_dbus_chat_script(staff_t)
+
+miscfiles_read_hwdata(staff_usertype)
+
+ifndef(`enable_mls',`
+ selinux_read_policy(staff_t)
+')
+
+optional_policy(`
+ abrt_cache_read(staff_t)
+')
+
optional_policy(`
apache_role(staff_r, staff_t)
')
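Review bot: `storage_read_scsi_generic(staff_t)` and `storage_write_scsi_generic(staff_t)` give an unprivileged user role direct read/write on SCSI generic device nodes with no comment or tunable; that access bypasses the filesystem layer and is usually left to a dedicated application domain. The same hunk also widens staff_usertype with kernel ring-buffer, all-domain state and unallocated-tty access, again without explanation. Consider gating the scsi_generic pair behind a boolean, or at minimum documenting the use case, e.g. `# staff needs raw SCSI generic access for <use case placeholder>`.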
@@ -27,19 +70,113 @@ optional_policy(`
')
optional_policy(`
+ accountsd_dbus_chat(staff_t)
+ accountsd_read_lib_files(staff_t)
+')
+
+optional_policy(`
+ chrome_role(staff_r, staff_usertype)
+')
+
+optional_policy(`
+ colord_dbus_chat(staff_t)
+')
+
+optional_policy(`
+ gnomeclock_dbus_chat(staff_t)
+')
+
+optional_policy(`
+ firewallgui_dbus_chat(staff_t)
+')
+
+optional_policy(`
+ gnome_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ irc_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ lpd_list_spool(staff_t)
+')
+
+optional_policy(`
+ mock_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ kerneloops_dbus_chat(staff_t)
+')
+
+optional_policy(`
+ logadm_role_change(staff_r)
+')
+
+optional_policy(`
+ mozilla_run_plugin(staff_usertype, staff_r)
+')
+
+optional_policy(`
+ modutils_read_module_config(staff_usertype)
+ modutils_read_module_deps(staff_usertype)
+')
+
+optional_policy(`
+ netutils_run_ping(staff_t, staff_r)
+ netutils_run_traceroute(staff_t, staff_r)
+ netutils_signal_ping(staff_t)
+ netutils_kill_ping(staff_t)
+')
+
+optional_policy(`
+ oident_manage_user_content(staff_t)
+ oident_relabel_user_content(staff_t)
+')
+
+optional_policy(`
+ mta_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ mysql_exec(staff_t)
+')
+
+optional_policy(`
+ polipo_role(staff_r, staff_t)
+ polipo_named_filetrans_cache_home_dirs(staff_t)
+ polipo_named_filetrans_config_home_files(staff_t)
+')
+
+optional_policy(`
postgresql_role(staff_r, staff_t)
')
optional_policy(`
+ qemu_run(staff_t, staff_r)
+ virt_manage_tmpfs_files(staff_t)
+ virt_filetrans_home_content(staff_t)
+')
+
+optional_policy(`
+ rtkit_scheduled(staff_t)
+')
+
+optional_policy(`
+ rpm_dbus_chat(staff_usertype)
+')
+
+optional_policy(`
secadm_role_change(staff_r)
')
optional_policy(`
- ssh_role_template(staff, staff_r, staff_t)
+ sandbox_transition(staff_t, staff_r)
')
optional_policy(`
- sudo_role_template(staff, staff_r, staff_t)
+ screen_role_template(staff, staff_r, staff_t)
')
optional_policy(`
@@ -48,10 +185,48 @@ optional_policy(`
')
optional_policy(`
+ setroubleshoot_stream_connect(staff_t)
+ setroubleshoot_dbus_chat(staff_t)
+ setroubleshoot_dbus_chat_fixit(staff_t)
+')
+
+optional_policy(`
+ ssh_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+ sudo_role_template(staff, staff_r, staff_t)
+')
+
+#optional_policy(`
+# telepathy_dbus_session_role(staff_r, staff_t)
+#')
+
+optional_policy(`
+ userhelper_console_role_template(staff, staff_r, staff_usertype)
+')
+
+optional_policy(`
+ unconfined_role_change(staff_r)
+')
+
+optional_policy(`
+ virt_stream_connect(staff_t)
+')
+
+optional_policy(`
vlock_run(staff_t, staff_r)
')
optional_policy(`
+ vnstatd_read_lib_files(staff_t)
+')
+
+optional_policy(`
+ webadm_role_change(staff_r)
+')
+
+optional_policy(`
xserver_role(staff_r, staff_t)
')
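Review bot: `unconfined_role_change(staff_r)` allows a staff_r session to change into unconfined_r (through newrole or sudo), so together with the re-added `sudo_role_template(staff, staff_r, staff_t)` the staff role's confinement ends up depending on sudoers configuration rather than on policy; that boundary deserves a comment, e.g. `# staff_r may change to unconfined_r; staff confinement relies on sudoers/newrole configuration`. The `#optional_policy(` ... `telepathy_dbus_session_role` ... `#')` block is commented-out code and should be removed or gated by a tunable rather than left in the file. `ssh_role_template` and `sudo_role_template` are removed in the previous hunk and re-added here, so for them the net change is only a move.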
@@ -89,18 +264,10 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- gnome_role(staff_r, staff_t)
- ')
-
- optional_policy(`
gpg_role(staff_r, staff_t)
')
optional_policy(`
- irc_role(staff_r, staff_t)
- ')
-
- optional_policy(`
java_role(staff_r, staff_t)
')
@@ -121,10 +288,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- mta_role(staff_r, staff_t)
- ')
-
- optional_policy(`
pyzor_role(staff_r, staff_t)
')
@@ -137,10 +300,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- screen_role_template(staff, staff_r, staff_t)
- ')
-
- optional_policy(`
spamassassin_role(staff_r, staff_t)
')
@@ -172,3 +331,7 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
+
+tunable_policy(`allow_execmod',`
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e14b961..7cd6d4f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,51 @@ ifndef(`enable_mls',`
#
# Local policy
#
+kernel_read_fs_sysctls(sysadm_t)
corecmd_exec_shell(sysadm_t)
+domain_dontaudit_read_all_domains_state(sysadm_t)
+
+files_read_kernel_modules(sysadm_t)
+
+dev_filetrans_all_named_dev(sysadm_t)
+storage_filetrans_all_named_dev(sysadm_t)
+term_filetrans_all_named_dev(sysadm_t)
+
mls_process_read_up(sysadm_t)
+mls_file_read_to_clearance(sysadm_t)
+mls_process_write_to_clearance(sysadm_t)
+
+storage_setattr_fixed_disk_dev(sysadm_t)
ubac_process_exempt(sysadm_t)
ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)
+application_exec(sysadm_t)
+
init_exec(sysadm_t)
+init_exec_script_files(sysadm_t)
+init_dbus_chat(sysadm_t)
+init_script_role_transition(sysadm_r)
+
+miscfiles_read_hwdata(sysadm_t)
+
+sysnet_filetrans_named_content(sysadm_t)
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
+userdom_manage_user_tmp_dirs(sysadm_t)
+userdom_manage_user_tmp_files(sysadm_t)
+userdom_manage_user_tmp_symlinks(sysadm_t)
+userdom_manage_user_tmp_chr_files(sysadm_t)
+userdom_manage_user_tmp_blk_files(sysadm_t)
+
+optional_policy(`
+ ssh_filetrans_admin_home_content(sysadm_t)
+')
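Review bot: `mls_file_read_to_clearance(sysadm_t)` and `mls_process_write_to_clearance(sysadm_t)` widen sysadm_t's MLS exemptions beyond the existing `mls_process_read_up`, and nothing in the hunk records why; the `ifndef(`enable_mls')` context in the hunk header shows this file is built for both configurations, so a comment such as `# MLS: sysadm may read files and write to processes up to its clearance` would help. The `userdom_manage_user_tmp_chr_files` and `userdom_manage_user_tmp_blk_files` additions are unusual for tmp handling and could use a line naming the tool that creates device nodes under user tmp. The enclosing local-policy section continues outside the hunk.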
ifdef(`direct_sysadm_daemon',`
optional_policy(`
@@ -55,6 +86,7 @@ ifndef(`enable_mls',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r)
+ logging_stream_connect_syslog(sysadm_t)
')
tunable_policy(`allow_ptrace',`
@@ -67,9 +99,9 @@ optional_policy(`
optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
+ apache_filetrans_home_content(sysadm_t)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
- apache_role(sysadm_r, sysadm_t)
')
optional_policy(`
@@ -98,6 +130,10 @@ optional_policy(`
')
optional_policy(`
+ certmonger_dbus_chat(sysadm_t)
+')
+
+optional_policy(`
certwatch_run(sysadm_t, sysadm_r)
')
@@ -110,11 +146,19 @@ optional_policy(`
')
optional_policy(`
+ cron_admin_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
consoletype_run(sysadm_t, sysadm_r)
')
optional_policy(`
- cvs_exec(sysadm_t)
+ daemonstools_run_start(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
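Review bot: `dbus_role_template(sysadm, sysadm_r, sysadm_t)` is now called unconditionally here while the same call remains as context inside the `ifndef(`distro_redhat')` block in the `@@ -418,10 +499,6 @@` hunk, so non-Red Hat builds invoke the template twice; if the template declares types, as role templates typically do, that is a duplicate declaration at build time, and otherwise it is redundant. The same pattern appears for `xserver_role(sysadm_r, sysadm_t)`, which is unconditional in the `@@ -367,45 +448,45 @@` hunk and added again inside the guard in the final hunk. Keep one copy of each, outside the guard if the intent is to grant it on all distributions.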
optional_policy(`
@@ -128,6 +172,10 @@ optional_policy(`
')
optional_policy(`
+ devicekit_filetrans_named_content(sysadm_t)
+')
+
+optional_policy(`
dmesg_exec(sysadm_t)
')
@@ -163,6 +211,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
+ ipsec_run_setkey(sysadm_t, sysadm_r)
+ ipsec_run_racoon(sysadm_t, sysadm_r)
+ ipsec_stream_connect_racoon(sysadm_t)
+
+ optional_policy(`
+ ipsec_mgmt_dbus_chat(sysadm_t)
+ ')
')
optional_policy(`
@@ -170,15 +225,20 @@ optional_policy(`
')
optional_policy(`
- kudzu_run(sysadm_t, sysadm_r)
+ irc_role(sysadm_r, sysadm_t)
')
optional_policy(`
- libs_run_ldconfig(sysadm_t, sysadm_r)
+ kerberos_exec_kadmind(sysadm_t)
+ kerberos_filetrans_named_content(sysadm_t)
+')
+
+optional_policy(`
+ kudzu_run(sysadm_t, sysadm_r)
')
optional_policy(`
- lockdev_role(sysadm_r, sysadm_t)
+ libs_run_ldconfig(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -198,22 +258,19 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
+ modutils_read_module_deps(sysadm_t)
')
optional_policy(`
mount_run(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
- mozilla_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- mplayer_role(sysadm_r, sysadm_t)
+ mount_run_showmount(sysadm_t, sysadm_r)
')
optional_policy(`
mta_role(sysadm_r, sysadm_t)
+ # this is defined in userdom_common_user_template
+ #mta_filetrans_home_content(sysadm_t)
+ mta_filetrans_admin_home_content(sysadm_t)
')
optional_policy(`
@@ -225,25 +282,47 @@ optional_policy(`
')
optional_policy(`
+ ncftool_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
')
optional_policy(`
+ networkmanager_filetrans_named_content(sysadm_t)
+')
+
+optional_policy(`
ntp_stub()
corenet_udp_bind_ntp_port(sysadm_t)
')
optional_policy(`
+ nx_filetrans_named_content(sysadm_t)
+')
+
+optional_policy(`
oav_run_update(sysadm_t, sysadm_r)
')
optional_policy(`
+ openvpn_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
pcmcia_run_cardctl(sysadm_t, sysadm_r)
')
optional_policy(`
+ polipo_role(sysadm_r, sysadm_t)
+ polipo_named_filetrans_admin_cache_home_dirs(sysadm_t)
+ polipo_named_filetrans_admin_config_home_files(sysadm_t)
+')
+
+optional_policy(`
portage_run(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
')
@@ -253,19 +332,19 @@ optional_policy(`
')
optional_policy(`
- pyzor_role(sysadm_r, sysadm_t)
+ prelink_run(sysadm_t, sysadm_r)
')
optional_policy(`
- quota_run(sysadm_t, sysadm_r)
+ puppet_run_puppetca(sysadm_t, sysadm_r)
')
optional_policy(`
- raid_run_mdadm(sysadm_r, sysadm_t)
+ quota_run(sysadm_t, sysadm_r)
')
optional_policy(`
- razor_role(sysadm_r, sysadm_t)
+ raid_domtrans_mdadm(sysadm_t)
')
optional_policy(`
@@ -274,10 +353,7 @@ optional_policy(`
optional_policy(`
rpm_run(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
- rssh_role(sysadm_r, sysadm_t)
+ rpm_dbus_chat(sysadm_t, sysadm_r)
')
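Review bot: `rpm_dbus_chat(sysadm_t, sysadm_r)` passes a second argument, whereas the staff.te hunk calls `rpm_dbus_chat(staff_usertype)` with one; m4 ignores surplus arguments, so this builds but reads as though a role were being granted. Unless the interface really takes a role parameter, change it to `rpm_dbus_chat(sysadm_t)` for consistency with the other call site.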
optional_policy(`
@@ -302,12 +378,18 @@ optional_policy(`
')
optional_policy(`
+ setroubleshoot_stream_connect(sysadm_t)
+ setroubleshoot_dbus_chat(sysadm_t)
+ setroubleshoot_dbus_chat_fixit(sysadm_t)
+')
+
+optional_policy(`
seutil_run_setfiles(sysadm_t, sysadm_r)
seutil_run_runinit(sysadm_t, sysadm_r)
')
optional_policy(`
- spamassassin_role(sysadm_r, sysadm_t)
+ shutdown_run(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -332,7 +414,10 @@ optional_policy(`
')
optional_policy(`
- thunderbird_role(sysadm_r, sysadm_t)
+ systemd_passwd_agent_run(sysadm_t, sysadm_r)
+ systemd_config_all_services(sysadm_t)
+ systemd_manage_all_unit_files(sysadm_t)
+ systemd_manage_all_unit_lnk_files(sysadm_t)
')
optional_policy(`
@@ -343,19 +428,15 @@ optional_policy(`
')
optional_policy(`
- tvtime_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
tzdata_domtrans(sysadm_t)
')
optional_policy(`
- uml_role(sysadm_r, sysadm_t)
+ unconfined_domtrans(sysadm_t)
')
optional_policy(`
- unconfined_domtrans(sysadm_t)
+ udev_run(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -367,45 +448,45 @@ optional_policy(`
')
optional_policy(`
- userhelper_role_template(sysadm, sysadm_r, sysadm_t)
-')
-
-optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
')
optional_policy(`
- vmware_role(sysadm_r, sysadm_t)
+ virt_stream_connect(sysadm_t)
+ virt_filetrans_home_content(sysadm_t)
')
optional_policy(`
- vpn_run(sysadm_t, sysadm_r)
+ vlock_run(sysadm_t, sysadm_r)
')
optional_policy(`
- webalizer_run(sysadm_t, sysadm_r)
+ vpn_run(sysadm_t, sysadm_r)
')
optional_policy(`
- wireshark_role(sysadm_r, sysadm_t)
+ webalizer_run(sysadm_t, sysadm_r)
')
optional_policy(`
- vlock_run(sysadm_t, sysadm_r)
+ xserver_role(sysadm_r, sysadm_t)
')
optional_policy(`
- xserver_role(sysadm_r, sysadm_t)
+ yam_run(sysadm_t, sysadm_r)
')
optional_policy(`
- yam_run(sysadm_t, sysadm_r)
+ zebra_stream_connect(sysadm_t)
')
ifndef(`distro_redhat',`
optional_policy(`
+ apache_role(sysadm_r, sysadm_t)
+ ')
+ optional_policy(`
auth_role(sysadm_r, sysadm_t)
')
@@ -418,10 +499,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- cron_admin_role(sysadm_r, sysadm_t)
- ')
-
- optional_policy(`
dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
@@ -439,6 +516,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role(sysadm_r, sysadm_t)
+ gnome_filetrans_admin_home_content(sysadm_t)
')
optional_policy(`
@@ -446,11 +524,66 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- irc_role(sysadm_r, sysadm_t)
+ java_role(sysadm_r, sysadm_t)
')
optional_policy(`
- java_role(sysadm_r, sysadm_t)
+ lockdev_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ mock_admin(sysadm_t)
+ ')
+
+ optional_policy(`
+ mozilla_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ mplayer_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ pyzor_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ razor_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ rssh_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ spamassassin_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ thunderbird_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ tvtime_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ uml_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ userhelper_role_template(sysadm, sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ vmware_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ wireshark_role(sysadm_r, sysadm_t)
')
-')
+ optional_policy(`
+ xserver_role(sysadm_r, sysadm_t)
+ ')
+')
diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc
new file mode 100644
index 0000000..0e8654b
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.fc
@@ -0,0 +1,8 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+
+/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
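Review bot: The three entries label vncserver, xrdp and xrdp-sesman as unconfined_exec_t so that init runs them unconfined, which the header comment itself calls a stopgap; xrdp is a remote-desktop service that accepts network connections, and running it in unconfined_t takes it out of policy enforcement entirely. The comment should spell out that consequence and point at the tracking item for a real policy, e.g. `# xrdp/xrdp-sesman accept remote connections and currently run unconfined; tracked in <TRACKER-ID placeholder>`, so the exception does not outlive its intent.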
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
new file mode 100644
index 0000000..8b2cdf3
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.if
@@ -0,0 +1,687 @@
+## <summary>Unconfiend user role</summary>
+
+########################################
+## <summary>
+## Change from the unconfineduser role.
+## </summary>
+## <desc>
+## <p>
+## Change from the unconfineduser role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`unconfined_role_change_to',`
+ gen_require(`
+ role unconfined_r;
+ ')
+
+ allow unconfined_r $1;
+')
+
+########################################
+## <summary>
+## Transition to the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_domtrans',`
+ gen_require(`
+ type unconfined_t, unconfined_exec_t;
+ ')
+
+ domtrans_pattern($1,unconfined_exec_t,unconfined_t)
+')
+
+########################################
+## <summary>
+## Execute specified programs in the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the unconfined domain.
+## </summary>
+## </param>
+#
+interface(`unconfined_run',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ unconfined_domtrans($1)
+ role $2 types unconfined_t;
+')
+
+########################################
+## <summary>
+## Transition to the unconfined domain by executing a shell.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_shell_domtrans',`
+ gen_require(`
+ attribute unconfined_login_domain;
+ ')
+ typeattribute $1 unconfined_login_domain;
+')
+
+########################################
+## <summary>
+## Allow unconfined to execute the specified program in
+## the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Allow unconfined to execute the specified program in
+## the specified domain.
+## </p>
+## <p>
+## This is a interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to execute in.
+## </summary>
+## </param>
+## <param name="entry_file">
+## <summary>
+## Domain entry point file.
+## </summary>
+## </param>
+#
+interface(`unconfined_domtrans_to',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ domtrans_pattern(unconfined_t,$2,$1)
+')
+
+########################################
+## <summary>
+## Allow unconfined to execute the specified program in
+## the specified domain. Allow the specified domain the
+## unconfined role and use of unconfined user terminals.
+## </summary>
+## <desc>
+## <p>
+## Allow unconfined to execute the specified program in
+## the specified domain. Allow the specified domain the
+## unconfined role and use of unconfined user terminals.
+## </p>
+## <p>
+## This is a interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to execute in.
+## </summary>
+## </param>
+## <param name="entry_file">
+## <summary>
+## Domain entry point file.
+## </summary>
+## </param>
+#
+interface(`unconfined_run_to',`
+ gen_require(`
+ type unconfined_t;
+ role unconfined_r;
+ ')
+
+ domtrans_pattern(unconfined_t,$2,$1)
+ role unconfined_r types $1;
+ userdom_use_user_terminals($1)
+')
+
+########################################
+## <summary>
+## Inherit file descriptors from the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_use_fds',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fd use;
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_sigchld',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Send a SIGNULL signal to the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_signull',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process signull;
+')
+
+########################################
+## <summary>
+## Send a SIGNULL signal to the unconfined execmem domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_execmem_signull',`
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ allow $1 unconfined_execmem_t:process signull;
+')
+
+########################################
+## <summary>
+## Send a signal to the unconfined execmem domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_execmem_signal',`
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ allow $1 unconfined_execmem_t:process signal;
+')
+
+########################################
+## <summary>
+## Send generic signals to the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_signal',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process signal;
+')
+
+########################################
+## <summary>
+## Read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_read_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_read_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:fifo_file read;
+')
+
+########################################
+## <summary>
+## Read and write unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_rw_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unconfined domain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_stream',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Connect to the unconfined domain using
+## a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_stream_connect',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## unconfined domain tcp sockets.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to read or write
+## unconfined domain tcp sockets.
+## </p>
+## <p>
+## This interface was added due to a broken
+## symptom in ldconfig.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## unconfined domain packet sockets.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to read or write
+## unconfined domain packet sockets.
+## </p>
+## <p>
+## This interface was added due to a broken
+## symptom.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_packet_sockets',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:packet_socket { read write };
+')
+
+########################################
+## <summary>
+## Create keys for the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_create_keys',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:key create;
+')
+
+########################################
+## <summary>
+## Send messages to the unconfined domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_dbus_send',`
+ gen_require(`
+ type unconfined_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 unconfined_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## unconfined_t over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_dbus_chat',`
+ gen_require(`
+ type unconfined_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 unconfined_t:dbus send_msg;
+ allow unconfined_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Connect to the the unconfined DBUS
+## for service (acquire_svc).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_dbus_connect',`
+ gen_require(`
+ type unconfined_t;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 unconfined_t:dbus acquire_svc;
+')
+
+########################################
+## <summary>
+## Allow ptrace of unconfined domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_ptrace',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process ptrace;
+')
+
+########################################
+## <summary>
+## Read and write to unconfined shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`unconfined_rw_shm',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Read and write to unconfined execmem shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`unconfined_execmem_rw_shm',`
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ allow $1 unconfined_execmem_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Transition to the unconfined_execmem domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_execmem_domtrans',`
+
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ execmem_domtrans($1, unconfined_execmem_t)
+')
+
+########################################
+## <summary>
+## execute the execmem applications
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_execmem_exec',`
+
+ gen_require(`
+ type execmem_exec_t;
+ ')
+
+ can_exec($1, execmem_exec_t)
+')
+
+########################################
+## <summary>
+## Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_set_rlimitnh',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process rlimitinh;
+')
+
+########################################
+## <summary>
+## Get the process group of unconfined.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_getpgid',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process getpgid;
+')
+
+########################################
+## <summary>
+## Change to the unconfined role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`unconfined_role_change',`
+ gen_require(`
+ role unconfined_r;
+ ')
+
+ allow $1 unconfined_r;
+')
+
+########################################
+## <summary>
+## Allow domain to attach to TUN devices created by unconfined_t users.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_attach_tun_iface',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
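Review bot: `unconfined_dontaudit_rw_pipes` dontaudits `unconfined_t:fifo_file rw_file_perms` while its allow counterpart `unconfined_rw_pipes` uses `rw_fifo_file_perms`; whether or not the two macros expand to the same set, the fifo-specific set is the consistent choice, so `dontaudit $1 unconfined_t:fifo_file rw_fifo_file_perms;`. The file summary reads `Unconfiend user role` (typo), and the summary of `unconfined_set_rlimitnh`, "Allow apps to set rlimits on userdomain", does not describe what the body grants, which is `process rlimitinh` against unconfined_t, i.e. inheriting resource limits across a transition from it; suggest `## Allow the domain to inherit resource limits from unconfined_t (process rlimitinh).`. The interface name itself misspells rlimitinh, but renaming it would break callers, so only the documentation should change.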
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
index 0000000..fcc8949
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,503 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+attribute unconfined_login_domain;
+
+## <desc>
+## <p>
+## allow unconfined users to transition to the nsplugin domains when running nspluginviewer
+## </p>
+## </desc>
+gen_tunable(allow_unconfined_nsplugin_transition, false)
+
+## <desc>
+## <p>
+## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
+## </p>
+## </desc>
+gen_tunable(unconfined_chrome_sandbox_transition, false)
+
+## <desc>
+## <p>
+## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
+## </p>
+## </desc>
+gen_tunable(unconfined_mozilla_plugin_transition, false)
+
+## <desc>
+## <p>
+## Allow vidio playing tools to tun unconfined
+## </p>
+## </desc>
+gen_tunable(unconfined_mplayer, false)
+
+## <desc>
+## <p>
+## Allow a user to login as an unconfined domain
+## </p>
+## </desc>
+gen_tunable(unconfined_login, true)
+
+# usage in this module of types created by these
+# calls is not correct, however we dont currently
+# have another method to add access to these types
+userdom_base_user_template(unconfined)
+userdom_manage_home_role(unconfined_r, unconfined_t)
+userdom_manage_tmp_role(unconfined_r, unconfined_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
+userdom_unpriv_usertype(unconfined, unconfined_t)
+
+type unconfined_exec_t;
+init_system_domain(unconfined_t, unconfined_exec_t)
+role unconfined_r types unconfined_t;
+role_transition system_r unconfined_exec_t unconfined_r;
+allow system_r unconfined_r;
+
+domain_user_exemption_target(unconfined_t)
+allow system_r unconfined_r;
+allow unconfined_r system_r;
+init_script_role_transition(unconfined_r)
+role system_r types unconfined_t;
+typealias unconfined_t alias unconfined_crontab_t;
+
+########################################
+#
+# Local policy
+#
+
+dontaudit unconfined_t self:dir write;
+dontaudit unconfined_t self:file setattr;
+
+allow unconfined_t self:system syslog_read;
+dontaudit unconfined_t self:capability sys_module;
+
+kernel_rw_unlabeled_socket(unconfined_t)
+kernel_rw_unlabeled_rawip_socket(unconfined_t)
+
+files_create_boot_flag(unconfined_t)
+files_create_default_dir(unconfined_t)
+files_root_filetrans_default(unconfined_t, dir)
+
+dev_filetrans_all_named_dev(unconfined_t)
+storage_filetrans_all_named_dev(unconfined_t)
+term_filetrans_all_named_dev(unconfined_t)
+
+authlogin_filetrans_named_content(unconfined_t)
+
+sysnet_filetrans_named_content(unconfined_t)
+
+optional_policy(`
+ ssh_filetrans_admin_home_content(unconfined_t)
+')
+
+mcs_killall(unconfined_t)
+mcs_ptrace_all(unconfined_t)
+mls_file_write_all_levels(unconfined_t)
+
+init_run_daemon(unconfined_t, unconfined_r)
+init_domtrans_script(unconfined_t)
+init_telinit(unconfined_t)
+
+libs_run_ldconfig(unconfined_t, unconfined_r)
+
+logging_send_syslog_msg(unconfined_t)
+logging_run_auditctl(unconfined_t, unconfined_r)
+
+systemd_config_all_services(unconfined_t)
+
+seutil_run_loadpolicy(unconfined_t, unconfined_r)
+seutil_run_setsebool(unconfined_t, unconfined_r)
+seutil_run_setfiles(unconfined_t, unconfined_r)
+seutil_run_semanage(unconfined_t, unconfined_r)
+
+unconfined_domain_noaudit(unconfined_t)
+
+userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
+
+usermanage_run_passwd(unconfined_t, unconfined_r)
+usermanage_run_chfn(unconfined_t, unconfined_r)
+
+tunable_policy(`allow_execmem',`
+ allow unconfined_t self:process execmem;
+')
+
+tunable_policy(`allow_execmem && allow_execstack',`
+ allow unconfined_t self:process execstack;
+')
+
+tunable_policy(`allow_execmod',`
+ userdom_execmod_user_home_files(unconfined_usertype)
+')
+
+tunable_policy(`unconfined_login',`
+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
+ allow unconfined_t unconfined_login_domain:fd use;
+ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
+ allow unconfined_t unconfined_login_domain:process sigchld;
+')
+
+optional_policy(`
+ gen_require(`
+ attribute unconfined_usertype;
+ ')
+
+ nsplugin_role_notrans(unconfined_r, unconfined_usertype)
+ optional_policy(`
+ tunable_policy(`allow_unconfined_nsplugin_transition',`
+ nsplugin_domtrans(unconfined_usertype)
+ nsplugin_domtrans_config(unconfined_usertype)
+ ')
+ ')
+
+ optional_policy(`
+ abrt_dbus_chat(unconfined_usertype)
+ abrt_run_helper(unconfined_usertype, unconfined_r)
+ ')
+
+ optional_policy(`
+ avahi_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ certmonger_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ devicekit_dbus_chat(unconfined_usertype)
+ devicekit_dbus_chat_disk(unconfined_usertype)
+ devicekit_dbus_chat_power(unconfined_usertype)
+ devicekit_filetrans_named_content(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(unconfined_usertype)
+ networkmanager_filetrans_named_content(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ policykit_role(unconfined_r, unconfined_usertype)
+ ')
+
+ optional_policy(`
+ rtkit_scheduled(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ setroubleshoot_dbus_chat(unconfined_usertype)
+ setroubleshoot_dbus_chat_fixit(unconfined_t)
+ ')
+
+ optional_policy(`
+ sandbox_transition(unconfined_usertype, unconfined_r)
+ ')
+
+ optional_policy(`
+ shutdown_run(unconfined_t, unconfined_r)
+ ')
+
+ optional_policy(`
+ tzdata_run(unconfined_usertype, unconfined_r)
+ ')
+
+ optional_policy(`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ xserver_rw_session(unconfined_usertype, user_tmpfs_t)
+ xserver_run_xauth(unconfined_usertype, unconfined_r)
+ xserver_dbus_chat_xdm(unconfined_usertype)
+ ')
+')
+
+ifdef(`distro_gentoo',`
+ seutil_run_runinit(unconfined_t, unconfined_r)
+ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ accountsd_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
+ ada_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ alsa_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ apache_run_helper(unconfined_t, unconfined_r)
+ apache_filetrans_home_content(unconfined_t)
+')
+
+optional_policy(`
+ bind_run_ndc(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ bootloader_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ chrome_role_notrans(unconfined_r, unconfined_usertype)
+
+ tunable_policy(`unconfined_chrome_sandbox_transition',`
+ chrome_domtrans_sandbox(unconfined_usertype)
+ ')
+')
+
+optional_policy(`
+ dbus_role_template(unconfined, unconfined_r, unconfined_t)
+
+ optional_policy(`
+ unconfined_domain(unconfined_dbusd_t)
+ unconfined_execmem_domtrans(unconfined_dbusd_t)
+
+ optional_policy(`
+ xserver_rw_shm(unconfined_dbusd_t)
+ ')
+ ')
+
+ init_dbus_chat(unconfined_usertype)
+ init_dbus_chat_script(unconfined_usertype)
+
+ dbus_stub(unconfined_t)
+
+ optional_policy(`
+ bluetooth_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ cups_dbus_chat_config(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ fprintd_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ gnomeclock_dbus_chat(unconfined_usertype)
+ gnome_dbus_chat_gconfdefault(unconfined_usertype)
+ gnome_filetrans_admin_home_content(unconfined_usertype)
+ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
+ ')
+
+ optional_policy(`
+ ipsec_mgmt_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ kerneloops_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)
+ ')
+
+ optional_policy(`
+ oddjob_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ vpn_dbus_chat(unconfined_usertype)
+ ')
+')
+
+optional_policy(`
+ firewallgui_dbus_chat(unconfined_usertype)
+')
+
+optional_policy(`
+ dnsmasq_filetrans_named_content(unconfined_t)
+')
+
+optional_policy(`
+ firstboot_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ ftp_run_ftpdctl(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ gpsd_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ java_run_unconfined(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ kerberos_filetrans_named_content(unconfined_t)
+')
+
+optional_policy(`
+ livecd_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ lpd_run_checkpc(unconfined_t, unconfined_r)
+')
+
+#optional_policy(`
+# mock_role(unconfined_r, unconfined_t)
+#')
+
+optional_policy(`
+ modutils_run_update_mods(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ mono_role_template(unconfined, unconfined_r, unconfined_t)
+ unconfined_domain_noaudit(unconfined_mono_t)
+ role system_r types unconfined_mono_t;
+')
+
+
+optional_policy(`
+ mozilla_role_plugin(unconfined_r)
+
+ tunable_policy(`unconfined_mozilla_plugin_transition', `
+ mozilla_domtrans_plugin(unconfined_usertype)
+ ')
+')
+
+optional_policy(`
+ mta_filetrans_named_content(unconfined_t)
+')
+
+optional_policy(`
+ ncftool_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ nx_filetrans_named_content(unconfined_t)
+')
+
+optional_policy(`
+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ prelink_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ portmap_run_helper(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ pulseaudio_filetrans_admin_home_content(unconfined_usertype)
+')
+
+optional_policy(`
+ quota_filetrans_named_content(unconfined_t)
+')
+
+optional_policy(`
+ rpm_run(unconfined_t, unconfined_r)
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t)
+ rpm_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
+ optional_policy(`
+ samba_run_unconfined_net(unconfined_t, unconfined_r)
+ ')
+
+ samba_role_notrans(unconfined_r)
+# samba_run_winbind_helper(unconfined_t, unconfined_r)
+ samba_run_smbcontrol(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ sysnet_run_dhcpc(unconfined_t, unconfined_r)
+ sysnet_dbus_chat_dhcpc(unconfined_t)
+ sysnet_role_transition_dhcpc(unconfined_r)
+')
+
+optional_policy(`
+ vbetool_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ virt_transition_svirt(unconfined_t, unconfined_r)
+ virt_filetrans_home_content(unconfined_t)
+')
+
+optional_policy(`
+ vpn_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ webalizer_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ wine_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ xserver_run(unconfined_t, unconfined_r)
+ xserver_manage_home_fonts(unconfined_t)
+')
+
+########################################
+#
+# Unconfined Execmem Local policy
+#
+
+optional_policy(`
+ execmem_role_template(unconfined, unconfined_r, unconfined_t)
+ typealias unconfined_execmem_t alias execmem_t;
+ typealias unconfined_execmem_t alias unconfined_openoffice_t;
+ unconfined_domain_noaudit(unconfined_execmem_t)
+ allow unconfined_execmem_t unconfined_t:process transition;
+ rpm_transition_script(unconfined_execmem_t)
+ role system_r types unconfined_execmem_t;
+
+ optional_policy(`
+ init_dbus_chat_script(unconfined_execmem_t)
+ dbus_system_bus_client(unconfined_execmem_t)
+ unconfined_dbus_chat(unconfined_execmem_t)
+ unconfined_dbus_connect(unconfined_execmem_t)
+ ')
+
+ optional_policy(`
+ tunable_policy(`allow_unconfined_nsplugin_transition',`', `
+ nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)
+ ')
+ ')
+
+ optional_policy(`
+ tunable_policy(`unconfined_login',`
+ mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
+ ')
+ ')
+
+ optional_policy(`
+ openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
+ ')
+')
+
+########################################
+#
+# Unconfined mount local policy
+#
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
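Review bot: The `unconfined_mplayer` boolean declared near the top of this new file is never referenced: the only mplayer rule, `mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)` in the execmem section, is wrapped in `tunable_policy(`unconfined_login',`, so toggling `unconfined_mplayer` does nothing and the login boolean silently controls it. Change that guard to `tunable_policy(`unconfined_mplayer',`. Separately, `allow system_r unconfined_r;` appears twice in the declarations (once after the role_transition and again after domain_user_exemption_target); one copy can go. The `unconfined_mplayer` description also has typos and should read `Allow video playing tools to run unconfined`.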
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index e5bfdd4..e5a8559 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -12,15 +12,93 @@ role user_r;
userdom_unpriv_user_template(user)
+fs_exec_noxattr(user_t)
+fs_read_hugetlbfs_files(user_usertype)
+
+storage_read_scsi_generic(user_t)
+storage_write_scsi_generic(user_t)
+
+tunable_policy(`allow_execmod',`
+ userdom_execmod_user_home_files(user_usertype)
+')
+
+optional_policy(`
+ abrt_cache_read(user_t)
+')
+
optional_policy(`
apache_role(user_r, user_t)
')
optional_policy(`
+ colord_dbus_chat(user_t)
+')
+
+optional_policy(`
+ chrome_role(user_r, user_usertype)
+')
+
+optional_policy(`
+ gnome_role(user_r, user_t)
+')
+
+optional_policy(`
+ irc_role(user_r, user_t)
+')
+
+optional_policy(`
+ oident_manage_user_content(user_t)
+ oident_relabel_user_content(user_t)
+')
+
+optional_policy(`
+ mozilla_run_plugin(user_usertype, user_r)
+')
+
+optional_policy(`
+ mta_role(user_r, user_t)
+')
+
+optional_policy(`
+ netutils_run_ping_cond(user_t, user_r)
+ netutils_run_traceroute_cond(user_t, user_r)
+')
+
+optional_policy(`
+ polipo_role(user_r, user_t)
+ polipo_named_filetrans_cache_home_dirs(user_t)
+ polipo_named_filetrans_config_home_files(user_t)
+')
+
+optional_policy(`
+ rpm_dontaudit_dbus_chat(user_t)
+')
+
+optional_policy(`
+ rtkit_scheduled(user_t)
+')
+
+optional_policy(`
+ sandbox_transition(user_t, user_r)
+')
+
+optional_policy(`
+ ssh_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
screen_role_template(user, user_r, user_t)
')
optional_policy(`
+ setroubleshoot_dontaudit_stream_connect(user_t)
+')
+
+#optional_policy(`
+# telepathy_dbus_session_role(user_r, user_t)
+#')
+
+optional_policy(`
vlock_run(user_t, user_r)
')
@@ -62,19 +140,11 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- gnome_role(user_r, user_t)
- ')
-
- optional_policy(`
gpg_role(user_r, user_t)
')
optional_policy(`
- hadoop_role(user_r, user_t)
- ')
-
- optional_policy(`
- irc_role(user_r, user_t)
+ hadoop_role(user_r, user_t)
')
optional_policy(`
@@ -98,10 +168,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- mta_role(user_r, user_t)
- ')
-
- optional_policy(`
postgresql_role(user_r, user_t)
')
@@ -118,11 +184,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- spamassassin_role(user_r, user_t)
- ')
-
- optional_policy(`
- ssh_role_template(user, user_r, user_t)
+ spamassassin_role(user_r, user_t)
')
optional_policy(`
@@ -157,3 +219,4 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
+
diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te
index 0ecc786..dbf2710 100644
--- a/policy/modules/roles/webadm.te
+++ b/policy/modules/roles/webadm.te
@@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t)
seutil_domtrans_setfiles(webadm_t)
logging_send_syslog_msg(webadm_t)
+logging_send_audit_msgs(webadm_t)
userdom_dontaudit_search_user_home_dirs(webadm_t)
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
index e88b95f..1cd57fd 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
## <desc>
## <p>
-## Allow xguest to configure Network Manager
+## Allow xguest users to configure Network Manager and connect to apache ports
## </p>
## </desc>
gen_tunable(xguest_connect_network, true)
## <desc>
## <p>
-## Allow xguest to use blue tooth devices
+## Allow xguest users to use blue tooth devices
## </p>
## </desc>
gen_tunable(xguest_use_bluetooth, true)
@@ -29,12 +29,12 @@ gen_tunable(xguest_use_bluetooth, true)
role xguest_r;
userdom_restricted_xwindows_user_template(xguest)
+sysnet_dns_name_resolve(xguest_t)
########################################
#
# Local policy
#
-
ifndef(`enable_mls',`
fs_exec_noxattr(xguest_t)
@@ -49,11 +49,23 @@ ifndef(`enable_mls',`
')
')
+optional_policy(`
+ # Dontaudit fusermount
+ mount_dontaudit_exec_fusermount(xguest_t)
+')
+
+allow xguest_t self:process execmem;
+kernel_dontaudit_request_load_module(xguest_t)
+
+tunable_policy(`allow_execstack',`
+ allow xguest_t self:process execstack;
+')
+
# Allow mounting of file systems
optional_policy(`
tunable_policy(`xguest_mount_media',`
kernel_read_fs_sysctls(xguest_t)
-
+ kernel_request_load_module(xguest_t)
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
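Review bot: `allow xguest_t self:process execmem;` is granted unconditionally here while `execstack` just below is behind `allow_execstack`, and the unconfined user domain in this same patch gates execmem on `allow_execmem`; for the most restricted login domain an unconditional execmem grant is the wrong default. Wrap it as `tunable_policy(`allow_execmem',` allow xguest_t self:process execmem; ')` and make the execstack guard `allow_execmem && allow_execstack` to match. Separately, `kernel_request_load_module(xguest_t)` inside `xguest_mount_media` lets a guest trigger kernel module autoloading (presumably for filesystem drivers on removable media), which exposes every autoloadable module's parser to the guest; a comment naming the intended trigger, and whether the `kernel_dontaudit_request_load_module` above is meant to cover the non-media case, would help the next reviewer.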
@@ -62,10 +74,9 @@ optional_policy(`
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
+ fs_mount_fusefs(xguest_t)
auth_list_pam_console_data(xguest_t)
-
- init_read_utmp(xguest_t)
')
')
@@ -76,23 +87,102 @@ optional_policy(`
')
optional_policy(`
+ chrome_role(xguest_r, xguest_usertype)
+')
+
+optional_policy(`
hal_dbus_chat(xguest_t)
')
optional_policy(`
- java_role(xguest_r, xguest_t)
+ apache_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ gnome_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ gnomeclock_dontaudit_dbus_chat(xguest_t)
+')
+
+optional_policy(`
+ java_role_template(xguest, xguest_r, xguest_t)
+')
+
+optional_policy(`
+ mono_role_template(xguest, xguest_r, xguest_t)
+')
+
+optional_policy(`
+ mozilla_run_plugin(xguest_usertype, xguest_r)
+')
+
+optional_policy(`
+ nsplugin_role(xguest_r, xguest_t)
')
optional_policy(`
- mozilla_role(xguest_r, xguest_t)
+ pcscd_read_pub_files(xguest_usertype)
+ pcscd_stream_connect(xguest_usertype)
+')
+
+optional_policy(`
+ rhsmcertd_dontaudit_dbus_chat(xguest_t)
')
optional_policy(`
tunable_policy(`xguest_connect_network',`
+ kernel_read_network_state(xguest_usertype)
+
networkmanager_dbus_chat(xguest_t)
- corenet_tcp_connect_pulseaudio_port(xguest_t)
- corenet_tcp_connect_ipp_port(xguest_t)
+ networkmanager_read_lib_files(xguest_t)
+ corenet_tcp_connect_pulseaudio_port(xguest_usertype)
+ corenet_all_recvfrom_unlabeled(xguest_usertype)
+ corenet_all_recvfrom_netlabel(xguest_usertype)
+ corenet_tcp_sendrecv_generic_if(xguest_usertype)
+ corenet_raw_sendrecv_generic_if(xguest_usertype)
+ corenet_tcp_sendrecv_generic_node(xguest_usertype)
+ corenet_raw_sendrecv_generic_node(xguest_usertype)
+ corenet_tcp_sendrecv_http_port(xguest_usertype)
+ corenet_tcp_sendrecv_http_cache_port(xguest_usertype)
+ corenet_tcp_sendrecv_squid_port(xguest_usertype)
+ corenet_tcp_sendrecv_ftp_port(xguest_usertype)
+ corenet_tcp_sendrecv_ipp_port(xguest_usertype)
+ corenet_tcp_connect_http_port(xguest_usertype)
+ corenet_tcp_connect_http_cache_port(xguest_usertype)
+ corenet_tcp_connect_squid_port(xguest_usertype)
+ corenet_tcp_connect_flash_port(xguest_usertype)
+ corenet_tcp_connect_ftp_port(xguest_usertype)
+ corenet_tcp_connect_ipp_port(xguest_usertype)
+ corenet_tcp_connect_generic_port(xguest_usertype)
+ corenet_tcp_connect_soundd_port(xguest_usertype)
+ corenet_sendrecv_http_client_packets(xguest_usertype)
+ corenet_sendrecv_http_cache_client_packets(xguest_usertype)
+ corenet_sendrecv_squid_client_packets(xguest_usertype)
+ corenet_sendrecv_ftp_client_packets(xguest_usertype)
+ corenet_sendrecv_ipp_client_packets(xguest_usertype)
+ corenet_sendrecv_generic_client_packets(xguest_usertype)
+ # Should not need other ports
+ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype)
+ corenet_dontaudit_tcp_bind_generic_port(xguest_usertype)
+ corenet_tcp_connect_speech_port(xguest_usertype)
+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
+ ')
+
+ #optional_policy(`
+ # telepathy_dbus_session_role(xguest_r, xguest_t)
+ #')
+')
+
+optional_policy(`
+ gen_require(`
+ type mozilla_t;
')
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
')
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
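Review bot: The `xguest_connect_network` block in this hunk grants far more than its description (`configure Network Manager and connect to apache ports`) states: `corenet_tcp_connect_generic_port`, `corenet_tcp_connect_ftp_port`, `corenet_tcp_connect_flash_port`, `corenet_tcp_connect_soundd_port`, the speech and transproxy ports, plus `corenet_all_recvfrom_unlabeled`, and the boolean defaults to true. With the generic port grant the guest account can reach essentially any unreserved TCP port by default, which undercuts the point of a locked-down guest role. Either trim the list to the web/proxy ports the description promises, or move the broader grants behind a separate boolean that defaults off, and in any case update the `<desc>` text so administrators know what the boolean really opens. The hand-written `allow xguest_t mozilla_t:process transition; role xguest_r types mozilla_t;` at the end bypasses the mozilla interfaces and carries no comment saying why `mozilla_run_plugin` above is not enough.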
diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
index 1bd5812..0d7d8d1 100644
--- a/policy/modules/services/abrt.fc
+++ b/policy/modules/services/abrt.fc
@@ -1,13 +1,13 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-
/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
+
/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
@@ -15,6 +15,19 @@
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+
+# ABRT retrace server
+/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
+
+/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+
+# cjp: new version
+/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
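Review bot: `# cjp: new version` is an author-initials comment that tells a later reader nothing about what is new; since both path sets are labeled with the same `abrt_retrace_*` types, say that instead: `# retrace-server paths: same worker/cache/spool types as abrt-retrace above`. If the old `abrt-retrace` paths are no longer shipped, drop them rather than carry both sets.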
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
index 0b827c5..bfb68b2 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
type abrt_t;
')
+ kernel_search_proc($1)
ps_process_pattern($1, abrt_t)
')
@@ -160,8 +161,44 @@ interface(`abrt_run_helper',`
########################################
## <summary>
-## Send and receive messages from
-## abrt over dbus.
+## Read abrt cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_cache_read',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
+########################################
+## <summary>
+## Append abrt cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_cache_append',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+ append_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
+########################################
+## <summary>
+## Manage abrt cache
## </summary>
## <param name="domain">
## <summary>
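Review bot: `abrt_cache_read` grants `read_files_pattern` and `read_lnk_files_pattern` on `abrt_var_cache_t` but not `list_dirs_pattern`, so a caller can open a file whose path it already knows but cannot enumerate the cache directory; the retrace readers added later in this file do include `list_dirs_pattern`, so add `list_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)` here for consistency (and `files_search_var($1)`, since callers otherwise need that from elsewhere). The hunk also replaces the `Send and receive messages from abrt over dbus` summary of the interface that follows with `Manage abrt cache`; that interface's body is outside the hunk, so please confirm it really is the cache-manage interface and not `abrt_dbus_chat`, which unconfineduser.te in this same patch still calls.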
@@ -253,6 +290,24 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
+########################################
+## <summary>
+## Read and write abrt fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_rw_fifo_file',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
#####################################
## <summary>
## All of the rules required to administrate
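Review bot: `abrt_rw_fifo_file` uses `rw_inherited_fifo_file_perms`, which, going by the name (it is not defined in this file), excludes `open`, so the interface only lets a domain use a pipe it inherited from abrt_t, while its summary says `Read and write abrt fifo files`. Make the doc match the grant: `## Read and write inherited abrt fifo files (no open).`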
@@ -286,18 +341,116 @@ interface(`abrt_admin',`
role_transition $2 abrt_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, abrt_etc_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, abrt_var_log_t)
- files_search_var($1)
+ files_list_var($1)
admin_pattern($1, abrt_var_cache_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, abrt_var_run_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, abrt_tmp_t)
')
+
+####################################
+## <summary>
+## Execute abrt-retrace in the abrt-retrace domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`abrt_domtrans_retrace_worker',`
+ gen_require(`
+ type abrt_retrace_worker_t, abrt_retrace_worker_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t)
+')
+
+######################################
+## <summary>
+## Manage abrt retrace server cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_manage_spool_retrace',`
+ gen_require(`
+ type abrt_retrace_spool_t;
+ ')
+
+ manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+')
+
+#####################################
+## <summary>
+## Read abrt retrace server cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_spool_retrace',`
+ gen_require(`
+ type abrt_retrace_spool_t;
+ ')
+
+ list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+')
+
+
+#####################################
+## <summary>
+## Read abrt retrace server cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_cache_retrace',`
+ gen_require(`
+ type abrt_retrace_cache_t;
+ ')
+
+ list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+ read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write abrt sock files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`abrt_dontaudit_write_sock_file',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ dontaudit $1 abrt_t:sock_file write;
+')
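Review bot: `abrt_admin` in this hunk is widened from search to list on /etc, /var, logs, pids and tmp, but it is not extended to the types this same patch introduces: `abrt_retrace_cache_t` and `abrt_retrace_spool_t` get read/manage interfaces below yet no `admin_pattern` in `abrt_admin`, so an admin role can manage the daemon's data but not the retrace server's. Add `admin_pattern($1, abrt_retrace_cache_t)` and `admin_pattern($1, abrt_retrace_spool_t)` alongside the existing ones; the start of `abrt_admin` (its `gen_require` and process rules) is outside this hunk, and presumably needs the new domains and types added too. The summaries of `abrt_manage_spool_retrace` and `abrt_read_spool_retrace` both say `retrace server cache` although they operate on the spool type; they should read `Manage abrt retrace server spool` and `Read abrt retrace server spool`.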
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
index 30861ec..bd5ff95 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
# Declarations
#
-type abrt_t;
+## <desc>
+## <p>
+## Allow ABRT to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(abrt_anon_write, false)
+
+## <desc>
+## <p>
+## Allow ABRT to run in abrt_handle_event_t domain
+## to handle ABRT event scripts
+## </p>
+## </desc>
+gen_tunable(abrt_handle_event, false)
+
+attribute abrt_domain;
+
+type abrt_t, abrt_domain;
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)
@@ -32,9 +50,20 @@ files_type(abrt_var_cache_t)
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
+type abrt_dump_oops_t, abrt_domain;
+type abrt_dump_oops_exec_t;
+init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
+
+# type for abrt-handle-event to handle
+# ABRT event scripts
+type abrt_handle_event_t, abrt_domain;
+type abrt_handle_event_exec_t;
+application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
+role system_r types abrt_handle_event_t;
+
# type needed to allow all domains
# to handle /var/cache/abrt
-type abrt_helper_t;
+type abrt_helper_t, abrt_domain;
type abrt_helper_exec_t;
application_domain(abrt_helper_t, abrt_helper_exec_t)
role system_r types abrt_helper_t;
@@ -43,14 +72,34 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')
+#
+# Support for ABRT retrace server
+#
+
+type abrt_retrace_worker_t, abrt_domain;
+type abrt_retrace_worker_exec_t;
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+role system_r types abrt_retrace_worker_t;
+
+type abrt_retrace_coredump_t, abrt_domain;
+type abrt_retrace_coredump_exec_t;
+application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
+role system_r types abrt_retrace_coredump_t;
+
+type abrt_retrace_cache_t;
+files_type(abrt_retrace_cache_t)
+
+type abrt_retrace_spool_t;
+files_spool_file(abrt_retrace_spool_t)
+
########################################
#
# abrt local policy
#
-allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
dontaudit abrt_t self:capability sys_rawio;
-allow abrt_t self:process { signal signull setsched getsched };
+allow abrt_t self:process { sigkill signal signull setsched getsched };
allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
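Review bot: The capability line now adds `fowner` and `fsetid` to abrt_t with no comment, on top of the `chown` and `dac_override` it already had; together these let the daemon bypass ownership checks and keep setuid/setgid bits on files it modifies, which is a broad DAC bypass for a service that parses untrusted crash dumps. If these were added to silence a specific denial, record it above the rule, e.g. `# fowner/fsetid: <operation that needs them>`, and drop whichever of the two the actual operation does not require. `sigkill` is only on `self:process` here, so that addition is harmless.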
@@ -59,6 +108,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
# abrt etc files
+list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
# log file
@@ -68,7 +118,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
# abrt tmp files
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+can_exec(abrt_t, abrt_tmp_t)
# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
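Review bot: `can_exec(abrt_t, abrt_tmp_t)` lets the daemon execute files in a directory it also creates and writes (`manage_files_pattern` on `abrt_tmp_t` just above), so any bug that lets attacker-controlled crash data influence what abrt writes to its temp dir becomes code execution inside abrt_t; write-then-execute on a domain's own tmp type is exactly what the tmp/exec separation is meant to prevent. If this is for generated event scripts, the `abrt_handle_event_t` domain introduced later in this patch is the better home for the exec, with the scripts labeled as an exec type rather than `abrt_tmp_t`. At minimum add a comment naming what gets executed so the grant can be revisited.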
@@ -82,10 +134,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
-files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
kernel_read_ring_buffer(abrt_t)
-kernel_read_system_state(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
corecmd_exec_bin(abrt_t)
@@ -104,6 +155,7 @@ corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
+dev_read_rand(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)
@@ -113,7 +165,8 @@ domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
-files_read_etc_files(abrt_t)
+files_read_config_files(abrt_t)
+files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
@@ -121,6 +174,8 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
+files_dontaudit_read_all_symlinks(abrt_t)
+files_dontaudit_getattr_all_sockets(abrt_t)
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
@@ -131,15 +186,23 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
-sysnet_read_config(abrt_t)
+sysnet_dns_name_resolve(abrt_t)
logging_read_generic_logs(abrt_t)
-logging_send_syslog_msg(abrt_t)
miscfiles_read_generic_certs(abrt_t)
-miscfiles_read_localization(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
+
+tunable_policy(`abrt_anon_write',`
+ miscfiles_manage_public_files(abrt_t)
+')
+
+optional_policy(`
+ apache_list_modules(abrt_t)
+ apache_read_modules(abrt_t)
+')
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
@@ -150,6 +213,11 @@ optional_policy(`
')
optional_policy(`
+ nsplugin_read_rw_files(abrt_t)
+ nsplugin_read_home(abrt_t)
+')
+
+optional_policy(`
policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
@@ -167,6 +235,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
+ rpm_manage_log(abrt_t)
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
@@ -178,12 +247,35 @@ optional_policy(`
')
optional_policy(`
+ sosreport_domtrans(abrt_t)
+ sosreport_read_tmp_files(abrt_t)
+ sosreport_delete_tmp_files(abrt_t)
+')
+
+optional_policy(`
sssd_stream_connect(abrt_t)
')
+#######################################
+#
+# abrt-handle-event local policy
+#
+
+allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
+
+tunable_policy(`abrt_handle_event',`
+ domtrans_pattern(abrt_t, abrt_handle_event_exec_t, abrt_handle_event_t)
+',`
+ can_exec(abrt_t, abrt_handle_event_exec_t)
+')
+
+optional_policy(`
+ unconfined_domain(abrt_handle_event_t)
+')
+
########################################
#
-# abrt--helper local policy
+# abrt-helper local policy
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
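Review bot: The `optional_policy(` unconfined_domain(abrt_handle_event_t) ')` block hands the event-handler domain the full unconfined ruleset whenever the unconfined module is present, so with the `abrt_handle_event` boolean on the `domtrans_pattern(abrt_t, abrt_handle_event_exec_t, abrt_handle_event_t)` line becomes a transition from a confined daemon into an unconfined one, and nothing in the hunk records why the handlers cannot stay in abrt_t as the `else` branch (`can_exec(abrt_t, abrt_handle_event_exec_t)`) does. A comment above the tunable such as `# event handlers are arbitrary scripts; with abrt_handle_event on they run unconfined, off they run inside abrt_t` would make the tradeoff visible to whoever flips the boolean. The `gen_tunable` for abrt_handle_event and the declarations of abrt_handle_event_t/abrt_handle_event_exec_t are outside this hunk, so I could not confirm they live in the same module.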
@@ -200,23 +292,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+corecmd_read_all_executables(abrt_helper_t)
+
domain_read_all_domains_state(abrt_helper_t)
-files_read_etc_files(abrt_helper_t)
+files_dontaudit_all_non_security_leaks(abrt_helper_t)
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
auth_use_nsswitch(abrt_helper_t)
-logging_send_syslog_msg(abrt_helper_t)
-
-miscfiles_read_localization(abrt_helper_t)
-
term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
-ifdef(`hide_broken_symptoms', `
+ifdef(`hide_broken_symptoms',`
+ domain_dontaudit_leaks(abrt_helper_t)
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
@@ -224,4 +315,126 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
+')
+
+ifdef(`hide_broken_symptoms',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
+')
+
+#######################################
+#
+# abrt retrace coredump policy
+#
+
+allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
+
+list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
+read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
+read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
+
+list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+
+corecmd_exec_bin(abrt_retrace_coredump_t)
+corecmd_exec_shell(abrt_retrace_coredump_t)
+
+dev_read_urand(abrt_retrace_coredump_t)
+
+files_read_usr_files(abrt_retrace_coredump_t)
+
+sysnet_dns_name_resolve(abrt_retrace_coredump_t)
+
+# to install debuginfo packages
+optional_policy(`
+ rpm_exec(abrt_retrace_coredump_t)
+ rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
+ rpm_manage_cache(abrt_retrace_coredump_t)
+ rpm_manage_log(abrt_retrace_coredump_t)
+ rpm_manage_pid_files(abrt_retrace_coredump_t)
+ rpm_read_db(abrt_retrace_coredump_t)
+ rpm_signull(abrt_retrace_coredump_t)
+')
+
+#######################################
+#
+# abrt retrace worker policy
+#
+
+allow abrt_retrace_worker_t self:capability { setuid };
+
+allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
+
+domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
+allow abrt_retrace_worker_t abrt_retrace_coredump_exec_t:file ioctl;
+
+manage_dirs_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+
+allow abrt_retrace_worker_t abrt_etc_t:file read_file_perms;
+
+can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+
+corecmd_exec_bin(abrt_retrace_worker_t)
+corecmd_exec_shell(abrt_retrace_worker_t)
+
+dev_read_urand(abrt_retrace_worker_t)
+
+files_read_usr_files(abrt_retrace_worker_t)
+
+sysnet_dns_name_resolve(abrt_retrace_worker_t)
+
+optional_policy(`
+ mock_domtrans(abrt_retrace_worker_t)
')
+
+########################################
+#
+# abrt_dump_oops local policy
+#
+
+allow abrt_dump_oops_t self:capability dac_override;
+allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
+
+files_search_spool(abrt_dump_oops_t)
+manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
+
+read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
+read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
+
+kernel_read_kernel_sysctls(abrt_dump_oops_t)
+kernel_read_ring_buffer(abrt_dump_oops_t)
+
+domain_use_interactive_fds(abrt_dump_oops_t)
+
+fs_list_inotifyfs(abrt_dump_oops_t)
+
+logging_read_generic_logs(abrt_dump_oops_t)
+
+#######################################
+#
+# Local policy for all abrt domain
+#
+
+kernel_read_system_state(abrt_domain)
+
+files_read_etc_files(abrt_domain)
+
+logging_send_syslog_msg(abrt_domain)
+
+miscfiles_read_localization(abrt_domain)
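Review bot: The second `ifdef(`hide_broken_symptoms',` block holds real allow rules — `allow abrt_t domain:file write;`, `allow abrt_t domain:process setrlimit;` and `self:capability sys_resource` — whereas the first block in this hunk and the rest of the file use that ifdef only for dontaudit rules; `domain:file write` lets abrt_t write the proc files of every domain on the system, which is a permission grant rather than a hidden symptom. Either move these rules out of the ifdef with a comment naming the feature that needs them, or narrow `domain` to the types abrt actually adjusts; the `kernel_rw_unlabeled_files(afs_t)` rule under the same ifdef in the afs.te hunk below has the same shape. The trailing `abrt_domain` section re-grants `files_read_etc_files`, `logging_send_syslog_msg` and `miscfiles_read_localization` that the earlier hunks removed from abrt_t and abrt_helper_t, so correctness now depends on every abrt type carrying that attribute; its declaration is outside this chunk and I could not verify the membership. A comment above the section, `# every abrt_* type must be declared with the abrt_domain attribute or it loses syslog/etc/localization access`, would help the next editor.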
diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
index c0f858d..d639ae0 100644
--- a/policy/modules/services/accountsd.if
+++ b/policy/modules/services/accountsd.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run accountsd.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`accountsd_domtrans',`
@@ -25,7 +25,7 @@ interface(`accountsd_domtrans',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -138,7 +138,7 @@ interface(`accountsd_admin',`
type accountsd_t;
')
- allow $1 accountsd_t:process { ptrace signal_perms getattr };
+ allow $1 accountsd_t:process { ptrace signal_perms };
ps_process_pattern($1, accountsd_t)
accountsd_manage_lib_files($1)
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
index 1632f10..493bde2 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
type accountsd_t;
type accountsd_exec_t;
dbus_system_domain(accountsd_t, accountsd_exec_t)
+init_daemon_domain(accountsd_t, accountsd_exec_t)
+role system_r types accountsd_t;
type accountsd_var_lib_t;
files_type(accountsd_var_lib_t)
@@ -18,6 +20,7 @@ files_type(accountsd_var_lib_t)
#
allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
+allow accountsd_t self:process signal;
allow accountsd_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
@@ -32,10 +35,12 @@ files_read_usr_files(accountsd_t)
files_read_mnt_files(accountsd_t)
fs_list_inotifyfs(accountsd_t)
+fs_getattr_xattr_fs(accountsd_t)
fs_read_noxattr_fs_files(accountsd_t)
auth_use_nsswitch(accountsd_t)
auth_read_shadow(accountsd_t)
+auth_read_login_records(accountsd_t)
miscfiles_read_localization(accountsd_t)
@@ -55,3 +60,8 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(accountsd_t)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(accountsd_t)
+ xserver_manage_xdm_etc_files(accountsd_t)
+')
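Review bot: `xserver_manage_xdm_etc_files(accountsd_t)` gives accountsd write access to the display manager's configuration, and the hunk gives no reason for it. If the intent is the autologin setting that accountsd stores for users (inferred from the daemon's role, not from these lines — confirm), a comment such as `# accountsd rewrites the display manager config for autologin settings` would justify write access to a file that decides who gets a session without a password.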
diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if
index 8559cdc..49c0cc8 100644
--- a/policy/modules/services/afs.if
+++ b/policy/modules/services/afs.if
@@ -97,8 +97,8 @@ interface(`afs_admin',`
type afs_t, afs_initrc_exec_t;
')
- allow $1 afs_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, afs_t, afs_t)
+ allow $1 afs_t:process { ptrace signal_perms };
+ ps_process_pattern($1, afs_t)
# Allow afs_admin to restart the afs service
afs_initrc_domtrans($1)
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
index a496fde..847609a 100644
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
@@ -107,6 +107,10 @@ miscfiles_read_localization(afs_t)
sysnet_dns_name_resolve(afs_t)
+ifdef(`hide_broken_symptoms',`
+ kernel_rw_unlabeled_files(afs_t)
+')
+
########################################
#
# AFS bossserver local policy
diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te
index 6d685ba..4114d9b 100644
--- a/policy/modules/services/aiccu.te
+++ b/policy/modules/services/aiccu.te
@@ -45,9 +45,11 @@ corecmd_exec_shell(aiccu_t)
corenet_all_recvfrom_netlabel(aiccu_t)
corenet_all_recvfrom_unlabeled(aiccu_t)
+corenet_tcp_bind_generic_node(aiccu_t)
corenet_tcp_sendrecv_generic_if(aiccu_t)
corenet_tcp_sendrecv_generic_node(aiccu_t)
corenet_tcp_sendrecv_generic_port(aiccu_t)
+corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
corenet_tcp_bind_generic_node(aiccu_t)
corenet_tcp_connect_sixxsconfig_port(aiccu_t)
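Review bot: The added `corenet_tcp_bind_generic_node(aiccu_t)` duplicates the existing `corenet_tcp_bind_generic_node(aiccu_t)` four lines below, which is kept as context. Drop the new line, or move the existing one up next to the other generic_node rules if grouping was the goal.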
diff --git a/policy/modules/services/aide.fc b/policy/modules/services/aide.fc
index 7798464..ff76db7 100644
--- a/policy/modules/services/aide.fc
+++ b/policy/modules/services/aide.fc
@@ -1,6 +1,6 @@
-/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
+/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,s0)
-/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
+/var/lib/aide(/.*)? gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if
index 838d25b..0b0db39 100644
--- a/policy/modules/services/aide.if
+++ b/policy/modules/services/aide.if
@@ -33,6 +33,7 @@ interface(`aide_domtrans',`
## The role to allow the AIDE domain.
## </summary>
## </param>
+## <rolecap/>
#
interface(`aide_run',`
gen_require(`
diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te
index 2509dd2..7ada82f 100644
--- a/policy/modules/services/aide.te
+++ b/policy/modules/services/aide.te
@@ -32,6 +32,13 @@ manage_files_pattern(aide_t, aide_log_t, aide_log_t)
logging_log_filetrans(aide_t, aide_log_t, file)
files_read_all_files(aide_t)
+files_read_boot_symlinks(aide_t)
+files_read_all_symlinks(aide_t)
+files_getattr_all_pipes(aide_t)
+files_getattr_all_sockets(aide_t)
+
+mls_file_read_to_clearance(aide_t)
+mls_file_write_to_clearance(aide_t)
logging_send_audit_msgs(aide_t)
# AIDE can be configured to log to syslog
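Review bot: `mls_file_write_to_clearance(aide_t)` relaxes the MLS write constraint for aide_t up to its clearance and the hunk gives no reason, which matters because this is the kind of rule an MLS audit stops on. The likely motivation is the aide.fc change in this same commit that relabels `/usr/sbin/aide` to `s0` while `/var/lib/aide` and the logs stay at `mls_systemhigh` — an inference, so confirm — and a comment such as `# exec is s0 (see aide.fc) but the db and logs are mls_systemhigh; aide must read and update them at its clearance` would tie the two changes together.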
@@ -39,4 +46,4 @@ logging_send_syslog_msg(aide_t)
seutil_use_newrole_fds(aide_t)
-userdom_use_user_terminals(aide_t)
+userdom_use_inherited_user_terminals(aide_t)
diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if
index 0370dba..af5d229 100644
--- a/policy/modules/services/aisexec.if
+++ b/policy/modules/services/aisexec.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run aisexec.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`aisexec_domtrans',`
diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
index 64953f7..99a750b 100644
--- a/policy/modules/services/aisexec.te
+++ b/policy/modules/services/aisexec.te
@@ -89,6 +89,10 @@ optional_policy(`
')
optional_policy(`
+ corosync_domtrans(aisexec_t)
+')
+
+optional_policy(`
# to communication with RHCS
rhcs_rw_dlm_controld_semaphores(aisexec_t)
diff --git a/policy/modules/services/ajaxterm.fc b/policy/modules/services/ajaxterm.fc
new file mode 100644
index 0000000..aeb1888
--- /dev/null
+++ b/policy/modules/services/ajaxterm.fc
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
+
+/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0)
+
+/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if
new file mode 100644
index 0000000..0f3fc36
--- /dev/null
+++ b/policy/modules/services/ajaxterm.if
@@ -0,0 +1,86 @@
+## <summary>policy for ajaxterm</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ajaxterm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ajaxterm_domtrans',`
+ gen_require(`
+ type ajaxterm_t, ajaxterm_exec_t;
+ ')
+
+ domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
+')
+
+########################################
+## <summary>
+## Execute ajaxterm server in the ajaxterm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ajaxterm_initrc_domtrans',`
+ gen_require(`
+ type ajaxterm_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+## Read and write the ajaxterm pty type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ajaxterm_rw_ptys',`
+ gen_require(`
+ type ajaxterm_devpts_t;
+ ')
+
+ allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ajaxterm environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ajaxterm_admin',`
+ gen_require(`
+ type ajaxterm_t, ajaxterm_initrc_exec_t;
+ ')
+
+ allow $1 ajaxterm_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ajaxterm_t)
+
+ ajaxterm_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ajaxterm_initrc_exec_t system_r;
+ allow $2 system_r;
+')
diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te
new file mode 100644
index 0000000..3d0fd88
--- /dev/null
+++ b/policy/modules/services/ajaxterm.te
@@ -0,0 +1,64 @@
+policy_module(ajaxterm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ajaxterm_t;
+type ajaxterm_exec_t;
+init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
+
+type ajaxterm_initrc_exec_t;
+init_script_file(ajaxterm_initrc_exec_t)
+
+type ajaxterm_var_run_t;
+files_pid_file(ajaxterm_var_run_t)
+
+type ajaxterm_devpts_t;
+term_login_pty(ajaxterm_devpts_t)
+
+########################################
+#
+# ajaxterm local policy
+#
+allow ajaxterm_t self:capability setuid;
+allow ajaxterm_t self:process { setpgid signal };
+allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
+allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
+allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
+
+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
+term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
+
+manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
+
+kernel_read_system_state(ajaxterm_t)
+
+corecmd_exec_bin(ajaxterm_t)
+
+corenet_tcp_bind_generic_node(ajaxterm_t)
+corenet_tcp_bind_ajaxterm_port(ajaxterm_t)
+
+dev_read_urand(ajaxterm_t)
+
+domain_use_interactive_fds(ajaxterm_t)
+
+files_read_etc_files(ajaxterm_t)
+files_read_usr_files(ajaxterm_t)
+
+miscfiles_read_localization(ajaxterm_t)
+
+sysnet_dns_name_resolve(ajaxterm_t)
+
+#######################################
+#
+# SSH component local policy
+#
+
+optional_policy(`
+ ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
+')
+
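Review bot: ajaxterm_t binds its port via `corenet_tcp_bind_ajaxterm_port` but, unlike aiccu_t in the aiccu.te hunk of this same patch, receives none of the `corenet_tcp_sendrecv_generic_if`/`corenet_tcp_sendrecv_generic_node`/`corenet_tcp_sendrecv_generic_port` and `corenet_all_recvfrom_unlabeled` rules the rest of the policy pairs with a listening socket, so traffic on accepted connections may be denied; if that is deliberate (for example the daemon is only reached through a local proxy) a comment should say so. `allow ajaxterm_t self:capability setuid;` also deserves a why-comment, since a web-facing terminal holding setuid is a rule an auditor will query. The new file ends with an extra blank `+` line.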
diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc
index d96fdfa..e07158f 100644
--- a/policy/modules/services/amavis.fc
+++ b/policy/modules/services/amavis.fc
@@ -4,7 +4,7 @@
/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
-/usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
+/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
ifdef(`distro_debian',`
/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index deca9d3..ae8c579 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -38,7 +38,7 @@ type amavis_quarantine_t;
files_type(amavis_quarantine_t)
type amavis_spool_t;
-files_type(amavis_spool_t)
+files_spool_file(amavis_spool_t)
########################################
#
@@ -128,6 +128,7 @@ corenet_tcp_connect_razor_port(amavis_t)
dev_read_rand(amavis_t)
dev_read_urand(amavis_t)
+dev_read_sysfs(amavis_t)
domain_use_interactive_fds(amavis_t)
@@ -153,24 +154,28 @@ sysnet_use_ldap(amavis_t)
userdom_dontaudit_search_user_home_dirs(amavis_t)
-# Cron handling
-cron_use_fds(amavis_t)
-cron_use_system_job_fds(amavis_t)
-cron_rw_pipes(amavis_t)
-
-mta_read_config(amavis_t)
-
optional_policy(`
clamav_stream_connect(amavis_t)
clamav_domtrans_clamscan(amavis_t)
')
optional_policy(`
+ #Cron handling
+ cron_use_fds(amavis_t)
+ cron_use_system_job_fds(amavis_t)
+ cron_rw_pipes(amavis_t)
+')
+
+optional_policy(`
dcc_domtrans_client(amavis_t)
dcc_stream_connect_dccifd(amavis_t)
')
optional_policy(`
+ mta_read_config(amavis_t)
+')
+
+optional_policy(`
nslcd_stream_connect(amavis_t)
')
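Review bot: The comment moved into the new cron `optional_policy` block is written `#Cron handling` while the comment style elsewhere in this file and the surrounding hunks uses a space after the hash (`# Cron handling`). Change it to `# Cron handling` so cmake/sepolicy lint and readers see one style.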
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 9e39aa5..8002a1f 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,13 +1,18 @@
HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_content_ra_t,s0)
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
@@ -16,6 +21,9 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/lib/systemd/system/httpd.?\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -24,16 +32,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
@@ -43,8 +52,9 @@ ifdef(`distro_suse', `
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -54,9 +64,11 @@ ifdef(`distro_suse', `
/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
@@ -73,20 +85,25 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -105,7 +122,27 @@ ifdef(`distro_debian', `
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/html(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
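Review bot: `/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` is the only single-file entry in this hunk without the `--` file-type field that the neighbouring regular-file entries (for example `/usr/share/wordpress-mu/wp-config\.php --`) use, so it would also match a directory or symlink of that name. Change it to `/var/www/html/configuration\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)`.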
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 6480167..e12bbc0 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
gen_require(`
- attribute httpdcontent;
- attribute httpd_exec_scripts;
- attribute httpd_script_exec_type;
+ attribute httpd_exec_scripts, httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
+ type httpd_sys_content_t;
')
- # allow write access to public file transfer
- # services files.
- gen_tunable(allow_httpd_$1_script_anon_write, false)
#This type is for webpages
- type httpd_$1_content_t, httpdcontent; # customizable
+ type httpd_$1_content_t; # customizable;
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
files_type(httpd_$1_content_t)
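Review bot: After this change the template no longer declares `allow_httpd_$1_script_anon_write` (the `gen_tunable` here and its `tunable_policy` block in a later hunk of this file are both gone), so any existing `setsebool allow_httpd_sys_script_anon_write` in deployed configurations will fail unless the boolean is redeclared elsewhere — apache.te is not in this chunk, so I could not check. If it is intentionally retired, a comment in the template such as `# per-content anon_write booleans were removed; use the public-content rules in apache.te instead` (adjusted to the real replacement) would spare the next reader the search; the same applies to the dropped `httpdcontent` attribute membership, which other modules may `gen_require`.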
@@ -36,32 +32,32 @@ template(`apache_content_template',`
domain_type(httpd_$1_script_t)
role system_r types httpd_$1_script_t;
+ search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)
+
# This type is used for executable scripts files
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
- type httpd_$1_rw_content_t, httpdcontent; # customizable
+ type httpd_$1_rw_content_t; # customizable
typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
files_type(httpd_$1_rw_content_t)
- type httpd_$1_ra_content_t, httpdcontent; # customizable
+ type httpd_$1_ra_content_t; # customizable
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
files_type(httpd_$1_ra_content_t)
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
- domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-
allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
allow httpd_$1_script_t self:fifo_file rw_file_perms;
allow httpd_$1_script_t self:unix_stream_socket connectto;
allow httpd_$1_script_t httpd_t:fifo_file write;
# apache should set close-on-exec
- dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+ apache_dontaudit_leaks(httpd_$1_script_t)
# Allow the script process to search the cgi directory, and users directory
allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
@@ -86,7 +82,6 @@ template(`apache_content_template',`
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
@@ -95,6 +90,7 @@ template(`apache_content_template',`
dev_read_urand(httpd_$1_script_t)
corecmd_exec_all_executables(httpd_$1_script_t)
+ application_exec_all(httpd_$1_script_t)
files_exec_etc_files(httpd_$1_script_t)
files_read_etc_files(httpd_$1_script_t)
@@ -108,19 +104,6 @@ template(`apache_content_template',`
seutil_dontaudit_search_config(httpd_$1_script_t)
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_$1_script_t httpdcontent:file entrypoint;
-
- manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
- manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
- manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
- can_exec(httpd_$1_script_t, httpdcontent)
- ')
-
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
- ')
-
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -140,26 +123,37 @@ template(`apache_content_template',`
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;
')
tunable_policy(`httpd_enable_cgi',`
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
# privileged users run the script:
domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
+
# apache runs the script:
domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+ allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
+ allow httpd_t httpd_$1_script_exec_t:lnk_file read_lnk_file_perms;
+
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
allow httpd_$1_script_t self:process { setsched signal_perms };
allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
+ allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
+ dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
+
kernel_read_system_state(httpd_$1_script_t)
dev_read_urand(httpd_$1_script_t)
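Review bot: The added `dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };` repeats a rule that `apache_dontaudit_leaks(httpd_$1_script_t)`, called earlier in this same template, already carries (its body in this patch dontaudits httpd_t tcp_socket read/write). Dropping the line keeps the leak suppression in one place. The enclosing template continues outside the hunk.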
@@ -172,6 +166,7 @@ template(`apache_content_template',`
libs_read_lib_files(httpd_$1_script_t)
miscfiles_read_localization(httpd_$1_script_t)
+ allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
')
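Review bot: `allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;` hardcodes the sys content type inside a template that is also instantiated as `apache_content_template(user)`, so every script domain, including user scripts, gains search on system content directories, and the template's gen_require must declare httpd_sys_content_t for this to build (not visible here). If only the sys instance is meant, the rule belongs in apache.te beside the other httpd_sys_script_t rules; otherwise a comment such as `# all script domains may traverse system content dirs` would record the decision. The template body continues beyond this hunk.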
optional_policy(`
@@ -182,10 +177,6 @@ template(`apache_content_template',`
optional_policy(`
postgresql_unpriv_client(httpd_$1_script_t)
-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_$1_script_t)
- ')
')
optional_policy(`
@@ -211,9 +202,8 @@ template(`apache_content_template',`
interface(`apache_role',`
gen_require(`
attribute httpdcontent;
- type httpd_user_content_t, httpd_user_htaccess_t;
- type httpd_user_script_t, httpd_user_script_exec_t;
- type httpd_user_ra_content_t, httpd_user_rw_content_t;
+ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
+ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
')
role $1 types httpd_user_script_t;
@@ -234,6 +224,13 @@ interface(`apache_role',`
relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
@@ -248,6 +245,9 @@ interface(`apache_role',`
relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ apache_exec_modules($2)
+ apache_filetrans_home_content($2)
+
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
@@ -317,6 +317,25 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
+######################################
+## <summary>
+## Allow the specified domain to execute apache
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_exec',`
+ gen_require(`
+ type httpd_exec_t;
+ ')
+
+ can_exec($1, httpd_exec_t)
+')
+
#######################################
## <summary>
## Send a generic signal to apache.
@@ -405,7 +424,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@@ -487,7 +506,7 @@ interface(`apache_setattr_cache_dirs',`
type httpd_cache_t;
')
- allow $1 httpd_cache_t:dir setattr;
+ allow $1 httpd_cache_t:dir setattr_dir_perms;
')
########################################
@@ -531,6 +550,25 @@ interface(`apache_rw_cache_files',`
########################################
## <summary>
## Allow the specified domain to delete
+## Apache cache dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_delete_cache_dirs',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to delete
## Apache cache.
## </summary>
## <param name="domain">
@@ -549,6 +587,26 @@ interface(`apache_delete_cache_files',`
########################################
## <summary>
+## Allow the specified domain to search
+## apache configuration dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_config',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 httpd_config_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## Allow the specified domain to read
## apache configuration files.
## </summary>
@@ -699,7 +757,7 @@ interface(`apache_dontaudit_append_log',`
type httpd_log_t;
')
- dontaudit $1 httpd_log_t:file { getattr append };
+ dontaudit $1 httpd_log_t:file append_file_perms;
')
########################################
@@ -745,6 +803,25 @@ interface(`apache_dontaudit_search_modules',`
########################################
## <summary>
+## Allow the specified domain to read
+## the apache module directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
+')
+
+########################################
+## <summary>
## Allow the specified domain to list
## the contents of the apache modules
## directory.
@@ -761,6 +838,7 @@ interface(`apache_list_modules',`
')
allow $1 httpd_modules_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
@@ -802,6 +880,43 @@ interface(`apache_domtrans_rotatelogs',`
domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')
+#######################################
+## <summary>
+## Execute httpd_rotatelogs in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_exec_rotatelogs',`
+ gen_require(`
+ type httpd_rotatelogs_exec_t;
+ ')
+
+ can_exec($1, httpd_rotatelogs_exec_t)
+')
+
+#######################################
+## <summary>
+## Execute httpd system scripts in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_exec_sys_script',`
+ gen_require(`
+ type httpd_sys_script_exec_t;
+ ')
+
+ allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
+ can_exec($1, httpd_sys_script_exec_t)
+')
+
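Review bot: Both new interfaces document their parameter as `Domain allowed to transition.`, but `can_exec` runs the file in the caller's own domain and no transition takes place, so the text contradicts the summary directly above it. Use `## Domain allowed access.` as the other caller-domain interface added in this patch (`apache_exec`) does.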
########################################
## <summary>
## Allow the specified domain to list
@@ -819,6 +934,7 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
files_search_var($1)
')
@@ -846,6 +962,74 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
+######################################
+## <summary>
+## Allow the specified domain to read
+## apache system content rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_sys_content_rw_files',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to manage
+## apache system content rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_sys_content_rw',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to delete
+## apache system content rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_delete_sys_content_rw',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ files_search_tmp($1)
+ delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
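Review bot: `apache_delete_sys_content_rw` calls `files_search_tmp($1)` while its sibling `apache_manage_sys_content_rw` directly above calls `files_search_var($1)`; both act on httpd_sys_rw_content_t, so one of the path-search helpers looks wrong or both are needed. If rw content can legitimately live under /tmp (apache.te in this patch does transition script-created tmp files to httpd_sys_rw_content_t), say so in a comment; otherwise align the delete interface on `files_search_var($1)`.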
########################################
## <summary>
## Execute all web scripts in the system
@@ -862,7 +1046,12 @@ interface(`apache_manage_sys_content',`
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
- type httpd_sys_script_t;
+ type httpd_sys_script_exec_t;
+ type httpd_sys_script_t, httpd_sys_content_t;
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
@@ -921,9 +1110,10 @@ interface(`apache_domtrans_all_scripts',`
## </param>
## <param name="role">
## <summary>
-## Role allowed access..
+## Role allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`apache_run_all_scripts',`
gen_require(`
@@ -950,7 +1140,7 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
- allow $1 httpd_squirrelmail_t:file read_file_perms;
+ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
')
########################################
@@ -1091,6 +1281,25 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
+######################################
+## <summary>
+## Dontaudit attempts to read and write
+## apache tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_tmp_t:file { read write };
+')
+
########################################
## <summary>
## Dontaudit attempts to write
@@ -1107,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
- dontaudit $1 httpd_tmp_t:file write_file_perms;
+ dontaudit $1 httpd_tmp_t:file write;
')
########################################
@@ -1150,12 +1359,6 @@ interface(`apache_cgi_domain',`
## <summary>
## All of the rules required to administrate an apache environment
## </summary>
-## <param name="prefix">
-## <summary>
-## Prefix of the domain. Example, user would be
-## the prefix for the uder_t domain.
-## </summary>
-## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
@@ -1170,17 +1373,15 @@ interface(`apache_cgi_domain',`
#
interface(`apache_admin',`
gen_require(`
- attribute httpdcontent;
- attribute httpd_script_exec_type;
-
+ attribute httpdcontent, httpd_script_exec_type;
type httpd_t, httpd_config_t, httpd_log_t;
- type httpd_modules_t, httpd_lock_t;
- type httpd_var_run_t, httpd_php_tmp_t;
+ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
+ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
- type httpd_initrc_exec_t;
+ type httpd_unit_file_t;
')
- allow $1 httpd_t:process { getattr ptrace signal_perms };
+ allow $1 httpd_t:process { ptrace signal_perms };
ps_process_pattern($1, httpd_t)
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
@@ -1191,10 +1392,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, httpd_config_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
@@ -1205,14 +1406,69 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
- kernel_search_proc($1)
- allow $1 httpd_t:dir list_dir_perms;
-
- read_lnk_files_pattern($1, httpd_t, httpd_t)
-
admin_pattern($1, httpdcontent)
admin_pattern($1, httpd_script_exec_type)
+
+ seutil_domtrans_setfiles($1)
+
+ files_list_tmp($1)
admin_pattern($1, httpd_tmp_t)
admin_pattern($1, httpd_php_tmp_t)
admin_pattern($1, httpd_suexec_tmp_t)
+
+ allow $1 httpd_unit_file_t:service all_service_perms;
+
+ ifdef(`TODO',`
+ apache_set_booleans($1, $2, $3, httpd_bool_t)
+ seutil_setsebool_role_template($1, $3, $2)
+ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
+ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
+ ')
+')
+
+########################################
+## <summary>
+## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_leaks',`
+ gen_require(`
+ type httpd_t;
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 httpd_t:tcp_socket { read write };
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
+ dontaudit $1 httpd_tmp_t:file { read write };
+')
+
+########################################
+## <summary>
+## Transition to apache named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_filetrans_home_content',`
+ gen_require(`
+ type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
+ type httpd_user_content_ra_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
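Review bot: `apache_filetrans_home_content` requires and uses `httpd_user_content_ra_t`, but the type declared everywhere else in this patch is `httpd_user_ra_content_t` (apache_role's gen_require, `typeattribute httpd_user_ra_content_t httpdcontent` in apache.te). Unless a type with the swapped name exists elsewhere, that gen_require fails, and because `apache_role` now calls `apache_filetrans_home_content($2)`, every role using it breaks; the fix is `type httpd_user_ra_content_t;` and `filetrans_pattern($1, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")`. In apache_admin, `httpd_bool_t` is added to gen_require but only referenced inside the `ifdef(`TODO',...)` block, which also uses `$2` and `$3` that the interface documentation no longer lists; dropping the dead block and the unused require would be cleaner.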
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 3136c6a..f165efd 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,203 @@ policy_module(apache, 2.2.1)
# Declarations
#
+selinux_genbool(httpd_bool_t)
+
## <desc>
-## <p>
-## Allow Apache to modify public files
-## used for public file transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-## </p>
+## <p>
+## Allow Apache to modify public files
+## used for public file transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+## </p>
## </desc>
gen_tunable(allow_httpd_anon_write, false)
## <desc>
-## <p>
-## Allow Apache to use mod_auth_pam
-## </p>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
## </desc>
gen_tunable(allow_httpd_mod_auth_pam, false)
## <desc>
-## <p>
-## Allow httpd to use built in scripting (usually php)
-## </p>
+## <p>
+## Allow Apache to use mod_auth_ntlm_winbind
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+
+## <desc>
+## <p>
+## Allow httpd scripts and modules execmem/execstack
+## </p>
+## </desc>
+gen_tunable(httpd_execmem, false)
+
+## <desc>
+## <p>
+## Allow httpd daemon to change system limits
+## </p>
+## </desc>
+gen_tunable(httpd_setrlimit, false)
+
+## <desc>
+## <p>
+## Allow httpd to use built in scripting (usually php)
+## </p>
## </desc>
gen_tunable(httpd_builtin_scripting, false)
## <desc>
-## <p>
-## Allow HTTPD scripts and modules to connect to the network using TCP.
-## </p>
+## <p>
+## Allow HTTPD scripts and modules to connect to the network using any TCP port.
+## </p>
## </desc>
gen_tunable(httpd_can_network_connect, false)
## <desc>
-## <p>
-## Allow HTTPD scripts and modules to connect to databases over the network.
-## </p>
+## <p>
+## Allow HTTPD scripts and modules to connect to cobbler over the network.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_cobbler, false)
+
+## <desc>
+## <p>
+## Allow HTTPD scripts and modules to connect to databases over the network.
+## </p>
## </desc>
gen_tunable(httpd_can_network_connect_db, false)
## <desc>
-## <p>
-## Allow httpd to act as a relay
-## </p>
+## <p>
+## Allow httpd to connect to memcache server
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_memcache, false)
+
+## <desc>
+## <p>
+## Allow httpd to act as a relay
+## </p>
## </desc>
gen_tunable(httpd_can_network_relay, false)
## <desc>
-## <p>
-## Allow http daemon to send mail
-## </p>
+## <p>
+## Allow http daemon to send mail
+## </p>
## </desc>
gen_tunable(httpd_can_sendmail, false)
## <desc>
-## <p>
-## Allow Apache to communicate with avahi service via dbus
-## </p>
+## <p>
+## Allow http daemon to check spam
+## </p>
+## </desc>
+gen_tunable(httpd_can_check_spam, false)
+
+## <desc>
+## <p>
+## Allow Apache to communicate with avahi service via dbus
+## </p>
## </desc>
gen_tunable(httpd_dbus_avahi, false)
## <desc>
-## <p>
-## Allow httpd cgi support
-## </p>
+## <p>
+## Allow httpd to execute cgi scripts
+## </p>
## </desc>
gen_tunable(httpd_enable_cgi, false)
## <desc>
-## <p>
-## Allow httpd to act as a FTP server by
-## listening on the ftp port.
-## </p>
+## <p>
+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+## </p>
## </desc>
gen_tunable(httpd_enable_ftp_server, false)
## <desc>
-## <p>
-## Allow httpd to read home directories
-## </p>
+## <p>
+## Allow httpd to act as a FTP client
+## connecting to the ftp port and ephemeral ports
+## </p>
+## </desc>
+gen_tunable(httpd_can_connect_ftp, false)
+
+## <desc>
+## <p>
+## Allow httpd to read home directories
+## </p>
## </desc>
gen_tunable(httpd_enable_homedirs, false)
## <desc>
-## <p>
-## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
-## </p>
+## <p>
+## Allow httpd to read user content
+## </p>
+## </desc>
+gen_tunable(httpd_read_user_content, false)
+
+## <desc>
+## <p>
+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+## </p>
## </desc>
gen_tunable(httpd_ssi_exec, false)
## <desc>
-## <p>
-## Unify HTTPD to communicate with the terminal.
-## Needed for entering the passphrase for certificates at
-## the terminal.
-## </p>
+## <p>
+## Allow Apache to execute tmp content.
+## </p>
+## </desc>
+gen_tunable(httpd_tmp_exec, false)
+
+## <desc>
+## <p>
+## Unify HTTPD to communicate with the terminal.
+## Needed for entering the passphrase for certificates at
+## the terminal.
+## </p>
## </desc>
gen_tunable(httpd_tty_comm, false)
## <desc>
-## <p>
-## Unify HTTPD handling of all content files.
-## </p>
+## <p>
+## Unify HTTPD handling of all content files.
+## </p>
## </desc>
gen_tunable(httpd_unified, false)
## <desc>
-## <p>
-## Allow httpd to access cifs file systems
-## </p>
+## <p>
+## Allow httpd to access cifs file systems
+## </p>
## </desc>
gen_tunable(httpd_use_cifs, false)
## <desc>
-## <p>
-## Allow httpd to run gpg
-## </p>
+## <p>
+## Allow httpd to run gpg in gpg-web domain
+## </p>
## </desc>
gen_tunable(httpd_use_gpg, false)
## <desc>
-## <p>
-## Allow httpd to access nfs file systems
-## </p>
+## <p>
+## Allow httpd to access nfs file systems
+## </p>
## </desc>
gen_tunable(httpd_use_nfs, false)
+## <desc>
+## <p>
+## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
+## </p>
+## </desc>
+gen_tunable(allow_httpd_sys_script_anon_write, false)
+
attribute httpdcontent;
attribute httpd_user_content_type;
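Review bot: The new `allow_httpd_sys_script_anon_write` description tells administrators to label files `public_rw_content_t`, but the type named by the sibling `allow_httpd_anon_write` description in the same hunk is `public_content_rw_t`, so a reader following the new text would apply a label that does not match. Change it to `## be labeled public_content_rw_t.`. Most of the rest of this hunk is re-indentation of existing `<desc>` blocks, which buries the real additions (`httpd_execmem`, `httpd_setrlimit`, `httpd_tmp_exec`, `httpd_read_user_content`, ...); splitting the whitespace change out would make the new tunables reviewable on their own.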
@@ -166,7 +239,7 @@ files_type(httpd_cache_t)
# httpd_config_t is the type given to the configuration files
type httpd_config_t;
-files_type(httpd_config_t)
+files_config_file(httpd_config_t)
type httpd_helper_t;
type httpd_helper_exec_t;
@@ -177,6 +250,9 @@ role system_r types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
+type httpd_unit_file_t;
+systemd_unit_file(httpd_unit_file_t)
+
type httpd_lock_t;
files_lock_file(httpd_lock_t)
@@ -216,7 +292,17 @@ files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
-typealias httpd_sys_content_t alias ntop_http_content_t;
+
+typeattribute httpd_sys_content_t httpdcontent; # customizable
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
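Review bot: `typealias httpd_sys_content_t alias ntop_http_content_t;` is dropped in the same hunk that adds fastcgi aliases with a comment saying removal of a module "will cause problems" without them; if anything still references ntop_http_content_t (file contexts or a module present on upgraded systems) the same problem applies here. Either keep the alias next to the fastcgi ones or extend the comment with why ntop no longer needs one.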
@@ -226,6 +312,10 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_rw_content_t httpdcontent;
+typeattribute httpd_user_ra_content_t httpdcontent;
+
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
@@ -233,6 +323,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
@@ -254,14 +345,23 @@ files_type(httpd_var_lib_t)
type httpd_var_run_t;
files_pid_file(httpd_var_run_t)
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
# File Type of squirrelmail attachments
type squirrelmail_spool_t;
files_tmp_file(squirrelmail_spool_t)
+files_spool_file(squirrelmail_spool_t)
optional_policy(`
prelink_object_file(httpd_modules_t)
')
+type httpd_passwd_t;
+type httpd_passwd_exec_t;
+application_domain(httpd_passwd_t, httpd_passwd_exec_t)
+role system_r types httpd_passwd_t;
+
########################################
#
# Apache server local policy
@@ -281,11 +381,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
+dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
# Allow httpd_t to put files in /var/cache/httpd etc
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
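Review bot: `files_var_filetrans(httpd_t, httpd_cache_t, { file dir })` has no name argument, so every file or directory httpd_t creates directly in the generic var location gets httpd_cache_t, not just the cache directory. This patch already uses named transitions elsewhere (`userdom_user_home_dir_filetrans(..., dir, "public_html")`), so restricting this one to the intended entry name keeps the cache type from landing on unrelated var content; if the broad form is deliberate, a comment saying so would help.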
@@ -329,8 +431,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
+files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
@@ -355,6 +458,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
+kernel_read_network_state(httpd_t)
+kernel_read_network_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
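Review bot: `kernel_read_network_state(httpd_t)` is added twice on consecutive lines; delete one. The duplicate does not change the compiled policy but will confuse anyone diffing this file against upstream.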
@@ -365,11 +471,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
+corenet_udp_bind_generic_node(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
+corenet_tcp_bind_ntop_port(httpd_t)
+corenet_tcp_bind_jboss_management_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
+corenet_tcp_bind_puppet_port(httpd_t)
# Signal self for shutdown
-corenet_tcp_connect_http_port(httpd_t)
+#corenet_tcp_connect_http_port(httpd_t)
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
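Review bot: The comment `# Signal self for shutdown` now introduces a commented-out `#corenet_tcp_connect_http_port(httpd_t)`, leaving an orphaned explanation for a rule that no longer exists; delete both lines (the connect is still granted under `httpd_can_network_relay`) or replace the commented code with a sentence stating why the unconditional connect was removed. Separately, `corenet_tcp_bind_ntop_port`, `corenet_tcp_bind_jboss_management_port` and `corenet_tcp_bind_puppet_port` are granted to httpd_t unconditionally, widening what the base policy lets the web server listen on; if these serve specific deployments, the bind rules fit better under a tunable or the respective optional_policy blocks.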
@@ -378,12 +488,12 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
+fs_read_iso9660_files(httpd_t)
+fs_read_anon_inodefs_files(httpd_t)
auth_use_nsswitch(httpd_t)
-# execute perl
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+application_exec_all(httpd_t)
domain_use_interactive_fds(httpd_t)
@@ -391,6 +501,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
+files_read_var_symlinks(httpd_t)
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
@@ -402,48 +513,101 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
libs_read_lib_files(httpd_t)
+ifdef(`hide_broken_symptoms',`
+ libs_exec_lib_files(httpd_t)
+')
+
logging_send_syslog_msg(httpd_t)
miscfiles_read_localization(httpd_t)
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
+miscfiles_read_tetex_data(httpd_t)
seutil_dontaudit_search_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
+tunable_policy(`httpd_setrlimit',`
+ allow httpd_t self:process setrlimit;
+ allow httpd_t self:capability sys_resource;
+')
+
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
-ifdef(`TODO', `
#
# We need optionals to be able to be within booleans to make this work
#
tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
+ auth_domtrans_chkpwd(httpd_t)
+ logging_send_audit_msgs(httpd_t)
')
+
+optional_policy(`
+ tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
+ ')
')
tunable_policy(`httpd_can_network_connect',`
corenet_tcp_connect_all_ports(httpd_t)
')
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_firebird_port(httpd_t)
+ corenet_tcp_connect_mssql_port(httpd_t)
+ corenet_sendrecv_mssql_client_packets(httpd_t)
+ corenet_tcp_connect_oracle_port(httpd_t)
+ corenet_sendrecv_oracle_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_memcache',`
+ corenet_tcp_connect_memcache_port(httpd_t)
+')
+
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
corenet_tcp_connect_ftp_port(httpd_t)
corenet_tcp_connect_http_port(httpd_t)
corenet_tcp_connect_http_cache_port(httpd_t)
+ corenet_tcp_connect_squid_port(httpd_t)
corenet_tcp_connect_memcache_port(httpd_t)
corenet_sendrecv_gopher_client_packets(httpd_t)
corenet_sendrecv_ftp_client_packets(httpd_t)
corenet_sendrecv_http_client_packets(httpd_t)
corenet_sendrecv_http_cache_client_packets(httpd_t)
+ corenet_sendrecv_squid_client_packets(httpd_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+')
+
+tunable_policy(`httpd_execmem',`
+ allow httpd_t self:process { execmem execstack };
+ allow httpd_sys_script_t self:process { execmem execstack };
+ allow httpd_suexec_t self:process { execmem execstack };
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
+')
+
+tunable_policy(`allow_httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
')
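Review bot: `corenet_tcp_connect_all_ephemeral_ports(httpd_t)` under `httpd_can_network_relay` makes that boolean permit outbound connections to every ephemeral port, considerably more than the relay ports its description ("act as a relay") promises; either move it to its own tunable or update the description so administrators know what they are enabling. The `httpd_can_connect_ftp` block in the next hunk grants the same ephemeral range, and its description does say so, which is the model to follow. The comment `# php uploads a file to /tmp and then execs programs to acton them` has a typo: `act on`.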
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -456,25 +620,47 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
')
+tunable_policy(`httpd_can_connect_ftp',`
+ corenet_tcp_connect_ftp_port(httpd_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+')
+
tunable_policy(`httpd_enable_ftp_server',`
corenet_tcp_bind_ftp_port(httpd_t)
+ corenet_tcp_bind_all_ephemeral_ports(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs',`
- userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+ can_exec(httpd_t, httpd_tmp_t)
+')
+
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
+ can_exec(httpd_sys_script_t, httpd_tmp_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(httpd_t)
fs_read_nfs_files(httpd_t)
fs_read_nfs_symlinks(httpd_t)
')
+tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ fs_manage_nfs_dirs(httpd_t)
+ fs_manage_nfs_files(httpd_t)
+ fs_manage_nfs_symlinks(httpd_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
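Review bot: Replacing the `httpd_enable_homedirs` block that granted `userdom_read_user_home_content_files(httpd_t)` with the `httpd_tmp_exec` blocks removes the only rule in view that lets httpd read local home content when that boolean is on; the nfs/cifs home-dir variants directly below remain, so unless the local read moved elsewhere (not visible here) the boolean no longer does what its description says. Also `httpd_use_nfs` now grants `fs_manage_nfs_dirs/files/symlinks` while its description still reads "access nfs file systems"; the `httpd_use_cifs` block in the following hunk has the same gap. A comment stating where the homedir read rules moved, or restoring the block, resolves the first point.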
@@ -484,7 +670,16 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
+ corenet_tcp_connect_pop_port(httpd_t)
+ corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
+ mta_signal_system_mail(httpd_t)
+')
+
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
')
tunable_policy(`httpd_ssi_exec',`
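Review bot: `httpd_can_sendmail` now also grants `corenet_tcp_connect_pop_port`, `corenet_sendrecv_pop_client_packets` and `mta_signal_system_mail` to httpd_t, none of which is about sending mail. If the goal is to let web mail front-ends retrieve mail, the boolean's description (outside this hunk) should say so, since an administrator enabling "sendmail" would not expect POP client access to come with it; a separate tunable would keep the two independently switchable. At minimum the existing comment could become `# allow httpd to connect to SMTP and POP servers and signal the system MTA`.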
@@ -499,9 +694,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
',`
userdom_dontaudit_use_user_terminals(httpd_t)
+ userdom_dontaudit_use_user_terminals(httpd_suexec_t)
+')
+
+optional_policy(`
+ # Support for ABRT retrace server
+ # mod_wsgi
+ abrt_manage_spool_retrace(httpd_t)
+ abrt_domtrans_retrace_worker(httpd_t)
+ abrt_read_config(httpd_t)
')
optional_policy(`
@@ -513,7 +718,13 @@ optional_policy(`
')
optional_policy(`
- cobbler_search_lib(httpd_t)
+ cobbler_list_config(httpd_t)
+ cobbler_read_config(httpd_t)
+ cobbler_read_lib_files(httpd_t)
+
+ tunable_policy(`httpd_can_network_connect_cobbler',`
+ corenet_tcp_connect_cobbler_port(httpd_t)
+ ')
')
optional_policy(`
@@ -528,7 +739,19 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
- optional_policy(`
+optional_policy(`
+ dirsrv_manage_config(httpd_t)
+ dirsrv_manage_log(httpd_t)
+ dirsrv_manage_var_run(httpd_t)
+ dirsrv_read_share(httpd_t)
+ dirsrv_signal(httpd_t)
+ dirsrv_signull(httpd_t)
+ dirsrvadmin_manage_config(httpd_t)
+ dirsrvadmin_manage_tmp(httpd_t)
+ dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
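Review bot: `dirsrvadmin_domtrans_unconfined_script_t(httpd_t)` at the end of the new dirsrv block is unconditional, so whenever the dirsrv/dirsrvadmin modules are loaded httpd_t can transition into an unconfined script domain, whereas the comparable privileged transitions in this file (`gpg_domtrans_web`, the cobbler connect, `spamassassin_domtrans_client`) are placed behind tunables. A compromised httpd_t would reach an unconfined domain through any dirsrvadmin script entrypoint, so consider guarding the domtrans with a dedicated boolean (a constructed name such as `httpd_run_dirsrvadmin_scripts`) or at least adding a comment stating why it must be on by default. The `dirsrv_manage_config`/`dirsrv_manage_log`/`dirsrv_manage_var_run` lines also give the web server write access to the directory server's configuration, which deserves a one-line comment naming the admin-console use case.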
@@ -537,8 +760,13 @@ optional_policy(`
')
optional_policy(`
+ git_read_generic_system_content_files(httpd_t)
+ gitosis_read_lib_files(httpd_t)
+')
+
+optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
- gpg_domtrans(httpd_t)
+ gpg_domtrans_web(httpd_t)
')
')
@@ -556,7 +784,13 @@ optional_policy(`
')
optional_policy(`
+ mediawiki_read_tmp_files(httpd_t)
+ mediawiki_delete_tmp_files(httpd_t)
+')
+
+optional_policy(`
# Allow httpd to work with mysql
+ mysql_read_config(httpd_t)
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
@@ -567,6 +801,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
+ nagios_read_log(httpd_t)
')
optional_policy(`
@@ -577,6 +812,20 @@ optional_policy(`
')
optional_policy(`
+ passenger_domtrans(httpd_t)
+ passenger_manage_pid_content(httpd_t)
+ passenger_read_lib_files(httpd_t)
+')
+
+optional_policy(`
+ puppet_read_lib(httpd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(httpd_t)
+')
+
+optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
@@ -591,6 +840,11 @@ optional_policy(`
')
optional_policy(`
+ smokeping_read_lib_files(httpd_t)
+')
+
+optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
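Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` is placed inside the snmp `optional_policy` block, so this generic dontaudit only takes effect when the snmp module is present and silently disappears otherwise. If the denials it suppresses come from snmp's libraries, a comment such as `# snmp libraries attempt to write under /usr` documents the coupling; if they are unrelated to snmp the line belongs in the unconditional httpd_t section of the file.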
@@ -603,6 +857,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
+optional_policy(`
+ zarafa_manage_lib_files(httpd_t)
+ zarafa_stream_connect_server(httpd_t)
+ zarafa_search_config(httpd_t)
+')
+
########################################
#
# Apache helper local policy
@@ -616,7 +876,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
-userdom_use_user_terminals(httpd_helper_t)
+userdom_use_inherited_user_terminals(httpd_helper_t)
+
+tunable_policy(`httpd_tty_comm',`
+ userdom_use_inherited_user_terminals(httpd_helper_t)
+')
########################################
#
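Review bot: The new `tunable_policy(`httpd_tty_comm',...)` block for httpd_helper_t is redundant, because the identical `userdom_use_inherited_user_terminals(httpd_helper_t)` is granted unconditionally two lines above it. Either drop the unconditional line so the access really is controlled by `httpd_tty_comm` (as it is for httpd_t and httpd_suexec_t earlier in the file), or drop the tunable block; as written the boolean has no effect on the helper domain.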
@@ -654,28 +918,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
- corenet_tcp_connect_mysqld_port(httpd_t)
- corenet_sendrecv_mysqld_client_packets(httpd_t)
- corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
- corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_mysqld_port(httpd_suexec_t)
- corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
-
- corenet_tcp_connect_mssql_port(httpd_t)
- corenet_sendrecv_mssql_client_packets(httpd_t)
- corenet_tcp_connect_mssql_port(httpd_sys_script_t)
- corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_mssql_port(httpd_suexec_t)
- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_firebird_port(httpd_php_t)
+ corenet_tcp_connect_mssql_port(httpd_php_t)
+ corenet_sendrecv_mssql_client_packets(httpd_php_t)
+ corenet_tcp_connect_oracle_port(httpd_php_t)
+ corenet_sendrecv_oracle_client_packets(httpd_php_t)
')
optional_policy(`
mysql_stream_connect(httpd_php_t)
+ mysql_rw_db_sockets(httpd_php_t)
mysql_read_config(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_php_t)
+ ')
')
optional_policy(`
postgresql_stream_connect(httpd_php_t)
+ postgresql_unpriv_client(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
')
########################################
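Review bot: The replacement `httpd_can_network_connect_db` block at the top of the hunk adds `corenet_tcp_connect_firebird_port(httpd_php_t)` without the `corenet_sendrecv_firebird_client_packets(httpd_php_t)` line that the mssql and oracle entries each get; the same asymmetry appears in the suexec hunk (`@@ -740,13 +1013,31 @@`) and the sys_script hunk (`@@ -803,18 +1118,50 @@`). If the firebird port is declared in corenetwork like the other two, the generated client-packets interface exists and should be paired for consistency, since the sendrecv rule is what matters once labeled networking is in use. The per-domain mysqld lines removed here appear to be replaced by `mysql_tcp_connect` inside the mysql optional blocks, which reads as a deliberate move rather than a loss.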
@@ -685,6 +951,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
+
+allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
@@ -699,17 +967,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
dev_read_urand(httpd_suexec_t)
+fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
-# for shell scripts
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
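Review bot: The three new `read_files_pattern(httpd_suexec_t, httpd_user_*_t, ...)` lines are unconditional, while the same domain's access to users' home content is switched by `httpd_enable_homedirs` and `httpd_read_user_content` later in the file; as far as I recall the `httpd_user_*` content types label users' web trees, so the unconditional read may sidestep those booleans for suexec. A comment explaining the path (`# suexec reads the target CGI before dropping privileges`, if that is the reason) or moving the lines under `httpd_read_user_content` would make the intent explicit. `application_exec_all` replacing `corecmd_exec_bin`/`corecmd_exec_shell` also widens what suexec may execute to every application exec type; the deleted `# for shell scripts` comment should be replaced by one naming why the broader set is needed.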
@@ -740,13 +1013,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_firebird_port(httpd_suexec_t)
+ corenet_tcp_connect_mssql_port(httpd_suexec_t)
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_oracle_port(httpd_suexec_t)
+ corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
+')
+
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
+
+tunable_policy(`httpd_can_sendmail',`
+ mta_send_mail(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
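Review bot: `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` is added unconditionally in the suexec section, so every read-only `httpd_sys_content_t` file becomes a valid entrypoint for the CGI domain regardless of `httpd_enable_cgi`, while the `entrypoint` grant on `httpdcontent` a few lines below stays gated by `httpd_enable_cgi && httpd_unified`. This weakens the separation between static content and executable scripts that `httpd_sys_script_exec_t` exists to provide; because `domain_entry_file` assigns the `entry_type` attribute it cannot be made conditional, so the choices are to document why every sys content file must be a CGI entrypoint (`# <interpreter> loads scripts straight from content dirs — TODO confirm`) or to keep entrypoint on the dedicated exec type only. It also sits between suexec rules rather than in the sys_script section, where a reader would look for it.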
@@ -769,6 +1060,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
+optional_policy(`
+ mysql_stream_connect(httpd_suexec_t)
+ mysql_rw_db_sockets(httpd_suexec_t)
+ mysql_read_config(httpd_suexec_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_suexec_t)
+ ')
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_suexec_t)
+ postgresql_unpriv_client(httpd_suexec_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_suexec_t)
+ ')
+')
+
########################################
#
# Apache system script local policy
@@ -789,12 +1099,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
+files_read_var_symlinks(httpd_sys_script_t)
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
+logging_inherit_append_all_logs(httpd_sys_script_t)
+
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
+auth_use_nsswitch(httpd_sys_script_t)
+
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
@@ -803,18 +1118,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
+optional_policy(`
+ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+ spamassassin_domtrans_client(httpd_t)
+ ')
+')
+
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_firebird_port(httpd_sys_script_t)
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_oracle_port(httpd_sys_script_t)
+ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
+')
+
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+
+tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_manage_nfs_dirs(httpd_sys_script_t)
+ fs_manage_nfs_files(httpd_sys_script_t)
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
+ fs_exec_nfs_files(httpd_sys_script_t)
+
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_manage_nfs_dirs(httpd_suexec_t)
+ fs_manage_nfs_files(httpd_suexec_t)
+ fs_manage_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
- corenet_tcp_bind_all_nodes(httpd_sys_script_t)
- corenet_udp_bind_all_nodes(httpd_sys_script_t)
+ corenet_tcp_bind_generic_node(httpd_sys_script_t)
+ corenet_udp_bind_generic_node(httpd_sys_script_t)
corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
- corenet_udp_sendrecv_all_if(httpd_sys_script_t)
- corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
- corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
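Review bot: `fs_cifs_entry_type(httpd_sys_script_t)` and `fs_nfs_entry_type(httpd_sys_script_t)` are unconditional, so files on any NFS or CIFS mount are entrypoints for the CGI domain even when `httpd_use_nfs`/`httpd_use_cifs` are off; only the `fs_exec_*` and `fs_manage_*` grants are inside the tunables. Attribute assignments cannot live in a `tunable_policy`, so either record that this is intentionally always-on with a comment (`# entry_type cannot be conditional; exec itself is gated by httpd_use_nfs`) or drop the two lines if the `fs_exec_*` grants alone cover the use case. Separately, the `spamassassin_domtrans_client(httpd_t)` block grants httpd_t, not httpd_sys_script_t, yet is placed in the sys_script section; it belongs with the other httpd_t optional blocks. The narrowing from `*_all_nodes`/`*_all_if` to `*_generic_node`/`*_generic_if` in the network block is a welcome tightening.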
@@ -822,14 +1169,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
- userdom_read_user_home_content_files(httpd_sys_script_t)
+ userdom_search_user_home_dirs(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_sys_script_t)
+ fs_manage_cifs_files(httpd_sys_script_t)
+ fs_manage_cifs_symlinks(httpd_sys_script_t)
+ fs_manage_cifs_dirs(httpd_suexec_t)
+ fs_manage_cifs_files(httpd_suexec_t)
+ fs_manage_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -842,10 +1204,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_sys_script_t)
+ ')
')
optional_policy(`
postgresql_stream_connect(httpd_sys_script_t)
+ postgresql_unpriv_client(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_sys_script_t)
+ ')
')
########################################
@@ -891,11 +1263,48 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
')
# allow accessing files/dirs below the users home dir
tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_t)
- userdom_search_user_home_dirs(httpd_suexec_t)
- userdom_search_user_home_dirs(httpd_user_script_t)
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
+ userdom_read_user_home_content_files(httpd_user_script_t)
+')
+
+########################################
+#
+# httpd_passwd local policy
+#
+
+allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
+allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
+
+domain_use_interactive_fds(httpd_passwd_t)
+
+files_read_etc_files(httpd_passwd_t)
+
+miscfiles_read_localization(httpd_passwd_t)
+
+corecmd_exec_bin(httpd_passwd_t)
+
+kernel_read_system_state(httpd_passwd_t)
+
+dev_read_urand(httpd_passwd_t)
+
+systemd_passwd_agent_dev_template(httpd)
+
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
+
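Review bot: In the `httpd_enable_cgi && httpd_unified` block, `httpd_user_script_t` is given full `manage_*` access to `httpd_user_ra_content_t`, which removes the read/append-only property the `ra` content type is meant to provide; if unified mode is intended to collapse the content types, a comment on that line saying so (`# unified mode: all user content types are read-write`) stops a later reader from treating it as a mistake. The `httpd_enable_homedirs` block also changes `userdom_search_user_home_dirs` to `userdom_search_user_home_content`, widening search from the home directory itself to all user home content directories, which deserves a one-line why-comment. The new `httpd_passwd_t` section ends with a stray blank `+` line at end of file.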
diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
index cd07b96..9b7742f 100644
--- a/policy/modules/services/apcupsd.fc
+++ b/policy/modules/services/apcupsd.fc
@@ -4,6 +4,8 @@
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
+
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
@@ -13,3 +15,4 @@
/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index d052bf0..ec55314 100644
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
@@ -87,13 +87,17 @@ miscfiles_read_localization(apcupsd_t)
sysnet_dns_name_resolve(apcupsd_t)
-userdom_use_user_ttys(apcupsd_t)
+userdom_use_inherited_user_ttys(apcupsd_t)
optional_policy(`
hostname_exec(apcupsd_t)
')
optional_policy(`
+ shutdown_domtrans(apcupsd_t)
+')
+
+optional_policy(`
mta_send_mail(apcupsd_t)
mta_system_content(apcupsd_tmp_t)
')
diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if
index 1ea99b2..9427dd5 100644
--- a/policy/modules/services/apm.if
+++ b/policy/modules/services/apm.if
@@ -52,7 +52,8 @@ interface(`apm_write_pipes',`
type apmd_t;
')
- allow $1 apmd_t:fifo_file write;
+ allow $1 apmd_t:fd use;
+ allow $1 apmd_t:fifo_file write_fifo_file_perms;
')
########################################
@@ -89,7 +90,7 @@ interface(`apm_append_log',`
')
logging_search_logs($1)
- allow $1 apmd_log_t:file append;
+ allow $1 apmd_log_t:file append_file_perms;
')
########################################
@@ -108,6 +109,5 @@ interface(`apm_stream_connect',`
')
files_search_pids($1)
- allow $1 apmd_var_run_t:sock_file write;
- allow $1 apmd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
')
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
index 1c8c27e..21b91de 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
#
# Declarations
#
+
type apmd_t;
type apmd_exec_t;
init_daemon_domain(apmd_t, apmd_exec_t)
@@ -45,7 +46,7 @@ dev_rw_apm_bios(apm_t)
fs_getattr_xattr_fs(apm_t)
-term_use_all_terms(apm_t)
+term_use_all_inherited_terms(apm_t)
domain_use_interactive_fds(apm_t)
@@ -62,6 +63,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
+allow apmd_t self:netlink_socket create_socket_perms;
allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
@@ -81,6 +83,8 @@ kernel_rw_all_sysctls(apmd_t)
kernel_read_system_state(apmd_t)
kernel_write_proc_files(apmd_t)
+dev_read_input(apmd_t)
+dev_read_mouse(apmd_t)
dev_read_realtime_clock(apmd_t)
dev_read_urand(apmd_t)
dev_rw_apm_bios(apmd_t)
@@ -114,6 +118,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
+auth_use_nsswitch(apmd_t)
+
init_domtrans_script(apmd_t)
init_rw_utmp(apmd_t)
init_telinit(apmd_t)
@@ -127,10 +133,8 @@ logging_send_audit_msgs(apmd_t)
miscfiles_read_localization(apmd_t)
miscfiles_read_hwdata(apmd_t)
-modutils_domtrans_insmod(apmd_t)
-modutils_read_module_config(apmd_t)
-
seutil_dontaudit_read_config(apmd_t)
+seutil_sigchld_newrole(apmd_t)
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
userdom_dontaudit_search_user_home_dirs(apmd_t)
@@ -142,9 +146,8 @@ ifdef(`distro_redhat',`
can_exec(apmd_t, apmd_var_run_t)
- # ifconfig_exec_t needs to be run in its own domain for Red Hat
optional_policy(`
- sysnet_domtrans_ifconfig(apmd_t)
+ fstools_domtrans(apmd_t)
')
optional_policy(`
@@ -155,6 +158,15 @@ ifdef(`distro_redhat',`
netutils_domtrans(apmd_t)
')
+ # ifconfig_exec_t needs to be run in its own domain for Red Hat
+ optional_policy(`
+ sssd_search_lib(apmd_t)
+ ')
+
+ optional_policy(`
+ sysnet_domtrans_ifconfig(apmd_t)
+ ')
+
',`
# for ifconfig which is run all the time
kernel_dontaudit_search_sysctl(apmd_t)
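Review bot: The comment `# ifconfig_exec_t needs to be run in its own domain for Red Hat` is re-inserted above the new `sssd_search_lib(apmd_t)` block instead of above the `sysnet_domtrans_ifconfig(apmd_t)` block it describes (the earlier hunk `@@ -142,9 +146,8 @@` removes it from its original place). Move the comment down one `optional_policy` block so it sits directly over the ifconfig transition.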
@@ -201,7 +213,8 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(apmd_t)
+ modutils_domtrans_insmod(apmd_t)
+ modutils_read_module_config(apmd_t)
')
optional_policy(`
@@ -209,8 +222,9 @@ optional_policy(`
pcmcia_domtrans_cardctl(apmd_t)
')
+
optional_policy(`
- seutil_sigchld_newrole(apmd_t)
+ shutdown_domtrans(apmd_t)
')
optional_policy(`
@@ -219,10 +233,6 @@ optional_policy(`
')
optional_policy(`
- unconfined_domain(apmd_t)
-')
-
-optional_policy(`
vbetool_domtrans(apmd_t)
')
diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
index c804110..bdefbe1 100644
--- a/policy/modules/services/arpwatch.if
+++ b/policy/modules/services/arpwatch.if
@@ -137,7 +137,7 @@ interface(`arpwatch_admin',`
type arpwatch_initrc_exec_t;
')
- allow $1 arpwatch_t:process { ptrace signal_perms getattr };
+ allow $1 arpwatch_t:process { ptrace signal_perms };
ps_process_pattern($1, arpwatch_t)
arpwatch_initrc_domtrans($1)
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
index 804135f..af04567 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
@@ -47,8 +47,9 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
kernel_read_network_state(arpwatch_t)
+# meminfo
+kernel_read_system_state(arpwatch_t)
kernel_read_kernel_sysctls(arpwatch_t)
-kernel_list_proc(arpwatch_t)
kernel_read_proc_symlinks(arpwatch_t)
kernel_request_load_module(arpwatch_t)
diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if
index 8b8143e..c1a2b96 100644
--- a/policy/modules/services/asterisk.if
+++ b/policy/modules/services/asterisk.if
@@ -64,7 +64,7 @@ interface(`asterisk_admin',`
type asterisk_initrc_exec_t;
')
- allow $1 asterisk_t:process { ptrace signal_perms getattr };
+ allow $1 asterisk_t:process { ptrace signal_perms };
ps_process_pattern($1, asterisk_t)
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index b3b0176..8e66610 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -19,10 +19,11 @@ type asterisk_log_t;
logging_log_file(asterisk_log_t)
type asterisk_spool_t;
-files_type(asterisk_spool_t)
+files_spool_file(asterisk_spool_t)
type asterisk_tmp_t;
files_tmp_file(asterisk_tmp_t)
+mta_system_content(asterisk_tmp_t)
type asterisk_tmpfs_t;
files_tmpfs_file(asterisk_tmpfs_t)
@@ -39,8 +40,8 @@ files_pid_file(asterisk_var_run_t)
#
# dac_override for /var/run/asterisk
-allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin };
-dontaudit asterisk_t self:capability sys_tty_config;
+allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
+dontaudit asterisk_t self:capability { sys_module sys_tty_config };
allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
allow asterisk_t self:fifo_file rw_fifo_file_perms;
allow asterisk_t self:sem create_sem_perms;
@@ -76,10 +77,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
+manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file })
kernel_read_system_state(asterisk_t)
kernel_read_kernel_sysctls(asterisk_t)
@@ -108,14 +110,19 @@ corenet_tcp_bind_generic_port(asterisk_t)
corenet_udp_bind_generic_port(asterisk_t)
corenet_dontaudit_udp_bind_all_ports(asterisk_t)
corenet_sendrecv_generic_server_packets(asterisk_t)
+corenet_tcp_connect_festival_port(asterisk_t)
+corenet_tcp_connect_jabber_client_port(asterisk_t)
+corenet_tcp_connect_pktcable_port(asterisk_t)
corenet_tcp_connect_postgresql_port(asterisk_t)
corenet_tcp_connect_snmp_port(asterisk_t)
corenet_tcp_connect_sip_port(asterisk_t)
+corenet_tcp_connect_jabber_client_port(asterisk_t)
dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
dev_read_sound(asterisk_t)
dev_write_sound(asterisk_t)
+dev_read_rand(asterisk_t)
dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
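Review bot: `corenet_tcp_connect_jabber_client_port(asterisk_t)` is added twice in this hunk, once after `corenet_sendrecv_generic_server_packets` and again after `corenet_tcp_connect_sip_port`. Duplicate allow rules are merged by the compiler, so it is only noise, but the second occurrence should be dropped. `dev_read_rand(asterisk_t)` next to the existing `dev_read_urand` gives the daemon the blocking random device as well; a short comment naming the consumer would help (e.g. `# SRTP/TLS key material — TODO confirm`).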
@@ -125,6 +132,7 @@ files_search_spool(asterisk_t)
# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
# are labeled usr_t
files_read_usr_files(asterisk_t)
+files_dontaudit_search_home(asterisk_t)
fs_getattr_all_fs(asterisk_t)
fs_list_inotifyfs(asterisk_t)
@@ -141,6 +149,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
optional_policy(`
+ alsa_read_rw_config(asterisk_t)
+')
+
+optional_policy(`
mysql_stream_connect(asterisk_t)
')
diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
index d80a16b..68b85e2 100644
--- a/policy/modules/services/automount.if
+++ b/policy/modules/services/automount.if
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
## </summary>
## </param>
#
-#
interface(`automount_signal',`
gen_require(`
type automount_t;
@@ -68,7 +67,8 @@ interface(`automount_read_state',`
type automount_t;
')
- read_files_pattern($1, automount_t, automount_t)
+ kernel_search_proc($1)
+ ps_process_pattern($1, automount_t)
')
########################################
@@ -104,6 +104,7 @@ interface(`automount_dontaudit_write_pipes',`
type automount_t;
')
+ dontaudit $1 automount_t:fd use;
dontaudit $1 automount_t:fifo_file write;
')
@@ -123,7 +124,7 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
type automount_tmp_t;
')
- dontaudit $1 automount_tmp_t:dir getattr;
+ dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
')
########################################
@@ -149,7 +150,7 @@ interface(`automount_admin',`
type automount_var_run_t, automount_initrc_exec_t;
')
- allow $1 automount_t:process { ptrace signal_perms getattr };
+ allow $1 automount_t:process { ptrace signal_perms };
ps_process_pattern($1, automount_t)
init_labeled_script_domtrans($1, automount_initrc_exec_t)
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index 39799db..9390ef1 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -64,6 +64,7 @@ kernel_read_network_state(automount_t)
kernel_list_proc(automount_t)
kernel_dontaudit_search_xen_state(automount_t)
+files_read_usr_files(automount_t)
files_search_boot(automount_t)
# Automount is slowly adding all mount functionality internally
files_search_all(automount_t)
@@ -143,9 +144,6 @@ logging_search_logs(automount_t)
miscfiles_read_localization(automount_t)
miscfiles_read_generic_certs(automount_t)
-# Run mount in the mount_t domain.
-mount_domtrans(automount_t)
-mount_signal(automount_t)
userdom_dontaudit_use_unpriv_user_fds(automount_t)
userdom_dontaudit_search_user_home_dirs(automount_t)
@@ -155,6 +153,13 @@ optional_policy(`
')
optional_policy(`
+ # Run mount in the mount_t domain.
+ mount_domtrans(automount_t)
+ mount_domtrans_showmount(automount_t)
+ mount_signal(automount_t)
+')
+
+optional_policy(`
fstools_domtrans(automount_t)
')
diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
index 61c74bc..c6b0498 100644
--- a/policy/modules/services/avahi.if
+++ b/policy/modules/services/avahi.if
@@ -90,6 +90,7 @@ interface(`avahi_dbus_chat',`
class dbus send_msg;
')
+ allow avahi_t $1:file read;
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
')
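Review bot: `allow avahi_t $1:file read;` in `avahi_dbus_chat` lets avahi_t read file objects labeled with the caller's domain type — in practice that domain's `/proc/<pid>` entries — for every domain granted a D-Bus chat, which is broader than "chat" suggests and is not reflected in the `class dbus send_msg` require above it. If avahi inspects its peers' process entries when handling bus messages, a comment on that line such as `# avahi reads the peer's /proc/<pid> entries` documents it; otherwise the rule looks like it belongs in a separate, explicitly named interface. The interface header and summary are outside the hunk.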
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index a7a0e71..5352ef6 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -17,6 +17,7 @@ files_pid_file(avahi_var_lib_t)
type avahi_var_run_t;
files_pid_file(avahi_var_run_t)
+init_sock_file(avahi_var_run_t)
########################################
#
@@ -46,6 +47,7 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
kernel_read_system_state(avahi_t)
kernel_read_kernel_sysctls(avahi_t)
kernel_read_network_state(avahi_t)
+kernel_request_load_module(avahi_t)
corecmd_exec_bin(avahi_t)
corecmd_exec_shell(avahi_t)
@@ -104,6 +106,10 @@ optional_policy(`
')
optional_policy(`
+ rpcbind_signull(avahi_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(avahi_t)
')
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
index 59aa54f..f944a65 100644
--- a/policy/modules/services/bind.fc
+++ b/policy/modules/services/bind.fc
@@ -5,6 +5,8 @@
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
+
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 44a1e3d..f5c476a 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -20,6 +20,30 @@ interface(`bind_initrc_domtrans',`
########################################
## <summary>
+## Execute bind server in the bind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bind_systemctl',`
+ gen_require(`
+ type named_unit_file_t;
+ type named_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 named_unit_file_t:file read_file_perms;
+ allow $1 named_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, named_t)
+')
+
+########################################
+## <summary>
## Execute ndc in the ndc domain.
## </summary>
## <param name="domain">
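Review bot: The summary of the new `bind_systemctl` interface reads `Execute bind server in the bind domain.`, which describes a domain transition, not what the body does: it lets `$1` run systemctl, search unit directories, read `named_unit_file_t`, hold `all_service_perms` on the unit, and read named_t's process state. Suggested summary: `## Execute systemctl on the named unit file and read named's process state.` Because `all_service_perms` covers start/stop and the rest of the service class, this is effectively a service-admin interface and should only be called from domains that already hold that level of control, such as `bind_admin`.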
@@ -186,7 +210,7 @@ interface(`bind_write_config',`
')
write_files_pattern($1, named_conf_t, named_conf_t)
- allow $1 named_conf_t:file setattr;
+ allow $1 named_conf_t:file setattr_file_perms;
')
########################################
@@ -266,7 +290,7 @@ interface(`bind_setattr_pid_dirs',`
type named_var_run_t;
')
- allow $1 named_var_run_t:dir setattr;
+ allow $1 named_var_run_t:dir setattr_dir_perms;
')
########################################
@@ -284,7 +308,7 @@ interface(`bind_setattr_zone_dirs',`
type named_zone_t;
')
- allow $1 named_zone_t:dir setattr;
+ allow $1 named_zone_t:dir setattr_dir_perms;
')
########################################
@@ -308,6 +332,27 @@ interface(`bind_read_zone',`
########################################
## <summary>
+## Read BIND zone files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_read_log',`
+ gen_require(`
+ type named_zone_t;
+ type named_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_zone_t:dir search_dir_perms;
+ read_files_pattern($1, named_log_t, named_log_t)
+')
+
+########################################
+## <summary>
## Manage BIND zone files.
## </summary>
## <param name="domain">
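Review bot: The summary of the new `bind_read_log` interface says `Read BIND zone files.`, copied from `bind_read_zone` directly above, while the body reads `named_log_t`; change it to `## Read BIND log files.`. The body also grants `search_dir_perms` on `named_zone_t`, which is unexpected in a log-reading interface unless the logs live under the zone directory; a comment such as `# named logs are written below the zone directory here` would justify it, otherwise `logging_search_logs($1)` is the conventional lead-in.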
@@ -359,10 +404,9 @@ interface(`bind_udp_chat_named',`
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
- type named_conf_t, named_var_lib_t, named_var_run_t;
- type named_cache_t, named_zone_t;
- type dnssec_t, ndc_t;
- type named_initrc_exec_t;
+ type named_conf_t, named_var_run_t, named_cache_t;
+ type named_zone_t, named_initrc_exec_t;
+ type dnssec_t, ndc_t, named_keytab_t;
')
allow $1 named_t:process { ptrace signal_perms };
@@ -391,9 +435,10 @@ interface(`bind_admin',`
admin_pattern($1, named_zone_t)
admin_pattern($1, dnssec_t)
- files_list_var_lib($1)
- admin_pattern($1, named_var_lib_t)
+ admin_pattern($1, named_keytab_t)
files_list_pids($1)
admin_pattern($1, named_var_run_t)
+
+ named_systemctl($1)
')
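Review bot: `bind_admin` now calls `named_systemctl($1)`, but the interface this patch defines in the same file is `bind_systemctl` (hunk `@@ -20,6 +20,30 @@`). Unless a `named_systemctl` interface exists elsewhere, the call will not expand and the module will fail to build; change it to `bind_systemctl($1)`. The gen_require also adds `named_keytab_t`, which none of the visible bind.te hunks declares, so confirm that type exists before relying on `admin_pattern($1, named_keytab_t)`.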
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 4deca04..8d81308 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -6,16 +6,24 @@ policy_module(bind, 1.11.0)
#
## <desc>
-## <p>
-## Allow BIND to write the master zone files.
-## Generally this is used for dynamic DNS or zone transfers.
-## </p>
+## <p>
+## Allow BIND to bind apache port.
+## </p>
+## </desc>
+gen_tunable(named_bind_http_port, false)
+
+## <desc>
+## <p>
+## Allow BIND to write the master zone files.
+## Generally this is used for dynamic DNS or zone transfers.
+## </p>
## </desc>
gen_tunable(named_write_master_zones, false)
# for DNSSEC key files
type dnssec_t;
files_security_file(dnssec_t)
+files_mountpoint(dnssec_t)
type named_t;
type named_exec_t;
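Review bot: The description of the new `named_bind_http_port` tunable, `Allow BIND to bind apache port.`, names a product rather than the port; `## Allow BIND to bind to the HTTP port.` matches what `corenet_tcp_bind_http_port(named_t)` grants in the later `tunable_policy` hunk of this file. Keeping the default at `false` is right, since enabling it lets the name server listen on the host's web ports, and a sentence in the description naming the deployment that needs it would help administrators decide whether to turn it on.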
@@ -27,7 +35,7 @@ init_system_domain(named_t, named_checkconf_exec_t)
# A type for configuration files of named.
type named_conf_t;
-files_type(named_conf_t)
+files_config_file(named_conf_t)
files_mountpoint(named_conf_t)
# for secondary zone files
@@ -37,6 +45,9 @@ files_type(named_cache_t)
type named_initrc_exec_t;
init_script_file(named_initrc_exec_t)
+type named_unit_file_t;
+systemd_unit_file(named_unit_file_t)
+
type named_log_t;
logging_log_file(named_log_t)
@@ -89,9 +100,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
files_tmp_filetrans(named_t, named_tmp_t, { file dir })
+manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t)
manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
-files_pid_filetrans(named_t, named_var_run_t, { file sock_file })
+files_pid_filetrans(named_t, named_var_run_t, { file sock_file dir })
# read zone files
allow named_t named_zone_t:dir list_dir_perms;
@@ -147,6 +159,10 @@ miscfiles_read_generic_certs(named_t)
userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
+tunable_policy(`named_bind_http_port',`
+ corenet_tcp_bind_http_port(named_t)
+')
+
tunable_policy(`named_write_master_zones',`
manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
manage_files_pattern(named_t, named_zone_t, named_zone_t)
@@ -198,18 +214,18 @@ allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
allow ndc_t self:tcp_socket create_socket_perms;
-allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
allow ndc_t dnssec_t:file read_file_perms;
-allow ndc_t dnssec_t:lnk_file { getattr read };
+allow ndc_t dnssec_t:lnk_file read_lnk_file_perms;
stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
allow ndc_t named_conf_t:file read_file_perms;
-allow ndc_t named_conf_t:lnk_file { getattr read };
+allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
+kernel_read_system_state(ndc_t)
kernel_read_kernel_sysctls(ndc_t)
corenet_all_recvfrom_unlabeled(ndc_t)
@@ -228,6 +244,8 @@ files_search_pids(ndc_t)
fs_getattr_xattr_fs(ndc_t)
+auth_use_nsswitch(ndc_t)
+
init_use_fds(ndc_t)
init_use_script_ptys(ndc_t)
@@ -235,24 +253,13 @@ logging_send_syslog_msg(ndc_t)
miscfiles_read_localization(ndc_t)
-sysnet_read_config(ndc_t)
-sysnet_dns_name_resolve(ndc_t)
-
-userdom_use_user_terminals(ndc_t)
+userdom_use_inherited_user_terminals(ndc_t)
term_dontaudit_use_console(ndc_t)
# for /etc/rndc.key
ifdef(`distro_redhat',`
- allow ndc_t named_conf_t:dir search;
-')
-
-optional_policy(`
- nis_use_ypbind(ndc_t)
-')
-
-optional_policy(`
- nscd_socket_use(ndc_t)
+ allow ndc_t named_conf_t:dir search_dir_perms;
')
optional_policy(`
diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc
index 0197980..f8bce2c 100644
--- a/policy/modules/services/bitlbee.fc
+++ b/policy/modules/services/bitlbee.fc
@@ -4,3 +4,6 @@
/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
+
+/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)
+/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)
diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
index f4e7ad3..2faf42a 100644
--- a/policy/modules/services/bitlbee.te
+++ b/policy/modules/services/bitlbee.te
@@ -22,29 +22,40 @@ files_tmp_file(bitlbee_tmp_t)
type bitlbee_var_t;
files_type(bitlbee_var_t)
+type bitlbee_var_run_t;
+files_type(bitlbee_var_run_t)
+
########################################
#
# Local policy
#
-allow bitlbee_t self:capability { setgid setuid };
-allow bitlbee_t self:process signal;
+allow bitlbee_t self:capability { dac_override setgid setuid sys_nice };
+allow bitlbee_t self:process { setsched signal };
+
+allow bitlbee_t self:fifo_file rw_fifo_file_perms;
allow bitlbee_t self:udp_socket create_socket_perms;
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
-allow bitlbee_t self:fifo_file rw_fifo_file_perms;
+allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
bitlbee_read_config(bitlbee_t)
# tmp files
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
-files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
+manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
# user account information is read and edited at runtime; give the usual
# r/w access to bitlbee_var_t
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
+
kernel_read_system_state(bitlbee_t)
corenet_all_recvfrom_unlabeled(bitlbee_t)
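Review bot: `bitlbee_var_run_t` is declared with `files_type()` although it labels the pid and socket files under /var/run (see the bitlbee.fc hunk) and is used with `files_pid_filetrans()`; the usual declaration for such a type is `files_pid_file(bitlbee_var_run_t)`, as this same patch does for `cachefilesd_var_run_t`, so that the type carries the pidfile attribute and the generic /var/run interfaces cover it. The capability line also grows `dac_override` and `sys_nice` without explanation; a why-comment above it (e.g. `# dac_override: <denial it resolves>`) would let a later reviewer judge whether the DAC bypass is still needed.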
@@ -52,6 +63,7 @@ corenet_udp_sendrecv_generic_if(bitlbee_t)
corenet_udp_sendrecv_generic_node(bitlbee_t)
corenet_tcp_sendrecv_generic_if(bitlbee_t)
corenet_tcp_sendrecv_generic_node(bitlbee_t)
+corenet_tcp_bind_generic_node(bitlbee_t)
# Allow bitlbee to connect to jabber servers
corenet_tcp_connect_jabber_client_port(bitlbee_t)
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
@@ -69,6 +81,9 @@ corenet_tcp_connect_http_port(bitlbee_t)
corenet_tcp_sendrecv_http_port(bitlbee_t)
corenet_tcp_connect_http_cache_port(bitlbee_t)
corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
+corenet_tcp_bind_ircd_port(bitlbee_t)
+corenet_tcp_sendrecv_ircd_port(bitlbee_t)
+corenet_sendrecv_ircd_server_packets(bitlbee_t)
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 3e45431..4aa8fb1 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -14,6 +14,7 @@
## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`bluetooth_role',`
gen_require(`
@@ -27,7 +28,7 @@ interface(`bluetooth_role',`
# allow ps to show cdrecord and allow the user to kill it
ps_process_pattern($2, bluetooth_helper_t)
- allow $2 bluetooth_helper_t:process signal;
+ allow $2 bluetooth_helper_t:process { ptrace signal_perms };
manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
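Review bot: The comment above the changed line still says the user is only allowed to kill the helper, but the rule now grants `ptrace` as well as `signal_perms`, and ptrace lets the user domain attach to and read the memory of `bluetooth_helper_t`. Either drop `ptrace` if killing is all that is needed, or update the comment to `# allow ps to show the helper and allow the user to signal or debug it`. The enclosing `bluetooth_role` interface starts outside the hunk.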
@@ -91,7 +92,7 @@ interface(`bluetooth_read_config',`
type bluetooth_conf_t;
')
- allow $1 bluetooth_conf_t:file { getattr read ioctl };
+ allow $1 bluetooth_conf_t:file read_file_perms;
')
########################################
@@ -117,6 +118,27 @@ interface(`bluetooth_dbus_chat',`
########################################
## <summary>
+## dontaudit Send and receive messages from
+## bluetooth over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`bluetooth_dontaudit_dbus_chat',`
+ gen_require(`
+ type bluetooth_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 bluetooth_t:dbus send_msg;
+ dontaudit bluetooth_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
## </summary>
## <param name="domain">
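Review bot: The summary of the new `bluetooth_dontaudit_dbus_chat` interface, `dontaudit Send and receive messages from bluetooth over dbus.`, mixes the rule keyword into the sentence; the wording this file uses for its other dontaudit interface (`Do not audit attempts to read bluetooth helper state files.` in a later hunk) suggests `## Do not audit attempts to send and receive messages from bluetooth over dbus.`.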
@@ -157,7 +179,7 @@ interface(`bluetooth_run_helper',`
########################################
## <summary>
-## Read bluetooth helper state files.
+## Do not audit attempts to read bluetooth helper state files.
## </summary>
## <param name="domain">
## <summary>
@@ -170,8 +192,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
type bluetooth_helper_t;
')
- dontaudit $1 bluetooth_helper_t:dir search;
- dontaudit $1 bluetooth_helper_t:file { read getattr };
+ dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
+ dontaudit $1 bluetooth_helper_t:file read_file_perms;
')
########################################
@@ -194,9 +216,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
interface(`bluetooth_admin',`
gen_require(`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
- type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
+ type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
type bluetooth_conf_t, bluetooth_conf_rw_t;
- type bluetooth_initrc_exec_t;
')
allow $1 bluetooth_t:process { ptrace signal_perms };
@@ -217,9 +238,6 @@ interface(`bluetooth_admin',`
admin_pattern($1, bluetooth_conf_t)
admin_pattern($1, bluetooth_conf_rw_t)
- files_list_spool($1)
- admin_pattern($1, bluetooth_spool_t)
-
files_list_var_lib($1)
admin_pattern($1, bluetooth_var_lib_t)
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 215b86b..619518f 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.3.0)
#
# Declarations
#
+
type bluetooth_t;
type bluetooth_exec_t;
init_daemon_domain(bluetooth_t, bluetooth_exec_t)
type bluetooth_conf_t;
-files_type(bluetooth_conf_t)
+files_config_file(bluetooth_conf_t)
type bluetooth_conf_rw_t;
files_type(bluetooth_conf_rw_t)
@@ -99,6 +100,11 @@ kernel_request_load_module(bluetooth_t)
#search debugfs - redhat bug 548206
kernel_search_debugfs(bluetooth_t)
+ifdef(`hide_broken_symptoms', `
+ kernel_rw_unlabeled_socket(bluetooth_t)
+ dev_rw_generic_chr_files(bluetooth_t)
+')
+
corenet_all_recvfrom_unlabeled(bluetooth_t)
corenet_all_recvfrom_netlabel(bluetooth_t)
corenet_tcp_sendrecv_generic_if(bluetooth_t)
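Review bot: The new `hide_broken_symptoms` block grants `kernel_rw_unlabeled_socket` and `dev_rw_generic_chr_files` to `bluetooth_t` without saying which symptom is being hidden; `dev_rw_generic_chr_files` is read/write on every generic character device, so the reason should be recorded, e.g. `# hide_broken_symptoms: <denial or bug reference>` above the ifdef. The debugfs rule just above it (`#search debugfs - redhat bug 548206`) is the pattern to follow.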
@@ -147,6 +153,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
optional_policy(`
+ devicekit_dbus_chat_power(bluetooth_t)
+')
+
+optional_policy(`
dbus_system_bus_client(bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
@@ -190,7 +200,6 @@ allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
allow bluetooth_helper_t self:shm create_shm_perms;
allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow bluetooth_helper_t self:tcp_socket create_socket_perms;
-allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;
allow bluetooth_helper_t bluetooth_t:socket { read write };
@@ -220,6 +229,8 @@ files_read_etc_runtime_files(bluetooth_helper_t)
files_read_usr_files(bluetooth_helper_t)
files_dontaudit_list_default(bluetooth_helper_t)
+auth_use_nsswitch(bluetooth_helper_t)
+
locallogin_dontaudit_use_fds(bluetooth_helper_t)
logging_send_syslog_msg(bluetooth_helper_t)
@@ -236,9 +247,5 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(bluetooth_helper_t)
-')
-
-optional_policy(`
xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
')
diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc
new file mode 100644
index 0000000..c095160
--- /dev/null
+++ b/policy/modules/services/boinc.fc
@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+
+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+
+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if
new file mode 100644
index 0000000..fa9b95a
--- /dev/null
+++ b/policy/modules/services/boinc.if
@@ -0,0 +1,150 @@
+## <summary>policy for boinc</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run boinc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`boinc_domtrans',`
+ gen_require(`
+ type boinc_t, boinc_exec_t;
+ ')
+
+ domtrans_pattern($1, boinc_exec_t, boinc_t)
+')
+
+#######################################
+## <summary>
+## Execute boinc server in the boinc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`boinc_initrc_domtrans',`
+ gen_require(`
+ type boinc_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Search boinc lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`boinc_search_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ allow $1 boinc_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read boinc lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`boinc_read_lib_files',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## boinc lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`boinc_manage_lib_files',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage boinc var_lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`boinc_manage_var_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an boinc environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`boinc_admin',`
+ gen_require(`
+ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
+ ')
+
+ allow $1 boinc_t:process { ptrace signal_perms };
+ ps_process_pattern($1, boinc_t)
+
+ boinc_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 boinc_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, boinc_var_lib_t)
+')
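Review bot: `boinc_admin` only administers `boinc_var_lib_t` and the `boinc_t` process, while boinc.te in this patch also declares `boinc_project_t`, `boinc_project_var_lib_t`, `boinc_tmp_t` and `boinc_project_tmp_t`. An admin that cannot signal project processes or manage `/var/lib/boinc/projects` is incomplete, so those types belong in the gen_require with matching `ps_process_pattern`/`admin_pattern` calls. Also `## an boinc environment.` should read `## a boinc environment.`, and `boinc_manage_lib_files` is a strict subset of `boinc_manage_var_lib`, which is worth a line in their summaries so callers know which to pick.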
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644
index 0000000..1442451
--- /dev/null
+++ b/policy/modules/services/boinc.te
@@ -0,0 +1,172 @@
+policy_module(boinc, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type boinc_t;
+type boinc_exec_t;
+init_daemon_domain(boinc_t, boinc_exec_t)
+
+type boinc_initrc_exec_t;
+init_script_file(boinc_initrc_exec_t)
+
+type boinc_tmp_t;
+files_tmp_file(boinc_tmp_t)
+
+type boinc_tmpfs_t;
+files_tmpfs_file(boinc_tmpfs_t)
+
+type boinc_var_lib_t;
+files_type(boinc_var_lib_t)
+
+type boinc_project_t;
+domain_type(boinc_project_t)
+role system_r types boinc_project_t;
+
+type boinc_project_tmp_t;
+files_tmp_file(boinc_project_tmp_t)
+
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
+########################################
+#
+# boinc local policy
+#
+
+allow boinc_t self:capability { kill };
+allow boinc_t self:process { setsched sigkill };
+
+allow boinc_t self:fifo_file rw_fifo_file_perms;
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
+allow boinc_t self:tcp_socket create_stream_socket_perms;
+allow boinc_t self:sem create_sem_perms;
+allow boinc_t self:shm create_shm_perms;
+
+manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+
+manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
+fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
+
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir)
+
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+
+# needs read /proc/interrupts
+kernel_read_system_state(boinc_t)
+
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+
+corecmd_exec_bin(boinc_t)
+corecmd_exec_shell(boinc_t)
+
+corenet_all_recvfrom_unlabeled(boinc_t)
+corenet_all_recvfrom_netlabel(boinc_t)
+corenet_tcp_sendrecv_generic_if(boinc_t)
+corenet_udp_sendrecv_generic_if(boinc_t)
+corenet_tcp_sendrecv_generic_node(boinc_t)
+corenet_udp_sendrecv_generic_node(boinc_t)
+corenet_tcp_sendrecv_all_ports(boinc_t)
+corenet_udp_sendrecv_all_ports(boinc_t)
+corenet_tcp_bind_generic_node(boinc_t)
+corenet_udp_bind_generic_node(boinc_t)
+corenet_tcp_bind_boinc_port(boinc_t)
+corenet_tcp_bind_boinc_client_ctrl_port(boinc_t)
+corenet_tcp_connect_boinc_port(boinc_t)
+corenet_tcp_connect_http_port(boinc_t)
+corenet_tcp_connect_http_cache_port(boinc_t)
+
+dev_list_sysfs(boinc_t)
+dev_read_rand(boinc_t)
+dev_read_urand(boinc_t)
+dev_read_sysfs(boinc_t)
+
+domain_read_all_domains_state(boinc_t)
+
+files_dontaudit_getattr_boot_dirs(boinc_t)
+
+files_read_etc_files(boinc_t)
+files_read_usr_files(boinc_t)
+
+fs_getattr_all_fs(boinc_t)
+
+term_getattr_all_ptys(boinc_t)
+term_getattr_unallocated_ttys(boinc_t)
+
+init_read_utmp(boinc_t)
+
+miscfiles_read_localization(boinc_t)
+miscfiles_read_generic_certs(boinc_t)
+
+logging_send_syslog_msg(boinc_t)
+
+sysnet_dns_name_resolve(boinc_t)
+
+mta_send_mail(boinc_t)
+
+########################################
+#
+# boinc-projects local policy
+#
+
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill;
+
+allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { execmem execstack };
+
+allow boinc_project_t self:fifo_file rw_fifo_file_perms;
+allow boinc_project_t self:sem create_sem_perms;
+
+manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
+
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
+
+allow boinc_project_t boinc_project_var_lib_t:file execmod;
+
+allow boinc_project_t boinc_t:shm rw_shm_perms;
+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
+
+list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
+rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
+
+kernel_read_system_state(boinc_project_t)
+kernel_read_kernel_sysctls(boinc_project_t)
+kernel_search_vm_sysctl(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
+
+corecmd_exec_bin(boinc_project_t)
+corecmd_exec_shell(boinc_project_t)
+
+corenet_tcp_connect_boinc_port(boinc_project_t)
+
+dev_read_rand(boinc_project_t)
+dev_read_urand(boinc_project_t)
+dev_read_sysfs(boinc_project_t)
+dev_rw_xserver_misc(boinc_project_t)
+
+files_read_etc_files(boinc_project_t)
+files_read_etc_runtime_files(boinc_project_t)
+files_read_usr_files(boinc_project_t)
+
+miscfiles_read_fonts(boinc_project_t)
+miscfiles_read_localization(boinc_project_t)
+
+optional_policy(`
+ java_exec(boinc_project_t)
+')
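Review bot: `boinc_project_t` is the domain that runs project binaries fetched by the client (see `domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)`), yet it is granted `execmem`, `execstack` and `execmod` unconditionally, which switches off the W^X memory protections for code that arrives from the network. Fedora policy ordinarily gates such grants behind a tunable, as the `named_bind_http_port` tunable in this same patch does; the rewrite below moves the three permissions under one (the tunable name is a proposal). A why-comment on `domain_read_all_domains_state(boinc_t)` and `files_getattr_all_files(boinc_t)` would also help, since it is not obvious from the file why the client needs to inspect every process and stat every file.
```m4
## <desc>
## <p>
## Allow BOINC project applications to use
## executable memory and executable stack.
## </p>
## </desc>
gen_tunable(boinc_execmem, false)

# … unchanged: declarations and boinc_t local policy …

# … unchanged: boinc-projects rules up to the self:process line …
allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop };

tunable_policy(`boinc_execmem',`
	allow boinc_project_t self:process { execmem execstack };
	allow boinc_project_t boinc_project_var_lib_t:file execmod;
')

# … unchanged: remaining boinc_project_t rules …
```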
diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc
index 8c84063..c8bfb68 100644
--- a/policy/modules/services/bugzilla.fc
+++ b/policy/modules/services/bugzilla.fc
@@ -1,3 +1,4 @@
+
/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if
index de89d0f..140f520 100644
--- a/policy/modules/services/bugzilla.if
+++ b/policy/modules/services/bugzilla.if
@@ -58,13 +58,16 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
interface(`bugzilla_admin',`
gen_require(`
type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
- type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
- type httpd_bugzilla_htaccess_t;
- ')
+ type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
+ type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
+ ')
allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
ps_process_pattern($1, httpd_bugzilla_script_t)
+ files_list_tmp($1)
+ admin_pattern($1, httpd_bugzilla_tmp_t)
+
files_list_var_lib(httpd_bugzilla_script_t)
apache_list_sys_content($1)
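Review bot: `files_list_var_lib(httpd_bugzilla_script_t)` inside `bugzilla_admin` grants to the script domain rather than to the administrator `$1`, unlike every other call in the interface; it is a context line, but it sits directly under the new `files_list_tmp($1)` and looks like a typo for `files_list_var_lib($1)`. The gen_require change in this hunk appears to be re-indentation only. The interface body continues outside the hunk.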
diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te
index 048abbf..7368f57 100644
--- a/policy/modules/services/bugzilla.te
+++ b/policy/modules/services/bugzilla.te
@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.0)
apache_content_template(bugzilla)
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
########################################
#
# bugzilla local policy
@@ -31,6 +34,10 @@ corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
+
files_search_var_lib(httpd_bugzilla_script_t)
sysnet_read_config(httpd_bugzilla_script_t)
diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc
new file mode 100644
index 0000000..24d9837
--- /dev/null
+++ b/policy/modules/services/cachefilesd.fc
@@ -0,0 +1,29 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the contexts to be assigned to various files and directories of
+# importance to the CacheFiles kernel module and userspace management daemon.
+#
+
+# cachefilesd executable will have:
+# label: system_u:object_r:cachefilesd_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
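Review bot: The pid file `/var/run/cachefilesd\.pid` is labeled `cachefiles_var_t` here, but cachefilesd.te in this patch declares `cachefilesd_var_run_t` with `files_pid_file()` and transitions the daemon's pid file to it via `files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)`; after a relabel the daemon would find its pid file under the cache-content type instead. The line should read `/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)`.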
diff --git a/policy/modules/services/cachefilesd.if b/policy/modules/services/cachefilesd.if
new file mode 100644
index 0000000..3b41945
--- /dev/null
+++ b/policy/modules/services/cachefilesd.if
@@ -0,0 +1,35 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
+## <summary>policy for cachefilesd</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run cachefilesd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cachefilesd_domtrans',`
+ gen_require(`
+ type cachefilesd_t, cachefilesd_exec_t;
+ ')
+
+ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
+')
diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
new file mode 100644
index 0000000..e7d2a5b
--- /dev/null
+++ b/policy/modules/services/cachefilesd.te
@@ -0,0 +1,145 @@
+###############################################################################
+#
+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# This security policy governs access by the CacheFiles kernel module and
+# userspace management daemon to the files and directories in the on-disk
+# cache, on behalf of the processes accessing the cache through a network
+# filesystem such as NFS
+#
+policy_module(cachefilesd, 1.0.17)
+
+###############################################################################
+#
+# Declarations
+#
+
+#
+# Files in the cache are created by the cachefiles module with security ID
+# cachefiles_var_t
+#
+type cachefiles_var_t;
+files_type(cachefiles_var_t)
+
+#
+# The /dev/cachefiles character device has security ID cachefiles_dev_t
+#
+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
+#
+# The cachefilesd daemon normally runs with security ID cachefilesd_t
+#
+type cachefilesd_t;
+type cachefilesd_exec_t;
+init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
+
+#
+# The cachefilesd daemon pid file context
+#
+type cachefilesd_var_run_t;
+files_pid_file(cachefilesd_var_run_t)
+
+#
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
+#
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
+###############################################################################
+#
+# Permit RPM to deal with files in the cache
+#
+optional_policy(`
+ rpm_use_script_fds(cachefilesd_t)
+')
+
+###############################################################################
+#
+# cachefilesd local policy
+#
+# These define what cachefilesd is permitted to do. This doesn't include very
+# much: startup stuff, logging, pid file, scanning the cache superstructure and
+# deleting files from the cache. It is not permitted to read/write files in
+# the cache.
+#
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
+allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
+
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
+manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
+files_create_as_is_all_files(cachefilesd_t)
+
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
+
+# Allow access to cache superstructure
+allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
+allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };
+
+# Permit statfs on the backing filesystem
+fs_getattr_xattr_fs(cachefilesd_t)
+
+# Basic access
+files_read_etc_files(cachefilesd_t)
+miscfiles_read_localization(cachefilesd_t)
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
+term_dontaudit_use_generic_ptys(cachefilesd_t)
+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
+
+###############################################################################
+#
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
+# the kernel module the security context in which it should act, and this
+# policy has to approve that.
+#
+# There are two parts to this:
+#
+# (1) the security context used by the module to access files in the cache,
+# as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
+allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
+
+#
+# (2) the label that will be assigned to new files and directories created in
+# the cache by the module, which will be the same as the label on the
+# directory pointed to by the 'dir' command.
+#
+allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
+
+###############################################################################
+#
+# cachefiles kernel module local policy
+#
+# This governs what the kernel module is allowed to do the contents of the
+# cache.
+#
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
+
+manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
+
+init_sigchld_script(cachefiles_kernel_t)
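Review bot: `allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;` is subsumed by the `manage_files_pattern()` call on the next line and can be dropped. The broad grants `files_create_as_is_all_files(cachefilesd_t)` and `sys_admin` in the capability set carry no explanation, unlike the rest of this otherwise well-commented file; a why-comment on each naming the operation that fails without it would help (the `kernel_service create_files_as` rule later in the file may be the related need, but that is an inference). The line `Check in /usr/share/selinux/devel/include/ for macros to use instead of allow rules.` reads as an author's to-do and should be removed from the shipped policy.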
diff --git a/policy/modules/services/callweaver.fc b/policy/modules/services/callweaver.fc
new file mode 100644
index 0000000..3e15c63
--- /dev/null
+++ b/policy/modules/services/callweaver.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/callweaver -- gen_context(system_u:object_r:callweaver_initrc_exec_t,s0)
+
+/usr/sbin/callweaver -- gen_context(system_u:object_r:callweaver_exec_t,s0)
+
+/var/lib/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_lib_t,s0)
+
+/var/log/callweaver(/.*)? gen_context(system_u:object_r:callweaver_log_t,s0)
+
+/var/run/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_run_t,s0)
+
+/var/spool/callweaver(/.*)? gen_context(system_u:object_r:callweaver_spool_t,s0)
diff --git a/policy/modules/services/callweaver.if b/policy/modules/services/callweaver.if
new file mode 100644
index 0000000..564acbd
--- /dev/null
+++ b/policy/modules/services/callweaver.if
@@ -0,0 +1,358 @@
+## <summary>Open source PBX project.</summary>
+
+########################################
+## <summary>
+## Execute callweaver in the
+## callweaver domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`callweaver_domtrans',`
+ gen_require(`
+ type callweaver_t, callweaver_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, callweaver_exec_t, callweaver_t)
+')
+
+########################################
+## <summary>
+## Execute callweaver in the
+## callers domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_exec',`
+ gen_require(`
+ type callweaver_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, callweaver_exec_t)
+')
+
+########################################
+## <summary>
+## Execute callweaver in the
+## callweaver domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`callweaver_initrc_domtrans',`
+ gen_require(`
+ type callweaver_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read callweaver log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_read_log',`
+ gen_require(`
+ type callweaver_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, callweaver_log_t, callweaver_log_t)
+')
+
+########################################
+## <summary>
+## Append to callweaver log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_append_log',`
+ gen_require(`
+ type callweaver_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, callweaver_log_t, callweaver_log_t)
+')
+
+########################################
+## <summary>
+## Manage callweaver log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_manage_log',`
+ gen_require(`
+ type callweaver_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, callweaver_log_t, callweaver_log_t)
+ manage_files_pattern($1, callweaver_log_t, callweaver_log_t)
+ manage_lnk_files_pattern($1, callweaver_log_t, callweaver_log_t)
+')
+
+########################################
+## <summary>
+## Search callweaver lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_search_lib',`
+ gen_require(`
+ type callweaver_var_lib_t;
+ ')
+
+ allow $1 callweaver_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read callweaver lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_read_lib_files',`
+ gen_require(`
+ type callweaver_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage callweaver lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_manage_lib_files',`
+ gen_require(`
+ type callweaver_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage callweaver lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_manage_lib_dirs',`
+ gen_require(`
+ type callweaver_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## Read callweaver PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_read_pid_files',`
+ gen_require(`
+ type callweaver_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 callweaver_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to callweaver over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_stream_connect',`
+ gen_require(`
+ type callweaver_t, callweaver_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t, callweaver_t)
+')
+
+########################################
+## <summary>
+## Search callweaver spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_search_spool',`
+ gen_require(`
+ type callweaver_spool_t;
+ ')
+
+ allow $1 callweaver_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Read callweaver spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_read_spool_files',`
+ gen_require(`
+ type callweaver_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, callweaver_spool_t, callweaver_spool_t)
+')
+
+########################################
+## <summary>
+## Manage callweaver spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_manage_spool_files',`
+ gen_require(`
+ type callweaver_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, callweaver_spool_t, callweaver_spool_t)
+')
+
+########################################
+## <summary>
+## Manage callweaver spool dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_manage_spool_dirs',`
+ gen_require(`
+ type callweaver_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, callweaver_spool_t, callweaver_spool_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an callweaver environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`callweaver_admin',`
+ gen_require(`
+ type callweaver_t;
+ type callweaver_initrc_exec_t;
+ type callweaver_log_t;
+ type callweaver_var_lib_t;
+ type callweaver_var_run_t;
+ type callweaver_spool_t;
+ ')
+
+ allow $1 callweaver_t:process { ptrace signal_perms };
+ ps_process_pattern($1, callweaver_t)
+
+ callweaver_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 callweaver_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, callweaver_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, callweaver_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, callweaver_var_run_t)
+
+ files_search_spool($1)
+ admin_pattern($1, callweaver_spool_t)
+')
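Review bot: `callweaver_read_pid_files` grants `allow $1 callweaver_var_run_t:file read_file_perms;` but no search on the `callweaver_var_run_t` directory, while the .fc in this same patch labels `/var/run/callweaver(/.*)?` with that type, so a caller can read the files only if it can already enter that directory; `files_search_pids` covers `/var/run` itself, not the subdirectory. Use the pattern macro the sibling interfaces use: `read_files_pattern($1, callweaver_var_run_t, callweaver_var_run_t)`. Minor style: `callweaver_search_lib` and `callweaver_search_spool` place the `allow` before the `files_search_*` call, the reverse of every other interface in this file.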
diff --git a/policy/modules/services/callweaver.te b/policy/modules/services/callweaver.te
new file mode 100644
index 0000000..4cfc9f8
--- /dev/null
+++ b/policy/modules/services/callweaver.te
@@ -0,0 +1,77 @@
+policy_module(callweaver,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type callweaver_t;
+type callweaver_exec_t;
+init_daemon_domain(callweaver_t, callweaver_exec_t)
+
+type callweaver_initrc_exec_t;
+init_script_file(callweaver_initrc_exec_t)
+
+type callweaver_log_t;
+logging_log_file(callweaver_log_t)
+
+type callweaver_var_lib_t;
+files_type(callweaver_var_lib_t)
+
+type callweaver_var_run_t;
+files_pid_file(callweaver_var_run_t)
+
+type callweaver_spool_t;
+files_spool_file(callweaver_spool_t)
+
+########################################
+#
+# callweaver local policy
+#
+
+allow callweaver_t self:capability { setuid sys_nice setgid };
+allow callweaver_t self:process { setsched signal };
+allow callweaver_t self:fifo_file rw_fifo_file_perms;
+allow callweaver_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
+manage_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
+logging_log_filetrans(callweaver_t, callweaver_log_t, { dir file } )
+
+manage_dirs_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
+manage_files_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
+files_var_lib_filetrans(callweaver_t, callweaver_var_lib_t, { dir file } )
+
+manage_dirs_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
+manage_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
+manage_sock_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
+files_pid_filetrans(callweaver_t, callweaver_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
+manage_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
+manage_lnk_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
+files_spool_filetrans(callweaver_t, callweaver_spool_t, { dir file })
+
+allow callweaver_t self:tcp_socket create_stream_socket_perms;
+allow callweaver_t self:udp_socket create_socket_perms;
+
+kernel_read_sysctl(callweaver_t)
+kernel_read_kernel_sysctls(callweaver_t)
+
+corenet_udp_bind_asterisk_port(callweaver_t)
+corenet_udp_bind_generic_port(callweaver_t)
+corenet_udp_bind_sip_port(callweaver_t)
+
+dev_manage_generic_symlinks(callweaver_t)
+
+domain_use_interactive_fds(callweaver_t)
+
+files_read_etc_files(callweaver_t)
+
+term_getattr_pty_fs(callweaver_t)
+term_use_generic_ptys(callweaver_t)
+term_use_ptmx(callweaver_t)
+
+auth_use_nsswitch(callweaver_t)
+
+miscfiles_read_localization(callweaver_t)
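Review bot: The three `corenet_udp_bind_*_port(callweaver_t)` rules are not accompanied by `corenet_udp_bind_generic_node(callweaver_t)`, and without node_bind the bind() calls are still denied; the domain also has no `corenet_udp_sendrecv_*` or `corenet_all_recvfrom_unlabeled` rules, unless the base policy grants those to every domain. `corenet_udp_bind_generic_port` lets the daemon bind any unreserved UDP port (presumably for an RTP media range — confirm) and deserves a comment such as `# media streams use a configurable UDP port range`. `dev_manage_generic_symlinks(callweaver_t)` lets a network-facing PBX create and delete symlinks in /dev, which is unusual for a daemon and should be justified in a comment or narrowed to what it actually touches. Suggested addition after the port rules: `corenet_udp_bind_generic_node(callweaver_t)`.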
diff --git a/policy/modules/services/canna.fc b/policy/modules/services/canna.fc
index 5432d0e..f77df02 100644
--- a/policy/modules/services/canna.fc
+++ b/policy/modules/services/canna.fc
@@ -20,4 +20,4 @@
/var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0)
/var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0)
-/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0)
+/var/run/wnn-unix(/.*)? gen_context(system_u:object_r:canna_var_run_t,s0)
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index 1d25efe..1b16191 100644
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
allow canna_t self:tcp_socket create_stream_socket_perms;
manage_files_pattern(canna_t, canna_log_t, canna_log_t)
-allow canna_t canna_log_t:dir setattr;
+allow canna_t canna_log_t:dir setattr_dir_perms;
logging_log_filetrans(canna_t, canna_log_t, { file dir })
manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if
index 6ee2cc8..3105b09 100644
--- a/policy/modules/services/ccs.if
+++ b/policy/modules/services/ccs.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run ccs.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`ccs_domtrans',`
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index 4c90b57..418eb6b 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -10,7 +10,7 @@ type ccs_exec_t;
init_daemon_domain(ccs_t, ccs_exec_t)
type cluster_conf_t;
-files_type(cluster_conf_t)
+files_config_file(cluster_conf_t)
type ccs_tmp_t;
files_tmp_file(ccs_tmp_t)
@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
-allow ccs_t ccs_var_log_t:dir setattr;
+allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
@@ -97,6 +97,7 @@ files_read_etc_files(ccs_t)
files_read_etc_runtime_files(ccs_t)
init_rw_script_tmp_files(ccs_t)
+init_signal(ccs_t)
logging_send_syslog_msg(ccs_t)
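Review bot: `init_signal(ccs_t)` lets ccs send arbitrary signals to the init domain, and the hunk gives no hint why a cluster config daemon needs that. Add a why-comment naming the signal and the trigger, e.g. `# ccs signals init during cluster start/stop — confirm which signal`, and if only SIGCHLD is involved the narrower `init_sigchld(ccs_t)` is enough. The enclosing rule run continues outside this hunk.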
@@ -107,7 +108,7 @@ sysnet_dns_name_resolve(ccs_t)
userdom_manage_unpriv_user_shared_mem(ccs_t)
userdom_manage_unpriv_user_semaphores(ccs_t)
-ifdef(`hide_broken_symptoms', `
+ifdef(`hide_broken_symptoms',`
corecmd_dontaudit_write_bin_dirs(ccs_t)
files_manage_isid_type_files(ccs_t)
')
@@ -118,5 +119,10 @@ optional_policy(`
')
optional_policy(`
+ qpidd_rw_semaphores(ccs_t)
+ qpidd_rw_shm(ccs_t)
+')
+
+optional_policy(`
unconfined_use_fds(ccs_t)
')
diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
index fa62787..ffd0da5 100644
--- a/policy/modules/services/certmaster.if
+++ b/policy/modules/services/certmaster.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run certmaster.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`certmaster_domtrans',`
@@ -108,7 +108,7 @@ interface(`certmaster_manage_log',`
## </param>
## <param name="role">
## <summary>
-## The role to be allowed to manage the syslog domain.
+## Role allowed access.
## </summary>
## </param>
## <rolecap/>
@@ -116,8 +116,7 @@ interface(`certmaster_manage_log',`
interface(`certmaster_admin',`
gen_require(`
type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
- type certmaster_etc_rw_t, certmaster_var_log_t;
- type certmaster_initrc_exec_t;
+ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
')
allow $1 certmaster_t:process { ptrace signal_perms };
@@ -129,8 +128,8 @@ interface(`certmaster_admin',`
allow $2 system_r;
files_list_etc($1)
- miscfiles_manage_generic_cert_dirs($1)
- miscfiles_manage_generic_cert_files($1)
+ miscfiles_manage_generic_cert_dirs($1)
+ miscfiles_manage_generic_cert_files($1)
admin_pattern($1, certmaster_etc_rw_t)
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
index 3384132..97d3269 100644
--- a/policy/modules/services/certmaster.te
+++ b/policy/modules/services/certmaster.te
@@ -43,23 +43,25 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
# log files
manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
-logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
+logging_log_filetrans(certmaster_t, certmaster_var_log_t, file)
# pid file
manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
-files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
+files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file })
# read meminfo
kernel_read_system_state(certmaster_t)
-corecmd_search_bin(certmaster_t)
-corecmd_getattr_bin_files(certmaster_t)
+corecmd_exec_bin(certmaster_t)
corenet_tcp_bind_generic_node(certmaster_t)
corenet_tcp_bind_certmaster_port(certmaster_t)
+dev_read_urand(certmaster_t)
+
files_search_etc(certmaster_t)
+files_read_usr_files(certmaster_t)
files_list_var(certmaster_t)
files_search_var_lib(certmaster_t)
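Review bot: Replacing `corecmd_search_bin`/`corecmd_getattr_bin_files` with `corecmd_exec_bin(certmaster_t)` widens certmaster from stat-ing bin_t to executing everything labelled bin_t, with no comment naming what it actually runs. If one helper is needed, a comment above the line such as `# certmaster execs <helper> for <purpose> — confirm` (or a dedicated domain transition for that helper) keeps the widening reviewable. `dev_read_urand` and `files_read_usr_files` look appropriate for a certificate authority daemon.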
diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if
index 7a6e5ba..d664be8 100644
--- a/policy/modules/services/certmonger.if
+++ b/policy/modules/services/certmonger.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run certmonger.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`certmonger_domtrans',`
@@ -166,9 +166,9 @@ interface(`certmonger_admin',`
role_transition $2 certmonger_initrc_exec_t system_r;
allow $2 system_r;
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, certmonger_var_lib_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
index c3e3f79..3e78d4e 100644
--- a/policy/modules/services/certmonger.te
+++ b/policy/modules/services/certmonger.te
@@ -23,7 +23,8 @@ files_type(certmonger_var_lib_t)
# certmonger local policy
#
-allow certmonger_t self:capability { kill sys_nice };
+allow certmonger_t self:capability { dac_override dac_read_search kill sys_nice };
+dontaudit certmonger_t self:capability sys_tty_config;
allow certmonger_t self:process { getsched setsched sigkill };
allow certmonger_t self:fifo_file rw_file_perms;
allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
@@ -32,16 +33,19 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
-files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
+files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir })
manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
+corecmd_exec_bin(certmonger_t)
+
corenet_tcp_sendrecv_generic_if(certmonger_t)
corenet_tcp_sendrecv_generic_node(certmonger_t)
corenet_tcp_sendrecv_all_ports(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t)
+corenet_tcp_connect_http_port(certmonger_t)
dev_read_urand(certmonger_t)
@@ -51,6 +55,8 @@ files_read_etc_files(certmonger_t)
files_read_usr_files(certmonger_t)
files_list_tmp(certmonger_t)
+auth_rw_cache(certmonger_t)
+
logging_send_syslog_msg(certmonger_t)
miscfiles_read_localization(certmonger_t)
@@ -58,15 +64,32 @@ miscfiles_manage_generic_cert_files(certmonger_t)
sysnet_dns_name_resolve(certmonger_t)
+userdom_search_user_home_content(certmonger_t)
+
+optional_policy(`
+ apache_search_config(certmonger_t)
+')
+
+optional_policy(`
+ bind_search_cache(certmonger_t)
+')
+
optional_policy(`
dbus_system_bus_client(certmonger_t)
dbus_connect_system_bus(certmonger_t)
')
optional_policy(`
+ dirsrv_manage_config(certmonger_t)
+')
+
+optional_policy(`
kerberos_use(certmonger_t)
+ kerberos_read_keytab(certmonger_t)
')
optional_policy(`
+ pcscd_read_pub_files(certmonger_t)
pcscd_stream_connect(certmonger_t)
')
+
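Review bot: `dirsrv_manage_config(certmonger_t)` grants create/delete/rename over the directory-server configuration where a read/write interface would suffice if certmonger only updates an existing certificate database there — confirm what it needs and add a comment above the `optional_policy` block. The hunk also appends an extra blank line at end of file (the final `+`); drop it. The remaining `optional_policy` additions follow the file's existing convention.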
diff --git a/policy/modules/services/cfengine.fc b/policy/modules/services/cfengine.fc
new file mode 100644
index 0000000..4ec83df
--- /dev/null
+++ b/policy/modules/services/cfengine.fc
@@ -0,0 +1,10 @@
+
+/usr/sbin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0)
+/usr/sbin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0)
+/usr/sbin/cf-monitord -- gen_context(system_u:object_r:cfengine_monitord_exec_t,s0)
+
+/etc/rc\.d/init\.d/cf-serverd -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cf-monitord -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cf-execd -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
+
+/var/cfengine(/.*)? gen_context(system_u:object_r:cfengine_var_lib_t,s0)
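Review bot: The file starts with a blank line (first added line), unlike the other .fc files in this patch; drop it. `/var/cfengine(/.*)?` lives directly under /var rather than /var/lib, so the `cfengine_var_lib_t` name is misleading and a `files_var_lib_filetrans` in the .te will not apply to it; either rename the type (e.g. `cfengine_var_t`) or add a comment such as `# cfengine work dir lives in /var, not /var/lib`.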
diff --git a/policy/modules/services/cfengine.if b/policy/modules/services/cfengine.if
new file mode 100644
index 0000000..12fe9ce
--- /dev/null
+++ b/policy/modules/services/cfengine.if
@@ -0,0 +1,23 @@
+
+## <summary>policy for cfengine</summary>
+
+
+########################################
+## <summary>
+## Transition to cfengine.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cfengine_domtrans_server',`
+ gen_require(`
+ type cfengine_server_t, cfengine_server_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cfengine_server_exec_t, cfengine_server_t)
+')
+
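Review bot: `cfengine_domtrans_server` requires `cfengine_server_t` and `cfengine_server_exec_t`, but the .te in this patch declares `cfengine_serverd_t`/`cfengine_serverd_exec_t` and the .fc labels `/usr/sbin/cf-serverd` with the latter, so any module that calls this interface will fail to build with an undefined-type error. Change the require block to `type cfengine_serverd_t, cfengine_serverd_exec_t;` and the transition to `domtrans_pattern($1, cfengine_serverd_exec_t, cfengine_serverd_t)`. The leading blank line and the double blank after the `<summary>` are also out of step with the other .if files here.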
diff --git a/policy/modules/services/cfengine.te b/policy/modules/services/cfengine.te
new file mode 100644
index 0000000..1ba0484
--- /dev/null
+++ b/policy/modules/services/cfengine.te
@@ -0,0 +1,127 @@
+policy_module(cfengine, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cfengine_serverd_t;
+type cfengine_serverd_exec_t;
+init_daemon_domain(cfengine_serverd_t, cfengine_serverd_exec_t)
+
+type cfengine_initrc_exec_t;
+init_script_file(cfengine_initrc_exec_t)
+
+type cfengine_var_lib_t;
+files_type(cfengine_var_lib_t)
+
+type cfengine_execd_t;
+type cfengine_execd_exec_t;
+init_daemon_domain(cfengine_execd_t, cfengine_execd_exec_t)
+
+type cfengine_monitord_t;
+type cfengine_monitord_exec_t;
+init_daemon_domain(cfengine_monitord_t, cfengine_monitord_exec_t)
+
+########################################
+#
+# cfengine-server local policy
+#
+allow cfengine_serverd_t self:capability { chown kill setgid setuid sys_chroot };
+allow cfengine_serverd_t self:process { fork setfscreate signal };
+
+allow cfengine_serverd_t self:fifo_file rw_fifo_file_perms;
+allow cfengine_serverd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t)
+manage_files_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t)
+manage_lnk_files_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t)
+files_var_lib_filetrans(cfengine_serverd_t, cfengine_var_lib_t, { dir file })
+
+kernel_read_system_state(cfengine_serverd_t)
+
+corecmd_exec_bin(cfengine_serverd_t)
+corecmd_exec_shell(cfengine_serverd_t)
+
+dev_read_urand(cfengine_serverd_t)
+dev_read_sysfs(cfengine_serverd_t)
+
+domain_use_interactive_fds(cfengine_serverd_t)
+
+files_read_etc_files(cfengine_serverd_t)
+
+auth_use_nsswitch(cfengine_serverd_t)
+
+logging_send_syslog_msg(cfengine_serverd_t)
+
+miscfiles_read_localization(cfengine_serverd_t)
+
+sysnet_dns_name_resolve(cfengine_serverd_t)
+sysnet_domtrans_ifconfig(cfengine_serverd_t)
+
+########################################
+#
+# cfengine_exec local policy
+#
+allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot };
+allow cfengine_execd_t self:process { fork setfscreate signal };
+
+allow cfengine_execd_t self:fifo_file rw_fifo_file_perms;
+allow cfengine_execd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t)
+manage_files_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t)
+manage_lnk_files_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t)
+
+domain_use_interactive_fds(cfengine_execd_t)
+
+files_read_etc_files(cfengine_execd_t)
+
+kernel_read_system_state(cfengine_execd_t)
+
+corecmd_exec_bin(cfengine_execd_t)
+corecmd_exec_shell(cfengine_execd_t)
+
+dev_read_urand(cfengine_execd_t)
+dev_read_sysfs(cfengine_execd_t)
+
+auth_use_nsswitch(cfengine_execd_t)
+
+logging_send_syslog_msg(cfengine_execd_t)
+
+miscfiles_read_localization(cfengine_execd_t)
+
+sysnet_dns_name_resolve(cfengine_execd_t)
+sysnet_domtrans_ifconfig(cfengine_execd_t)
+
+########################################
+#
+# cfengine_monitord local policy
+#
+allow cfengine_monitord_t self:capability { chown kill setgid setuid sys_chroot };
+allow cfengine_monitord_t self:process { fork setfscreate signal };
+
+allow cfengine_monitord_t self:fifo_file rw_fifo_file_perms;
+allow cfengine_monitord_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t)
+manage_files_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t)
+manage_lnk_files_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t)
+
+corecmd_exec_bin(cfengine_monitord_t)
+
+dev_read_sysfs(cfengine_monitord_t)
+dev_read_urand(cfengine_monitord_t)
+
+domain_use_interactive_fds(cfengine_monitord_t)
+
+files_read_etc_files(cfengine_monitord_t)
+
+auth_use_nsswitch(cfengine_monitord_t)
+
+logging_send_syslog_msg(cfengine_monitord_t)
+
+miscfiles_read_localization(cfengine_monitord_t)
+
+sysnet_dns_name_resolve(cfengine_monitord_t)
+sysnet_domtrans_ifconfig(cfengine_monitord_t)
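Review bot: `files_var_lib_filetrans(cfengine_serverd_t, cfengine_var_lib_t, { dir file })` labels objects created under var_lib_t, but the .fc in this patch puts the work directory at `/var/cfengine`, directly under /var; if the daemon creates that tree itself the transition needed is `files_var_filetrans(cfengine_serverd_t, cfengine_var_lib_t, dir)`, and none of the three domains gets `files_search_var` to reach it. The serverd, execd and monitord sections are otherwise copy-pasted rule for rule (same `{ chown kill setgid setuid sys_chroot }`, same `setfscreate`); a shared attribute or a template would keep them from drifting, and `fork`/`signal` in the `self:process` lines are presumably already granted to every domain by the base policy. A comment on why each daemon needs `sys_chroot` and `sysnet_domtrans_ifconfig` would also help the next reader.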
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
index 33facaf..e5cbcef 100644
--- a/policy/modules/services/cgroup.if
+++ b/policy/modules/services/cgroup.if
@@ -6,9 +6,9 @@
## CG Clear.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`cgroup_domtrans_cgclear',`
@@ -26,9 +26,9 @@ interface(`cgroup_domtrans_cgclear',`
## CG config parser.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`cgroup_domtrans_cgconfig',`
@@ -65,9 +65,9 @@ interface(`cgroup_initrc_domtrans_cgconfig',`
## CG rules engine daemon.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`cgroup_domtrans_cgred',`
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
index dad226c..7617c53 100644
--- a/policy/modules/services/cgroup.te
+++ b/policy/modules/services/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
type cgrules_etc_t;
files_config_file(cgrules_etc_t)
-type cgconfig_t;
-type cgconfig_exec_t;
+type cgconfig_t alias cgconfigparser_t;
+type cgconfig_exec_t alias cgconfigparser_exec_t;
init_daemon_domain(cgconfig_t, cgconfig_exec_t)
type cgconfig_initrc_exec_t;
@@ -39,7 +39,6 @@ files_config_file(cgconfig_etc_t)
#
# cgclear personal policy.
#
-
allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
kernel_read_system_state(cgclear_t)
@@ -86,6 +85,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
allow cgred_t cgrules_etc_t:file read_file_perms;
+manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t)
+logging_log_filetrans(cgred_t, cgred_log_t, file)
+
# rc script creates pid file
manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
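Review bot: The added `logging_log_filetrans(cgred_t, cgred_log_t, file)` duplicates the line the hunk header shows immediately preceding this hunk, and the added `manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t)` presumably duplicates its partner next to it. Duplicate rules compile but are noise that hides the real change; drop the added pair.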
@@ -104,6 +106,8 @@ files_read_etc_files(cgred_t)
fs_write_cgroup_files(cgred_t)
+auth_use_nsswitch(cgred_t)
+
logging_send_syslog_msg(cgred_t)
miscfiles_read_localization(cgred_t)
diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc
index fd8cd0b..45096d8 100644
--- a/policy/modules/services/chronyd.fc
+++ b/policy/modules/services/chronyd.fc
@@ -2,8 +2,12 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+/lib/systemd/system/chronyd.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0)
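Review bot: `/var/run/chronyd(/.*)` is missing the trailing `?`, so it matches entries inside the directory but never `/var/run/chronyd` itself — the same defect this patch fixes for `/var/run/wnn-unix` in canna.fc. Change it to `/var/run/chronyd(/.*)?`. `/lib/systemd/system/chronyd.*` also matches any file whose name starts with `chronyd`; `chronyd\.service` would be tighter unless several units are expected.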
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
index 9a0da94..fecceac 100644
--- a/policy/modules/services/chronyd.if
+++ b/policy/modules/services/chronyd.if
@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
domtrans_pattern($1, chronyd_exec_t, chronyd_t)
')
+########################################
+## <summary>
+## Execute chronyd server in the chronyd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chronyd_initrc_domtrans',`
+ gen_require(`
+ type chronyd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+')
+
####################################
## <summary>
## Execute chronyd
@@ -56,6 +74,126 @@ interface(`chronyd_read_log',`
read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
')
+########################################
+## <summary>
+## Read and write chronyd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_rw_shm',`
+ gen_require(`
+ type chronyd_t, chronyd_tmpfs_t;
+ ')
+
+ allow $1 chronyd_t:shm rw_shm_perms;
+ allow $1 chronyd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
+ read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## Read chronyd keys files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_read_keys',`
+ gen_require(`
+ type chronyd_keys_t;
+ ')
+
+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
+########################################
+## <summary>
+## Append chronyd keys files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_append_keys',`
+ gen_require(`
+ type chronyd_keys_t;
+ ')
+
+ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
+########################################
+## <summary>
+## Execute chronyd server in the chronyd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chronyd_systemctl',`
+ gen_require(`
+ type chronyd_t;
+ type chronyd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 chronyd_unit_file_t:file read_file_perms;
+ allow $1 chronyd_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, chronyd_t)
+')
+
+########################################
+## <summary>
+## Connect to chronyd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_stream_connect',`
+ gen_require(`
+ type chronyd_t, chronyd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+')
+
+########################################
+## <summary>
+## Send to chronyd over a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_dgram_send',`
+ gen_require(`
+ type chronyd_t;
+ ')
+
+ allow $1 chronyd_t:unix_dgram_socket sendto;
+')
+
####################################
## <summary>
## All of the rules required to administrate
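Review bot: `chronyd_read_keys` and `chronyd_append_keys` grant access to `chronyd_keys_t` files but no `files_search_etc($1)`, although `chronyd_admin` in this same file pairs the keys with `files_list_etc`; add `files_search_etc($1)` to both so callers can reach the file. The summary of `chronyd_systemctl` reads "Execute chronyd server in the chronyd domain", copied from `chronyd_initrc_domtrans`; it should describe the interface, e.g. `## Execute systemctl to manage the chronyd unit`, and mention that `all_service_perms` presumably includes start and stop. `chronyd_rw_shm` looks consistent with the tmpfs rules added to the .te.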
@@ -75,9 +213,9 @@ interface(`chronyd_read_log',`
#
interface(`chronyd_admin',`
gen_require(`
- type chronyd_t, chronyd_var_log_t;
- type chronyd_var_run_t, chronyd_var_lib_t;
- type chronyd_initrc_exec_t, chronyd_keys_t;
+ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
+ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
+ type chronyd_keys_t;
')
allow $1 chronyd_t:process { ptrace signal_perms };
@@ -88,18 +226,19 @@ interface(`chronyd_admin',`
role_transition $2 chronyd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, chronyd_keys_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, chronyd_var_log_t)
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, chronyd_var_lib_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, chronyd_var_run_t)
- files_search_tmp($1)
- admin_pattern($1, chronyd_tmp_t)
+ admin_pattern($1, chronyd_tmpfs_t)
+
+ chronyd_systemctl($1)
')
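Review bot: `chronyd_admin` no longer covers `chronyd_tmp_t` — the `files_search_tmp($1)` / `admin_pattern($1, chronyd_tmp_t)` pair is replaced by the tmpfs pattern, but the chronyd.te hunks in this patch do not show `chronyd_tmp_t` being removed. If the type is still declared, administrators lose the ability to manage leftover temp content and `admin_pattern($1, chronyd_tmp_t)` should stay alongside `admin_pattern($1, chronyd_tmpfs_t)`; if it was dropped, nothing more is needed. The `chronyd_admin` interface starts outside this hunk.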
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index fa82327..1a486b0 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t)
type chronyd_keys_t;
files_type(chronyd_keys_t)
+type chronyd_tmpfs_t;
+files_tmpfs_file(chronyd_tmpfs_t)
+
+type chronyd_unit_file_t;
+systemd_unit_file(chronyd_unit_file_t)
+
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
@@ -34,9 +40,14 @@ allow chronyd_t self:process { getcap setcap setrlimit };
allow chronyd_t self:shm create_shm_perms;
allow chronyd_t self:udp_socket create_socket_perms;
allow chronyd_t self:unix_dgram_socket create_socket_perms;
+allow chronyd_t self:fifo_file rw_fifo_file_perms;
allow chronyd_t chronyd_keys_t:file read_file_perms;
+manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
+
manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
@@ -48,8 +59,14 @@ logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
-files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
+manage_sock_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
+kernel_read_system_state(chronyd_t)
+
+corecmd_exec_shell(chronyd_t)
+
+corenet_udp_bind_generic_node(chronyd_t)
corenet_udp_bind_ntp_port(chronyd_t)
# bind to udp/323
corenet_udp_bind_chronyd_port(chronyd_t)
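Review bot: `corecmd_exec_shell(chronyd_t)` is added with no comment, although this file annotates other non-obvious rules (`# bind to udp/323`). Shell execution for a time daemon is broad enough that the feature needing it should be named; it presumably goes with the `mta_send_mail(chronyd_t)` added two hunks later (chrony's change-notification mail), but that is an inference. Suggest `# shell needed for the mail-on-change helper (confirm)` above the call, or drop the rule if only `sendmail` is executed.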
@@ -63,6 +80,8 @@ logging_send_syslog_msg(chronyd_t)
miscfiles_read_localization(chronyd_t)
+mta_send_mail(chronyd_t)
+
optional_policy(`
gpsd_rw_shm(chronyd_t)
')
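Review bot: `mta_send_mail(chronyd_t)` is called at top level, whereas the clamav.te hunks in this same patch wrap the identical `mta_*` calls in `optional_policy(\`...')`. Unwrapped, the chronyd module gains a hard dependency on the mta module and fails to link when it is not installed. Suggest `optional_policy(\`` / `	mta_send_mail(chronyd_t)` / `')` for consistency with clamav.te.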
diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc
index e8e9a21..89fc935 100644
--- a/policy/modules/services/clamav.fc
+++ b/policy/modules/services/clamav.fc
@@ -10,7 +10,9 @@
/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/lib/clamd.* gen_context(system_u:object_r:clamd_var_lib_t,s0)
/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 1f11572..9eb2461 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
type clamd_t, clamd_var_run_t;
')
+ files_search_pids($1)
stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
')
@@ -49,12 +50,12 @@ interface(`clamav_stream_connect',`
#
interface(`clamav_append_log',`
gen_require(`
- type clamav_log_t;
+ type clamd_var_log_t;
')
logging_search_logs($1)
- allow $1 clamav_log_t:dir list_dir_perms;
- append_files_pattern($1, clamav_log_t, clamav_log_t)
+ allow $1 clamd_var_log_t:dir list_dir_perms;
+ append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)
')
########################################
@@ -133,6 +134,25 @@ interface(`clamav_exec_clamscan',`
########################################
## <summary>
+## Manage clamd pid content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_manage_clamd_pid',`
+ gen_require(`
+ type clamd_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
+ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an clamav environment
## </summary>
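Review bot: `clamav_manage_clamd_pid` grants manage on `clamd_var_run_t` dirs and files but does not give the caller `files_search_pids($1)`, which the sibling `clamav_stream_connect` gains earlier in this same file precisely so callers can reach `/var/run`. Without it a domain that has no other route into the pid directory will still be denied. Also, clamd.te in this patch now creates `sock_file` objects under `clamd_var_run_t`, so consider whether `manage_sock_files_pattern($1, clamd_var_run_t, clamd_var_run_t)` belongs here or the summary should say "pid files and directories only".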
@@ -151,9 +171,8 @@ interface(`clamav_exec_clamscan',`
interface(`clamav_admin',`
gen_require(`
type clamd_t, clamd_etc_t, clamd_tmp_t;
- type clamd_var_log_t, clamd_var_lib_t;
- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
- type clamd_initrc_exec_t;
+ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
+ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
type freshclam_t, freshclam_var_log_t;
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index f758323..8cd02e2 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,9 +1,16 @@
policy_module(clamav, 1.9.0)
## <desc>
-## <p>
-## Allow clamd to use JIT compiler
-## </p>
+## <p>
+## Allow clamscan to read user content
+## </p>
+## </desc>
+gen_tunable(clamscan_read_user_content, false)
+
+## <desc>
+## <p>
+## Allow clamd to use JIT compiler
+## </p>
## </desc>
gen_tunable(clamd_use_jit, false)
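Review bot: A new tunable (`clamscan_read_user_content`) is introduced while `policy_module(clamav, 1.9.0)` on the first context line is left unchanged; reference-policy convention is to bump the module version whenever the policy's interface or tunables change so rebuilt modules are distinguishable. Suggest bumping to the next patch level (e.g. `policy_module(clamav, 1.9.1)` — version chosen as an example).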
@@ -64,6 +71,8 @@ logging_log_file(freshclam_var_log_t)
allow clamd_t self:capability { kill setgid setuid dac_override };
dontaudit clamd_t self:capability sys_tty_config;
+allow clamd_t self:process signal;
+
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
@@ -80,6 +89,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
# var/lib files for clamd
+manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
@@ -89,9 +99,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
# pid file
+manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
-files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })
+files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir })
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
@@ -110,6 +121,7 @@ corenet_tcp_bind_generic_node(clamd_t)
corenet_tcp_bind_clamd_port(clamd_t)
corenet_tcp_bind_generic_port(clamd_t)
corenet_tcp_connect_generic_port(clamd_t)
+corenet_tcp_connect_clamd_port(clamd_t)
corenet_sendrecv_clamd_server_packets(clamd_t)
dev_read_rand(clamd_t)
@@ -127,12 +139,16 @@ logging_send_syslog_msg(clamd_t)
miscfiles_read_localization(clamd_t)
-cron_use_fds(clamd_t)
-cron_use_system_job_fds(clamd_t)
-cron_rw_pipes(clamd_t)
+optional_policy(`
+ cron_use_fds(clamd_t)
+ cron_use_system_job_fds(clamd_t)
+ cron_rw_pipes(clamd_t)
+')
-mta_read_config(clamd_t)
-mta_send_mail(clamd_t)
+optional_policy(`
+ mta_read_config(clamd_t)
+ mta_send_mail(clamd_t)
+')
optional_policy(`
amavis_read_lib_files(clamd_t)
@@ -147,8 +163,10 @@ optional_policy(`
tunable_policy(`clamd_use_jit',`
allow clamd_t self:process execmem;
-', `
+ allow clamscan_t self:process execmem;
+',`
dontaudit clamd_t self:process execmem;
+ dontaudit clamscan_t self:process execmem;
')
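Review bot: `clamd_use_jit` now also governs `clamscan_t` execmem, but the tunable's `<desc>` in the first hunk of this file still reads "Allow clamd to use JIT compiler", so the boolean's documented scope no longer matches what it grants. Suggest `## Allow clamd and clamscan to use JIT compiler` in that description. The `freshclam_t` branch of the same tunable later in this file keeps its own `tunable_policy` block, which is fine.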
########################################
@@ -178,10 +196,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
-allow freshclam_t freshclam_var_log_t:dir setattr;
-allow freshclam_t clamd_var_log_t:dir search_dir_perms;
+allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
+read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+kernel_read_kernel_sysctls(freshclam_t)
+kernel_read_system_state(freshclam_t)
+
+corecmd_exec_shell(freshclam_t)
+corecmd_exec_bin(freshclam_t)
+
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
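Review bot: The existing comment `# log files (own logfiles only)` is now wrong: `allow freshclam_t clamd_var_log_t:dir search_dir_perms` is replaced by `read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)`, so freshclam reads clamd's logs as well. Update it to `# log files (own logs managed, clamd logs read-only)`. Separately, `corecmd_exec_shell(freshclam_t)` and `corecmd_exec_bin(freshclam_t)` are added without a reason; freshclam's `OnUpdateExecute`/`OnErrorExecute` hooks are the likely driver, so a comment such as `# OnUpdateExecute / OnErrorExecute run arbitrary commands (confirm)` would tell the next reader why an updater needs general exec.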
@@ -189,6 +213,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
+corenet_tcp_connect_clamd_port(freshclam_t)
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
@@ -207,16 +232,18 @@ miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
-optional_policy(`
- cron_system_entry(freshclam_t, freshclam_exec_t)
-')
+userdom_stream_connect(freshclam_t)
tunable_policy(`clamd_use_jit',`
allow freshclam_t self:process execmem;
-', `
+',`
dontaudit freshclam_t self:process execmem;
')
+optional_policy(`
+ cron_system_entry(freshclam_t, freshclam_exec_t)
+')
+
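Review bot: `userdom_stream_connect(freshclam_t)` is added unconditionally and with no comment; it lets a network-facing updater (also run from cron, per the block below it) connect to unix stream sockets owned by user domains, which is an unusual direction for a system service. If a specific workflow needs it, a comment naming it would justify the rule; if not, a narrower interface or a tunable would be safer. The `clamd_use_jit` block is unchanged apart from whitespace.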
########################################
#
# clamscam local policy
@@ -242,15 +269,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
+read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t)
+allow clamscan_t clamd_var_run_t:dir list_dir_perms;
+
+kernel_read_system_state(clamscan_t)
+
corenet_all_recvfrom_unlabeled(clamscan_t)
corenet_all_recvfrom_netlabel(clamscan_t)
corenet_tcp_sendrecv_generic_if(clamscan_t)
corenet_tcp_sendrecv_generic_node(clamscan_t)
corenet_tcp_sendrecv_all_ports(clamscan_t)
corenet_tcp_sendrecv_clamd_port(clamscan_t)
+corenet_tcp_bind_generic_node(clamscan_t)
corenet_tcp_connect_clamd_port(clamscan_t)
+corecmd_read_all_executables(clamscan_t)
+
+tunable_policy(`clamscan_read_user_content',`
+ userdom_read_user_home_content_files(clamscan_t)
+ userdom_dontaudit_read_user_home_content_files(clamscan_t)
+')
+
kernel_read_kernel_sysctls(clamscan_t)
+kernel_read_system_state(clamscan_t)
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
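Review bot: In the `clamscan_read_user_content` block, `userdom_dontaudit_read_user_home_content_files(clamscan_t)` sits in the same branch as the allow it would suppress, so it is a no-op when the boolean is on and does nothing when it is off; the dontaudit belongs in the else branch (`',\`` ... `')`) so that denials are silent only when reading is disabled. Also `kernel_read_system_state(clamscan_t)` is now added twice in this hunk (once after the `clamd_var_run_t` rules, once before `files_read_etc_files`); one of the two lines should go.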
@@ -264,10 +305,15 @@ miscfiles_read_public_files(clamscan_t)
clamav_stream_connect(clamscan_t)
-mta_send_mail(clamscan_t)
+sysnet_read_config(clamscan_t)
+
+optional_policy(`
+ mta_send_mail(clamscan_t)
+ mta_read_queue(clamscan_t)
+')
optional_policy(`
- amavis_read_spool_files(clamscan_t)
+ amavis_manage_spool_files(clamscan_t)
')
optional_policy(`
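Review bot: `amavis_read_spool_files` becomes `amavis_manage_spool_files`, which gives the scanner create/rename/delete on amavis spool, not just read; nothing in the hunk says which scan-time action needs more than read, and scanners in this policy otherwise get read-only access to what they scan. If the intent is to let clamscan remove or quarantine files, say so with a comment (`# clamscan deletes/quarantines infected spool files`), otherwise keep the read interface.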
diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te
index b40f3f7..3676ecc 100644
--- a/policy/modules/services/clockspeed.te
+++ b/policy/modules/services/clockspeed.te
@@ -38,7 +38,7 @@ files_read_etc_files(clockspeed_cli_t)
miscfiles_read_localization(clockspeed_cli_t)
-userdom_use_user_terminals(clockspeed_cli_t)
+userdom_use_inherited_user_terminals(clockspeed_cli_t)
########################################
#
diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if
index c0a66a4..e438c5f 100644
--- a/policy/modules/services/clogd.if
+++ b/policy/modules/services/clogd.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run clogd.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`clogd_domtrans',`
diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te
index 6077339..d10acd2 100644
--- a/policy/modules/services/clogd.te
+++ b/policy/modules/services/clogd.te
@@ -23,7 +23,6 @@ files_pid_file(clogd_var_run_t)
allow clogd_t self:capability { net_admin mknod };
allow clogd_t self:process signal;
-
allow clogd_t self:sem create_sem_perms;
allow clogd_t self:shm create_shm_perms;
allow clogd_t self:netlink_socket create_socket_perms;
@@ -36,7 +35,7 @@ fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file })
# pid files
manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
-files_pid_filetrans(clogd_t, clogd_var_run_t, { file })
+files_pid_filetrans(clogd_t, clogd_var_run_t, file)
dev_read_lvm_control(clogd_t)
dev_manage_generic_blk_files(clogd_t)
diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc
index 049e2b6..dcc7de8 100644
--- a/policy/modules/services/cmirrord.fc
+++ b/policy/modules/services/cmirrord.fc
@@ -1,5 +1,6 @@
+
/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
-/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
+/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if
index f8463c0..bed51fb 100644
--- a/policy/modules/services/cmirrord.if
+++ b/policy/modules/services/cmirrord.if
@@ -70,10 +70,11 @@ interface(`cmirrord_rw_shm',`
type cmirrord_t, cmirrord_tmpfs_t;
')
- allow $1 cmirrord_t:shm rw_shm_perms;
+ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
fs_search_tmpfs($1)
')
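Review bot: `cmirrord_rw_shm` now grants `destroy` on the shm segment and `delete_files_pattern` on `cmirrord_tmpfs_t`, so the interface does more than its name and summary promise. Since the name is part of the API, keep it but update the summary (outside this hunk) to "Read, write and destroy cmirrord shared memory and delete its tmpfs files", or add a separate `cmirrord_manage_shm` interface for the destructive permissions. The interface body starts outside this hunk.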
diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
index 1cf6c4e..e4bac67 100644
--- a/policy/modules/services/cobbler.fc
+++ b/policy/modules/services/cobbler.fc
@@ -1,7 +1,33 @@
-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
-/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0)
+
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
+
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
+
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
+
+# This should removable when cobbler package installs /var/www/cobbler/rendered
+/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0)
+
+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
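Review bot: The comment above the `/var/www/cobbler(/.*)?` entry is ungrammatical ("This should removable when cobbler package installs"); suggest `# This can be removed once the cobbler package installs /var/www/cobbler/rendered`. The more specific `/var/www/cobbler/<subdir>` entries below it correctly override the catch-all because setfiles picks the longest/most specific match, so the ordering is fine as written.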
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
index 116d60f..82306eb 100644
--- a/policy/modules/services/cobbler.if
+++ b/policy/modules/services/cobbler.if
@@ -1,12 +1,12 @@
## <summary>Cobbler installation server.</summary>
## <desc>
## <p>
-## Cobbler is a Linux installation server that allows for
-## rapid setup of network installation environments. It
-## glues together and automates many associated Linux
-## tasks so you do not have to hop between lots of various
-## commands and applications when rolling out new systems,
-## and, in some cases, changing existing ones.
+## Cobbler is a Linux installation server that allows for
+## rapid setup of network installation environments. It
+## glues together and automates many associated Linux
+## tasks so you do not have to hop between lots of various
+## commands and applications when rolling out new systems,
+## and, in some cases, changing existing ones.
## </p>
## </desc>
@@ -15,9 +15,9 @@
## Execute a domain transition to run cobblerd.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`cobblerd_domtrans',`
@@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',`
')
domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
+ corecmd_search_bin($1)
')
########################################
@@ -48,7 +49,7 @@ interface(`cobblerd_initrc_domtrans',`
########################################
## <summary>
-## Read Cobbler content in /etc
+## List Cobbler configuration.
## </summary>
## <param name="domain">
## <summary>
@@ -56,19 +57,18 @@ interface(`cobblerd_initrc_domtrans',`
## </summary>
## </param>
#
-interface(`cobbler_read_config',`
+interface(`cobbler_list_config',`
gen_require(`
type cobbler_etc_t;
')
- read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
files_search_etc($1)
')
########################################
## <summary>
-## Do not audit attempts to read and write
-## Cobbler log files (leaked fd).
+## Read Cobbler configuration files.
## </summary>
## <param name="domain">
## <summary>
@@ -76,12 +76,13 @@ interface(`cobbler_read_config',`
## </summary>
## </param>
#
-interface(`cobbler_dontaudit_rw_log',`
+interface(`cobbler_read_config',`
gen_require(`
- type cobbler_var_log_t;
+ type cobbler_etc_t;
')
- dontaudit $1 cobbler_var_log_t:file rw_file_perms;
+ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ files_search_etc($1)
')
########################################
@@ -100,6 +101,7 @@ interface(`cobbler_search_lib',`
')
search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
@@ -119,6 +121,7 @@ interface(`cobbler_read_lib_files',`
')
read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
@@ -137,12 +140,33 @@ interface(`cobbler_manage_lib_files',`
type cobbler_var_lib_t;
')
+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
########################################
## <summary>
+## Do not audit attempts to read and write
+## Cobbler log files (leaked fd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cobbler_dontaudit_rw_log',`
+ gen_require(`
+ type cobbler_var_log_t;
+ ')
+
+ dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an cobblerd environment
## </summary>
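Review bot: `cobbler_manage_lib_files` now also manages directories and symlinks under `cobbler_var_lib_t`, but its summary (above this hunk) still only speaks of files; update it to "Manage Cobbler lib files, directories and symlinks" so callers know the interface is broader than its name. The new `cobbler_dontaudit_rw_log` correctly uses `rw_inherited_file_perms`, which matches its "leaked fd" summary.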
@@ -161,25 +185,34 @@ interface(`cobbler_manage_lib_files',`
interface(`cobblerd_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
- type cobbler_etc_t, cobblerd_initrc_exec_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
+ type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
')
- allow $1 cobblerd_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, cobblerd_t, cobblerd_t)
+ allow $1 cobblerd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cobblerd_t)
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, cobbler_etc_t)
files_list_var_lib($1)
admin_pattern($1, cobbler_var_lib_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, cobbler_var_log_t)
+ apache_list_sys_content($1)
+ admin_pattern($1, httpd_cobbler_content_t)
+ admin_pattern($1, httpd_cobbler_content_ra_t)
admin_pattern($1, httpd_cobbler_content_rw_t)
cobblerd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 cobblerd_initrc_exec_t system_r;
allow $2 system_r;
+
+ optional_policy(`
+ # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
+ tftp_search_rw_content($1)
+ ')
')
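Review bot: The comment `# traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.` names a path that does not exist in this patch — cobbler.fc labels `/var/lib/tftpboot/...` as `cobbler_var_lib_t`; the same mismatch recurs in the cobbler.te hunk `@@ -110,12 +219,20 @@` ("/var/lib/tftpdir", "/var/lib/tftpdir/images"). Suggest `# traverse /var/lib/tftpboot to reach the cobbler_var_lib_t content labeled there` here and the corresponding fix in cobbler.te, so the file contexts and the rationale agree. `cobblerd_admin` starts outside this hunk.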
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
index 0258b48..c6dcdfe 100644
--- a/policy/modules/services/cobbler.te
+++ b/policy/modules/services/cobbler.te
@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
#
## <desc>
-## <p>
-## Allow Cobbler to modify public files
-## used for public file transfer services.
-## </p>
+## <p>
+## Allow Cobbler to modify public files
+## used for public file transfer services.
+## </p>
## </desc>
gen_tunable(cobbler_anon_write, false)
+## <desc>
+## <p>
+## Allow Cobbler to connect to the
+## network using TCP.
+## </p>
+## </desc>
+gen_tunable(cobbler_can_network_connect, false)
+
+## <desc>
+## <p>
+## Allow Cobbler to access cifs file systems.
+## </p>
+## </desc>
+gen_tunable(cobbler_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow Cobbler to access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(cobbler_use_nfs, false)
+
type cobblerd_t;
type cobblerd_exec_t;
init_daemon_domain(cobblerd_t, cobblerd_exec_t)
@@ -26,25 +48,40 @@ files_config_file(cobbler_etc_t)
type cobbler_var_log_t;
logging_log_file(cobbler_var_log_t)
-type cobbler_var_lib_t;
+type cobbler_var_lib_t alias cobbler_content_t;
files_type(cobbler_var_lib_t)
+type cobbler_tmp_t;
+files_tmp_file(cobbler_tmp_t)
+
########################################
#
# Cobbler personal policy.
#
-allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
+allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
+dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config };
+
allow cobblerd_t self:process { getsched setsched signal };
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
+allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
allow cobblerd_t self:tcp_socket create_stream_socket_perms;
+allow cobblerd_t self:udp_socket create_socket_perms;
+allow cobblerd_t self:unix_dgram_socket create_socket_perms;
list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t.
+dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms;
+
manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
-files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
+manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file })
+
+# Something really needs to write to cobbler.log. Ideally this should not be happening.
+allow cobblerd_t cobbler_var_log_t:file write;
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
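Review bot: `allow cobblerd_t cobbler_var_log_t:file write;` gives the daemon the ability to overwrite and truncate its own log, while the surrounding rules deliberately stay at append/create/read/setattr; the comment admits this "should not be happening". Since the only observed need is unknown, consider keeping this behind a comment naming the caller (`# cobbler's python logging opens the log O_WRONLY without O_APPEND — confirm`) so it can be removed when fixed upstream, rather than a permanent write grant on log integrity-sensitive files. Also the comment above `dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms;` misspells the domain as `cobberd_t`; it should read `cobblerd_t`.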
@@ -52,7 +89,12 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
+manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
+manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
+files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
+
kernel_read_system_state(cobblerd_t)
+kernel_dontaudit_search_network_state(cobblerd_t)
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
@@ -65,44 +107,111 @@ corenet_tcp_bind_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_port(cobblerd_t)
+corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
+# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
+corenet_tcp_connect_ftp_port(cobblerd_t)
+corenet_tcp_connect_all_ephemeral_ports(cobblerd_t)
+corenet_tcp_sendrecv_ftp_port(cobblerd_t)
+corenet_sendrecv_ftp_client_packets(cobblerd_t)
+corenet_tcp_connect_http_port(cobblerd_t)
+corenet_tcp_sendrecv_http_port(cobblerd_t)
+corenet_sendrecv_http_client_packets(cobblerd_t)
dev_read_urand(cobblerd_t)
+domain_dontaudit_exec_all_entry_files(cobblerd_t)
+domain_dontaudit_read_all_domains_state(cobblerd_t)
+
+files_read_etc_files(cobblerd_t)
+# mtab
+files_read_etc_runtime_files(cobblerd_t)
files_read_usr_files(cobblerd_t)
files_list_boot(cobblerd_t)
+files_read_boot_files(cobblerd_t)
files_list_tmp(cobblerd_t)
-# read /etc/nsswitch.conf
-files_read_etc_files(cobblerd_t)
+
+# read from mounted images (install media)
+fs_read_iso9660_files(cobblerd_t)
+
+init_dontaudit_read_all_script_files(cobblerd_t)
+
+term_use_console(cobblerd_t)
+
+logging_send_syslog_msg(cobblerd_t)
miscfiles_read_localization(cobblerd_t)
miscfiles_read_public_files(cobblerd_t)
+selinux_dontaudit_read_fs(cobblerd_t)
+
sysnet_read_config(cobblerd_t)
sysnet_rw_dhcp_config(cobblerd_t)
sysnet_write_config(cobblerd_t)
+userdom_dontaudit_use_user_terminals(cobblerd_t)
+userdom_dontaudit_search_user_home_dirs(cobblerd_t)
+userdom_dontaudit_search_admin_dir(cobblerd_t)
+
tunable_policy(`cobbler_anon_write',`
miscfiles_manage_public_files(cobblerd_t)
')
+tunable_policy(`cobbler_can_network_connect',`
+ corenet_tcp_connect_all_ports(cobblerd_t)
+ corenet_tcp_sendrecv_all_ports(cobblerd_t)
+ corenet_sendrecv_all_client_packets(cobblerd_t)
+')
+
+tunable_policy(`cobbler_use_cifs',`
+ fs_manage_cifs_dirs(cobblerd_t)
+ fs_manage_cifs_files(cobblerd_t)
+ fs_manage_cifs_symlinks(cobblerd_t)
+')
+
+tunable_policy(`cobbler_use_nfs',`
+ fs_manage_nfs_dirs(cobblerd_t)
+ fs_manage_nfs_files(cobblerd_t)
+ fs_manage_nfs_symlinks(cobblerd_t)
+')
+
+optional_policy(`
+ # Cobbler traverses /var/www to get to /var/www/cobbler/*
+ apache_search_sys_content(cobblerd_t)
+')
+
optional_policy(`
bind_read_config(cobblerd_t)
bind_write_config(cobblerd_t)
bind_domtrans_ndc(cobblerd_t)
bind_domtrans(cobblerd_t)
bind_initrc_domtrans(cobblerd_t)
+ bind_systemctl(cobblerd_t)
bind_manage_zone(cobblerd_t)
')
optional_policy(`
+ certmaster_exec(cobblerd_t)
+')
+
+optional_policy(`
dhcpd_domtrans(cobblerd_t)
dhcpd_initrc_domtrans(cobblerd_t)
+ dhcpd_systemctl(cobblerd_t)
')
optional_policy(`
dnsmasq_domtrans(cobblerd_t)
dnsmasq_initrc_domtrans(cobblerd_t)
dnsmasq_write_config(cobblerd_t)
+ dnsmasq_systemctl(cobblerd_t)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(cobblerd_t)
+')
+
+optional_policy(`
+ puppet_domtrans_puppetca(cobblerd_t)
')
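Review bot: `corenet_tcp_connect_all_ephemeral_ports(cobblerd_t)` is granted unconditionally right under the comment that says only ftp and http are permitted by default and anything else should go through `cobbler_can_network_connect`; that contradiction should be resolved. If it exists for passive-mode FTP data connections, say so (`# passive FTP data connections use ephemeral ports`) and keep it; otherwise move it into the `cobbler_can_network_connect` tunable block, which already grants `corenet_tcp_connect_all_ports`. `term_use_console(cobblerd_t)` for a daemon is likewise unexplained and may be a dontaudit candidate.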
optional_policy(`
@@ -110,12 +219,20 @@ optional_policy(`
')
optional_policy(`
- rsync_read_config(cobblerd_t)
- rsync_write_config(cobblerd_t)
+ rsync_exec(cobblerd_t)
+ rsync_manage_config(cobblerd_t)
+ # cobbler creates /etc/rsync.conf if its not there.
+ rsync_filetrans_config(cobblerd_t, file)
')
optional_policy(`
- tftp_manage_rw_content(cobblerd_t)
+ # Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images.
+ # tftp_manage_rw_content(cobblerd_t) can be used instead if:
+ # 1. cobbler package installs /var/lib/tftpdir/images.
+ # 2. no FILES in /var/lib/TFTPDIR are hard linked.
+ # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
+ # are any of those hard linked?
+ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
')
########################################
@@ -124,5 +241,6 @@ optional_policy(`
#
apache_content_template(cobbler)
+list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t)
manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
diff --git a/policy/modules/services/collectd.fc b/policy/modules/services/collectd.fc
new file mode 100644
index 0000000..9d06a27
--- /dev/null
+++ b/policy/modules/services/collectd.fc
@@ -0,0 +1,11 @@
+
+/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+
+/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
+
+/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
+
+/var/run/collectd\.pid gen_context(system_u:object_r:collectd_var_run_t,s0)
+
+/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
+
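Review bot: The `/var/run/collectd\.pid` entry has no file-type specifier, unlike the other single-file entries in this new file (`/usr/sbin/collectd --`, the `.cgi` rule); it still matches, but it will also label a directory or socket of that name. Suggest `/var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)` for consistency. The leading and trailing blank lines can also be dropped.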
diff --git a/policy/modules/services/collectd.if b/policy/modules/services/collectd.if
new file mode 100644
index 0000000..ed13d1e
--- /dev/null
+++ b/policy/modules/services/collectd.if
@@ -0,0 +1,157 @@
+
+## <summary>policy for collectd</summary>
+
+
+########################################
+## <summary>
+## Transition to collectd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`collectd_domtrans',`
+ gen_require(`
+ type collectd_t, collectd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, collectd_exec_t, collectd_t)
+')
+
+
+########################################
+## <summary>
+## Execute collectd server in the collectd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`collectd_initrc_domtrans',`
+ gen_require(`
+ type collectd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+')
+
+
+########################################
+## <summary>
+## Search collectd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`collectd_search_lib',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ allow $1 collectd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read collectd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`collectd_read_lib_files',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage collectd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`collectd_manage_lib_files',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage collectd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`collectd_manage_lib_dirs',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an collectd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`collectd_admin',`
+ gen_require(`
+ type collectd_t;
+ type collectd_initrc_exec_t;
+ type collectd_var_lib_t;
+ ')
+
+ allow $1 collectd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, collectd_t)
+
+ collectd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 collectd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, collectd_var_lib_t)
+
+')
+
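Review bot: `collectd_admin` only covers `collectd_var_lib_t`, although the accompanying `collectd.te` also declares `collectd_var_run_t` for the pid file, so an admin role granted through this interface cannot clean up or relabel the daemon's run-time state. Add `type collectd_var_run_t;` to the `gen_require`, then `files_search_pids($1)` and `admin_pattern($1, collectd_var_run_t)` alongside the existing var_lib rules. The summary of `collectd_initrc_domtrans` reads "Execute collectd server in the collectd domain", which describes `collectd_domtrans` rather than the init-script transition it actually performs; suggest `## Execute collectd server in the collectd domain via its init script.` or simply `## Execute the collectd init script with a domain transition.`.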
diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
new file mode 100644
index 0000000..1783fe6
--- /dev/null
+++ b/policy/modules/services/collectd.te
@@ -0,0 +1,61 @@
+policy_module(collectd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type collectd_t;
+type collectd_exec_t;
+init_daemon_domain(collectd_t, collectd_exec_t)
+
+type collectd_initrc_exec_t;
+init_script_file(collectd_initrc_exec_t)
+
+type collectd_var_lib_t;
+files_type(collectd_var_lib_t)
+
+type collectd_var_run_t;
+files_pid_file(collectd_var_run_t)
+
+########################################
+#
+# collectd local policy
+#
+allow collectd_t self:process { fork };
+
+allow collectd_t self:fifo_file rw_fifo_file_perms;
+allow collectd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
+manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
+files_var_lib_filetrans(collectd_t, collectd_var_lib_t, { dir file })
+
+manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
+manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
+files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file })
+
+domain_use_interactive_fds(collectd_t)
+
+kernel_read_network_state(collectd_t)
+kernel_read_system_state(collectd_t)
+
+dev_read_sysfs(collectd_t)
+
+files_read_etc_files(collectd_t)
+files_read_usr_files(collectd_t)
+
+fs_getattr_all_fs(collectd_t)
+
+miscfiles_read_localization(collectd_t)
+
+logging_send_syslog_msg(collectd_t)
+
+sysnet_dns_name_resolve(collectd_t)
+
+optional_policy(`
+ apache_content_template(collectd)
+
+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
+')
+
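Review bot: `miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)` grants a web-reachable CGI domain the right to change attributes on the system-wide font cache directories, which is a write into shared system state from a script that serves HTTP requests. If this is only there to silence fontconfig's attempt to touch the cache when the CGI renders graphs, a dontaudit would keep the audit log quiet without granting the write; otherwise a comment such as `# collection3 CGI regenerates the fontconfig cache when rendering graphs` should state why the grant is required. The single-permission braces in `allow collectd_t self:process { fork };` are harmless but differ from the file's other self rules; `allow collectd_t self:process fork;` matches them.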
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
index 74505cc..6ff206b 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -23,6 +23,7 @@ files_type(colord_var_lib_t)
# colord local policy
#
allow colord_t self:capability { dac_read_search dac_override };
+dontaudit colord_t self:capability sys_admin;
allow colord_t self:process signal;
allow colord_t self:fifo_file rw_fifo_file_perms;
allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -41,8 +42,13 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
-kernel_getattr_proc_files(colord_t)
+kernel_read_network_state(colord_t)
+kernel_read_system_state(colord_t)
kernel_read_device_sysctls(colord_t)
+kernel_request_load_module(colord_t)
+
+# reads *.ini files
+corecmd_exec_bin(colord_t)
corenet_all_recvfrom_unlabeled(colord_t)
corenet_all_recvfrom_netlabel(colord_t)
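Review bot: The comment `# reads *.ini files` does not describe the permission it annotates: `corecmd_exec_bin(colord_t)` allows colord to execute every bin_t program, which has nothing to do with reading configuration. Replace it with a comment naming the helper colord actually runs (the AVC that prompted the rule would say which), e.g. `# colord spawns external helper binaries; see AVC for <program>`, or if a single helper is involved consider a narrower rule. `kernel_request_load_module(colord_t)` lets the daemon trigger kernel module autoloading by name, which is a wider attack surface than reading sysctls; a short comment on what module lookup colord performs would justify it.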
@@ -50,6 +56,8 @@ corenet_udp_bind_generic_node(colord_t)
corenet_udp_bind_ipp_port(colord_t)
corenet_tcp_connect_ipp_port(colord_t)
+dev_read_raw_memory(colord_t)
+dev_write_raw_memory(colord_t)
dev_read_video_dev(colord_t)
dev_write_video_dev(colord_t)
dev_rw_printer(colord_t)
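Review bot: `dev_write_raw_memory(colord_t)` (together with `dev_read_raw_memory`) grants a colour-management daemon write access to the raw memory device types (`/dev/mem`, `/dev/kmem`), which in practice is a full kernel-integrity bypass if colord is ever compromised through a malicious ICC profile or device. Nothing in the hunk explains which operation needs this; if it is an attempt by some probing library to read video BIOS or EDID data, reading should be enough and the write grant should be dropped, and if it is merely noise it should be `dev_dontaudit_write_raw_memory`-style rather than an allow. At minimum add `# TODO(security): justify raw memory access, otherwise remove` so the grant does not survive unquestioned.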
@@ -65,19 +73,31 @@ files_list_mnt(colord_t)
files_read_etc_files(colord_t)
files_read_usr_files(colord_t)
+fs_search_all(colord_t)
+fs_getattr_noxattr_fs(colord_t)
+fs_list_noxattr_fs(colord_t)
fs_read_noxattr_fs_files(colord_t)
+storage_getattr_fixed_disk_dev(colord_t)
+storage_getattr_removable_dev(colord_t)
+storage_read_scsi_generic(colord_t)
+storage_write_scsi_generic(colord_t)
+
logging_send_syslog_msg(colord_t)
miscfiles_read_localization(colord_t)
sysnet_dns_name_resolve(colord_t)
+userdom_rw_user_tmpfs_files(colord_t)
+
tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(colord_t)
fs_read_nfs_files(colord_t)
')
tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(colord_t)
fs_read_cifs_files(colord_t)
')
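Review bot: `storage_write_scsi_generic(colord_t)` lets colord send arbitrary commands to `/dev/sg*` devices, which covers every SCSI-attached disk and optical drive, not just the scanners colord presumably talks to via SANE. Reading the device class may be needed for device discovery, but write access is equivalent to raw block-device control and deserves a comment naming the device type that requires it (e.g. `# SANE backends send SCSI commands to scanners on /dev/sg*`). `fs_search_all(colord_t)` likewise widens search to every filesystem type; if the need is only NFS/CIFS home directories, the tunable blocks below already cover that.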
@@ -89,6 +109,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_read_home_icc_data_content(colord_t)
+')
+
+optional_policy(`
policykit_dbus_chat(colord_t)
policykit_domtrans_auth(colord_t)
policykit_read_lib(colord_t)
@@ -98,3 +122,9 @@ optional_policy(`
optional_policy(`
udev_read_db(colord_t)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(colord_t)
+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+ xserver_read_inherited_xdm_lib_files(colord_t)
+')
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
index fd15dfe..d33cc41 100644
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run consolekit.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`consolekit_domtrans',`
@@ -20,6 +20,27 @@ interface(`consolekit_domtrans',`
########################################
## <summary>
+## dontaudit Send and receive messages from
+## consolekit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`consolekit_dontaudit_dbus_chat',`
+ gen_require(`
+ type consolekit_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 consolekit_t:dbus send_msg;
+ dontaudit consolekit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## consolekit over dbus.
## </summary>
@@ -41,6 +62,24 @@ interface(`consolekit_dbus_chat',`
########################################
## <summary>
+## Dontaudit attempts to read consolekit log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`consolekit_dontaudit_read_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ dontaudit $1 consolekit_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Read consolekit log files.
## </summary>
## <param name="domain">
@@ -96,3 +135,41 @@ interface(`consolekit_read_pid_files',`
allow $1 consolekit_var_run_t:dir list_dir_perms;
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
')
+
+########################################
+## <summary>
+## List consolekit PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_list_pid_files',`
+ gen_require(`
+ type consolekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
+########################################
+## <summary>
+## Allow the domain to read consolekit state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_read_state',`
+ gen_require(`
+ type consolekit_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, consolekit_t)
+')
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
index e67a003..192332a 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t)
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
+type consolekit_tmpfs_t;
+files_tmpfs_file(consolekit_tmpfs_t)
+
########################################
#
# consolekit local policy
@@ -69,11 +72,14 @@ logging_send_audit_msgs(consolekit_t)
miscfiles_read_localization(consolekit_t)
+systemd_exec_systemctl(consolekit_t)
+
+# consolekit needs to be able to ptrace all logged in users
+userdom_ptrace_all_users(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
-hal_ptrace(consolekit_t)
-
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(consolekit_t)
')
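Review bot: `userdom_ptrace_all_users(consolekit_t)` grants ptrace over every user domain, which means a compromised consolekit can read any logged-in user's process memory, including credentials held by agents; the comment "needs to be able to ptrace all logged in users" restates the rule rather than explaining the need. If the underlying requirement is only to read `/proc/<pid>` state for session tracking, a read-state interface for user domains (if the tree provides one) is far narrower than ptrace; confirm against the AVC that prompted this. If ptrace really is required, say why in the comment, e.g. `# ConsoleKit reads /proc/<pid>/environ of user sessions, which the kernel checks as ptrace`.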
@@ -83,6 +89,14 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ cron_read_system_job_lib_files(consolekit_t)
+')
+
+optional_policy(`
+ hal_ptrace(consolekit_t)
+')
+
+optional_policy(`
dbus_system_domain(consolekit_t, consolekit_exec_t)
optional_policy(`
@@ -99,6 +113,10 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_append_log(consolekit_t)
+')
+
+optional_policy(`
policykit_dbus_chat(consolekit_t)
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
@@ -106,9 +124,10 @@ optional_policy(`
')
optional_policy(`
- type consolekit_tmpfs_t;
- files_tmpfs_file(consolekit_tmpfs_t)
+ shutdown_domtrans(consolekit_t)
+')
+optional_policy(`
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
xserver_non_drawing_client(consolekit_t)
@@ -125,5 +144,6 @@ optional_policy(`
optional_policy(`
#reading .Xauthity
+ unconfined_ptrace(consolekit_t)
unconfined_stream_connect(consolekit_t)
')
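Review bot: `unconfined_ptrace(consolekit_t)` is added under the existing comment `#reading .Xauthity`, but reading an Xauthority file is a file read, not a ptrace of the unconfined domain; the comment (which also misspells Xauthority) no longer explains the block. Ptrace on unconfined_t lets consolekit read memory of any unconfined process, so this rule should carry its own justification such as `# ConsoleKit reads /proc/<pid>/environ of unconfined sessions (ptrace check)` or be revisited. If the stream-connect rule is what the comment refers to, move the comment onto that line.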
diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
index 3a6d7eb..3f0e601 100644
--- a/policy/modules/services/corosync.fc
+++ b/policy/modules/services/corosync.fc
@@ -1,8 +1,10 @@
/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
index 5220c9d..a2e6830 100644
--- a/policy/modules/services/corosync.if
+++ b/policy/modules/services/corosync.if
@@ -18,6 +18,25 @@ interface(`corosync_domtrans',`
domtrans_pattern($1, corosync_exec_t, corosync_t)
')
+######################################
+## <summary>
+## Execute corosync in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_exec',`
+ gen_require(`
+ type corosync_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, corosync_exec_t)
+')
+
#######################################
## <summary>
## Allow the specified domain to read corosync's log files.
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
index 04969e5..0e76440 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t)
# corosync local policy
#
-allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
-allow corosync_t self:process { setrlimit setsched signal };
+allow corosync_t self:capability { dac_override setuid sys_nice sys_ptrace sys_resource ipc_lock };
+allow corosync_t self:process { setpgid setrlimit setsched signal signull };
allow corosync_t self:fifo_file rw_fifo_file_perms;
allow corosync_t self:sem create_sem_perms;
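Review bot: The capability line now adds `dac_override`, `setuid` and `sys_ptrace` to corosync_t in one change with no comment on which cluster operation needs each, and `sys_ptrace` in particular is a powerful capability that also widens what `domain_read_all_domains_state(corosync_t)` (visible later in this file) can reach. If `sys_ptrace` is only there to read `/proc/<pid>` entries of other uids, note that; if `setuid` is for `corosync-notifyd` or `cman_tool` dropping privileges, say so on the line, e.g. `# setuid: cman_tool drops to the cluster user; sys_ptrace: reads /proc/<pid> of fenced`. Unexplained capability bundles are the first thing a later audit will want to remove.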
@@ -41,9 +41,12 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
allow corosync_t self:unix_dgram_socket create_socket_perms;
allow corosync_t self:udp_socket create_socket_perms;
+can_exec(corosync_t, corosync_exec_t)
+
manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
+allow corosync_t corosync_tmp_t:file { relabelfrom relabelto };
manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
@@ -63,8 +66,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
kernel_read_system_state(corosync_t)
+kernel_read_network_state(corosync_t)
+kernel_read_net_sysctls(corosync_t)
corecmd_exec_bin(corosync_t)
+corecmd_exec_shell(corosync_t)
corenet_udp_bind_netsupport_port(corosync_t)
@@ -73,6 +79,7 @@ dev_read_urand(corosync_t)
domain_read_all_domains_state(corosync_t)
files_manage_mounttab(corosync_t)
+files_read_usr_files(corosync_t)
auth_use_nsswitch(corosync_t)
@@ -83,19 +90,44 @@ logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
+userdom_delete_user_tmpfs_files(corosync_t)
userdom_rw_user_tmpfs_files(corosync_t)
optional_policy(`
+ fs_manage_tmpfs_files(corosync_t)
+ init_manage_script_status_files(corosync_t)
+')
+
+optional_policy(`
ccs_read_config(corosync_t)
')
optional_policy(`
- # to communication with RHCS
- rhcs_rw_dlm_controld_semaphores(corosync_t)
+ cmirrord_rw_shm(corosync_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(corosync_t)
+')
+
+optional_policy(`
+ drbd_domtrans(corosync_t)
+')
- rhcs_rw_fenced_semaphores(corosync_t)
+optional_policy(`
+ lvm_rw_clvmd_tmpfs_files(corosync_t)
+ lvm_delete_clvmd_tmpfs_files(corosync_t)
+')
- rhcs_rw_gfs_controld_semaphores(corosync_t)
+optional_policy(`
+ rhcs_getattr_fenced(corosync_t)
+ # to communication with RHCS
+ rhcs_rw_cluster_shm(corosync_t)
+ rhcs_rw_cluster_semaphores(corosync_t)
+ rhcs_stream_connect_cluster(corosync_t)
+ rhcs_read_cluster_lib_files(corosync_t)
+ rhcs_manage_cluster_lib_files(corosync_t)
+ rhcs_relabel_cluster_lib_files(corosync_t)
')
optional_policy(`
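Review bot: The first new `optional_policy` block wraps `fs_manage_tmpfs_files(corosync_t)` and `init_manage_script_status_files(corosync_t)`, but both come from base modules (filesystem and init) that are always present, so the optional wrapper does nothing and hides the fact that these are unconditional grants. `fs_manage_tmpfs_files` also covers every file of type tmpfs_t, which is much broader than the `lvm_*_clvmd_tmpfs_files` and `rhcs_rw_cluster_shm` rules below that target specific types; if corosync only needs its own shared-memory segments, the existing `corosync_tmpfs_t` rules plus the per-service interfaces should suffice. Suggest moving the two calls out of `optional_policy` and either narrowing `fs_manage_tmpfs_files` or commenting why all tmpfs files are needed.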
diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc
index 01d31f1..8e2754b 100644
--- a/policy/modules/services/courier.fc
+++ b/policy/modules/services/courier.fc
@@ -6,18 +6,18 @@
/usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
-/usr/lib(64)?/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
-/usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
-/usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib(64)?/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
-/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
+/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
ifdef(`distro_gentoo',`
-/usr/lib(64)?/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
')
/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
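Review bot: Dropping `(64)?` from every `/usr/lib` entry means a 64-bit install with courier under `/usr/lib64/courier/` no longer matches any of these specs; the binaries would fall back to the generic lib label and the daemons would run without their courier domains (and `rootcerts` would lose `courier_etc_t`). This is only safe if the distribution's `file_contexts.subs_dist` maps `/usr/lib64` to `/usr/lib`, which the patch does not show. If that substitution is relied on, say so in a comment at the top of the file, e.g. `# /usr/lib64 is covered via file_contexts.subs_dist`, so a packager for another distro does not silently lose the labels.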
diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
index 9971337..870265d 100644
--- a/policy/modules/services/courier.if
+++ b/policy/modules/services/courier.if
@@ -90,7 +90,7 @@ template(`courier_domain_template',`
## Execute the courier authentication daemon with
## a domain transition.
## </summary>
-## <param name="prefix">
+## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
@@ -109,7 +109,7 @@ interface(`courier_domtrans_authdaemon',`
## Execute the courier POP3 and IMAP server with
## a domain transition.
## </summary>
-## <param name="prefix">
+## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
@@ -127,7 +127,7 @@ interface(`courier_domtrans_pop',`
## <summary>
## Read courier config files
## </summary>
-## <param name="prefix">
+## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
@@ -138,6 +138,7 @@ interface(`courier_read_config',`
type courier_etc_t;
')
+ files_search_etc($1)
read_files_pattern($1, courier_etc_t, courier_etc_t)
')
@@ -146,7 +147,7 @@ interface(`courier_read_config',`
## Create, read, write, and delete courier
## spool directories.
## </summary>
-## <param name="prefix">
+## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
@@ -157,6 +158,7 @@ interface(`courier_manage_spool_dirs',`
type courier_spool_t;
')
+ files_search_spool($1)
manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
')
@@ -165,7 +167,7 @@ interface(`courier_manage_spool_dirs',`
## Create, read, write, and delete courier
## spool files.
## </summary>
-## <param name="prefix">
+## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
@@ -176,6 +178,7 @@ interface(`courier_manage_spool_files',`
type courier_spool_t;
')
+ files_search_spool($1)
manage_files_pattern($1, courier_spool_t, courier_spool_t)
')
@@ -183,7 +186,7 @@ interface(`courier_manage_spool_files',`
## <summary>
## Read courier spool files.
## </summary>
-## <param name="prefix">
+## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
@@ -194,6 +197,7 @@ interface(`courier_read_spool',`
type courier_spool_t;
')
+ files_search_spool($1)
read_files_pattern($1, courier_spool_t, courier_spool_t)
')
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 838dec7..59d0f96 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -15,7 +15,7 @@ courier_domain_template(pcp)
courier_domain_template(pop)
type courier_spool_t;
-files_type(courier_spool_t)
+files_spool_file(courier_spool_t)
courier_domain_template(tcpd)
@@ -95,7 +95,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
# inherits file handle - should it?
-allow courier_pop_t courier_var_lib_t:file { read write };
+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
miscfiles_read_localization(courier_pop_t)
diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te
index 13d2f63..861fad7 100644
--- a/policy/modules/services/cpucontrol.te
+++ b/policy/modules/services/cpucontrol.te
@@ -10,7 +10,7 @@ type cpucontrol_exec_t;
init_system_domain(cpucontrol_t, cpucontrol_exec_t)
type cpucontrol_conf_t;
-files_type(cpucontrol_conf_t)
+files_config_file(cpucontrol_conf_t)
type cpuspeed_t;
type cpuspeed_exec_t;
@@ -55,10 +55,6 @@ logging_send_syslog_msg(cpucontrol_t)
userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t)
optional_policy(`
- nscd_socket_use(cpucontrol_t)
-')
-
-optional_policy(`
rhgb_use_ptys(cpucontrol_t)
')
@@ -110,10 +106,6 @@ miscfiles_read_localization(cpuspeed_t)
userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t)
optional_policy(`
- nscd_socket_use(cpuspeed_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(cpuspeed_t)
')
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
index 2eefc08..6ea5693 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
@@ -2,6 +2,7 @@
/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/lib/systemd/system/crond\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0)
/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
@@ -14,14 +15,15 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
/var/spool/cron/[^/]* -- <<none>>
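Review bot: The new entry `/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)` is far broader than the explicit pid and reboot entries above it: `.*` crosses `/`, so any regular file anywhere under `/var/run` whose path contains "cron" (for example a service's own state file named like `/var/run/foo/cron-lock`) is relabelled to crond_var_run_t and becomes writable by crond. Anchor it to what is intended, e.g. `/var/run/[^/]*cron[^/]* -- gen_context(system_u:object_r:crond_var_run_t,s0)`, or better list the specific files (the explicit entries already cover crond, anacron, atd and fcron). Also note the existing `/var/run/crond?\.pid` and the modified `/var/run/crond?\.reboot` are now shadowed by this catch-all.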
@@ -45,3 +47,5 @@ ifdef(`distro_suse', `
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
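Review bot: Labelling `/var/lib/glpi/files(/.*)?` as `cron_var_lib_t` puts an application's data directory under a cron-owned type in `cron.fc`, with no comment saying which cron job needs it; every domain granted manage rights on cron_var_lib_t now has full access to GLPI's files. If GLPI's cron job is the consumer, a comment such as `# glpi's cron job (system_cronjob_t) manages its file store` would make the choice auditable, and a dedicated type or the apache content types may be a better fit if the web application also writes there. The entry is also placed after the fcron block rather than with the other `/var/lib` specs.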
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 35241ed..d972767 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -12,6 +12,11 @@
## </param>
#
template(`cron_common_crontab_template',`
+ gen_require(`
+ type crond_t, crond_var_run_t, crontab_exec_t;
+ type cron_spool_t, user_cron_spool_t;
+ ')
+
##############################
#
# Declarations
@@ -31,11 +36,15 @@ template(`cron_common_crontab_template',`
# dac_override is to create the file in the directory under /tmp
allow $1_t self:capability { fowner setuid setgid chown dac_override };
- allow $1_t self:process { setsched signal_perms };
+ allow $1_t self:process { getcap setsched signal_perms };
allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t $1_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_t, $1_tmp_t, file)
+ allow $1_t crond_t:process signal;
+ allow $1_t crond_var_run_t:file read_file_perms;
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
# create files in /var/spool/cron
manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
@@ -43,7 +52,7 @@ template(`cron_common_crontab_template',`
files_list_spool($1_t)
# crontab signals crond by updating the mtime on the spooldir
- allow $1_t cron_spool_t:dir setattr;
+ allow $1_t cron_spool_t:dir setattr_dir_perms;
kernel_read_system_state($1_t)
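Review bot: `allow $1_t crond_t:process signal;` is now granted unconditionally, which makes the `fcron_crond` tunable block later in this template (the `dontaudit $1_t crond_t:process signal;` seen in the following hunk) dead code: the permission is already allowed, so the dontaudit never fires and the tunable no longer gates anything. Either drop the unconditional allow and keep the signal grant inside `tunable_policy(\`fcron_crond', ...)`, or remove the tunable block and its comment so the policy does not imply a choice that no longer exists. The template body continues outside this hunk.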
@@ -51,6 +60,8 @@ template(`cron_common_crontab_template',`
selinux_dontaudit_search_fs($1_t)
fs_getattr_xattr_fs($1_t)
+ fs_manage_cgroup_dirs($1_t)
+ fs_manage_cgroup_files($1_t)
domain_use_interactive_fds($1_t)
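Review bot: `fs_manage_cgroup_dirs($1_t)` and `fs_manage_cgroup_files($1_t)` give the crontab utility full write access to the cgroup filesystem, which lets it move processes between control groups or rewrite limits; a crontab editor has no obvious reason for that. If this is fallout from a PAM session module creating a per-session cgroup during `auth_domtrans_chk_passwd`, add a comment to that effect (`# pam session setup creates a per-user cgroup`) so the grant is tied to its cause, and consider whether a narrower interface or a dontaudit satisfies the AVC. The template continues outside the hunk.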
@@ -59,12 +70,16 @@ template(`cron_common_crontab_template',`
files_dontaudit_search_pids($1_t)
auth_domtrans_chk_passwd($1_t)
+ auth_rw_var_auth($1_t)
+ auth_use_nsswitch($1_t)
logging_send_syslog_msg($1_t)
logging_send_audit_msgs($1_t)
+ logging_set_loginuid($1_t)
init_dontaudit_write_utmp($1_t)
init_read_utmp($1_t)
+ init_read_state($1_t)
miscfiles_read_localization($1_t)
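Review bot: `logging_set_loginuid($1_t)` allows the crontab domain to write `/proc/self/loginuid`, the audit login identity that is meant to be set once at login and then immutable; granting it to a user-invoked tool weakens the audit trail if the kernel permits changes. If this is only needed because the PAM stack run by crontab includes `pam_loginuid`, a comment such as `# pam_loginuid in the crontab PAM stack rewrites loginuid` should say so, and a dontaudit may be preferable to an allow since the value is already set for the session. `auth_rw_var_auth` likewise deserves a note naming the PAM module that needs it.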
@@ -73,9 +88,10 @@ template(`cron_common_crontab_template',`
userdom_manage_user_tmp_dirs($1_t)
userdom_manage_user_tmp_files($1_t)
# Access terminals.
- userdom_use_user_terminals($1_t)
+ userdom_use_inherited_user_terminals($1_t)
# Read user crontabs
userdom_read_user_home_content_files($1_t)
+ userdom_read_user_home_content_symlinks($1_t)
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
@@ -83,9 +99,6 @@ template(`cron_common_crontab_template',`
dontaudit $1_t crond_t:process signal;
')
- optional_policy(`
- nscd_socket_use($1_t)
- ')
')
########################################
@@ -102,10 +115,12 @@ template(`cron_common_crontab_template',`
## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`cron_role',`
gen_require(`
type cronjob_t, crontab_t, crontab_exec_t;
+ type user_cron_spool_t, crond_t;
')
role $1 types { cronjob_t crontab_t };
@@ -116,9 +131,16 @@ interface(`cron_role',`
# Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, crontab_t)
+ allow crond_t $2:process transition;
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ allow $2 crond_t:process sigchld;
+
+ # needs to be authorized SELinux context for cron
+ allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint };
+
# crontab shows up in user ps
ps_process_pattern($2, crontab_t)
- allow $2 crontab_t:process signal;
+ allow $2 crontab_t:process { ptrace signal_perms };
# Run helper programs as the user domain
#corecmd_bin_domtrans(crontab_t, $2)
@@ -132,9 +154,8 @@ interface(`cron_role',`
')
dbus_stub(cronjob_t)
-
allow cronjob_t $2:dbus send_msg;
- ')
+ ')
')
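Review bot: `allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint };` makes user crontab files entry points into the user domain `$2` while also letting that same domain write them; entrypoint files are normally kept non-writable by the domain they enter so that an `allow crond_t $2:process transition;` cannot be steered by modifying the file. If `write` is only for inherited descriptors, split it as `allow $2 user_cron_spool_t:file { read_file_perms entrypoint };` plus `allow $2 user_cron_spool_t:file rw_inherited_file_perms;`, and expand the comment `# needs to be authorized SELinux context for cron` to say that crond runs the user's jobs in `$2` using the crontab as the entrypoint. The new `ptrace` on crontab_t for `$2` is a widening from `signal` and should get its own justification as well.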
########################################
@@ -151,29 +172,18 @@ interface(`cron_role',`
## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`cron_unconfined_role',`
gen_require(`
- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
+ type unconfined_cronjob_t;
')
- role $1 types { unconfined_cronjob_t crontab_t };
+ role $1 types unconfined_cronjob_t;
# cronjob shows up in user ps
ps_process_pattern($2, unconfined_cronjob_t)
-
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, crontab_t)
-
- # crontab shows up in user ps
- ps_process_pattern($2, crontab_t)
- allow $2 crontab_t:process signal;
-
- # Run helper programs as the user domain
- #corecmd_bin_domtrans(crontab_t, $2)
- #corecmd_shell_domtrans(crontab_t, $2)
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
+ allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
optional_policy(`
gen_require(`
@@ -181,9 +191,8 @@ interface(`cron_unconfined_role',`
')
dbus_stub(unconfined_cronjob_t)
-
allow unconfined_cronjob_t $2:dbus send_msg;
- ')
+ ')
')
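Review bot: Removing `crontab_t` from `cron_unconfined_role` (the role assignment, the domtrans to `crontab_exec_t` and the `corecmd_exec_*` rules) changes what callers get: a role that only called `cron_unconfined_role` can no longer run `crontab` at all unless it also calls `cron_role`, which this hunk does not state. If the intent is that `cron_unconfined_role` is now purely additive on top of `cron_role`, say so in the interface summary (`## Must be used together with cron_role for crontab access.`) so existing callers are not silently broken. The interface still has unchanged lines outside the hunk.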
########################################
@@ -200,6 +209,7 @@ interface(`cron_unconfined_role',`
## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`cron_admin_role',`
gen_require(`
@@ -220,7 +230,7 @@ interface(`cron_admin_role',`
# crontab shows up in user ps
ps_process_pattern($2, admin_crontab_t)
- allow $2 admin_crontab_t:process signal;
+ allow $2 admin_crontab_t:process { ptrace signal_perms };
# Run helper programs as the user domain
#corecmd_bin_domtrans(admin_crontab_t, $2)
@@ -234,9 +244,8 @@ interface(`cron_admin_role',`
')
dbus_stub(admin_cronjob_t)
-
allow cronjob_t $2:dbus send_msg;
- ')
+ ')
')
########################################
@@ -304,7 +313,7 @@ interface(`cron_exec',`
########################################
## <summary>
-## Execute crond server in the nscd domain.
+## Execute crond server in the crond domain.
## </summary>
## <param name="domain">
## <summary>
@@ -322,6 +331,30 @@ interface(`cron_initrc_domtrans',`
########################################
## <summary>
+## Execute crond server in the crond domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cron_systemctl',`
+ gen_require(`
+ type crond_unit_file_t;
+ type crond_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 crond_unit_file_t:file read_file_perms;
+ allow $1 crond_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, crond_t)
+')
+
+########################################
+## <summary>
## Inherit and use a file descriptor
## from the cron daemon.
## </summary>
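Review bot: The summary for the new `cron_systemctl` interface, "Execute crond server in the crond domain", is copied from the interface above it and does not describe what this one does; it grants `all_service_perms` on `crond_unit_file_t` (start, stop, reload, enable and so on via systemctl) plus process-state reads. Suggest `## Execute systemctl to manage the crond service (start/stop/status).` and a `<param>` description of "Domain allowed access" rather than "Domain allowed to transition", since no transition into crond_t happens here. `all_service_perms` is also the broadest option; if callers only need start/stop, a narrower permission set would be safer.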
@@ -377,6 +410,47 @@ interface(`cron_read_pipes',`
########################################
## <summary>
+## Read crond state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_state_crond',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, crond_t)
+')
+
+
+########################################
+## <summary>
+## Send and receive messages from
+## crond over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_dbus_chat_crond',`
+ gen_require(`
+ type crond_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 crond_t:dbus send_msg;
+ allow crond_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Do not audit attempts to write cron daemon unnamed pipes.
## </summary>
## <param name="domain">
@@ -390,6 +464,7 @@ interface(`cron_dontaudit_write_pipes',`
type crond_t;
')
+ dontaudit $1 crond_t:fd use;
dontaudit $1 crond_t:fifo_file write;
')
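Review bot: The added `dontaudit $1 crond_t:fd use;` widens `cron_dontaudit_write_pipes` beyond what its summary (outside this hunk) describes, "Do not audit attempts to write cron daemon unnamed pipes." Callers reading only the summary will not expect fd use to be silenced as well; either update the summary to `## Do not audit attempts to use crond file descriptors or write its unnamed pipes.` or put the fd rule in a separate dontaudit interface.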
@@ -408,7 +483,43 @@ interface(`cron_rw_pipes',`
type crond_t;
')
- allow $1 crond_t:fifo_file { getattr read write };
+ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write inherited user spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_inherited_user_spool_files',`
+ gen_require(`
+ type user_cron_spool_t;
+ ')
+
+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write inherited spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_inherited_spool_files',`
+ gen_require(`
+ type cron_spool_t;
+ ')
+
+ allow $1 cron_spool_t:file rw_inherited_file_perms;
')
########################################
@@ -468,6 +579,25 @@ interface(`cron_search_spool',`
########################################
## <summary>
+## Search the directory containing user cron tables.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_system_spool',`
+ gen_require(`
+ type cron_system_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
+')
+
+########################################
+## <summary>
## Manage pid files used by cron
## </summary>
## <param name="domain">
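Review bot: The summary of `cron_manage_system_spool` is "Search the directory containing user cron tables.", which is the summary of the preceding `cron_search_spool` interface and describes neither the type used (`cron_system_spool_t`) nor the access granted (`manage_files_pattern`). Suggest `## Create, read, write, and delete files in the system cron spool.` Note also that this interface requires `cron_system_spool_t` while cron.te in this same patch declares `system_cron_spool_t`; if no `cron_system_spool_t` is declared elsewhere, the `gen_require` will fail to resolve.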
@@ -481,6 +611,7 @@ interface(`cron_manage_pid_files',`
type crond_var_run_t;
')
+ files_search_pids($1)
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
')
@@ -536,7 +667,7 @@ interface(`cron_write_system_job_pipes',`
type system_cronjob_t;
')
- allow $1 system_cronjob_t:file write;
+ allow $1 system_cronjob_t:fifo_file write;
')
########################################
@@ -554,7 +685,7 @@ interface(`cron_rw_system_job_pipes',`
type system_cronjob_t;
')
- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@@ -587,11 +718,14 @@ interface(`cron_rw_system_job_stream_sockets',`
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
- type system_cronjob_tmp_t;
+ type system_cronjob_tmp_t, cron_var_run_t;
')
files_search_tmp($1)
allow $1 system_cronjob_tmp_t:file read_file_perms;
+
+ files_search_pids($1)
+ allow $1 cron_var_run_t:file read_file_perms;
')
########################################
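Review bot: `cron_read_system_job_tmp_files` now also grants `read_file_perms` on `cron_var_run_t` pid files, but its `<summary>` (outside this hunk) still describes only temporary files, so callers get pid-file read access they did not ask for by name. Either update the summary to mention `/var/run` state as well, or move the two added lines into a dedicated `cron_read_pid_files`-style interface; the same mismatch applies to the `cron_var_run_t` dontaudit added to `cron_dontaudit_write_system_job_tmp_files` in the next hunk.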
@@ -627,7 +761,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
+ type cron_var_run_t;
')
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+ dontaudit $1 cron_var_run_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Read temporary files from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage files from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
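Review bot: The summary of the new `cron_read_system_job_lib_files` interface says "Read temporary files from the system cron jobs." but the body reads `system_cronjob_var_lib_t` under `/var/lib`; the summary was evidently copied from `cron_read_system_job_tmp_files`. Suggest `## Read /var/lib files from the system cron jobs.` to match the `cron_manage_system_job_lib_files` summary that follows it.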
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index f7583ab..86ea0ba 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
#
## <desc>
-## <p>
-## Allow system cron jobs to relabel filesystem
-## for restoring file contexts.
-## </p>
+## <p>
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
+## </p>
## </desc>
gen_tunable(cron_can_relabel, false)
## <desc>
-## <p>
-## Enable extra rules in the cron domain
-## to support fcron.
-## </p>
+## <p>
+## Enable extra rules in the cron domain
+## to support fcron.
+## </p>
## </desc>
gen_tunable(fcron_crond, false)
@@ -31,14 +31,14 @@ type anacron_exec_t;
application_executable_file(anacron_exec_t)
type cron_spool_t;
-files_type(cron_spool_t)
+files_spool_file(cron_spool_t)
# var/lib files
type cron_var_lib_t;
files_type(cron_var_lib_t)
type cron_var_run_t;
-files_type(cron_var_run_t)
+files_pid_file(cron_var_run_t)
# var/log files
type cron_log_t;
@@ -61,11 +61,17 @@ domain_cron_exemption_source(crond_t)
type crond_initrc_exec_t;
init_script_file(crond_initrc_exec_t)
+type crond_unit_file_t;
+systemd_unit_file(crond_unit_file_t)
+
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
+files_poly_parent(crond_tmp_t)
+mta_system_content(crond_tmp_t)
type crond_var_run_t;
files_pid_file(crond_var_run_t)
+mta_system_content(crond_var_run_t)
type crontab_exec_t;
application_executable_file(crontab_exec_t)
@@ -79,14 +85,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+allow admin_crontab_t crond_t:process signal;
type system_cron_spool_t, cron_spool_type;
-files_type(system_cron_spool_t)
+files_spool_file(system_cron_spool_t)
type system_cronjob_t alias system_crond_t;
init_daemon_domain(system_cronjob_t, anacron_exec_t)
corecmd_shell_entry_type(system_cronjob_t)
role system_r types system_cronjob_t;
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
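Review bot: `allow admin_crontab_t crond_t:process signal;` and `domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)` are inserted in the Declarations section between type and typealias declarations, whereas the rest of this file keeps access rules under the per-domain "local policy" headings. Moving the signal rule to the crontab section and the domtrans to the "Cron daemon local policy" section keeps the declarations block declaration-only and makes the new transition from crond_t into system_cronjob_t via anacron visible where reviewers look for it. A one-line comment on the domtrans, such as `# crond runs anacron directly, not only via init`, would explain why a second entry path into system_cronjob_t exists alongside the init_daemon_domain() above it.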
@@ -94,10 +102,6 @@ files_lock_file(system_cronjob_lock_t)
type system_cronjob_tmp_t alias system_crond_tmp_t;
files_tmp_file(system_cronjob_tmp_t)
-ifdef(`enable_mcs',`
- init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
-')
-
type unconfined_cronjob_t;
domain_type(unconfined_cronjob_t)
domain_cron_exemption_target(unconfined_cronjob_t)
@@ -106,8 +110,20 @@ domain_cron_exemption_target(unconfined_cronjob_t)
type user_cron_spool_t, cron_spool_type;
typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
+files_spool_file(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
+mta_system_content(user_cron_spool_t)
+
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+')
########################################
#
@@ -115,7 +131,7 @@ ubac_constrained(user_cron_spool_t)
#
# Allow our crontab domain to unlink a user cron spool file.
-allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
# Manipulate other users crontab.
selinux_get_fs_mount(admin_crontab_t)
@@ -125,7 +141,7 @@ selinux_compute_create_context(admin_crontab_t)
selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
-tunable_policy(`fcron_crond', `
+tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
# also crontab does a security check for crontab -u
allow admin_crontab_t self:process setfscreate;
@@ -136,9 +152,9 @@ tunable_policy(`fcron_crond', `
# Cron daemon local policy
#
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
+allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
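Review bot: The `chown` and `fowner` capabilities are added to `crond_t`, and `setrlimit` is removed from the negated `process` set so it is now allowed, but nothing in the hunk records which crond operation requires them; the commit message covers logrotate, not crond. A short comment on the capability line, e.g. `# chown/fowner: <operation that needs them — fill in>`, would let a later reviewer tell an intentional grant from one copied in from an audit log.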
@@ -187,12 +203,16 @@ fs_list_inotifyfs(crond_t)
# need auth_chkpwd to check for locked accounts.
auth_domtrans_chk_passwd(crond_t)
+auth_manage_var_auth(crond_t)
corecmd_exec_shell(crond_t)
corecmd_list_bin(crond_t)
+corecmd_exec_bin(crond_t)
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
+domain_subj_id_change_exemption(crond_t)
+domain_role_change_exemption(crond_t)
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
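Review bot: `auth_manage_var_auth(crond_t)` is added twice to the crond_t section, once here after `auth_domtrans_chk_passwd` and again in the next hunk (`@@ -203,11 +223,17 @@`) just before `auth_use_nsswitch`; one of the two should be dropped, preferably keeping the one grouped with the other `auth_*` calls. Separately, `domain_subj_id_change_exemption` and `domain_role_change_exemption` are significant constraint exemptions for a daemon that spawns jobs on behalf of all users; a one-line comment stating the reason (presumably user/role changes when launching per-user jobs, to be confirmed) would help.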
@@ -203,11 +223,17 @@ files_list_usr(crond_t)
files_search_var_lib(crond_t)
files_search_default(crond_t)
+fs_manage_cgroup_dirs(crond_t)
+fs_manage_cgroup_files(crond_t)
+
+init_read_state(crond_t)
init_rw_utmp(crond_t)
init_spec_domtrans_script(crond_t)
+auth_manage_var_auth(crond_t)
auth_use_nsswitch(crond_t)
+logging_send_audit_msgs(crond_t)
logging_send_syslog_msg(crond_t)
logging_set_loginuid(crond_t)
@@ -220,8 +246,11 @@ miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
+userdom_list_admin_dir(crond_t)
+userdom_create_all_users_keys(crond_t)
mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
ifdef(`distro_debian',`
# pam_limits is used
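Review bot: `mta_system_content(cron_spool_t)` is a type-attribute assignment placed among the crond_t access rules and called unconditionally, while the same patch wraps `mta_system_content(system_cron_spool_t)` in an `optional_policy` block in the system_cronjob_t section, and puts `mta_system_content(crond_tmp_t)` and `mta_system_content(user_cron_spool_t)` in the Declarations section. Pick one placement and one guarding style for all four; the declarations block next to each `type` line is the conventional one and avoids a type's attributes depending on which section a reader happens to look at.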
@@ -233,7 +262,7 @@ ifdef(`distro_debian',`
')
')
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
@@ -250,11 +279,30 @@ tunable_policy(`fcron_crond', `
')
optional_policy(`
+ apache_search_sys_content(crond_t)
+')
+
+optional_policy(`
+ djbdns_search_tinydns_keys(crond_t)
+ djbdns_link_tinydns_keys(crond_t)
+')
+
+optional_policy(`
locallogin_search_keys(crond_t)
locallogin_link_keys(crond_t)
')
optional_policy(`
+ # these should probably be unconfined_crond_t
+ dbus_system_bus_client(crond_t)
+ init_dbus_send_script(crond_t)
+')
+
+optional_policy(`
+ mono_domtrans(crond_t)
+')
+
+optional_policy(`
amanda_search_var_lib(crond_t)
')
@@ -264,6 +312,8 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(crond_t)
+ hal_write_log(crond_t)
+ hal_dbus_chat(system_cronjob_t)
')
optional_policy(`
@@ -286,15 +336,26 @@ optional_policy(`
')
optional_policy(`
+ systemd_use_fds_logind(crond_t)
+ systemd_write_inherited_logind_sessions_pipes(crond_t)
+')
+
+optional_policy(`
udev_read_db(crond_t)
')
+optional_policy(`
+ vnstatd_search_lib(crond_t)
+')
+
########################################
#
# System cron process domain
#
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+dontaudit system_cronjob_t self:capability sys_ptrace;
+
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
@@ -306,10 +367,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
-allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
+allow system_cronjob_t cron_var_run_t:file manage_file_perms;
+files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
+
allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
+mls_file_read_to_clearance(system_cronjob_t)
+
+# anacron forces the following
+manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
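Review bot: After `manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)` the pre-existing `allow system_cronjob_t system_cron_spool_t:file read_file_perms;` a few lines above is fully subsumed and can be removed. The comment `# anacron forces the following` does not say which anacron operation needs create/write/unlink on the system cron spool; since this lets system cron jobs modify the files that schedule system cron jobs, the comment should name the concrete operation (e.g. timestamp files, to be confirmed) so the write access can be narrowed later if a dedicated type becomes available.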
@@ -329,6 +399,7 @@ allow crond_t system_cronjob_t:fd use;
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:key manage_key_perms;
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
@@ -340,9 +411,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+# var/lib files for system_crond
+files_search_var_lib(system_cronjob_t)
+manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+
# Read from /var/spool/cron.
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
-allow system_cronjob_t cron_spool_t:file read_file_perms;
+allow system_cronjob_t cron_spool_t:file rw_file_perms;
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
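Review bot: The comment `# Read from /var/spool/cron.` is now stale: the rule below it changes from `read_file_perms` to `rw_file_perms`, so system_cronjob_t can also write the spool files. Update it to `# Read and write /var/spool/cron.` and, if possible, add why write access is needed, since it lets any system cron job alter other jobs' crontab files.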
@@ -365,6 +440,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
+dev_read_sysfs(system_cronjob_t)
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
@@ -391,6 +467,7 @@ files_dontaudit_search_pids(system_cronjob_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
+files_create_boot_flag(system_cronjob_t)
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
@@ -413,8 +490,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
seutil_read_config(system_cronjob_t)
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
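Review bot: `allow crond_t system_cron_spool_t:file manage_file_perms;` is inserted between the two halves of the comment "# Run the rpm program in the rpm_t domain. Allow creation of RPM log files" / "# via redirection of standard out.", so the comment no longer reads as one sentence, and the rule is a crond_t rule placed inside the system_cronjob_t section's `ifdef(`distro_redhat')` block. Move it to the crond_t section (with the other `system_cron_spool_t` rules, if the redhat conditional is intended) and restore the comment as two adjacent lines.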
@@ -439,6 +518,8 @@ optional_policy(`
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
+ apache_delete_cache_dirs(system_cronjob_t)
+ apache_delete_cache_files(system_cronjob_t)
')
optional_policy(`
@@ -446,6 +527,14 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_bus_client(system_cronjob_t)
+')
+
+optional_policy(`
+ exim_read_spool_files(system_cronjob_t)
+')
+
+optional_policy(`
ftp_read_log(system_cronjob_t)
')
@@ -456,15 +545,24 @@ optional_policy(`
')
optional_policy(`
+ livecd_read_tmp_files(system_cronjob_t)
+')
+
+optional_policy(`
lpd_list_spool(system_cronjob_t)
')
optional_policy(`
+ mono_domtrans(system_cronjob_t)
+')
+
+optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
')
optional_policy(`
mta_send_mail(system_cronjob_t)
+ mta_system_content(system_cron_spool_t)
')
optional_policy(`
@@ -480,7 +578,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
- prelink_relabelfrom_lib(system_cronjob_t)
+ prelink_relabel_lib(system_cronjob_t)
')
optional_policy(`
@@ -495,6 +593,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
+ spamassassin_manage_home_client(system_cronjob_t)
')
optional_policy(`
@@ -502,7 +601,13 @@ optional_policy(`
')
optional_policy(`
+ unconfined_domain(crond_t)
unconfined_domain(system_cronjob_t)
+')
+
+optional_policy(`
+ unconfined_shell_domtrans(crond_t)
+ unconfined_dbus_send(crond_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
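Review bot: `unconfined_domain(crond_t)` makes the cron daemon itself unconfined, which is a much larger change than anything described in the commit message, and it is not accompanied by a comment explaining why the existing confined crond_t rules are no longer sufficient; a line such as `# crond_t is unconfined when the unconfined module is loaded because <reason — fill in>` should accompany it. The second block mixes crond_t rules (`unconfined_shell_domtrans`, `unconfined_dbus_send`) with a system_cronjob_t rule (`userdom_user_home_dir_filetrans_user_home_content`) in one optional_policy; splitting them by domain keeps each section self-contained.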
@@ -595,9 +700,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
-tunable_policy(`fcron_crond', `
+tunable_policy(`fcron_crond',`
allow crond_t user_cron_spool_t:file manage_file_perms;
')
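Review bot: `allow crond_t user_cron_spool_t:file manage_lnk_file_perms;` applies a permission set named for the `lnk_file` class to the `file` class; given the `read_lnk_files_pattern` added on the line above, `lnk_file` looks like the intended class. If `manage_lnk_file_perms` expands as it normally does (create/write/unlink among others), the line as written grants crond_t unconditional write and delete access to user crontab files, which would make the `fcron_crond` tunable block directly below (`manage_file_perms`) redundant; suggest `allow crond_t user_cron_spool_t:lnk_file manage_lnk_file_perms;` or, if `lnk_file` is not wanted, `manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)`.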
diff --git a/policy/modules/services/ctdbd.fc b/policy/modules/services/ctdbd.fc
new file mode 100644
index 0000000..2db6b61
--- /dev/null
+++ b/policy/modules/services/ctdbd.fc
@@ -0,0 +1,18 @@
+
+/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
+
+/etc/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
+
+/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
+/var/log/log\.ctdb -- gen_context(system_u:object_r:ctdbd_log_t,s0)
+
+/var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0)
+
+/var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
+
+
+/var/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
+/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
+/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
+
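Review bot: `/etc/ctdb(/.*)?` is labeled `ctdbd_var_lib_t`, the same type on which ctdbd.te in this patch gives the daemon `manage_files_pattern` and `exec_files_pattern`, so ctdbd can rewrite and execute its own configuration under `/etc`; a dedicated config type (e.g. a new `ctdbd_etc_t` declared with `files_config_file`, granted read-only to `ctdbd_t`) would keep configuration integrity out of the daemon's reach. The file also starts with a blank line, has a double blank line before the `/var/ctdbd` group, and lists `/var/ctdbd`, `/var/ctdb` and `/var/lib/ctdbd` after `/var/run/ctdbd`; other `.fc` files in this tree keep entries sorted by path.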
diff --git a/policy/modules/services/ctdbd.if b/policy/modules/services/ctdbd.if
new file mode 100644
index 0000000..1171f34
--- /dev/null
+++ b/policy/modules/services/ctdbd.if
@@ -0,0 +1,256 @@
+
+## <summary>policy for ctdbd</summary>
+
+########################################
+## <summary>
+## Transition to ctdbd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ctdbd_domtrans',`
+ gen_require(`
+ type ctdbd_t, ctdbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
+')
+
+########################################
+## <summary>
+## Execute ctdbd server in the ctdbd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_initrc_domtrans',`
+ gen_require(`
+ type ctdbd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read ctdbd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ctdbd_read_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+## <summary>
+## Append to ctdbd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ctdbd_append_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+## <summary>
+## Manage ctdbd log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ctdbd_manage_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
+ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+## <summary>
+## Search ctdbd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_search_lib',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ allow $1 ctdbd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read ctdbd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_read_lib_files',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage ctdbd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_manage_lib_files',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage ctdbd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_manage_lib_dirs',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read ctdbd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_read_pid_files',`
+ gen_require(`
+ type ctdbd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ctdbd_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Connect to ctdbd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_stream_connect',`
+ gen_require(`
+ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
+ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ctdbd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ctdbd_admin',`
+ gen_require(`
+ type ctdbd_t, ctdbd_initrc_exec_t;
+ type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
+ ')
+
+ allow $1 ctdbd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ctdbd_t)
+
+ ctdbd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ctdbd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, ctdbd_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, ctdbd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, ctdbd_var_run_t)
+')
+
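Review bot: Several parameter summaries are copy-paste leftovers: `ctdbd_manage_log` documents its domain as "Domain to not audit." and `ctdbd_append_log` as "Domain allowed to transition.", though neither dontaudits nor transitions; both should read `Domain allowed access.` like the neighbouring interfaces. `ctdbd_admin` covers log, lib and pid types but not `ctdbd_spool_t` or `ctdbd_tmp_t`, which ctdbd.te declares and the daemon manages, so an administrator role cannot clean up `/var/spool/ctdb` or the daemon's tmp files; add `files_list_spool($1)`/`admin_pattern($1, ctdbd_spool_t)` and `files_list_tmp($1)`/`admin_pattern($1, ctdbd_tmp_t)`. `ctdbd_stream_connect` connects through `ctdbd_tmp_t` sockets but only calls `files_search_pids`, not `files_search_tmp`, so the tmp path may be unreachable for callers without other tmp access.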
diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te
new file mode 100644
index 0000000..5a15b82
--- /dev/null
+++ b/policy/modules/services/ctdbd.te
@@ -0,0 +1,114 @@
+policy_module(ctdbd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ctdbd_t;
+type ctdbd_exec_t;
+init_daemon_domain(ctdbd_t, ctdbd_exec_t)
+
+type ctdbd_initrc_exec_t;
+init_script_file(ctdbd_initrc_exec_t)
+
+type ctdbd_log_t;
+logging_log_file(ctdbd_log_t)
+
+type ctdbd_spool_t;
+files_type(ctdbd_spool_t)
+#files_spool_file(ctdbd_spool_t)
+
+type ctdbd_tmp_t;
+files_tmp_file(ctdbd_tmp_t)
+
+type ctdbd_var_lib_t;
+files_type(ctdbd_var_lib_t)
+
+type ctdbd_var_run_t;
+files_pid_file(ctdbd_var_run_t)
+
+########################################
+#
+# ctdbd local policy
+#
+
+allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice sys_ptrace };
+allow ctdbd_t self:process { setpgid signal_perms setsched };
+
+allow ctdbd_t self:fifo_file rw_fifo_file_perms;
+allow ctdbd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
+allow ctdbd_t self:packet_socket create_socket_perms;
+allow ctdbd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
+manage_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
+logging_log_filetrans(ctdbd_t, ctdbd_log_t, { dir file } )
+
+manage_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t)
+manage_sock_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t)
+files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, { file sock_file})
+
+manage_dirs_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
+manage_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
+manage_lnk_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
+files_spool_filetrans(ctdbd_t, ctdbd_spool_t, { dir file })
+
+exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, { dir file } )
+
+manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, { dir file })
+
+kernel_read_network_state(ctdbd_t)
+kernel_rw_net_sysctls(ctdbd_t)
+kernel_read_system_state(ctdbd_t)
+
+corenet_tcp_bind_generic_node(ctdbd_t)
+corenet_tcp_bind_ctdb_port(ctdbd_t)
+corenet_tcp_connect_ctdb_port(ctdbd_t)
+
+corecmd_exec_bin(ctdbd_t)
+corecmd_exec_shell(ctdbd_t)
+
+dev_read_sysfs(ctdbd_t)
+dev_read_urand(ctdbd_t)
+
+domain_use_interactive_fds(ctdbd_t)
+domain_dontaudit_read_all_domains_state(ctdbd_t)
+
+files_read_etc_files(ctdbd_t)
+files_search_all_mountpoints(ctdbd_t)
+
+logging_send_syslog_msg(ctdbd_t)
+
+miscfiles_read_localization(ctdbd_t)
+miscfiles_read_public_files(ctdbd_t)
+
+
+optional_policy(`
+ consoletype_exec(ctdbd_t)
+')
+
+optional_policy(`
+ hostname_exec(ctdbd_t)
+')
+
+optional_policy(`
+ iptables_domtrans(ctdbd_t)
+')
+
+optional_policy(`
+ samba_initrc_domtrans(ctdbd_t)
+ samba_domtrans_net(ctdbd_t)
+ samba_rw_var_files(ctdbd_t)
+ samba_systemctl(ctdbd_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(ctdbd_t)
+')
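Review bot: `#files_spool_file(ctdbd_spool_t)` is commented-out code left in place of a decision: the type gets `files_type` while the daemon uses `files_spool_filetrans` on it and ctdbd.fc labels `/var/spool/ctdb` with it, so either use `files_spool_file` or remove the dead line and add a comment saying why plain `files_type` was chosen. `exec_files_pattern` together with `manage_files_pattern` on `ctdbd_var_lib_t` lets the daemon both write and execute the same files (and, via the .fc, that type also covers `/etc/ctdb`); a comment naming which executables live under `/var/lib/ctdbd` would let a later reviewer decide whether a separate executable type is warranted. Minor: `{ file sock_file}` in the `files_tmp_filetrans` call is missing the closing space, and there is a double blank line before the `optional_policy` blocks.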
diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
index 1b492ed..c79454d 100644
--- a/policy/modules/services/cups.fc
+++ b/policy/modules/services/cups.fc
@@ -28,11 +28,8 @@
# keep as separate lines to ensure proper sorting
/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
-/usr/lib64/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
@@ -56,6 +53,7 @@
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
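Review bot: `/usr/lib/bjlib(/.*)?` is placed between the `/var/lib/cups` and `/var/lib/hp` entries even though the file comment above says lines are kept sorted, and it is the only `/usr` path in this file carrying `mls_systemhigh`. Move it next to the other `/usr/lib` entries and add a one-line comment explaining why a library directory needs the high MLS range rather than `s0`.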
@@ -64,10 +62,16 @@
/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/usr/local/Brother/fax/.*\.log gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
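Review bot: `/usr/local/Brother/fax/.*\.log` has no file-type field, while every other single-file entry in this file uses `--`, so the pattern also matches directories, symlinks and device nodes named `*.log`; suggest `/usr/local/Brother/fax/.*\.log -- gen_context(system_u:object_r:cupsd_log_t,s0)`. The change of `/var/run/cups(/.*)?` from `s0` to `mls_systemhigh` pairs with `mls_trusted_object(cupsd_t)` in cups.te; a short comment on one of them tying the two together would help anyone reading only the .fc.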
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index 305ddf4..173cd16 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -9,6 +9,11 @@
## Domain allowed access.
## </summary>
## </param>
+## <param name="entry_file">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
#
interface(`cups_backend',`
gen_require(`
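Review bot: The new `<param name="entry_file">` for `cups_backend` reuses the summary "Domain allowed access.", which describes the first parameter, not an entry-point file type. Suggest `## The type of the program used as the backend entry point.`; the remainder of `cups_backend` is outside this hunk, so check that the parameter is actually the second argument the body consumes.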
@@ -190,10 +195,12 @@ interface(`cups_dbus_chat_config',`
interface(`cups_read_config',`
gen_require(`
type cupsd_etc_t, cupsd_rw_etc_t;
+ type hplip_etc_t;
')
files_search_etc($1)
read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
')
@@ -314,11 +321,10 @@ interface(`cups_stream_connect_ptal',`
interface(`cups_admin',`
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
- type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
- type cupsd_var_run_t, ptal_etc_t;
- type ptal_var_run_t, hplip_var_run_t;
- type cupsd_initrc_exec_t;
+ type cupsd_etc_t, cupsd_log_t, hplip_etc_t;
+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t;
+ type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t;
+ type ptal_var_run_t;
')
allow $1 cupsd_t:process { ptrace signal_perms };
@@ -341,15 +347,14 @@ interface(`cups_admin',`
admin_pattern($1, cupsd_lpd_var_run_t)
- admin_pattern($1, cupsd_spool_t)
- files_list_spool($1)
-
admin_pattern($1, cupsd_tmp_t)
files_list_tmp($1)
admin_pattern($1, cupsd_var_run_t)
files_list_pids($1)
+ admin_pattern($1, hplip_etc_t)
+
admin_pattern($1, hplip_var_run_t)
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 0f28095..e6225d3 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
type cupsd_t;
type cupsd_exec_t;
init_daemon_domain(cupsd_t, cupsd_exec_t)
+mls_trusted_object(cupsd_t)
type cupsd_etc_t;
files_config_file(cupsd_etc_t)
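Review bot: `mls_trusted_object(cupsd_t)` is added without a comment; it makes cupsd a trusted object under the MLS constraints, and the cups.fc hunks in this patch move `/var/run/cups` and `/usr/lib/bjlib` to `mls_systemhigh`, which is presumably the motivation. A one-line comment such as `# cupsd serves clients at all MLS levels; its sockets and run dir are labeled mls_systemhigh` (wording to be confirmed) would keep that reasoning with the rule.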
@@ -123,6 +124,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
files_search_etc(cupsd_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
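Review bot: `can_exec(cupsd_t, cupsd_interface_t)` follows `manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)`, so cupsd can now both write and execute the same interface files; that is the combination a confined-daemon policy normally tries to avoid. If cupsd genuinely needs to run interface scripts it writes, a comment stating that (e.g. `# cupsd installs and runs printer interface scripts`) should sit on the `can_exec` line; otherwise a separate executable type for the scripts would keep write and execute apart.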
@@ -137,6 +139,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
allow cupsd_t cupsd_lock_t:file manage_file_perms;
files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
+manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
allow cupsd_t cupsd_log_t:dir setattr;
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
@@ -146,11 +149,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
-allow cupsd_t cupsd_var_run_t:dir setattr;
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
+manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
-files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file })
+files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir file fifo_file })
allow cupsd_t hplip_t:process { signal sigkill };
@@ -159,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
-allow cupsd_t ptal_var_run_t : sock_file setattr;
+allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
@@ -270,12 +274,6 @@ files_dontaudit_list_home(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
-# Write to /var/spool/cups.
-lpd_manage_spool(cupsd_t)
-lpd_read_config(cupsd_t)
-lpd_exec_lpr(cupsd_t)
-lpd_relabel_spool(cupsd_t)
-
optional_policy(`
apm_domtrans_client(cupsd_t)
')
@@ -297,8 +295,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
+ # talk to processes that do not have policy
optional_policy(`
unconfined_dbus_chat(cupsd_t)
+ files_write_generic_pid_pipes(cupsd_t)
')
')
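Review bot: `files_write_generic_pid_pipes(cupsd_t)` is placed inside the optional_policy block whose only optional dependency is `unconfined_dbus_chat`, so the grant silently disappears when the unconfined module is not loaded, and the new comment "talk to processes that do not have policy" does not say which pipe under /var/run cupsd actually writes to. Write access to every generic pid fifo is broad; if a specific daemon owns the fifo, a typed interface for it would be narrower. At minimum move the call out of the block and comment it, e.g. `# cupsd writes to the fifo of <daemon name placeholder> in /var/run; no typed interface yet`.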
@@ -311,10 +311,22 @@ optional_policy(`
')
optional_policy(`
+ kerberos_manage_host_rcache(cupsd_t)
+')
+
+optional_policy(`
logrotate_domtrans(cupsd_t)
')
optional_policy(`
+ # Write to /var/spool/cups.
+ lpd_manage_spool(cupsd_t)
+ lpd_read_config(cupsd_t)
+ lpd_exec_lpr(cupsd_t)
+ lpd_relabel_spool(cupsd_t)
+')
+
+optional_policy(`
mta_send_mail(cupsd_t)
')
@@ -371,8 +383,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
+manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
-files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
+files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
@@ -393,6 +406,10 @@ dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
+ifdef(`hide_broken_symptoms', `
+ dev_rw_generic_chr_files(cupsd_config_t)
+')
+
files_search_all_mountpoints(cupsd_config_t)
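Review bot: `dev_rw_generic_chr_files(cupsd_config_t)` is an allow rule wrapped in `ifdef(`hide_broken_symptoms',...)`, a switch conventionally used for dontaudit rules; under it the config helper gains read/write on every generic character device, which is a real widening that a reader scanning for dontaudit noise will not expect. If one device node is the trigger, labeling it with its own type is the narrower fix; otherwise the rule should name the offending device, e.g. `# <device path placeholder> is still device_t; drop once it is labeled`.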
@@ -425,11 +442,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
+userdom_rw_user_tmp_files(cupsd_config_t)
+userdom_read_user_tmp_symlinks(cupsd_config_t)
cups_stream_connect(cupsd_config_t)
-lpd_read_config(cupsd_config_t)
-
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
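Review bot: `userdom_rw_user_tmp_files(cupsd_config_t)` together with `userdom_read_user_tmp_symlinks(cupsd_config_t)` lets a system-context helper open and follow user-controlled paths in /tmp, which is the classic setup for symlink tricks against a privileged process. If the helper only works on a file descriptor handed to it by the user, an inherited-fd variant of the interface (if this tree provides one) would avoid opening the path at all; if it must open paths, the reason belongs in a comment, e.g. `# cupsd_config reads the user's temporary PPD handed over by system-config-printer`.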
@@ -453,6 +470,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(cupsd_config_t)
+')
+
+optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
@@ -467,6 +488,10 @@ optional_policy(`
')
optional_policy(`
+ lpd_read_config(cupsd_config_t)
+')
+
+optional_policy(`
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
@@ -587,13 +612,17 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
+miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t)
+userdom_dontaudit_search_admin_dir(cups_pdf_t)
-lpd_manage_spool(cups_pdf_t)
-
+optional_policy(`
+ lpd_manage_spool(cups_pdf_t)
+')
tunable_policy(`use_nfs_home_dirs',`
fs_search_auto_mountpoints(cups_pdf_t)
@@ -606,6 +635,10 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(cups_pdf_t)
')
+optional_policy(`
+ gnome_read_config(cups_pdf_t)
+')
+
########################################
#
# HPLIP local policy
@@ -639,7 +672,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
+files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
@@ -685,6 +718,7 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
+files_dontaudit_write_usr_dirs(hplip_t)
logging_send_syslog_msg(hplip_t)
@@ -696,8 +730,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
-lpd_read_config(hplip_t)
-lpd_manage_spool(hplip_t)
+optional_policy(`
+ lpd_read_config(hplip_t)
+ lpd_manage_spool(hplip_t)
+')
optional_policy(`
dbus_system_bus_client(hplip_t)
diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
index c43ff4c..6ca9a6b 100644
--- a/policy/modules/services/cvs.if
+++ b/policy/modules/services/cvs.if
@@ -1,5 +1,23 @@
## <summary>Concurrent versions system</summary>
+######################################
+## <summary>
+## Dontaudit Attempts to list the CVS data and metadata.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cvs_dontaudit_list_data',`
+ gen_require(`
+ type cvs_data_t;
+ ')
+
+ dontaudit $1 cvs_data_t:dir list_dir_perms;
+')
+
########################################
## <summary>
## Read the CVS data and metadata.
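Review bot: The header bar on the first added line of `cvs_dontaudit_list_data` is shorter than the 40-character bar used by the other interfaces in this file (compare the one right after the new block), and the summary capitalizes `Attempts` mid-sentence. Suggested summary: `Do not audit attempts to list the CVS data and metadata.`, with the bar lengthened to match.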
@@ -58,9 +76,8 @@ interface(`cvs_exec',`
#
interface(`cvs_admin',`
gen_require(`
- type cvs_t, cvs_tmp_t;
+ type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
type cvs_data_t, cvs_var_run_t;
- type cvs_initrc_exec_t;
')
allow $1 cvs_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 88e7e97..e18dc0b 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -6,9 +6,9 @@ policy_module(cvs, 1.9.0)
#
## <desc>
-## <p>
-## Allow cvs daemon to read shadow
-## </p>
+## <p>
+## Allow cvs daemon to read shadow
+## </p>
## </desc>
gen_tunable(allow_cvs_read_shadow, false)
@@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t)
# Local policy
#
+allow cvs_t self:capability { setuid setgid };
allow cvs_t self:process signal_perms;
allow cvs_t self:fifo_file rw_fifo_file_perms;
allow cvs_t self:tcp_socket connected_stream_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow cvs_t self:capability { setuid setgid };
manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
@@ -112,4 +112,5 @@ optional_policy(`
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
diff --git a/policy/modules/services/cyphesis.if b/policy/modules/services/cyphesis.if
index 9d44538..7e9057e 100644
--- a/policy/modules/services/cyphesis.if
+++ b/policy/modules/services/cyphesis.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run cyphesis.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`cyphesis_domtrans',`
diff --git a/policy/modules/services/cyrus.fc b/policy/modules/services/cyrus.fc
index 25546bc..4def4f7 100644
--- a/policy/modules/services/cyrus.fc
+++ b/policy/modules/services/cyrus.fc
@@ -1,7 +1,7 @@
/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0)
-/usr/lib(64)?/cyrus/master -- gen_context(system_u:object_r:cyrus_exec_t,s0)
-/usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0)
+/usr/lib/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0)
+/usr/lib/cyrus/master -- gen_context(system_u:object_r:cyrus_exec_t,s0)
/var/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0)
/var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0)
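Review bot: Dropping the `(64)?` alternative removes the only cyrus_exec_t entry this file had for `/usr/lib64/cyrus-imapd/cyrus-master` and `/usr/lib64/cyrus/master`; unless a lib64→lib path substitution is applied elsewhere in the build, an x86_64 install would lose the domain transition on that binary and the daemon would run in the init script's domain instead of cyrus_t. The same pattern is dropped for `/lib64/dbus-1/dbus-daemon-launch-helper` in dbus.fc further down. If the substitution exists, a one-line note in the commit message would save reviewers re-checking it.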
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index a01be9d..01f2f23 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
# Local policy
#
-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource };
dontaudit cyrus_t self:capability sys_tty_config;
allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow cyrus_t self:process setrlimit;
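Review bot: `fsetid` is added to cyrus_t's capability set without a comment; it lets the daemon keep set-user-ID/set-group-ID mode bits on files it modifies, which is an unusual need for a mail store and should be justified in place. Suggested: `# fsetid: <reason placeholder>` above the line, or drop it if the denial was only a side effect of a chown that could be avoided.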
@@ -73,6 +73,7 @@ corenet_udp_sendrecv_all_ports(cyrus_t)
corenet_tcp_bind_generic_node(cyrus_t)
corenet_tcp_bind_mail_port(cyrus_t)
corenet_tcp_bind_lmtp_port(cyrus_t)
+corenet_tcp_bind_innd_port(cyrus_t)
corenet_tcp_bind_pop_port(cyrus_t)
corenet_tcp_bind_sieve_port(cyrus_t)
corenet_tcp_connect_all_ports(cyrus_t)
@@ -119,6 +120,10 @@ optional_policy(`
')
optional_policy(`
+ dirsrv_stream_connect(cyrus_t)
+')
+
+optional_policy(`
kerberos_keytab_template(cyrus, cyrus_t)
')
@@ -135,6 +140,7 @@ optional_policy(`
')
optional_policy(`
+ files_dontaudit_write_usr_dirs(cyrus_t)
snmp_read_snmp_var_lib_files(cyrus_t)
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
index a8b93c0..831ce70 100644
--- a/policy/modules/services/dante.te
+++ b/policy/modules/services/dante.te
@@ -10,7 +10,7 @@ type dante_exec_t;
init_daemon_domain(dante_t, dante_exec_t)
type dante_conf_t;
-files_type(dante_conf_t)
+files_config_file(dante_conf_t)
type dante_var_run_t;
files_pid_file(dante_var_run_t)
diff --git a/policy/modules/services/dbus.fc b/policy/modules/services/dbus.fc
index 81eba14..d0ab56c 100644
--- a/policy/modules/services/dbus.fc
+++ b/policy/modules/services/dbus.fc
@@ -3,7 +3,6 @@
/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 1a1becd..0ca1861 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
template(`dbus_role_template',`
gen_require(`
class dbus { send_msg acquire_svc };
-
- attribute session_bus_type;
+ attribute dbusd_unconfined, session_bus_type;
type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+ type $1_t;
')
##############################
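Review bot: The new `type $1_t;` in gen_require hard-wires `dbus_role_template` to a naming convention in which the role prefix is also the name of a user domain; any caller whose prefix has no matching `$1_t` now fails at link time, and the template's parameter documentation (outside this hunk) still describes `$1` only as a prefix. The type is used further down in the same template by `corecmd_bin_domtrans($1_dbusd_t, $1_t)` and `corecmd_shell_domtrans($1_dbusd_t, $1_t)`. A comment here, `# $1_t must exist: programs spawned by the session bus run in the user's domain`, would make the requirement explicit.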
@@ -52,8 +52,7 @@ template(`dbus_role_template',`
#
type $1_dbusd_t, session_bus_type;
- domain_type($1_dbusd_t)
- domain_entry_file($1_dbusd_t, dbusd_exec_t)
+ application_domain($1_dbusd_t, dbusd_exec_t)
ubac_constrained($1_dbusd_t)
role $2 types $1_dbusd_t;
@@ -62,107 +61,26 @@ template(`dbus_role_template',`
# Local policy
#
- allow $1_dbusd_t self:process { getattr sigkill signal };
- dontaudit $1_dbusd_t self:process ptrace;
- allow $1_dbusd_t self:file { getattr read write };
- allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
- allow $1_dbusd_t self:dbus { send_msg acquire_svc };
- allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
- allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
- allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
-
# For connecting to the bus
allow $3 $1_dbusd_t:unix_stream_socket connectto;
# SE-DBus specific permissions
- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
- allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
- read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
- read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
-
- manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
- manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
- files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
-
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
- allow $3 $1_dbusd_t:process { signull sigkill signal };
+
+ ps_process_pattern($3, $1_dbusd_t)
+ allow $3 $1_dbusd_t:process { ptrace signal_perms };
# cjp: this seems very broken
- corecmd_bin_domtrans($1_dbusd_t, $3)
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
+ corecmd_shell_domtrans($1_dbusd_t, $1_t)
allow $1_dbusd_t $3:process sigkill;
allow $3 $1_dbusd_t:fd use;
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
- allow $3 $1_dbusd_t:process sigchld;
-
- kernel_read_system_state($1_dbusd_t)
- kernel_read_kernel_sysctls($1_dbusd_t)
-
- corecmd_list_bin($1_dbusd_t)
- corecmd_read_bin_symlinks($1_dbusd_t)
- corecmd_read_bin_files($1_dbusd_t)
- corecmd_read_bin_pipes($1_dbusd_t)
- corecmd_read_bin_sockets($1_dbusd_t)
-
- corenet_all_recvfrom_unlabeled($1_dbusd_t)
- corenet_all_recvfrom_netlabel($1_dbusd_t)
- corenet_tcp_sendrecv_generic_if($1_dbusd_t)
- corenet_tcp_sendrecv_generic_node($1_dbusd_t)
- corenet_tcp_sendrecv_all_ports($1_dbusd_t)
- corenet_tcp_bind_generic_node($1_dbusd_t)
- corenet_tcp_bind_reserved_port($1_dbusd_t)
-
- dev_read_urand($1_dbusd_t)
-
- domain_use_interactive_fds($1_dbusd_t)
- domain_read_all_domains_state($1_dbusd_t)
-
- files_read_etc_files($1_dbusd_t)
- files_list_home($1_dbusd_t)
- files_read_usr_files($1_dbusd_t)
- files_dontaudit_search_var($1_dbusd_t)
-
- fs_getattr_romfs($1_dbusd_t)
- fs_getattr_xattr_fs($1_dbusd_t)
- fs_list_inotifyfs($1_dbusd_t)
- fs_dontaudit_list_nfs($1_dbusd_t)
-
- selinux_get_fs_mount($1_dbusd_t)
- selinux_validate_context($1_dbusd_t)
- selinux_compute_access_vector($1_dbusd_t)
- selinux_compute_create_context($1_dbusd_t)
- selinux_compute_relabel_context($1_dbusd_t)
- selinux_compute_user_contexts($1_dbusd_t)
-
- auth_read_pam_console_data($1_dbusd_t)
- auth_use_nsswitch($1_dbusd_t)
-
- logging_send_audit_msgs($1_dbusd_t)
- logging_send_syslog_msg($1_dbusd_t)
-
- miscfiles_read_localization($1_dbusd_t)
-
- seutil_read_config($1_dbusd_t)
- seutil_read_default_contexts($1_dbusd_t)
- term_use_all_terms($1_dbusd_t)
-
- userdom_read_user_home_content_files($1_dbusd_t)
-
- ifdef(`hide_broken_symptoms', `
- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
- ')
-
- optional_policy(`
- hal_dbus_chat($1_dbusd_t)
- ')
-
- optional_policy(`
- xserver_use_xdm_fds($1_dbusd_t)
- xserver_rw_xdm_pipes($1_dbusd_t)
- ')
+ auth_use_nsswitch($1_dbusd_t)
')
#######################################
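Review bot: `allow $3 $1_dbusd_t:process { ptrace signal_perms };` grants the user domain ptrace over its session bus, which the removed rule (`{ signull sigkill signal }`) did not; ptrace lets the caller read and modify the bus process's memory, so the reason for adding it (debugging the bus?) should be stated, and `ps_process_pattern` already covers the /proc reads. If ptrace is only wanted for developers, a tunable or a comment such as `# ptrace: let the user debug their own session bus` is appropriate. The per-role rules removed here reappear on the session_bus_type attribute in dbus.te below, so behaviour for existing roles depends on that hunk.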
@@ -181,11 +99,12 @@ interface(`dbus_system_bus_client',`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
+ attribute dbusd_unconfined;
')
# SE-DBus specific permissions
allow $1 { system_dbusd_t self }:dbus send_msg;
- allow system_dbusd_t $1:dbus send_msg;
+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
@@ -198,6 +117,34 @@ interface(`dbus_system_bus_client',`
#######################################
## <summary>
+## Creating connections to specified
+## DBUS sessions.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_session_client',`
+ gen_require(`
+ class dbus send_msg;
+ type $1_dbusd_t;
+ ')
+
+ allow $2 $1_dbusd_t:fd use;
+ allow $2 { $1_dbusd_t self }:dbus send_msg;
+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
+')
+
+#######################################
+## <summary>
## Template for creating connections to
## a user DBUS.
## </summary>
@@ -218,6 +165,8 @@ interface(`dbus_session_bus_client',`
# For connecting to the bus
allow $1 session_bus_type:unix_stream_socket connectto;
+
+ allow session_bus_type $1:process sigkill;
')
########################################
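Review bot: `allow session_bus_type $1:process sigkill;` lets every session bus domain kill any domain that registers as a session bus client, and nothing records why the bus needs this. If it is for dbus-launch's exit-with-session behaviour, say so, e.g. `# dbus-launch --exit-with-session kills the clients it started`; otherwise consider whether `signal` would suffice.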
@@ -322,6 +271,11 @@ interface(`dbus_connect_session_bus',`
## Allow a application domain to be started
## by the session dbus.
## </summary>
+## <param name="domain_prefix">
+## <summary>
+## User domain prefix to be used.
+## </summary>
+## </param>
## <param name="domain">
## <summary>
## Type to be used as a domain.
@@ -336,13 +290,13 @@ interface(`dbus_connect_session_bus',`
#
interface(`dbus_session_domain',`
gen_require(`
- attribute session_bus_type;
+ type $1_dbusd_t;
')
- domtrans_pattern(session_bus_type, $2, $1)
+ domtrans_pattern($1_dbusd_t, $2, $3)
- dbus_session_bus_client($1)
- dbus_connect_session_bus($1)
+ dbus_session_bus_client($3)
+ dbus_connect_session_bus($3)
')
########################################
@@ -421,27 +375,16 @@ interface(`dbus_system_bus_unconfined',`
#
interface(`dbus_system_domain',`
gen_require(`
+ attribute system_bus_type;
type system_dbusd_t;
role system_r;
')
+ typeattribute $1 system_bus_type;
domain_type($1)
domain_entry_file($1, $2)
- role system_r types $1;
-
domtrans_pattern(system_dbusd_t, $2, $1)
-
- dbus_system_bus_client($1)
- dbus_connect_system_bus($1)
-
- ps_process_pattern(system_dbusd_t, $1)
-
- userdom_read_all_users_state($1)
-
- ifdef(`hide_broken_symptoms', `
- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
- ')
')
########################################
@@ -464,26 +407,25 @@ interface(`dbus_use_system_bus_fds',`
########################################
## <summary>
-## Dontaudit Read, and write system dbus TCP sockets.
+## Allow unconfined access to the system DBUS.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+interface(`dbus_unconfined',`
gen_require(`
- type system_dbusd_t;
+ attribute dbusd_unconfined;
')
- allow $1 system_dbusd_t:tcp_socket { read write };
- allow $1 system_dbusd_t:fd use;
+ typeattribute $1 dbusd_unconfined;
')
########################################
## <summary>
-## Allow unconfined access to the system DBUS.
+## Delete all dbus pid files
## </summary>
## <param name="domain">
## <summary>
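Review bot: `dbus_dontaudit_system_bus_rw_tcp_sockets` is deleted outright rather than turned into a deprecation stub, so any module still calling it fails to build. The usual refpolicy practice is to keep the name for a release with `refpolicywarn(`$0($*) has been deprecated')` in its body. The `dbus_unconfined` body that takes its place here is identical to the one removed in the next hunk, so the two hunks are effectively a reorder plus one removal and one addition (`dbus_delete_pid_files`).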
@@ -491,10 +433,31 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
## </summary>
## </param>
#
-interface(`dbus_unconfined',`
+interface(`dbus_delete_pid_files',`
gen_require(`
- attribute dbusd_unconfined;
+ type system_dbusd_var_run_t;
')
- typeattribute $1 dbusd_unconfined;
+ files_search_pids($1)
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to connect to
+## session bus types with a unix
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dbus_dontaudit_stream_connect_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ ')
+
+ dontaudit $1 session_bus_type:unix_stream_socket connectto;
')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 1bff6ee..9540fee 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
#
attribute dbusd_unconfined;
+attribute system_bus_type;
attribute session_bus_type;
type dbusd_etc_t;
@@ -36,6 +37,7 @@ files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
+init_sock_file(system_dbusd_var_run_t)
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
@@ -52,9 +54,9 @@ ifdef(`enable_mls',`
# dac_override: /var/run/dbus is owned by messagebus on Debian
# cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
@@ -74,9 +76,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file)
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
@@ -111,6 +114,8 @@ auth_read_pam_console_data(system_dbusd_t)
corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
+# needed for system-tools-backends
+corecmd_exec_shell(system_dbusd_t)
domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)
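Review bot: `corecmd_exec_shell(system_dbusd_t)` runs a shell inside the system bus domain without a domain transition, so whatever the shell does inherits system_dbusd_t's privileges (including the `setpcap`/`setuid` capabilities granted above); the comment names system-tools-backends but not why it cannot get its own domain. A `dbus_system_domain` for the helper, or at least a domtrans into an existing confined domain, keeps the bus's privileges out of the spawned program; if that is not possible yet, extend the comment: `# needed for system-tools-backends; TODO confine it in its own domain`.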
@@ -121,7 +126,9 @@ files_read_usr_files(system_dbusd_t)
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
+init_bin_domtrans_spec(system_dbusd_t)
init_domtrans_script(system_dbusd_t)
+init_rw_stream_sockets(system_dbusd_t)
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
@@ -141,6 +148,20 @@ optional_policy(`
')
optional_policy(`
+ gnome_exec_gconf(system_dbusd_t)
+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
+')
+
+optional_policy(`
+ cpufreqselector_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
+ networkmanager_initrc_domtrans(system_dbusd_t)
+ networkmanager_systemctl(system_dbusd_t)
+')
+
+optional_policy(`
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
@@ -151,12 +172,166 @@ optional_policy(`
')
optional_policy(`
+ systemd_use_fds_logind(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+')
+
+optional_policy(`
udev_read_db(system_dbusd_t)
')
+optional_policy(`
+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+ xserver_read_inherited_xdm_lib_files(system_dbusd_t)
+')
+
########################################
#
-# Unconfined access to this module
+# system_bus_type rules
+#
+role system_r types system_bus_type;
+
+fs_search_all(system_bus_type)
+
+dbus_system_bus_client(system_bus_type)
+dbus_connect_system_bus(system_bus_type)
+
+init_stream_connect(system_bus_type)
+init_dgram_send(system_bus_type)
+init_use_fds(system_bus_type)
+init_rw_stream_sockets(system_bus_type)
+
+ps_process_pattern(system_dbusd_t, system_bus_type)
+
+userdom_dontaudit_search_admin_dir(system_bus_type)
+userdom_read_all_users_state(system_bus_type)
+
+optional_policy(`
+ abrt_stream_connect(system_bus_type)
+')
+
+optional_policy(`
+ rpm_script_dbus_chat(system_bus_type)
+')
+
+optional_policy(`
+ unconfined_dbus_send(system_bus_type)
+')
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
+
+########################################
+#
+# session_bus_type rules
#
+dontaudit session_bus_type self:capability sys_resource;
+allow session_bus_type self:process { getattr sigkill signal };
+dontaudit session_bus_type self:process { ptrace setrlimit };
+allow session_bus_type self:file { getattr read write };
+allow session_bus_type self:fifo_file rw_fifo_file_perms;
+allow session_bus_type self:dbus { send_msg acquire_svc };
+allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
+allow session_bus_type self:unix_dgram_socket create_socket_perms;
+allow session_bus_type self:tcp_socket create_stream_socket_perms;
+allow session_bus_type self:netlink_selinux_socket create_socket_perms;
+
+allow session_bus_type dbusd_etc_t:dir list_dir_perms;
+read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
+read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
+
+manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
+manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
+
+kernel_read_system_state(session_bus_type)
+kernel_read_kernel_sysctls(session_bus_type)
+
+corecmd_list_bin(session_bus_type)
+corecmd_read_bin_symlinks(session_bus_type)
+corecmd_read_bin_files(session_bus_type)
+corecmd_read_bin_pipes(session_bus_type)
+corecmd_read_bin_sockets(session_bus_type)
+
+corenet_all_recvfrom_unlabeled(session_bus_type)
+corenet_all_recvfrom_netlabel(session_bus_type)
+corenet_tcp_sendrecv_generic_if(session_bus_type)
+corenet_tcp_sendrecv_generic_node(session_bus_type)
+corenet_tcp_sendrecv_all_ports(session_bus_type)
+corenet_tcp_bind_generic_node(session_bus_type)
+corenet_tcp_bind_reserved_port(session_bus_type)
+
+dev_read_urand(session_bus_type)
+
+domain_use_interactive_fds(session_bus_type)
+domain_read_all_domains_state(session_bus_type)
+
+files_read_etc_files(session_bus_type)
+files_list_home(session_bus_type)
+files_read_usr_files(session_bus_type)
+files_dontaudit_search_var(session_bus_type)
+
+fs_getattr_romfs(session_bus_type)
+fs_getattr_xattr_fs(session_bus_type)
+fs_list_inotifyfs(session_bus_type)
+fs_dontaudit_list_nfs(session_bus_type)
+
+selinux_get_fs_mount(session_bus_type)
+selinux_validate_context(session_bus_type)
+selinux_compute_access_vector(session_bus_type)
+selinux_compute_create_context(session_bus_type)
+selinux_compute_relabel_context(session_bus_type)
+selinux_compute_user_contexts(session_bus_type)
+
+auth_read_pam_console_data(session_bus_type)
+
+logging_send_audit_msgs(session_bus_type)
+logging_send_syslog_msg(session_bus_type)
+
+miscfiles_read_localization(session_bus_type)
+
+seutil_read_config(session_bus_type)
+seutil_read_default_contexts(session_bus_type)
+
+term_use_all_inherited_terms(session_bus_type)
+
+userdom_dontaudit_search_admin_dir(session_bus_type)
+userdom_manage_user_home_content_dirs(session_bus_type)
+userdom_manage_user_home_content_files(session_bus_type)
+userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(session_bus_type)
+ fs_manage_nfs_files(session_bus_type)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(session_bus_type)
+ fs_manage_cifs_files(session_bus_type)
+')
+optional_policy(`
+ gnome_read_gconf_home_files(session_bus_type)
+')
+
+optional_policy(`
+ hal_dbus_chat(session_bus_type)
+')
+
+optional_policy(`
+ xserver_search_xdm_lib(session_bus_type)
+ xserver_use_xdm_fds(session_bus_type)
+ xserver_rw_xdm_pipes(session_bus_type)
+ xserver_use_xdm_fds(session_bus_type)
+ xserver_rw_xdm_pipes(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
+')
+
+########################################
+#
+# Unconfined access to this module
+#
allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
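Review bot: `xserver_use_xdm_fds(session_bus_type)` and `xserver_rw_xdm_pipes(session_bus_type)` appear twice in the xserver optional_policy block; the second pair should be removed. Separately, the attribute now receives `userdom_manage_user_home_content_dirs`, `userdom_manage_user_home_content_files` and a home-dir filetrans, whereas the per-role rules removed from dbus.if only had `userdom_read_user_home_content_files`; a session bus that can create and delete arbitrary user home content is a wider grant than the daemon's job suggests and deserves a comment naming what it writes. A blank line is also missing between the `use_samba_home_dirs` block and the following `optional_policy`.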
diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
index 784753e..bf65e7d 100644
--- a/policy/modules/services/dcc.if
+++ b/policy/modules/services/dcc.if
@@ -168,6 +168,6 @@ interface(`dcc_stream_connect_dccifd',`
type dcc_var_t, dccifd_var_run_t, dccifd_t;
')
- files_search_var($1)
+ files_search_pids($1)
stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
')
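Review bot: `files_search_pids($1)` replaces `files_search_var($1)`, but the pattern on the next line still names dcc_var_t as the directory holding the socket; if that directory lives under /var rather than /var/run, the caller still needs search on var_t to reach it and this change reintroduces a denial. Keeping both search calls, or confirming the socket's real path in dcc.fc, would settle it.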
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index ec19ff4..2f84017 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@@ -36,7 +36,7 @@ type dcc_var_t;
files_type(dcc_var_t)
type dcc_var_run_t;
-files_type(dcc_var_run_t)
+files_pid_file(dcc_var_run_t)
type dccd_t;
type dccd_exec_t;
@@ -110,7 +110,7 @@ logging_send_syslog_msg(cdcc_t)
miscfiles_read_localization(cdcc_t)
-userdom_use_user_terminals(cdcc_t)
+userdom_use_inherited_user_terminals(cdcc_t)
########################################
#
@@ -152,7 +152,7 @@ logging_send_syslog_msg(dcc_client_t)
miscfiles_read_localization(dcc_client_t)
-userdom_use_user_terminals(dcc_client_t)
+userdom_use_inherited_user_terminals(dcc_client_t)
optional_policy(`
amavis_read_spool_files(dcc_client_t)
@@ -197,7 +197,7 @@ logging_send_syslog_msg(dcc_dbclean_t)
miscfiles_read_localization(dcc_dbclean_t)
-userdom_use_user_terminals(dcc_dbclean_t)
+userdom_use_inherited_user_terminals(dcc_dbclean_t)
########################################
#
diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if
index 0a1a61b..da508f4 100644
--- a/policy/modules/services/ddclient.if
+++ b/policy/modules/services/ddclient.if
@@ -64,8 +64,8 @@ interface(`ddclient_run',`
interface(`ddclient_admin',`
gen_require(`
type ddclient_t, ddclient_etc_t, ddclient_log_t;
- type ddclient_var_t, ddclient_var_lib_t;
- type ddclient_var_run_t, ddclient_initrc_exec_t;
+ type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t;
+ type ddclient_var_run_t;
')
allow $1 ddclient_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index 24ba98a..b8d064a 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
type ddclient_log_t;
logging_log_file(ddclient_log_t)
+type ddclient_tmp_t;
+files_tmp_file(ddclient_tmp_t)
+
type ddclient_var_t;
files_type(ddclient_var_t)
@@ -37,12 +40,17 @@ allow ddclient_t self:process signal_perms;
allow ddclient_t self:fifo_file rw_fifo_file_perms;
allow ddclient_t self:tcp_socket create_socket_perms;
allow ddclient_t self:udp_socket create_socket_perms;
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
-allow ddclient_t ddclient_etc_t:file read_file_perms;
+read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
+setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
allow ddclient_t ddclient_log_t:file manage_file_perms;
logging_log_filetrans(ddclient_t, ddclient_log_t, file)
+manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t)
+files_tmp_filetrans(ddclient_t, ddclient_tmp_t, { file })
+
manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
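Review bot: `files_tmp_filetrans(ddclient_t, ddclient_tmp_t, { file })` wraps a single object class in braces; the rest of this file (e.g. `logging_log_filetrans(ddclient_t, ddclient_log_t, file)`) passes a bare `file`, so write `files_tmp_filetrans(ddclient_t, ddclient_tmp_t, file)`.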
@@ -62,6 +70,7 @@ kernel_read_software_raid_state(ddclient_t)
kernel_getattr_core_if(ddclient_t)
kernel_getattr_message_if(ddclient_t)
kernel_read_kernel_sysctls(ddclient_t)
+kernel_search_network_sysctl(ddclient_t)
corecmd_exec_shell(ddclient_t)
corecmd_exec_bin(ddclient_t)
@@ -74,6 +83,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
corenet_udp_sendrecv_generic_node(ddclient_t)
corenet_tcp_sendrecv_all_ports(ddclient_t)
corenet_udp_sendrecv_all_ports(ddclient_t)
+corenet_tcp_bind_generic_node(ddclient_t)
+corenet_udp_bind_generic_node(ddclient_t)
corenet_tcp_connect_all_ports(ddclient_t)
corenet_sendrecv_all_client_packets(ddclient_t)
@@ -89,6 +100,8 @@ files_read_usr_files(ddclient_t)
fs_getattr_all_fs(ddclient_t)
fs_search_auto_mountpoints(ddclient_t)
+mta_send_mail(ddclient_t)
+
logging_send_syslog_msg(ddclient_t)
miscfiles_read_localization(ddclient_t)
diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if
index 567865f..9c9e65c 100644
--- a/policy/modules/services/denyhosts.if
+++ b/policy/modules/services/denyhosts.if
@@ -13,12 +13,12 @@
## Execute a domain transition to run denyhosts.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
-interface(`denyhosts_domtrans', `
+interface(`denyhosts_domtrans',`
gen_require(`
type denyhosts_t, denyhosts_exec_t;
')
@@ -36,7 +36,7 @@ interface(`denyhosts_domtrans', `
## </summary>
## </param>
#
-interface(`denyhosts_initrc_domtrans', `
+interface(`denyhosts_initrc_domtrans',`
gen_require(`
type denyhosts_initrc_exec_t;
')
@@ -59,8 +59,9 @@ interface(`denyhosts_initrc_domtrans', `
## Role allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`denyhosts_admin', `
+interface(`denyhosts_admin',`
gen_require(`
type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
type denyhosts_var_log_t, denyhosts_initrc_exec_t;
@@ -74,12 +75,12 @@ interface(`denyhosts_admin', `
role_transition $2 denyhosts_initrc_exec_t system_r;
allow $2 system_r;
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, denyhosts_var_lib_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, denyhosts_var_log_t)
- files_search_locks($1)
+ files_list_locks($1)
admin_pattern($1, denyhosts_var_lock_t)
')
diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
index 8ba9425..b10da2c 100644
--- a/policy/modules/services/denyhosts.te
+++ b/policy/modules/services/denyhosts.te
@@ -25,7 +25,8 @@ logging_log_file(denyhosts_var_log_t)
#
# DenyHosts personal policy.
#
-
+# Bug #588563
+allow denyhosts_t self:capability sys_tty_config;
allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
allow denyhosts_t self:tcp_socket create_socket_perms;
allow denyhosts_t self:udp_socket create_socket_perms;
@@ -53,20 +54,28 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
corenet_tcp_sendrecv_generic_node(denyhosts_t)
corenet_tcp_bind_generic_node(denyhosts_t)
corenet_tcp_connect_smtp_port(denyhosts_t)
+corenet_tcp_connect_sype_port(denyhosts_t)
corenet_sendrecv_smtp_client_packets(denyhosts_t)
dev_read_urand(denyhosts_t)
files_read_etc_files(denyhosts_t)
+files_read_usr_files(denyhosts_t)
# /var/log/secure
logging_read_generic_logs(denyhosts_t)
+logging_send_syslog_msg(denyhosts_t)
miscfiles_read_localization(denyhosts_t)
+sysnet_dns_name_resolve(denyhosts_t)
sysnet_manage_config(denyhosts_t)
sysnet_etc_filetrans_config(denyhosts_t)
optional_policy(`
cron_system_entry(denyhosts_t, denyhosts_exec_t)
')
+
+optional_policy(`
+ gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc
index 418a5a0..c25fbdc 100644
--- a/policy/modules/services/devicekit.fc
+++ b/policy/modules/services/devicekit.fc
@@ -2,13 +2,19 @@
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+/var/log/pm-powersave\.log -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
+/var/log/pm-suspend\.log -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
+
/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
index f706b99..afb61c9 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run devicekit.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`devicekit_domtrans',`
@@ -20,6 +20,24 @@ interface(`devicekit_domtrans',`
########################################
## <summary>
+## Execute a domain transition to run devicekit_disk.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`devicekit_domtrans_disk',`
+ gen_require(`
+ type devicekit_disk_t, devicekit_disk_exec_t;
+ ')
+
+ domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
+')
+
+########################################
+## <summary>
## Send to devicekit over a unix domain
## datagram socket.
## </summary>
@@ -81,6 +99,45 @@ interface(`devicekit_dbus_chat_disk',`
########################################
## <summary>
+## Use file descriptors for devicekit_disk.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_use_fds_disk',`
+ gen_require(`
+ type devicekit_disk_t;
+ ')
+
+ allow $1 devicekit_disk_t:fd use;
+')
+
+########################################
+## <summary>
+## Dontaudit Send and receive messages from
+## devicekit disk over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`devicekit_dontaudit_dbus_chat_disk',`
+ gen_require(`
+ type devicekit_disk_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 devicekit_disk_t:dbus send_msg;
+ dontaudit devicekit_disk_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send signal devicekit power
## </summary>
## <param name="domain">
@@ -118,6 +175,62 @@ interface(`devicekit_dbus_chat_power',`
allow devicekit_power_t $1:dbus send_msg;
')
+#######################################
+## <summary>
+## Append inherited devicekit log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_append_inherited_log_files',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ allow $1 devicekit_var_log_t:file append_inherited_file_perms;
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to write the devicekit
+## log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`devicekit_dontaudit_rw_log',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the domain to read devicekit_power state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_read_state_power',`
+ gen_require(`
+ type devicekit_power_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, devicekit_power_t)
+')
+
########################################
## <summary>
## Read devicekit PID files.
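Review bot: The summary of `devicekit_dontaudit_rw_log` says "write the devicekit log files" but the rule dontaudits `rw_inherited_file_perms`, i.e. read and write on already-open descriptors, not opening the log files; the doc should match the rule so callers do not reach for this interface expecting open access to be silenced. Suggested summary: `## Do not audit attempts to read or write inherited devicekit log file descriptors.` The same wording check applies to `devicekit_append_inherited_log_files`, whose summary correctly says "inherited" and is the pattern to follow here.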
@@ -139,22 +252,52 @@ interface(`devicekit_read_pid_files',`
########################################
## <summary>
-## All of the rules required to administrate
-## an devicekit environment
+## Do not audit attempts to read
+## devicekit PID files.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`devicekit_dontaudit_read_pid_files',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
+')
+
+
+########################################
+## <summary>
+## Manage devicekit PID files.
+## </summary>
+## <param name="domain">
## <summary>
-## The role to be allowed to manage the devicekit domain.
+## Domain allowed access.
## </summary>
## </param>
-## <param name="terminal">
+#
+interface(`devicekit_manage_pid_files',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an devicekit environment
+## </summary>
+## <param name="domain">
## <summary>
-## The type of the user terminal.
+## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
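Review bot: `devicekit_dontaudit_read_pid_files` dontaudits only `read_inherited_file_perms` on `devicekit_var_run_t`, yet its summary says "attempts to read devicekit PID files", which a reader will take to include open(); the summary should say `## Do not audit attempts to read inherited devicekit PID file descriptors.` so it is not mistaken for a broader dontaudit. Two consecutive blank lines are left between that interface and `devicekit_manage_pid_files`, unlike the single separator used everywhere else in this file. The `devicekit_admin` docs in this hunk also drop the `role` and `terminal` parameters, which is correct only if the interface body (its start is in the next hunk) no longer references `$2`; worth confirming since the `<rolecap/>` tag is kept.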
@@ -165,21 +308,39 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
- allow $1 devicekit_t:process { ptrace signal_perms getattr };
+ allow $1 devicekit_t:process { ptrace signal_perms };
ps_process_pattern($1, devicekit_t)
- allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
+ allow $1 devicekit_disk_t:process { ptrace signal_perms };
ps_process_pattern($1, devicekit_disk_t)
- allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
+ allow $1 devicekit_power_t:process { ptrace signal_perms };
ps_process_pattern($1, devicekit_power_t)
admin_pattern($1, devicekit_tmp_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, devicekit_var_lib_t)
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, devicekit_var_run_t)
- files_search_pids($1)
+ files_list_pids($1)
+')
+
+########################################
+## <summary>
+## Transition to devicekit named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_filetrans_named_content',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index f231f17..c5244c8 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
type devicekit_var_lib_t;
files_type(devicekit_var_lib_t)
+type devicekit_var_log_t;
+logging_log_file(devicekit_var_log_t)
+
########################################
#
# DeviceKit local policy
@@ -75,10 +78,13 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+allow devicekit_disk_t devicekit_var_run_t:dir mounton;
manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
+kernel_list_unlabeled(devicekit_disk_t)
+kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
kernel_getattr_message_if(devicekit_disk_t)
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
@@ -97,6 +103,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t)
dev_getattr_all_chr_files(devicekit_disk_t)
dev_getattr_mtrr_dev(devicekit_disk_t)
+dev_rw_generic_blk_files(devicekit_disk_t)
domain_getattr_all_pipes(devicekit_disk_t)
domain_getattr_all_sockets(devicekit_disk_t)
@@ -105,14 +112,17 @@ domain_read_all_domains_state(devicekit_disk_t)
files_dontaudit_read_all_symlinks(devicekit_disk_t)
files_getattr_all_sockets(devicekit_disk_t)
-files_getattr_all_mountpoints(devicekit_disk_t)
+files_getattr_all_dirs(devicekit_disk_t)
files_getattr_all_files(devicekit_disk_t)
+files_getattr_all_pipes(devicekit_disk_t)
+files_manage_boot_dirs(devicekit_disk_t)
files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
files_read_etc_files(devicekit_disk_t)
files_read_etc_runtime_files(devicekit_disk_t)
files_read_usr_files(devicekit_disk_t)
+fs_getattr_all_fs(devicekit_disk_t)
fs_list_inotifyfs(devicekit_disk_t)
fs_manage_fusefs_dirs(devicekit_disk_t)
fs_mount_all_fs(devicekit_disk_t)
@@ -127,7 +137,7 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
-term_use_all_terms(devicekit_disk_t)
+term_use_all_inherited_terms(devicekit_disk_t)
auth_use_nsswitch(devicekit_disk_t)
@@ -178,33 +188,53 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
+optional_policy(`
+ unconfined_domain(devicekit_t)
+ unconfined_domain(devicekit_power_t)
+ unconfined_domain(devicekit_disk_t)
+')
+
########################################
#
# DeviceKit-Power local policy
#
allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
-allow devicekit_power_t self:process getsched;
+allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
+logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
+
+manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
+
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
+logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
+
+manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
+manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, dir)
+
+kernel_read_fs_sysctls(devicekit_power_t)
kernel_read_network_state(devicekit_power_t)
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
+kernel_rw_vm_sysctls(devicekit_power_t)
kernel_search_debugfs(devicekit_power_t)
kernel_write_proc_files(devicekit_power_t)
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
-consoletype_exec(devicekit_power_t)
-
domain_read_all_domains_state(devicekit_power_t)
dev_read_input(devicekit_power_t)
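Review bot: The new `optional_policy` block applies `unconfined_domain()` to `devicekit_t`, `devicekit_power_t` and `devicekit_disk_t`, so whenever the unconfined module is loaded every other rule in this file is effectively moot for these three daemons, and the hunk gives no comment on whether that is a stopgap or the intended end state. A one-line note such as `# TODO(review): devicekit domains run unconfined when the unconfined module is present; document the reason and the plan to remove this` would keep the next maintainer from reading the detailed rules below as the real confinement. Separately, `manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)` and `logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)` appear twice in this hunk (once before the tmp rules, once after the var_lib rules); one copy should go.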
@@ -212,21 +242,29 @@ dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_generic_chr_files(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
+dev_read_rand(devicekit_power_t)
+dev_getattr_all_chr_files(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_files(devicekit_power_t)
+files_read_etc_runtime_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
+files_dontaudit_list_mnt(devicekit_power_t)
fs_list_inotifyfs(devicekit_power_t)
+fs_getattr_all_fs(devicekit_power_t)
-term_use_all_terms(devicekit_power_t)
+term_use_all_inherited_terms(devicekit_power_t)
auth_use_nsswitch(devicekit_power_t)
miscfiles_read_localization(devicekit_power_t)
+seutil_exec_setfiles(devicekit_power_t)
+
sysnet_read_config(devicekit_power_t)
sysnet_domtrans_ifconfig(devicekit_power_t)
+sysnet_domtrans_dhcpc(devicekit_power_t)
userdom_read_all_users_state(devicekit_power_t)
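Review bot: `seutil_exec_setfiles(devicekit_power_t)` and `sysnet_domtrans_dhcpc(devicekit_power_t)` give the power daemon the ability to run the relabeling tool in its own domain and to start a DHCP client, neither of which is explained in the hunk. Given that this commit also labels pm-utils logs and `/var/run/pm-utils` as devicekit types, these presumably serve pm-utils suspend/resume hooks, but that is an inference; a comment like `# presumably for pm-utils hooks — TODO confirm which hook needs setfiles/dhclient` above the two lines would record it. If a hook rather than upowerd itself needs these, running them through a transition rather than `exec` in the daemon domain would keep the power daemon's own permissions narrower.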
@@ -235,7 +273,12 @@ optional_policy(`
')
optional_policy(`
+ consoletype_exec(devicekit_power_t)
+')
+
+optional_policy(`
cron_initrc_domtrans(devicekit_power_t)
+ cron_systemctl(devicekit_power_t)
')
optional_policy(`
@@ -261,14 +304,21 @@ optional_policy(`
')
optional_policy(`
+ gnome_read_home_config(devicekit_power_t)
+')
+
+optional_policy(`
hal_domtrans_mac(devicekit_power_t)
- hal_manage_log(devicekit_power_t)
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
hal_dbus_chat(devicekit_power_t)
')
optional_policy(`
+ networkmanager_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
@@ -276,9 +326,30 @@ optional_policy(`
')
optional_policy(`
+ modutils_domtrans_insmod(devicekit_power_t)
+')
+
+optional_policy(`
+ mount_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ readahead_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
udev_read_db(devicekit_power_t)
')
optional_policy(`
+ usbmuxd_stream_connect(devicekit_power_t)
+')
+
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
+
+optional_policy(`
+ corenet_tcp_connect_xserver_port(devicekit_power_t)
+ xserver_stream_connect(devicekit_power_t)
+')
diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
index 767e0c7..4fbde9d 100644
--- a/policy/modules/services/dhcp.fc
+++ b/policy/modules/services/dhcp.fc
@@ -1,8 +1,10 @@
-/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+
+/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
-/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
+/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
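Review bot: The new unit-file pattern `/lib/systemd/system/dhcpcd.*` cannot match a `dhcpd` or `dhcpd6` unit, because after `dhcp` it requires `cd` while the initrc and pid patterns in this same hunk use `dhcpd(6)?`; as written it would only label files named `dhcpcd*`, which is a different program (the DHCP client daemon). The label type `dhcpd_unit_file_t` and the new `dhcpd_systemctl` interface only work if this pattern actually hits the server's unit, so the line probably wants `/lib/systemd/system/dhcpd(6)?.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)`. Worth verifying against the actual unit filenames shipped with the package before changing.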
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
index 5e2cea8..7a18800 100644
--- a/policy/modules/services/dhcp.if
+++ b/policy/modules/services/dhcp.if
@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
')
sysnet_search_dhcp_state($1)
- allow $1 dhcpd_state_t:file setattr;
+ allow $1 dhcpd_state_t:file setattr_file_perms;
')
########################################
@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',`
########################################
## <summary>
+## Execute dhcpd server in the dhcpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dhcpd_systemctl',`
+ gen_require(`
+ type dhcpd_unit_file_t;
+ type dhcpd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 dhcpd_unit_file_t:file read_file_perms;
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, dhcpd_t)
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an dhcp environment
## </summary>
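Review bot: The summary of the new `dhcpd_systemctl` interface, "Execute dhcpd server in the dhcpd domain", describes a domain transition, but the body grants `systemd_exec_systemctl`, read access to `dhcpd_unit_file_t` and `all_service_perms` on that unit plus `ps_process_pattern` on `dhcpd_t`; callers reading the summary will not realize they are handing out start/stop control of the service. Suggested summary: `## Execute systemctl to manage the dhcpd service (all service permissions on its unit file).` Since `all_service_perms` is the broadest grant available on the service class, the doc should name it rather than hide it.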
@@ -77,7 +101,7 @@ interface(`dhcpd_initrc_domtrans',`
#
interface(`dhcpd_admin',`
gen_require(`
- type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;
+ type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
type dhcpd_var_run_t, dhcpd_initrc_exec_t;
')
@@ -96,4 +120,6 @@ interface(`dhcpd_admin',`
files_list_pids($1)
admin_pattern($1, dhcpd_var_run_t)
+
+ dhcpd_systemctl($1)
')
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index d4424ad..f90959a 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -12,6 +12,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
type dhcpd_initrc_exec_t;
init_script_file(dhcpd_initrc_exec_t)
+type dhcpd_unit_file_t;
+systemd_unit_file(dhcpd_unit_file_t)
+
type dhcpd_state_t;
files_type(dhcpd_state_t)
@@ -26,9 +29,9 @@ files_pid_file(dhcpd_var_run_t)
# Local policy
#
-allow dhcpd_t self:capability { net_raw sys_resource };
+allow dhcpd_t self:capability { sys_chroot net_raw setgid setuid sys_resource };
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
-allow dhcpd_t self:process signal_perms;
+allow dhcpd_t self:process { getcap setcap signal_perms };
allow dhcpd_t self:fifo_file rw_fifo_file_perms;
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
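Review bot: The capability set grows from `{ net_raw sys_resource }` to `{ sys_chroot net_raw setgid setuid sys_resource }` and the process perms gain `getcap setcap`, with no comment on what drives it; `sys_chroot`, `setuid` and `setgid` are exactly the privileges a server uses to drop into a chroot and an unprivileged user, so this is likely for dhcpd's privilege-drop options, but the hunk does not say. A comment such as `# presumably for dhcpd's chroot/user/group privilege-drop options — TODO confirm` above the `allow` line would let a later reviewer tell intended privilege dropping apart from an accidental broadening. If those options are not used in this distribution's configuration, the three capabilities can be dropped again.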
@@ -73,6 +76,8 @@ corenet_tcp_connect_all_ports(dhcpd_t)
corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
corenet_sendrecv_pxe_server_packets(dhcpd_t)
corenet_sendrecv_all_client_packets(dhcpd_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t)
+corenet_udp_bind_all_unreserved_ports(dhcpd_t)
dev_read_sysfs(dhcpd_t)
dev_read_rand(dhcpd_t)
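Review bot: `corenet_udp_bind_all_unreserved_ports(dhcpd_t)` lets the server bind any UDP port above the reserved range, paired with a dontaudit for the reserved ones, and nothing records which dhcpd feature needs an ephemeral listening socket. A comment naming the trigger, e.g. `# TODO(review): record which dhcpd feature binds an unreserved UDP port`, would make the grant reviewable; if it turns out to be a single port, the corresponding `corenet_udp_bind_<port>` interface would be the narrower choice.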
@@ -111,6 +116,10 @@ optional_policy(`
')
optional_policy(`
+ cobbler_dontaudit_rw_log(dhcpd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
index d2d9359..ee10625 100644
--- a/policy/modules/services/dictd.te
+++ b/policy/modules/services/dictd.te
@@ -73,23 +73,15 @@ files_search_var_lib(dictd_t)
# for checking for nscd
files_dontaudit_search_pids(dictd_t)
+auth_use_nsswitch(dictd_t)
+
logging_send_syslog_msg(dictd_t)
miscfiles_read_localization(dictd_t)
-sysnet_read_config(dictd_t)
-
userdom_dontaudit_use_unpriv_user_fds(dictd_t)
optional_policy(`
- nis_use_ypbind(dictd_t)
-')
-
-optional_policy(`
- nscd_socket_use(dictd_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(dictd_t)
')
diff --git a/policy/modules/services/dirsrv-admin.fc b/policy/modules/services/dirsrv-admin.fc
new file mode 100644
index 0000000..c6cbc80
--- /dev/null
+++ b/policy/modules/services/dirsrv-admin.fc
@@ -0,0 +1,13 @@
+/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+
+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
+/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
+
+/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
diff --git a/policy/modules/services/dirsrv-admin.if b/policy/modules/services/dirsrv-admin.if
new file mode 100644
index 0000000..332a1c9
--- /dev/null
+++ b/policy/modules/services/dirsrv-admin.if
@@ -0,0 +1,134 @@
+## <summary>Administration Server for Directory Server, dirsrv-admin.</summary>
+
+########################################
+## <summary>
+## Exec dirsrv-admin programs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_run_exec',`
+ gen_require(`
+ type dirsrvadmin_exec_t;
+ ')
+
+ allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
+ can_exec($1, dirsrvadmin_exec_t)
+')
+
+########################################
+## <summary>
+## Exec cgi programs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_run_httpd_script_exec',`
+ gen_require(`
+ type httpd_dirsrvadmin_script_exec_t;
+ ')
+
+ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
+ can_exec($1, httpd_dirsrvadmin_script_exec_t)
+')
+
+########################################
+## <summary>
+## Manage dirsrv-adminserver configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_read_config',`
+ gen_require(`
+ type dirsrvadmin_config_t;
+ ')
+
+ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
+')
+
+########################################
+## <summary>
+## Manage dirsrv-adminserver configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_manage_config',`
+ gen_require(`
+ type dirsrvadmin_config_t;
+ ')
+
+ allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
+ allow $1 dirsrvadmin_config_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+## Read dirsrv-adminserver tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_read_tmp',`
+ gen_require(`
+ type dirsrvadmin_tmp_t;
+ ')
+
+ read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
+########################################
+## <summary>
+## Manage dirsrv-adminserver tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_manage_tmp',`
+ gen_require(`
+ type dirsrvadmin_tmp_t;
+ ')
+
+ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
+#######################################
+## <summary>
+## Execute admin cgi programs in caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_domtrans_unconfined_script_t',`
+ gen_require(`
+ type dirsrvadmin_unconfined_script_t;
+ type dirsrvadmin_unconfined_script_exec_t;
+ ')
+
+ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
+ allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
+
+')
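Review bot: The summary of `dirsrvadmin_read_config` says "Manage dirsrv-adminserver configuration files." but the body only calls `read_files_pattern`; it is a copy of the `dirsrvadmin_manage_config` header and should read `## Read dirsrv-adminserver configuration files.` so callers do not think they are getting write access. Two style points in the same file: `dirsrvadmin_domtrans_unconfined_script_t` is the only interface on the page whose name carries a `_t` type suffix (the others follow `<module>_domtrans_<thing>`), and its body ends with a stray blank line before `')`. Renaming would change a new public interface, so if it is kept the summary "Execute admin cgi programs in caller domain" is also wrong — the body performs a domain transition, not execution in the caller's domain.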
diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te
new file mode 100644
index 0000000..de5951e
--- /dev/null
+++ b/policy/modules/services/dirsrv-admin.te
@@ -0,0 +1,137 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
+#
+# Declarations for the daemon
+#
+
+type dirsrvadmin_t;
+type dirsrvadmin_exec_t;
+init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
+role system_r types dirsrvadmin_t;
+
+type dirsrvadmin_config_t;
+files_type(dirsrvadmin_config_t)
+
+type dirsrvadmin_tmp_t;
+files_tmp_file(dirsrvadmin_tmp_t)
+
+type dirsrvadmin_unconfined_script_t;
+type dirsrvadmin_unconfined_script_exec_t;
+domain_type(dirsrvadmin_unconfined_script_t)
+domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t)
+corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t)
+role system_r types dirsrvadmin_unconfined_script_t;
+
+########################################
+#
+# Local policy for the daemon
+#
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
+allow dirsrvadmin_t self:process setrlimit;
+
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
+
+kernel_read_system_state(dirsrvadmin_t)
+
+corecmd_exec_bin(dirsrvadmin_t)
+corecmd_read_bin_symlinks(dirsrvadmin_t)
+corecmd_search_bin(dirsrvadmin_t)
+corecmd_shell_entry_type(dirsrvadmin_t)
+
+files_exec_etc_files(dirsrvadmin_t)
+
+libs_exec_ld_so(dirsrvadmin_t)
+
+logging_search_logs(dirsrvadmin_t)
+
+miscfiles_read_localization(dirsrvadmin_t)
+
+# Needed for stop and restart scripts
+dirsrv_read_var_run(dirsrvadmin_t)
+
+optional_policy(`
+ apache_domtrans(dirsrvadmin_t)
+ apache_signal(dirsrvadmin_t)
+')
+
+########################################
+#
+# Local policy for the CGIs
+#
+#
+#
+# Create a domain for the CGI scripts
+
+optional_policy(`
+ apache_content_template(dirsrvadmin)
+
+ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
+ allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
+ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
+
+ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
+
+ corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t)
+ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
+
+ files_search_var_lib(httpd_dirsrvadmin_script_t)
+
+ sysnet_read_config(httpd_dirsrvadmin_script_t)
+
+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+
+ # The CGI scripts must be able to manage dirsrv-admin
+ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
+ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
+ dirsrv_domtrans(httpd_dirsrvadmin_script_t)
+ dirsrv_signal(httpd_dirsrvadmin_script_t)
+ dirsrv_signull(httpd_dirsrvadmin_script_t)
+ dirsrv_manage_log(httpd_dirsrvadmin_script_t)
+ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
+ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
+ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
+ dirsrv_manage_config(httpd_dirsrvadmin_script_t)
+ dirsrv_read_share(httpd_dirsrvadmin_script_t)
+')
+
+#######################################
+#
+# Local policy for the admin CGIs
+#
+#
+
+
+manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir })
+
+# needed because of filetrans rules
+dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t)
+dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t)
+dirsrv_domtrans(dirsrvadmin_unconfined_script_t)
+dirsrv_signal(dirsrvadmin_unconfined_script_t)
+dirsrv_signull(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_log(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t)
+dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_config(dirsrvadmin_unconfined_script_t)
+dirsrv_read_share(dirsrvadmin_unconfined_script_t)
+
+optional_policy(`
+ unconfined_domain(dirsrvadmin_unconfined_script_t)
+')
+
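Review bot: `dirsrvadmin_unconfined_script_t` gets its real permissions from `unconfined_domain()` inside an `optional_policy` block at the end of the file, so when the unconfined module is absent the `ds_create`/`ds_remove` CGIs run with only the tmp and dirsrv rules listed above and will most likely fail, and nothing in the "Local policy for the admin CGIs" section says what these scripts do that confinement cannot express. A comment above the block such as `# TODO(review): record why ds_create/ds_remove cannot run confined; without the unconfined module this domain has only the rules above` would make that trade-off explicit. The CGI domain `httpd_dirsrvadmin_script_t` is also given `{ setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override }`, which is a large capability set for web-reachable scripts; a one-line justification per capability (or dropping the ones no script uses) is worth adding while the module is new.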
diff --git a/policy/modules/services/dirsrv.fc b/policy/modules/services/dirsrv.fc
new file mode 100644
index 0000000..3aae725
--- /dev/null
+++ b/policy/modules/services/dirsrv.fc
@@ -0,0 +1,20 @@
+/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)
+
+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
+/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
+/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0)
+
+/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
+
+/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
+
+/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
+
+/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0)
+
+/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
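Review bot: The `.` in `/var/log/dirsrv/ldap-agent.log` on the last line of this file is unescaped, so the pattern also matches any single character in that position; every neighbouring entry escapes its dots, and this one should read `/var/log/dirsrv/ldap-agent\.log -- gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)`. Because `/var/log/dirsrv(/.*)?` labels the whole tree as `dirsrv_var_log_t`, this more specific line is the only thing that keeps the agent log in the snmp type, so a pattern that fails to match silently leaves the file with the broader label. The `/var/run/ldap-agent\.pid` entry is also missing the `--` regular-file specifier that the other single-file entries carry.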
diff --git a/policy/modules/services/dirsrv.if b/policy/modules/services/dirsrv.if
new file mode 100644
index 0000000..6fd8e9f
--- /dev/null
+++ b/policy/modules/services/dirsrv.if
@@ -0,0 +1,208 @@
+## <summary>policy for dirsrv</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirsrv_domtrans',`
+ gen_require(`
+ type dirsrv_t, dirsrv_exec_t;
+ ')
+
+ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
+')
+
+
+########################################
+## <summary>
+## Allow caller to signal dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_signal',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ allow $1 dirsrv_t:process signal;
+')
+
+
+########################################
+## <summary>
+## Send a null signal to dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_signull',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ allow $1 dirsrv_t:process signull;
+')
+
+#######################################
+## <summary>
+## Allow a domain to manage dirsrv logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_log',`
+ gen_require(`
+ type dirsrv_var_log_t;
+ ')
+
+ allow $1 dirsrv_var_log_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_log_t:file manage_file_perms;
+ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
+')
+
+#######################################
+## <summary>
+## Allow a domain to manage dirsrv /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_lib',`
+ gen_require(`
+ type dirsrv_var_lib_t;
+ ')
+ allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_lib_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to dirsrv over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_stream_connect',`
+ gen_require(`
+ type dirsrv_t, dirsrv_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
+')
+
+#######################################
+## <summary>
+## Allow a domain to manage dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_run',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ allow $1 dirsrv_var_run_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_run_t:file manage_file_perms;
+ allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
+')
+
+######################################
+## <summary>
+## Allow a domain to create dirsrv pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_pid_filetrans',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ # Allow creating a dir in /var/run with this type
+ files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
+#######################################
+## <summary>
+## Allow a domain to read dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_read_var_run',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ allow $1 dirsrv_var_run_t:dir list_dir_perms;
+ allow $1 dirsrv_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage dirsrv configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_config',`
+ gen_require(`
+ type dirsrv_config_t;
+ ')
+
+ allow $1 dirsrv_config_t:dir manage_dir_perms;
+ allow $1 dirsrv_config_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read dirsrv share files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_read_share',`
+ gen_require(`
+ type dirsrv_share_t;
+ ')
+
+ allow $1 dirsrv_share_t:dir list_dir_perms;
+ allow $1 dirsrv_share_t:file read_file_perms;
+ allow $1 dirsrv_share_t:lnk_file read;
+')
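Review bot: None of the manage/read interfaces in this file grant search on the parent directory, whereas `dirsrv_stream_connect` calls `files_search_pids($1)` first; `dirsrv_manage_var_run`, `dirsrv_read_var_run` and `dirsrv_pid_filetrans` need that same call, `dirsrv_manage_var_lib` needs `files_search_var_lib($1)`, `dirsrv_manage_log` needs `logging_search_logs($1)` and `dirsrv_manage_config` needs `files_search_etc($1)`, otherwise a caller that does not already hold the search permission is denied on the path walk before the granted rule applies. `dirsrv_manage_var_run` also applies `manage_file_perms` to the `sock_file` class; the matching set is `allow $1 dirsrv_var_run_t:sock_file manage_sock_file_perms;`. Minor style: `domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)` lacks the space after the comma that every other call in the file has.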
diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
new file mode 100644
index 0000000..43c82e7
--- /dev/null
+++ b/policy/modules/services/dirsrv.te
@@ -0,0 +1,185 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# main daemon
+type dirsrv_t;
+type dirsrv_exec_t;
+domain_type(dirsrv_t)
+init_daemon_domain(dirsrv_t, dirsrv_exec_t)
+
+type dirsrv_snmp_t;
+type dirsrv_snmp_exec_t;
+domain_type(dirsrv_snmp_t)
+init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
+
+type dirsrv_var_lib_t;
+files_type(dirsrv_var_lib_t)
+
+type dirsrv_var_log_t;
+logging_log_file(dirsrv_var_log_t)
+
+type dirsrv_snmp_var_log_t;
+logging_log_file(dirsrv_snmp_var_log_t)
+
+type dirsrv_var_run_t;
+files_pid_file(dirsrv_var_run_t)
+
+type dirsrv_snmp_var_run_t;
+files_pid_file(dirsrv_snmp_var_run_t)
+
+type dirsrv_var_lock_t;
+files_lock_file(dirsrv_var_lock_t)
+
+type dirsrv_config_t;
+files_type(dirsrv_config_t)
+
+type dirsrv_tmp_t;
+files_tmp_file(dirsrv_tmp_t)
+
+type dirsrv_tmpfs_t;
+files_tmpfs_file(dirsrv_tmpfs_t)
+
+type dirsrv_share_t;
+files_type(dirsrv_share_t);
+
+########################################
+#
+# dirsrv local policy
+#
+allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
+allow dirsrv_t self:fifo_file rw_fifo_file_perms;
+allow dirsrv_t self:sem create_sem_perms;
+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+allow dirsrv_t dirsrv_var_log_t:dir { setattr };
+logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })
+
+manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file)
+files_setattr_lock_dirs(dirsrv_t)
+
+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
+
+kernel_read_system_state(dirsrv_t)
+
+corecmd_search_bin(dirsrv_t)
+
+corenet_all_recvfrom_unlabeled(dirsrv_t)
+corenet_all_recvfrom_netlabel(dirsrv_t)
+corenet_tcp_sendrecv_generic_if(dirsrv_t)
+corenet_tcp_sendrecv_generic_node(dirsrv_t)
+corenet_tcp_sendrecv_all_ports(dirsrv_t)
+corenet_tcp_bind_generic_node(dirsrv_t)
+corenet_tcp_bind_ldap_port(dirsrv_t)
+corenet_tcp_bind_dogtag_port(dirsrv_t)
+corenet_tcp_bind_all_rpc_ports(dirsrv_t)
+corenet_udp_bind_all_rpc_ports(dirsrv_t)
+corenet_tcp_connect_all_ports(dirsrv_t)
+corenet_sendrecv_ldap_server_packets(dirsrv_t)
+corenet_sendrecv_all_client_packets(dirsrv_t)
+
+dev_read_sysfs(dirsrv_t)
+dev_read_urand(dirsrv_t)
+
+files_read_etc_files(dirsrv_t)
+files_read_usr_symlinks(dirsrv_t)
+
+fs_getattr_all_fs(dirsrv_t)
+
+logging_send_syslog_msg(dirsrv_t)
+
+miscfiles_read_localization(dirsrv_t)
+
+sysnet_dns_name_resolve(dirsrv_t)
+
+optional_policy(`
+ apache_dontaudit_leaks(dirsrv_t)
+')
+
+optional_policy(`
+ dirsrvadmin_read_tmp(dirsrv_t)
+')
+
+
+optional_policy(`
+ kerberos_use(dirsrv_t)
+')
+
+optional_policy(`
+ rpcbind_stream_connect(dirsrv_t)
+')
+
+########################################
+#
+# dirsrv-snmp local policy
+#
+allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
+allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
+
+rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+
+read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
+read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
+files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
+search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
+filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
+
+corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
+
+dev_read_rand(dirsrv_snmp_t)
+dev_read_urand(dirsrv_snmp_t)
+
+domain_use_interactive_fds(dirsrv_snmp_t)
+
+#files_manage_var_files(dirsrv_snmp_t)
+files_read_etc_files(dirsrv_snmp_t)
+files_read_usr_files(dirsrv_snmp_t)
+
+fs_getattr_tmpfs(dirsrv_snmp_t)
+fs_search_tmpfs(dirsrv_snmp_t)
+
+miscfiles_read_localization(dirsrv_snmp_t)
+
+sysnet_read_config(dirsrv_snmp_t)
+sysnet_dns_name_resolve(dirsrv_snmp_t)
+
+optional_policy(`
+ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
+ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
+ snmp_manage_var_lib_dirs(dirsrv_snmp_t)
+ snmp_manage_var_lib_files(dirsrv_snmp_t)
+ snmp_stream_connect(dirsrv_snmp_t)
+')
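Review bot: `corenet_udp_bind_all_rpc_ports(dirsrv_t)` appears to be dead: the local policy only grants `allow dirsrv_t self:tcp_socket create_stream_socket_perms;` and never lets the domain create a udp_socket, so either add `allow dirsrv_t self:udp_socket create_socket_perms;` next to it or drop the UDP bind. `corenet_tcp_connect_all_ports(dirsrv_t)` combined with `corenet_tcp_sendrecv_all_ports` lets the directory server open outbound connections to every port; if the real peers are the LDAP, Kerberos and rpcbind endpoints already referenced below, the port-specific `corenet_tcp_connect_ldap_port`/`corenet_tcp_connect_kerberos_port` interfaces would be the narrower grant, and otherwise a comment should say why the blanket rule is needed. The trailing `;` after `files_type(dirsrv_share_t)` and after `manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t)` is not part of the macro call and should be dropped.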
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
index 03b5286..fcafa0b 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
@@ -23,9 +23,6 @@ djbdns_daemontools_domain_template(tinydns)
# Local policy for axfrdns component
#
-daemontools_ipc_domain(djbdns_axfrdns_t)
-daemontools_read_svc(djbdns_axfrdns_t)
-
allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
@@ -39,6 +36,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
files_search_var(djbdns_axfrdns_t)
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
########################################
diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc
index dc1056c..bd60100 100644
--- a/policy/modules/services/dkim.fc
+++ b/policy/modules/services/dkim.fc
@@ -7,3 +7,5 @@
/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
+
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
index b886676..ab3af9c 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
@@ -1,12 +1,14 @@
/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
+
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
-/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
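Review bot: The replacement entry `/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)` uses an unescaped `.`, so it now matches every regular file under /var/log whose name merely starts with `dnsmasq`, not just the log and its rotated copies that the old `/var/log/dnsmasq\.log` line covered; if that widening is unintended, `/var/log/dnsmasq\.log.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)` keeps the old scope while still catching rotations. The same unescaped form is used for `/lib/systemd/system/dnsmasq.*`, where the broad match is presumably what is wanted.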
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
index 9bd812b..f3c2d82 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -41,6 +41,30 @@ interface(`dnsmasq_initrc_domtrans',`
########################################
## <summary>
+## Execute dnsmasq server in the dnsmasq domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_systemctl',`
+ gen_require(`
+ type dnsmasq_unit_file_t;
+ type dnsmasq_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 dnsmasq_unit_file_t:file read_file_perms;
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, dnsmasq_t)
+')
+
+########################################
+## <summary>
## Send dnsmasq a signal
## </summary>
## <param name="domain">
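Review bot: The summary of the new `dnsmasq_systemctl` interface, `Execute dnsmasq server in the dnsmasq domain.`, describes a domain transition, but the body performs none — it grants systemctl execution, `read_file_perms` and `all_service_perms` on the unit file, and `ps_process_pattern` on `dnsmasq_t`; suggest `## Allow the caller to manage the dnsmasq systemd unit (start, stop, status, reload) via systemctl.` `all_service_perms` hands every caller full control of the service; if some callers only need `status`, a separate read-only interface would leave `dnsmasq_admin` (later in this file) as the only full-control path. The `Domain allowed to transition.` parameter text should likewise become `Domain allowed access.`.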
@@ -101,9 +125,9 @@ interface(`dnsmasq_kill',`
## Read dnsmasq config files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`dnsmasq_read_config',`
@@ -120,9 +144,9 @@ interface(`dnsmasq_read_config',`
## Write to dnsmasq config files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`dnsmasq_write_config',`
@@ -144,12 +168,12 @@ interface(`dnsmasq_write_config',`
## </summary>
## </param>
#
-#
interface(`dnsmasq_delete_pid_files',`
gen_require(`
type dnsmasq_var_run_t;
')
+ files_search_pids($1)
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
@@ -163,17 +187,80 @@ interface(`dnsmasq_delete_pid_files',`
## </summary>
## </param>
#
-#
interface(`dnsmasq_read_pid_files',`
gen_require(`
type dnsmasq_var_run_t;
')
+ files_search_pids($1)
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
########################################
## <summary>
+## Create dnsmasq pid dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_create_pid_dirs',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ files_search_pids($1)
+ create_dirs_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+## <summary>
+## Transition to dnsmasq named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the directory for the object to be created.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_filetrans_named_content_fromdir',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
+')
+
+########################################
+## <summary>
+## Transition to dnsmasq named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_filetrans_named_content',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
+ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
+ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an dnsmasq environment
## </summary>
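Review bot: In `dnsmasq_filetrans_named_content`, the last rule `virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")` declares `network` as a file, while the two `files_pid_filetrans` lines above it treat the same name as a `dir` and dnsmasq.fc labels `/var/run/libvirt/network(/.*)?` as a directory tree; the class should be `dir`, matching the `{ dir file }` call dnsmasq.te makes directly: `virt_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")`. Calling `virt_pid_filetrans` unconditionally also makes every module that uses this interface depend on the virt module; guarding that one line with `optional_policy` would avoid the hard dependency. `dnsmasq_filetrans_named_content_fromdir` and `dnsmasq_filetrans_named_content` carry the identical summary `Transition to dnsmasq named content`; the first should say it transitions from a caller-supplied directory type.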
@@ -208,4 +295,6 @@ interface(`dnsmasq_admin',`
files_list_pids($1)
admin_pattern($1, dnsmasq_var_run_t)
+
+ dnsmasq_systemctl($1)
')
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index fdaeeba..8542225 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
type dnsmasq_var_run_t;
files_pid_file(dnsmasq_var_run_t)
+type dnsmasq_unit_file_t;
+systemd_unit_file(dnsmasq_unit_file_t)
+
########################################
#
# Local policy
@@ -48,11 +51,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
+manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
-files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
+files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
kernel_read_kernel_sysctls(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)
+kernel_request_load_module(dnsmasq_t)
corenet_all_recvfrom_unlabeled(dnsmasq_t)
corenet_all_recvfrom_netlabel(dnsmasq_t)
@@ -88,6 +93,8 @@ logging_send_syslog_msg(dnsmasq_t)
miscfiles_read_localization(dnsmasq_t)
+sysnet_dns_name_resolve(dnsmasq_t)
+
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
@@ -96,7 +103,20 @@ optional_policy(`
')
optional_policy(`
+ cron_manage_pid_files(dnsmasq_t)
+')
+
+optional_policy(`
dbus_system_bus_client(dnsmasq_t)
+ dbus_connect_system_bus(dnsmasq_t)
+')
+
+optional_policy(`
+ networkmanager_read_pid_files(dnsmasq_t)
+')
+
+optional_policy(`
+ ppp_read_pid_files(dnsmasq_t)
')
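Review bot: `cron_manage_pid_files(dnsmasq_t)` lets the DNS/DHCP daemon create, write and delete cron's pid files, and nothing in the hunk says which file or behaviour requires it; if this works around a file landing in cron's pid directory, a named file transition or an fc fix would be the tighter remedy, and at minimum a comment such as `# TODO(review): name the file dnsmasq writes under cron's pid directory` should justify the cross-service write grant. The other additions in this hunk (`dbus_connect_system_bus`, `networkmanager_read_pid_files`, `ppp_read_pid_files`) are connect/read grants consistent with the daemon's role.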
optional_policy(`
@@ -114,4 +134,5 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
+ virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
')
diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
index bfc880b..9a1dcba 100644
--- a/policy/modules/services/dovecot.fc
+++ b/policy/modules/services/dovecot.fc
@@ -25,7 +25,7 @@ ifdef(`distro_debian', `
ifdef(`distro_redhat', `
/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
')
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
index e1d7dc5..673f185 100644
--- a/policy/modules/services/dovecot.if
+++ b/policy/modules/services/dovecot.if
@@ -1,5 +1,24 @@
## <summary>Dovecot POP and IMAP mail server</summary>
+#######################################
+## <summary>
+## Connect to dovecot unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dovecot_stream_connect',`
+ gen_require(`
+ type dovecot_t, dovecot_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
+')
+
########################################
## <summary>
## Connect to dovecot auth unix domain stream socket.
@@ -9,13 +28,13 @@
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`dovecot_stream_connect_auth',`
gen_require(`
type dovecot_auth_t, dovecot_var_run_t;
')
+ files_search_pids($1)
stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
')
@@ -52,6 +71,7 @@ interface(`dovecot_manage_spool',`
type dovecot_spool_t;
')
+ files_search_spool($1)
manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
')
@@ -93,12 +113,10 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
#
interface(`dovecot_admin',`
gen_require(`
- type dovecot_t, dovecot_etc_t, dovecot_log_t;
- type dovecot_spool_t, dovecot_var_lib_t;
- type dovecot_var_run_t;
-
- type dovecot_cert_t, dovecot_passwd_t;
- type dovecot_initrc_exec_t;
+ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
+ type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
+ type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
+ type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
')
allow $1 dovecot_t:process { ptrace signal_perms };
@@ -112,8 +130,11 @@ interface(`dovecot_admin',`
files_list_etc($1)
admin_pattern($1, dovecot_etc_t)
- logging_list_logs($1)
- admin_pattern($1, dovecot_log_t)
+ files_list_tmp($1)
+ admin_pattern($1, dovecot_auth_tmp_t)
+ admin_pattern($1, dovecot_tmp_t)
+
+ admin_pattern($1, dovecot_keytab_t)
files_list_spool($1)
admin_pattern($1, dovecot_spool_t)
@@ -121,6 +142,9 @@ interface(`dovecot_admin',`
files_list_var_lib($1)
admin_pattern($1, dovecot_var_lib_t)
+ logging_search_logs($1)
+ admin_pattern($1, dovecot_var_log_t)
+
files_list_pids($1)
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index acf6d4f..87949e8 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
files_tmp_file(dovecot_auth_tmp_t)
type dovecot_cert_t;
-files_type(dovecot_cert_t)
+miscfiles_cert_type(dovecot_cert_t)
type dovecot_deliver_t;
type dovecot_deliver_exec_t;
@@ -26,6 +26,9 @@ domain_type(dovecot_deliver_t)
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
role system_r types dovecot_deliver_t;
+type dovecot_deliver_tmp_t;
+files_tmp_file(dovecot_deliver_tmp_t)
+
type dovecot_etc_t;
files_config_file(dovecot_etc_t)
@@ -36,7 +39,7 @@ type dovecot_passwd_t;
files_type(dovecot_passwd_t)
type dovecot_spool_t;
-files_type(dovecot_spool_t)
+files_spool_file(dovecot_spool_t)
type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)
@@ -56,9 +59,9 @@ files_pid_file(dovecot_var_run_t)
# dovecot local policy
#
-allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
-allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
+allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
allow dovecot_t self:fifo_file rw_fifo_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
@@ -72,7 +75,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
-allow dovecot_t dovecot_etc_t:file read_file_perms;
+allow dovecot_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
files_search_etc(dovecot_t)
can_exec(dovecot_t, dovecot_exec_t)
@@ -94,10 +99,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file })
kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)
@@ -110,6 +116,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_generic_node(dovecot_t)
corenet_tcp_bind_mail_port(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
+corenet_tcp_bind_lmtp_port(dovecot_t)
corenet_tcp_bind_sieve_port(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
@@ -160,6 +167,15 @@ optional_policy(`
')
optional_policy(`
+ gnome_manage_data(dovecot_t)
+')
+
+optional_policy(`
+ postfix_manage_private_sockets(dovecot_t)
+ postfix_search_spool(dovecot_t)
+')
+
+optional_policy(`
postgresql_stream_connect(dovecot_t)
')
@@ -180,7 +196,7 @@ optional_policy(`
# dovecot auth local policy
#
-allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
+allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid };
allow dovecot_auth_t self:process { signal_perms getcap setcap };
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
@@ -190,6 +206,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
@@ -201,9 +220,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
+corecmd_exec_bin(dovecot_auth_t)
+
logging_send_audit_msgs(dovecot_auth_t)
logging_send_syslog_msg(dovecot_auth_t)
+dev_search_sysfs(dovecot_auth_t)
dev_read_urand(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
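Review bot: `corecmd_exec_bin(dovecot_auth_t)` lets the authentication helper execute every `bin_t` binary in its own domain; this domain holds `dac_override` and reads `dovecot_passwd_t`, so if the grant is for one specific helper (a checkpassword-style program), giving it its own exec type, or at least a comment naming the program, keeps the auth domain from becoming a general launcher. The same question applies to `corecmd_exec_bin(dovecot_deliver_t)` added in the deliver section below.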
@@ -218,6 +240,8 @@ files_read_var_lib_files(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
+fs_getattr_xattr_fs(dovecot_auth_t)
+
init_rw_utmp(dovecot_auth_t)
miscfiles_read_localization(dovecot_auth_t)
@@ -236,6 +260,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
+ mysql_read_config(dovecot_auth_t)
+ mysql_tcp_connect(dovecot_auth_t)
')
optional_policy(`
@@ -243,6 +269,8 @@ optional_policy(`
')
optional_policy(`
+ postfix_manage_private_sockets(dovecot_auth_t)
+ postfix_rw_master_pipes(dovecot_deliver_t)
postfix_search_spool(dovecot_auth_t)
')
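Review bot: `postfix_rw_master_pipes(dovecot_deliver_t)` is added inside the `optional_policy` block of the dovecot auth section, between two `dovecot_auth_t` rules; it belongs with the other postfix rules for the deliver domain in the `dovecot deliver local policy` section, next to `postfix_use_fds_master(dovecot_deliver_t)` later in this file, where the next reader will look for it. If `dovecot_auth_t` also needs the master pipes, that is a separate `postfix_rw_master_pipes(dovecot_auth_t)` line here.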
@@ -250,23 +278,42 @@ optional_policy(`
#
# dovecot deliver local policy
#
+
+allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
allow dovecot_deliver_t dovecot_t:process signull;
-allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+
+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
+
+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+
+manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
+manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
+files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
+
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_stream_connect(dovecot_deliver_t)
+
+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
kernel_read_all_sysctls(dovecot_deliver_t)
kernel_read_system_state(dovecot_deliver_t)
+corecmd_exec_bin(dovecot_deliver_t)
+
files_read_etc_files(dovecot_deliver_t)
files_read_etc_runtime_files(dovecot_deliver_t)
auth_use_nsswitch(dovecot_deliver_t)
logging_send_syslog_msg(dovecot_deliver_t)
-logging_search_logs(dovecot_auth_t)
+logging_append_all_logs(dovecot_deliver_t)
miscfiles_read_localization(dovecot_deliver_t)
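Review bot: `logging_append_all_logs(dovecot_deliver_t)` grants append on every log type on the system, while the same hunk already adds `append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)` for Dovecot's own log; what that rule still needs is directory search, i.e. `logging_search_logs(dovecot_deliver_t)`, and the blanket append should only stay if the LDA is known to write to non-dovecot logs (then say which, in a comment). The replaced line removes `logging_search_logs(dovecot_auth_t)` — it was misplaced in the deliver section, but nothing in this diff re-adds it for `dovecot_auth_t`, so confirm the auth domain does not rely on searching /var/log.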
@@ -302,5 +349,19 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ gnome_manage_data(dovecot_deliver_t)
+')
+
+optional_policy(`
mta_manage_spool(dovecot_deliver_t)
+ mta_read_queue(dovecot_deliver_t)
+')
+
+optional_policy(`
+ postfix_use_fds_master(dovecot_deliver_t)
+')
+
+optional_policy(`
+ # Handle sieve scripts
+ sendmail_domtrans(dovecot_deliver_t)
')
diff --git a/policy/modules/services/drbd.fc b/policy/modules/services/drbd.fc
new file mode 100644
index 0000000..f96c4f2
--- /dev/null
+++ b/policy/modules/services/drbd.fc
@@ -0,0 +1,9 @@
+
+/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
+/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
+
+/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
+
+/var/lib/drbd(/.*)? gen_context(system_u:object_r:drbd_var_lib_t,s0)
+
+
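Review bot: The regex `/usr/lib/ocf/resource.\d/linbit/drbd` escapes the wrong character: the path component is `resource.d`, so the escape belongs on the dot and `\d` (not a portable POSIX class) should be the literal `d` — `/usr/lib/ocf/resource\.d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)`. As written the resource agent is unlikely to match and keeps whatever label its directory gives it, so `drbd_domtrans` never fires for it.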
diff --git a/policy/modules/services/drbd.if b/policy/modules/services/drbd.if
new file mode 100644
index 0000000..63f11d9
--- /dev/null
+++ b/policy/modules/services/drbd.if
@@ -0,0 +1,130 @@
+
+## <summary>policy for drbd</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run drbd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`drbd_domtrans',`
+ gen_require(`
+ type drbd_t, drbd_exec_t;
+ ')
+
+ domtrans_pattern($1, drbd_exec_t, drbd_t)
+')
+
+########################################
+## <summary>
+## Search drbd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`drbd_search_lib',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ allow $1 drbd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read drbd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`drbd_read_lib_files',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## drbd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`drbd_manage_lib_files',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage drbd lib dirs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`drbd_manage_lib_dirs',`
+ gen_require(`
+ type drbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an drbd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`drbd_admin',`
+ gen_require(`
+ type drbd_t;
+ type drbd_var_lib_t;
+ ')
+
+ allow $1 drbd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, drbd_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, drbd_var_lib_t)
+
+')
+
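Review bot: `drbd_admin` only covers `drbd_var_lib_t`, but drbd.te in the same commit also declares `drbd_lock_t` with a `files_lock_filetrans`, so the admin interface should require that type and add `files_search_locks($1)` and `admin_pattern($1, drbd_lock_t)`. Documentation nits in the same file: the `drbd_admin` summary reads `an drbd environment` (should be `a drbd environment`), and the `drbd_domtrans` parameter says `Domain allowed access.` where the other domtrans interfaces in this commit use `Domain allowed to transition.`.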
diff --git a/policy/modules/services/drbd.te b/policy/modules/services/drbd.te
new file mode 100644
index 0000000..3bca7b0
--- /dev/null
+++ b/policy/modules/services/drbd.te
@@ -0,0 +1,50 @@
+policy_module(drbd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type drbd_t;
+type drbd_exec_t;
+init_daemon_domain(drbd_t, drbd_exec_t)
+
+type drbd_var_lib_t;
+files_type(drbd_var_lib_t)
+
+type drbd_lock_t;
+files_lock_file(drbd_lock_t)
+
+########################################
+#
+# drbd local policy
+#
+
+allow drbd_t self:capability { kill net_admin };
+dontaudit drbd_t self:capability sys_tty_config;
+allow drbd_t self:fifo_file rw_fifo_file_perms;
+allow drbd_t self:unix_stream_socket create_stream_socket_perms;
+allow drbd_t self:netlink_socket create_socket_perms;
+allow drbd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
+manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
+manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
+files_var_lib_filetrans(drbd_t, drbd_var_lib_t, { dir file } )
+
+manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t)
+files_lock_filetrans(drbd_t, drbd_lock_t, file)
+
+can_exec(drbd_t, drbd_exec_t)
+
+kernel_read_system_state(drbd_t)
+
+dev_read_sysfs(drbd_t)
+
+files_read_etc_files(drbd_t)
+
+storage_raw_read_fixed_disk(drbd_t)
+
+miscfiles_read_localization(drbd_t)
+
+sysnet_dns_name_resolve(drbd_t)
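Review bot: `storage_raw_read_fixed_disk(drbd_t)` near the end of the local policy grants raw read on every fixed-disk device type with no why-comment, and the equally undocumented `allow drbd_t self:capability { kill net_admin };` sits at the top of the same section. Presumably the userspace tools read backing-device metadata, but that is an inference; a one-liner such as `# drbdmeta/drbdsetup read backing block device metadata -- TODO confirm` above the storage rule, and a similar note for net_admin, would let a maintainer tell a required grant from an accreted one. `drbd_lock_t` is declared and reached via `files_lock_filetrans`, but the drbd.fc entry that would label an existing lock file is not in this hunk; worth confirming it exists.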
diff --git a/policy/modules/services/dspam.fc b/policy/modules/services/dspam.fc
new file mode 100644
index 0000000..cc0815b
--- /dev/null
+++ b/policy/modules/services/dspam.fc
@@ -0,0 +1,16 @@
+
+/etc/rc\.d/init\.d/dspam -- gen_context(system_u:object_r:dspam_initrc_exec_t,s0)
+
+/usr/bin/dspam -- gen_context(system_u:object_r:dspam_exec_t,s0)
+
+/var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0)
+
+/var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0)
+
+/var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0)
+
+# web
+
+/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
+
+/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_content_rw_t,s0)
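Review bot: The last entry, `/var/lib/dspam/data(/.*)?`, carves a subtree out of `dspam_var_lib_t` and gives it `httpd_dspam_content_rw_t`, so the httpd-side CGI domain gets read/write on dspam's per-user data while `dspam_read_lib_files` and `dspam_admin` (which only cover `dspam_var_lib_t`) no longer reach that subtree. This depends on the more specific spec winning over the broader `/var/lib/dspam(/.*)?` line above it, which is not obvious to a reader. A comment above the entry would make both the intent and the carve-out explicit: `# dspam.cgi needs rw access to user data; overrides the /var/lib/dspam spec above`.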
diff --git a/policy/modules/services/dspam.if b/policy/modules/services/dspam.if
new file mode 100644
index 0000000..d7a7118
--- /dev/null
+++ b/policy/modules/services/dspam.if
@@ -0,0 +1,264 @@
+
+## <summary>policy for dspam</summary>
+
+
+########################################
+## <summary>
+## Execute a domain transition to run dspam.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dspam_domtrans',`
+ gen_require(`
+ type dspam_t, dspam_exec_t;
+ ')
+
+ domtrans_pattern($1, dspam_exec_t, dspam_t)
+')
+
+
+########################################
+## <summary>
+## Execute dspam server in the dspam domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`dspam_initrc_domtrans',`
+ gen_require(`
+ type dspam_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read dspam's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dspam_read_log',`
+ gen_require(`
+ type dspam_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## dspam log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dspam_append_log',`
+ gen_require(`
+ type dspam_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage dspam log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dspam_manage_log',`
+ gen_require(`
+ type dspam_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, dspam_log_t, dspam_log_t)
+ manage_files_pattern($1, dspam_log_t, dspam_log_t)
+ manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+## <summary>
+## Search dspam lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dspam_search_lib',`
+ gen_require(`
+ type dspam_var_lib_t;
+ ')
+
+ allow $1 dspam_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read dspam lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dspam_read_lib_files',`
+ gen_require(`
+ type dspam_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## dspam lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dspam_manage_lib_files',`
+ gen_require(`
+ type dspam_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage dspam lib dirs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dspam_manage_lib_dirs',`
+ gen_require(`
+ type dspam_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## Read dspam PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dspam_read_pid_files',`
+ gen_require(`
+ type dspam_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 dspam_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Connect to DSPAM using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dspam_stream_connect',`
+ gen_require(`
+ type dspam_t, dspam_var_run_t, dspam_tmp_t;
+ ')
+
+ files_search_pids($1)
+ files_search_tmp($1)
+ stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
+ stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an dspam environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dspam_admin',`
+ gen_require(`
+ type dspam_t;
+ type dspam_initrc_exec_t;
+ type dspam_log_t;
+ type dspam_var_lib_t;
+ type dspam_var_run_t;
+ ')
+
+ allow $1 dspam_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dspam_t)
+
+ dspam_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 dspam_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, dspam_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, dspam_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, dspam_var_run_t)
+
+')
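Review bot: Two of the new interfaces carry copy-pasted parameter descriptions that do not match their bodies: `dspam_append_log` documents its domain as `Domain allowed to transition.` and `dspam_manage_log` as `Domain to not audit.`, although neither transitions nor dontaudits. Both should read `Domain allowed access.` like the sibling interfaces. `dspam_read_log` also carries a `<rolecap/>` tag although it takes no role parameter, which is inconsistent with the other non-role interfaces in this file; drop it.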
diff --git a/policy/modules/services/dspam.te b/policy/modules/services/dspam.te
new file mode 100644
index 0000000..d409571
--- /dev/null
+++ b/policy/modules/services/dspam.te
@@ -0,0 +1,95 @@
+
+policy_module(dspam, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type dspam_t;
+type dspam_exec_t;
+init_daemon_domain(dspam_t, dspam_exec_t)
+
+type dspam_initrc_exec_t;
+init_script_file(dspam_initrc_exec_t)
+
+type dspam_log_t;
+logging_log_file(dspam_log_t)
+
+type dspam_var_lib_t;
+files_type(dspam_var_lib_t)
+
+type dspam_var_run_t;
+files_pid_file(dspam_var_run_t)
+
+# FIXME
+# /tmp/dspam.sock
+type dspam_tmp_t;
+files_tmp_file(dspam_tmp_t)
+
+########################################
+#
+# dspam local policy
+#
+
+allow dspam_t self:capability net_admin;
+
+allow dspam_t self:process { signal };
+
+allow dspam_t self:fifo_file rw_fifo_file_perms;
+allow dspam_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(dspam_t, dspam_log_t, dspam_log_t)
+manage_files_pattern(dspam_t, dspam_log_t, dspam_log_t)
+
+manage_dirs_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t)
+manage_files_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t)
+
+manage_dirs_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
+manage_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
+
+manage_sock_files_pattern(dspam_t, dspam_tmp_t, dspam_tmp_t)
+files_tmp_filetrans(dspam_t, dspam_tmp_t, { sock_file })
+
+# need to add the port tcp/10026 to corenetwork.te.in
+#allow dspam_t port_t:tcp_socket name_connect;
+
+files_read_etc_files(dspam_t)
+
+auth_use_nsswitch(dspam_t)
+
+# for RHEL5
+libs_use_ld_so(dspam_t)
+libs_use_shared_libs(dspam_t)
+libs_read_lib_files(dspam_t)
+
+logging_send_syslog_msg(dspam_t)
+
+miscfiles_read_localization(dspam_t)
+
+sysnet_dns_name_resolve(dspam_t)
+
+optional_policy(`
+ mysql_tcp_connect(dspam_t)
+ mysql_search_db(dspam_t)
+ mysql_stream_connect(dspam_t)
+')
+
+optional_policy(`
+ postgresql_tcp_connect(dspam_t)
+ postgresql_stream_connect(dspam_t)
+')
+
+#######################################
+#
+# dspam web local policy.
+#
+
+optional_policy(`
+ apache_content_template(dspam)
+
+ list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
+ manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
+ manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
+')
+
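Review bot: The commented-out rule `#allow dspam_t port_t:tcp_socket name_connect;` under the `tcp/10026` note would, if ever uncommented as written, allow connecting to every port labeled with the generic `port_t`, not just dspam's; either drop the dead rule or replace the note with one saying a dedicated port type plus a `corenet_tcp_connect_*` interface is the intended fix. `allow dspam_t self:capability net_admin;` has no justification either; `# net_admin: <reason> -- TODO confirm` would do. The `# for RHEL5` block calling `libs_use_ld_so`/`libs_use_shared_libs` looks like a compatibility leftover; if those interfaces are deprecated in the policy version this patch targets, they can go.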
diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc
index 298f066..b54de69 100644
--- a/policy/modules/services/exim.fc
+++ b/policy/modules/services/exim.fc
@@ -1,4 +1,8 @@
+
+/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
+
/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
index 6bef7f8..885cd43 100644
--- a/policy/modules/services/exim.if
+++ b/policy/modules/services/exim.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run exim.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`exim_domtrans',`
@@ -20,6 +20,49 @@ interface(`exim_domtrans',`
########################################
## <summary>
+## Execute the mailman program in the mailman domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the mailman domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_run',`
+ gen_require(`
+ type exim_t;
+ ')
+
+ exim_domtrans($1)
+ role $2 types exim_t;
+')
+
+########################################
+## <summary>
+## Execute exim in the exim domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`exim_initrc_domtrans',`
+ gen_require(`
+ type exim_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, exim_initrc_exec_t)
+')
+
+########################################
+## <summary>
## Do not audit attempts to read,
## exim tmp files
## </summary>
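Review bot: The summary of the new `exim_run` interface reads `Execute the mailman program in the mailman domain.` and its role parameter `The role to allow the mailman domain.`; this was copied from mailman and is wrong for exim. They should read `Execute exim in the exim domain.` and `The role to allow the exim domain.`. The summary of the following `exim_initrc_domtrans`, `Execute exim in the exim domain.`, then becomes ambiguous against it; `Execute exim init scripts in the initrc domain.` describes what `init_labeled_script_domtrans` actually does.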
@@ -101,9 +144,9 @@ interface(`exim_read_log',`
## exim log files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`exim_append_log',`
@@ -194,3 +237,46 @@ interface(`exim_manage_spool_files',`
manage_files_pattern($1, exim_spool_t, exim_spool_t)
files_search_spool($1)
')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an exim environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_admin',`
+ gen_require(`
+ type exim_t, exim_initrc_exec_t, exim_log_t;
+ type exim_tmp_t, exim_spool_t, exim_var_run_t;
+ ')
+
+ allow $1 exim_t:process { ptrace signal_perms };
+ ps_process_pattern($1, exim_t)
+
+ exim_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 exim_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, exim_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, exim_tmp_t)
+
+ files_list_spool($1)
+ admin_pattern($1, exim_spool_t)
+
+ files_list_pids($1)
+ admin_pattern($1, exim_var_run_t)
+')
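Review bot: `exim_admin` takes a role parameter and does `role_transition $2 exim_initrc_exec_t system_r; allow $2 system_r;`, but its header lacks the `<rolecap/>` tag that the other admin interfaces in this patch (`dspam_admin`, `fail2ban_admin`, `fcoemon_admin`) carry. Add `## <rolecap/>` after the role parameter block so the interface is documented consistently with its siblings.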
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index f28f64b..9d0a5db 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -6,24 +6,24 @@ policy_module(exim, 1.5.0)
#
## <desc>
-## <p>
-## Allow exim to connect to databases (postgres, mysql)
-## </p>
+## <p>
+## Allow exim to connect to databases (PostgreSQL, MySQL)
+## </p>
## </desc>
gen_tunable(exim_can_connect_db, false)
## <desc>
-## <p>
-## Allow exim to read unprivileged user files.
-## </p>
+## <p>
+## Allow exim to read unprivileged user files.
+## </p>
## </desc>
gen_tunable(exim_read_user_files, false)
## <desc>
-## <p>
-## Allow exim to create, read, write, and delete
-## unprivileged user files.
-## </p>
+## <p>
+## Allow exim to create, read, write, and delete
+## unprivileged user files.
+## </p>
## </desc>
gen_tunable(exim_manage_user_files, false)
@@ -35,11 +35,14 @@ mta_mailserver_user_agent(exim_t)
application_executable_file(exim_exec_t)
mta_agent_executable(exim_exec_t)
+type exim_initrc_exec_t;
+init_script_file(exim_initrc_exec_t)
+
type exim_log_t;
logging_log_file(exim_log_t)
type exim_spool_t;
-files_type(exim_spool_t)
+files_spool_file(exim_spool_t)
type exim_tmp_t;
files_tmp_file(exim_tmp_t)
@@ -79,7 +82,7 @@ files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
kernel_read_kernel_sysctls(exim_t)
kernel_read_network_state(exim_t)
-kernel_dontaudit_read_system_state(exim_t)
+kernel_read_system_state(exim_t)
corecmd_search_bin(exim_t)
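Review bot: Replacing `kernel_dontaudit_read_system_state(exim_t)` with `kernel_read_system_state(exim_t)` turns a silenced denial into a real grant of read access to kernel and /proc state, and nothing in the hunk records why the MTA now needs it. A one-line why-comment would stop it being flipped back to the dontaudit form later, e.g. `# exim reads /proc for <what it needs> -- TODO confirm`.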
@@ -108,6 +111,7 @@ domain_use_interactive_fds(exim_t)
files_search_usr(exim_t)
files_search_var(exim_t)
+files_read_usr_files(exim_t)
files_read_etc_files(exim_t)
files_read_etc_runtime_files(exim_t)
files_getattr_all_mountpoints(exim_t)
@@ -162,6 +166,10 @@ optional_policy(`
')
optional_policy(`
+ dovecot_stream_connect(exim_t)
+')
+
+optional_policy(`
kerberos_keytab_template(exim, exim_t)
')
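Review bot: The new `dovecot_stream_connect(exim_t)` is unconditional, whereas the database connections further down this file are gated behind `exim_can_connect_db`. If the socket is only used for SASL authentication against a local Dovecot, say so above the rule, e.g. `# SASL authentication via the dovecot auth socket`, and consider a tunable for it; a mail server with no local Dovecot gains nothing from the grant.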
@@ -171,6 +179,10 @@ optional_policy(`
')
optional_policy(`
+ nagios_search_spool(exim_t)
+')
+
+optional_policy(`
tunable_policy(`exim_can_connect_db',`
mysql_stream_connect(exim_t)
')
@@ -184,6 +196,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
+ procmail_read_home_files(exim_t)
')
optional_policy(`
diff --git a/policy/modules/services/fail2ban.fc b/policy/modules/services/fail2ban.fc
index 0de2b83..b93171c 100644
--- a/policy/modules/services/fail2ban.fc
+++ b/policy/modules/services/fail2ban.fc
@@ -1,6 +1,7 @@
/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/usr/bin/fail2ban-client -- gen_context(system_u:object_r:fail2ban_client_exec_t,s0)
/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
index f590a1f..338e5bf 100644
--- a/policy/modules/services/fail2ban.if
+++ b/policy/modules/services/fail2ban.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run fail2ban.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`fail2ban_domtrans',`
@@ -40,6 +40,25 @@ interface(`fail2ban_stream_connect',`
########################################
## <summary>
+## Read and write inherited temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_rw_inherited_tmp_files',`
+ gen_require(`
+ type fail2ban_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Read and write to an fail2ban unix stream socket.
## </summary>
## <param name="domain">
@@ -72,7 +91,7 @@ interface(`fail2ban_read_lib_files',`
')
files_search_var_lib($1)
- allow $1 fail2ban_var_lib_t:file read_file_perms;
+ read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
')
########################################
@@ -102,9 +121,9 @@ interface(`fail2ban_read_log',`
## fail2ban log files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`fail2ban_append_log',`
@@ -138,6 +157,26 @@ interface(`fail2ban_read_pid_files',`
########################################
## <summary>
+## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_leaks',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ dontaudit $1 fail2ban_t:tcp_socket { read write };
+ dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an fail2ban environment
## </summary>
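Review bot: The summary of `fail2ban_dontaudit_leaks` reads `dontaudit read and write an leaked file descriptors`, which is ungrammatical; `Do not audit attempts to read and write leaked fail2ban file descriptors.` matches the style of the file's other summaries. The body silences only `tcp_socket`, `unix_dgram_socket` and `unix_stream_socket` read/write, so the name promises more than it covers; a sentence noting that other object classes are not included would help callers.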
@@ -155,12 +194,13 @@ interface(`fail2ban_read_pid_files',`
#
interface(`fail2ban_admin',`
gen_require(`
- type fail2ban_t, fail2ban_log_t;
- type fail2ban_var_run_t, fail2ban_initrc_exec_t;
+ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
+ type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
+ type fail2ban_client_t;
')
- allow $1 fail2ban_t:process { ptrace signal_perms };
- ps_process_pattern($1, fail2ban_t)
+ allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
domain_system_change_exemption($1)
@@ -172,4 +212,10 @@ interface(`fail2ban_admin',`
files_list_pids($1)
admin_pattern($1, fail2ban_var_run_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, fail2ban_var_lib_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, fail2ban_tmp_t)
')
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index 2a69e5e..35a2c0b 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t)
type fail2ban_var_run_t;
files_pid_file(fail2ban_var_run_t)
+type fail2ban_tmp_t;
+files_tmp_file(fail2ban_tmp_t)
+
+type fail2ban_client_t;
+type fail2ban_client_exec_t;
+init_daemon_domain(fail2ban_client_t, fail2ban_client_exec_t)
+
########################################
#
-# fail2ban local policy
+# fail2ban server local policy
#
-allow fail2ban_t self:capability { sys_tty_config };
+allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
allow fail2ban_t self:process signal;
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
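Review bot: The capability line grows from `sys_tty_config` to `{ dac_read_search dac_override sys_tty_config }` with no comment, and `dac_override` lets the daemon bypass mode bits on every file its type rules already reach. If this is for reading logs with restrictive modes, document it (`# dac_override: read logs not readable by the daemon's uid -- TODO confirm`) and check whether the narrower `dac_read_search` alone is enough. Separately, `fail2ban_client_t` is declared with `init_daemon_domain` although fail2ban-client is an administrator-invoked tool; if the intent is that only the init script runs it, a comment saying so would save the next reader the question.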
@@ -36,7 +43,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
allow fail2ban_t self:tcp_socket create_stream_socket_perms;
# log files
-allow fail2ban_t fail2ban_log_t:dir setattr;
+allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms;
manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
@@ -50,6 +57,11 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
+manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
+
kernel_read_system_state(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
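Review bot: `exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)` together with the `manage_files_pattern` directly above it lets the daemon write a file into /tmp and then execute it, the write-then-exec combination confined daemons are normally kept from. If a specific component needs this, a comment naming it should sit above the exec rule; otherwise prefer to drop the exec rule and let the denial surface so the real requirement can be labeled properly.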
@@ -66,6 +78,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t)
dev_read_urand(fail2ban_t)
domain_use_interactive_fds(fail2ban_t)
+domain_dontaudit_read_all_domains_state(fail2ban_t)
files_read_etc_files(fail2ban_t)
files_read_etc_runtime_files(fail2ban_t)
@@ -94,5 +107,34 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(fail2ban_t)
+')
+
+optional_policy(`
iptables_domtrans(fail2ban_t)
')
+
+optional_policy(`
+ libs_exec_ldconfig(fail2ban_t)
+')
+
+########################################
+#
+# fail2ban client local policy
+#
+
+domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
+
+stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+
+kernel_read_system_state(fail2ban_client_t)
+
+# python
+corecmd_exec_bin(fail2ban_client_t)
+
+# nsswitch.conf, passwd
+files_read_etc_files(fail2ban_client_t)
+files_read_usr_files(fail2ban_client_t)
+files_search_pids(fail2ban_client_t)
+
+miscfiles_read_localization(fail2ban_client_t)
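Review bot: The client section connects to the server with `stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)`, but nothing in the hunk lets `fail2ban_client_t` create its own unix stream socket; `stream_connect_pattern` grants the sock_file write and the `connectto` only, so socket creation will presumably be denied unless an interface outside this view provides it. Add `allow fail2ban_client_t self:unix_stream_socket create_stream_socket_perms;` next to the connect rule. Also `libs_exec_ldconfig(fail2ban_t)` is wrapped in `optional_policy` although the libs module is part of the base policy; harmless, but the other new modules in this patch call libs_* interfaces unwrapped.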
diff --git a/policy/modules/services/fcoemon.fc b/policy/modules/services/fcoemon.fc
new file mode 100644
index 0000000..83279fb
--- /dev/null
+++ b/policy/modules/services/fcoemon.fc
@@ -0,0 +1,5 @@
+
+/usr/sbin/fcoemon -- gen_context(system_u:object_r:fcoemon_exec_t,s0)
+
+/var/run/fcm(/.*)? gen_context(system_u:object_r:fcoemon_var_run_t,s0)
+/var/run/fcoemon\.pid -- gen_context(system_u:object_r:fcoemon_var_run_t,s0)
diff --git a/policy/modules/services/fcoemon.if b/policy/modules/services/fcoemon.if
new file mode 100644
index 0000000..d827274
--- /dev/null
+++ b/policy/modules/services/fcoemon.if
@@ -0,0 +1,91 @@
+
+## <summary>policy for fcoemon</summary>
+
+########################################
+## <summary>
+## Transition to fcoemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fcoemon_domtrans',`
+ gen_require(`
+ type fcoemon_t, fcoemon_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fcoemon_exec_t, fcoemon_t)
+')
+
+
+########################################
+## <summary>
+## Read fcoemon PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fcoemon_read_pid_files',`
+ gen_require(`
+ type fcoemon_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 fcoemon_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Send to a fcoemon unix dgram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fcoemon_dgram_send',`
+ gen_require(`
+ type fcoemon_t;
+ ')
+
+ allow $1 fcoemon_t:unix_dgram_socket sendto;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an fcoemon environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fcoemon_admin',`
+ gen_require(`
+ type fcoemon_t;
+ type fcoemon_var_run_t;
+ ')
+
+ allow $1 fcoemon_t:process { ptrace signal_perms };
+ ps_process_pattern($1, fcoemon_t)
+
+ files_search_pids($1)
+ admin_pattern($1, fcoemon_var_run_t)
+
+')
+
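Review bot: `fcoemon_admin` documents a `role` parameter and carries `<rolecap/>`, but its body never uses `$2`; there is no init-script type in this module to transition through. Either drop the role parameter and the `<rolecap/>` tag from the header, or leave a comment saying why the parameter is reserved. `fcoemon_dgram_send` grants only `sendto` on the daemon's socket; a sentence in its summary noting that the caller still needs its own `unix_dgram_socket` create permissions would help callers.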
diff --git a/policy/modules/services/fcoemon.te b/policy/modules/services/fcoemon.te
new file mode 100644
index 0000000..1f39a80
--- /dev/null
+++ b/policy/modules/services/fcoemon.te
@@ -0,0 +1,46 @@
+policy_module(fcoemon, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type fcoemon_t;
+type fcoemon_exec_t;
+init_daemon_domain(fcoemon_t, fcoemon_exec_t)
+
+type fcoemon_var_run_t;
+files_pid_file(fcoemon_var_run_t)
+
+########################################
+#
+# fcoemon local policy
+#
+
+# dac_override
+# /var/rnn/fcm/fcm_clif socket is owned by root
+allow fcoemon_t self:capability { net_admin dac_override };
+allow fcoemon_t self:capability { kill };
+
+allow fcoemon_t self:fifo_file rw_fifo_file_perms;
+allow fcoemon_t self:unix_stream_socket create_stream_socket_perms;
+allow fcoemon_t self:netlink_socket create_socket_perms;
+allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
+
+manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
+manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
+manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
+files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file sock_file })
+
+files_read_etc_files(fcoemon_t)
+
+dev_read_sysfs(fcoemon_t)
+
+logging_send_syslog_msg(fcoemon_t)
+
+miscfiles_read_localization(fcoemon_t)
+
+optional_policy(`
+ lldpad_dgram_send(fcoemon_t)
+')
+
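Review bot: The comment justifying `dac_override` refers to `/var/rnn/fcm/fcm_clif`, a typo for `/var/run/fcm/fcm_clif` (the .fc labels `/var/run/fcm`). The two capability lines can be one: `allow fcoemon_t self:capability { dac_override kill net_admin };`. The comment's reasoning ("socket is owned by root") only explains the need for dac_override if fcoemon runs under a non-root uid; if it runs as root the override is not needed for a root-owned socket and the grant should be re-checked.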
diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if
index 6537214..7d64c0a 100644
--- a/policy/modules/services/fetchmail.if
+++ b/policy/modules/services/fetchmail.if
@@ -18,6 +18,7 @@ interface(`fetchmail_admin',`
type fetchmail_var_run_t;
')
+ allow $1 fetchmail_t:process { ptrace signal_perms };
ps_process_pattern($1, fetchmail_t)
files_list_etc($1)
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index 3459d93..c39305a 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -88,6 +88,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
userdom_dontaudit_search_user_home_dirs(fetchmail_t)
optional_policy(`
+ kerberos_use(fetchmail_t)
+')
+
+optional_policy(`
procmail_domtrans(fetchmail_t)
')
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index 9b7036a..4770f61 100644
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@@ -66,6 +66,7 @@ term_getattr_all_ttys(fingerd_t)
term_getattr_all_ptys(fingerd_t)
auth_read_lastlog(fingerd_t)
+auth_use_nsswitch(fingerd_t)
corecmd_exec_bin(fingerd_t)
corecmd_exec_shell(fingerd_t)
@@ -83,8 +84,6 @@ logging_send_syslog_msg(fingerd_t)
mta_getattr_spool(fingerd_t)
-sysnet_read_config(fingerd_t)
-
miscfiles_read_localization(fingerd_t)
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
@@ -101,14 +100,6 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(fingerd_t)
-')
-
-optional_policy(`
- nscd_socket_use(fingerd_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(fingerd_t)
')
diff --git a/policy/modules/services/firewalld.fc b/policy/modules/services/firewalld.fc
new file mode 100644
index 0000000..ba9a7a9
--- /dev/null
+++ b/policy/modules/services/firewalld.fc
@@ -0,0 +1,10 @@
+
+/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
+
+
+/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
+
+/var/log/firewalld -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
+
+/var/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0)
+/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0)
diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if
new file mode 100644
index 0000000..84d1768
--- /dev/null
+++ b/policy/modules/services/firewalld.if
@@ -0,0 +1,73 @@
+
+## <summary>policy for firewalld</summary>
+
+
+########################################
+## <summary>
+## Execute a domain transition to run firewalld.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firewalld_domtrans',`
+ gen_require(`
+ type firewalld_t, firewalld_exec_t;
+ ')
+
+ domtrans_pattern($1, firewalld_exec_t, firewalld_t)
+')
+
+
+########################################
+## <summary>
+## Execute firewalld server in the firewalld domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`firewalld_initrc_domtrans',`
+ gen_require(`
+ type firewalld_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an firewalld environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`firewalld_admin',`
+ gen_require(`
+ type firewalld_t;
+ type firewalld_initrc_exec_t;
+ ')
+
+ allow $1 firewalld_t:process { ptrace signal_perms };
+ ps_process_pattern($1, firewalld_t)
+
+ firewalld_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 firewalld_initrc_exec_t system_r;
+ allow $2 system_r;
+
+')
diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
new file mode 100644
index 0000000..8dcd6e4
--- /dev/null
+++ b/policy/modules/services/firewalld.te
@@ -0,0 +1,68 @@
+
+policy_module(firewalld,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type firewalld_t;
+type firewalld_exec_t;
+init_daemon_domain(firewalld_t, firewalld_exec_t)
+
+type firewalld_initrc_exec_t;
+init_script_file(firewalld_initrc_exec_t)
+
+type firewalld_var_log_t;
+logging_log_file(firewalld_var_log_t)
+
+type firewalld_var_run_t;
+files_pid_file(firewalld_var_run_t)
+
+########################################
+#
+# firewalld local policy
+#
+dontaudit firewalld_t self:capability sys_tty_config;
+allow firewalld_t self:fifo_file rw_fifo_file_perms;
+allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
+
+append_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
+create_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
+read_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
+setattr_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
+logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
+
+# should be fixed to cooperate with systemd to create /var/run/firewalld directory
+manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
+files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file })
+
+kernel_read_network_state(firewalld_t)
+kernel_read_system_state(firewalld_t)
+
+corecmd_exec_bin(firewalld_t)
+
+domain_use_interactive_fds(firewalld_t)
+
+files_read_etc_files(firewalld_t)
+files_read_usr_files(firewalld_t)
+
+logging_send_syslog_msg(firewalld_t)
+
+miscfiles_read_localization(firewalld_t)
+
+optional_policy(`
+ dbus_system_domain(firewalld_t, firewalld_exec_t)
+')
+
+optional_policy(`
+ iptables_domtrans(firewalld_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(firewalld_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(firewalld_t)
+')
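Review bot: `modutils_domtrans_insmod(firewalld_t)` and `iptables_domtrans(firewalld_t)` give a daemon that is reachable over the system bus (`dbus_system_domain`, `policykit_dbus_chat`) the ability to load kernel modules and rewrite the firewall, and neither rule says why; a comment naming the feature that needs module loading (netfilter helper modules, presumably) belongs above it. The pid handling also disagrees with the file contexts: `/var/run/firewalld(/.*)?` is labeled `firewalld_var_run_t`, but the policy only manages files and does `files_pid_filetrans(..., { file })`, so the existing systemd comment should state that the directory is expected to be pre-created and labeled by systemd. Minor: `policy_module(firewalld,1.0.0)` lacks the space after the comma used by the other new modules.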
diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if
index ebad8c4..c02062c 100644
--- a/policy/modules/services/fprintd.if
+++ b/policy/modules/services/fprintd.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run fprintd.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`fprintd_domtrans',`
@@ -38,4 +38,3 @@ interface(`fprintd_dbus_chat',`
allow $1 fprintd_t:dbus send_msg;
allow fprintd_t $1:dbus send_msg;
')
-
diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
index 7df52c7..899feaf 100644
--- a/policy/modules/services/fprintd.te
+++ b/policy/modules/services/fprintd.te
@@ -17,9 +17,9 @@ files_type(fprintd_var_lib_t)
# Local policy
#
-allow fprintd_t self:capability sys_ptrace;
+allow fprintd_t self:capability { sys_nice sys_ptrace };
allow fprintd_t self:fifo_file rw_fifo_file_perms;
-allow fprintd_t self:process { getsched signal };
+allow fprintd_t self:process { getsched setsched signal };
manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
@@ -54,4 +54,5 @@ optional_policy(`
policykit_read_lib(fprintd_t)
policykit_dbus_chat(fprintd_t)
policykit_domtrans_auth(fprintd_t)
+ policykit_dbus_chat_auth(fprintd_t)
')
diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
index 69dcd2a..80eefd3 100644
--- a/policy/modules/services/ftp.fc
+++ b/policy/modules/services/ftp.fc
@@ -6,6 +6,9 @@
/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
#
# /usr
#
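Review bot: Both new systemd unit entries (`/lib/systemd/system/vsftpd.*` and `/lib/systemd/system/proftpd.*`) are labeled `iptables_unit_file_t`, which looks like a copy-paste from the iptables module. The same patch declares `ftpd_unit_file_t` in ftp.te and `ftp_systemctl` in ftp.if grants `all_service_perms` on `ftpd_unit_file_t`, so with this labeling the ftp admin interface cannot control these units while any domain allowed to manage iptables units can start and stop the ftp servers. Both lines should end in `gen_context(system_u:object_r:ftpd_unit_file_t,s0)`.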
@@ -29,3 +32,4 @@
/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index 9d3201b..a8ad41e 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -1,5 +1,67 @@
## <summary>File transfer protocol service</summary>
+######################################
+## <summary>
+## Execute a domain transition to run ftpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ftp_domtrans',`
+ gen_require(`
+ type ftpd_t, ftpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1,ftpd_exec_t, ftpd_t)
+
+')
+
+#######################################
+## <summary>
+## Execute ftpd server in the ftpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ftp_initrc_domtrans',`
+ gen_require(`
+ type ftpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute ftpd server in the ftpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ftp_systemctl',`
+ gen_require(`
+ type ftpd_unit_file_t;
+ type ftpd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 ftpd_unit_file_t:file read_file_perms;
+ allow $1 ftpd_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, ftpd_t)
+')
+
#######################################
## <summary>
## Allow domain dyntransition to sftpd_anon domain.
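Review bot: The summary of `ftp_systemctl` repeats the one of `ftp_initrc_domtrans` ("Execute ftpd server in the ftpd domain"), but the interface grants `all_service_perms` on `ftpd_unit_file_t` plus `ps_process_pattern` on `ftpd_t`, i.e. systemctl control of the service rather than a domain transition; a more accurate summary would be `## Allow the specified domain to control the ftpd service with systemctl.`. Two style nits in `ftp_domtrans`: `domtrans_pattern($1,ftpd_exec_t, ftpd_t)` is missing the space after the first comma, and there is a stray blank line before its closing `')`.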
@@ -203,4 +265,6 @@ interface(`ftp_admin',`
logging_list_logs($1)
admin_pattern($1, xferlog_t)
+
+ ftp_systemctl($1)
')
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 8a74a83..3bc14c3 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
## <desc>
## <p>
+## Allow ftp servers to use connect to mysql database
+## </p>
+## </desc>
+gen_tunable(ftpd_connect_db, false)
+
+## <desc>
+## <p>
## Allow ftp to read and write files in the user home directories
## </p>
## </desc>
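Review bot: The description of the new `ftpd_connect_db` tunable reads "Allow ftp servers to use connect to mysql database", which has a typo and is also too narrow, since later in this patch the same tunable gates `postgresql_stream_connect` and `postgresql_tcp_connect` as well. Suggested wording: `## Allow ftp servers to connect to mysql and postgresql databases`.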
@@ -70,6 +77,14 @@ gen_tunable(sftpd_enable_homedirs, false)
## </desc>
gen_tunable(sftpd_full_access, false)
+## <desc>
+## <p>
+## Allow internal-sftp to read and write files
+## in the user ssh home directories.
+## </p>
+## </desc>
+gen_tunable(sftpd_write_ssh_home, false)
+
type anon_sftpd_t;
typealias anon_sftpd_t alias sftpd_anon_t;
domain_type(anon_sftpd_t)
@@ -85,6 +100,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
+type ftpd_unit_file_t;
+systemd_unit_file(ftpd_unit_file_t)
+
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)
@@ -115,6 +133,10 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
')
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
+')
+
########################################
#
# anon-sftp local policy
@@ -122,6 +144,7 @@ ifdef(`enable_mcs',`
files_read_etc_files(anon_sftpd_t)
+miscfiles_read_localization(anon_sftpd_t)
miscfiles_read_public_files(anon_sftpd_t)
tunable_policy(`sftpd_anon_write',`
@@ -133,7 +156,7 @@ tunable_policy(`sftpd_anon_write',`
# ftpd local policy
#
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
+allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
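Review bot: The extended capability set for `ftpd_t` now includes `sys_admin` (alongside `ipc_lock` and `kill`) with no comment saying which server or feature needs it; `sys_admin` is by far the broadest capability and granting it unconditionally to a network-facing daemon deserves a why-comment, e.g. `# sys_admin: needed by <server/feature — TODO confirm from the denial that motivated it>`. If only one of vsftpd/proftpd or only one mode needs it, consider gating it behind a tunable the way `dac_override` is already gated under `allow_ftpd_full_access` in this file.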
@@ -151,7 +174,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
-files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
@@ -163,13 +185,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
-files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
+files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
# proftpd requires the client side to bind a socket so that
# it can stat the socket to perform access control decisions,
# since getsockopt with SO_PEERCRED is not available on all
# proftpd-supported OSs
-allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
+allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
@@ -196,9 +218,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
-corenet_tcp_bind_all_unreserved_ports(ftpd_t)
-corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
-corenet_tcp_connect_all_ports(ftpd_t)
+corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
+corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
corenet_sendrecv_ftp_server_packets(ftpd_t)
domain_use_interactive_fds(ftpd_t)
@@ -212,13 +233,11 @@ fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
fs_search_fusefs(ftpd_t)
-auth_use_nsswitch(ftpd_t)
-auth_domtrans_chk_passwd(ftpd_t)
-# Append to /var/log/wtmp.
-auth_append_login_records(ftpd_t)
+auth_use_pam(ftpd_t)
#kerberized ftp requires the following
auth_write_login_records(ftpd_t)
auth_rw_faillog(ftpd_t)
+auth_manage_var_auth(ftpd_t)
init_rw_utmp(ftpd_t)
@@ -261,7 +280,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
tunable_policy(`allow_ftpd_full_access',`
allow ftpd_t self:capability { dac_override dac_read_search };
- auth_manage_all_files_except_shadow(ftpd_t)
+ files_manage_non_security_files(ftpd_t)
')
tunable_policy(`ftp_home_dir',`
@@ -270,10 +289,13 @@ tunable_policy(`ftp_home_dir',`
# allow access to /home
files_list_home(ftpd_t)
userdom_read_user_home_content_files(ftpd_t)
- userdom_manage_user_home_content_dirs(ftpd_t)
- userdom_manage_user_home_content_files(ftpd_t)
- userdom_manage_user_home_content_symlinks(ftpd_t)
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
+ userdom_manage_user_home_content(ftpd_t)
+ userdom_manage_user_tmp_files(ftpd_t)
+ userdom_tmp_filetrans_user_tmp(ftpd_t, file)
+',`
+ # Needed for permissive mode, to make sure everything gets labeled correctly
+ userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
+ files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
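Review bot: Moving `files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })` into the else branch of `ftp_home_dir` (together with its removal from the unconditional rules in the earlier hunk) means that when the tunable is on, only files get a transition in /tmp (to `user_tmp_t` via `userdom_tmp_filetrans_user_tmp`), and directories ftpd creates there appear to be left with the default label. The file part presumably had to move to avoid two type_transition rules on the same source/target/class, but the directory part does not conflict; keeping `files_tmp_filetrans(ftpd_t, ftpd_tmp_t, dir)` outside the tunable (and `file` only in the else branch) would preserve labeling of ftpd's temp directories in both configurations. Worth confirming against the denials that motivated the change.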
@@ -309,6 +331,10 @@ optional_policy(`
')
optional_policy(`
+ fail2ban_read_lib_files(ftpd_t)
+')
+
+optional_policy(`
selinux_validate_context(ftpd_t)
kerberos_keytab_template(ftpd, ftpd_t)
@@ -316,6 +342,25 @@ optional_policy(`
')
optional_policy(`
+ tunable_policy(`ftpd_connect_db',`
+ mysql_stream_connect(ftpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`ftpd_connect_db',`
+ postgresql_stream_connect(ftpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`ftpd_connect_db',`
+ mysql_tcp_connect(ftpd_t)
+ postgresql_tcp_connect(ftpd_t)
+ ')
+')
+
+optional_policy(`
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
optional_policy(`
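Review bot: The third new `optional_policy` block calls both `mysql_tcp_connect(ftpd_t)` and `postgresql_tcp_connect(ftpd_t)`; since an optional block is dropped whenever any of its requirements is unmet, the TCP connect rules for both databases silently disappear unless both modules are loaded. Move `mysql_tcp_connect(ftpd_t)` into the first block next to `mysql_stream_connect(ftpd_t)` and `postgresql_tcp_connect(ftpd_t)` into the second next to `postgresql_stream_connect(ftpd_t)`, and delete the combined block.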
@@ -347,16 +392,17 @@ optional_policy(`
# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
+files_search_pids(ftpdctl_t)
# ftpdctl creates a socket so that the daemon can perform
# access control decisions (see comments in ftpd_t rules above)
-allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
+allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
# Allow ftpdctl to read config files
files_read_etc_files(ftpdctl_t)
-userdom_use_user_terminals(ftpdctl_t)
+userdom_use_inherited_user_terminals(ftpdctl_t)
########################################
#
@@ -365,18 +411,33 @@ userdom_use_user_terminals(ftpdctl_t)
files_read_etc_files(sftpd_t)
+miscfiles_read_localization(sftpd_t)
+
# allow read access to /home by default
userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t)
+userdom_dontaudit_list_admin_dir(sftpd_t)
+
+tunable_policy(`sftpd_full_access',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
+ files_manage_non_security_files(sftpd_t)
+')
+
+tunable_policy(`sftpd_write_ssh_home',`
+ ssh_manage_home_files(sftpd_t)
+')
tunable_policy(`sftpd_enable_homedirs',`
allow sftpd_t self:capability { dac_override dac_read_search };
# allow access to /home
files_list_home(sftpd_t)
- userdom_manage_user_home_content_files(sftpd_t)
- userdom_manage_user_home_content_dirs(sftpd_t)
- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
+ userdom_read_user_home_content_files(sftpd_t)
+ userdom_manage_user_home_content(sftpd_t)
+',`
+ # Needed for permissive mode, to make sure everything gets labeled correctly
+ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
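Review bot: The `tunable_policy(`sftpd_full_access',` block added here (`dac_override dac_read_search`, `fs_read_noxattr_fs_files`, `files_manage_non_security_files`) is identical to the `sftpd_full_access` block that already exists further down in this file, which the @@ -394 hunk of this same patch updates to the same three rules. The duplicate compiles to the same rules, so it is harmless, but it will confuse the next person auditing what `sftpd_full_access` grants; drop the newly added copy.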
@@ -394,7 +455,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
- auth_manage_all_files_except_shadow(sftpd_t)
+ files_manage_non_security_files(sftpd_t)
')
tunable_policy(`use_samba_home_dirs',`
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index 99a94de..6dbc203 100644
--- a/policy/modules/services/gatekeeper.te
+++ b/policy/modules/services/gatekeeper.te
@@ -33,7 +33,7 @@ allow gatekeeper_t self:fifo_file rw_fifo_file_perms;
allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
allow gatekeeper_t self:udp_socket create_socket_perms;
-allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
+allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms;
allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
files_search_etc(gatekeeper_t)
diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 54f0737..44a9663 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -1,3 +1,17 @@
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0)
+HOME_DIR/\.gitaliases -- gen_context(system_u:object_r:git_session_content_t,s0)
+HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0)
+
+/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0)
+
+/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
+
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0)
+
/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/git/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/gitweb-caching/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
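Review bot: The two new `gitweb\.cgi` entries have no file-type field, unlike the `/var/www/cgi-bin/cgit --` entry above them, so they would match a directory or symlink of that name as well as the regular file and label it `httpd_git_script_exec_t`. Add `--` to both, e.g. `/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)`.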
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 458aac6..8e83609 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -1 +1,539 @@
-## <summary>GIT revision control system</summary>
+## <summary>Fast Version Control System.</summary>
+## <desc>
+## <p>
+## A really simple TCP git daemon that normally listens on
+## port DEFAULT_GIT_PORT aka 9418. It waits for a
+## connection asking for a service, and will serve that
+## service if it is enabled.
+## </p>
+## </desc>
+
+#######################################
+## <summary>
+## Role access for Git daemon session.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`git_session_role',`
+ gen_require(`
+ type git_session_t, gitd_exec_t, git_session_content_t;
+ ')
+
+ ########################################
+ #
+ # Git daemon session shared declarations.
+ #
+
+ role $1 types git_session_t;
+
+ ########################################
+ #
+ # Git daemon session shared policy.
+ #
+
+ domtrans_pattern($2, gitd_exec_t, git_session_t)
+
+ allow $2 git_session_t:process { ptrace signal_perms };
+ ps_process_pattern($2, git_session_t)
+')
+
+########################################
+## <summary>
+## Create a set of derived types for Git
+## daemon shared repository content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`git_content_template',`
+ gen_require(`
+ attribute git_system_content, git_content;
+ ')
+
+ ########################################
+ #
+ # Git daemon content shared declarations.
+ #
+
+ type git_$1_content_t, git_system_content, git_content;
+ files_type(git_$1_content_t)
+')
+
+########################################
+## <summary>
+## Create a set of derived types for Git
+## daemon shared repository roles.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`git_role_template',`
+ gen_require(`
+ class context contains;
+ role system_r;
+ ')
+
+ ########################################
+ #
+ # Git daemon role shared declarations.
+ #
+
+ attribute $1_usertype;
+
+ type $1_t;
+ userdom_unpriv_usertype($1, $1_t)
+ domain_type($1_t)
+
+ role $1_r types $1_t;
+ allow system_r $1_r;
+
+ ########################################
+ #
+ # Git daemon role shared policy.
+ #
+
+ allow $1_t self:context contains;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+
+ corecmd_exec_bin($1_t)
+ corecmd_bin_entry_type($1_t)
+ corecmd_shell_entry_type($1_t)
+
+ domain_interactive_fd($1_t)
+ domain_user_exemption_target($1_t)
+
+ kernel_read_system_state($1_t)
+
+ files_read_etc_files($1_t)
+ files_dontaudit_search_home($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ git_rwx_generic_system_content($1_t)
+
+ ssh_rw_stream_sockets($1_t)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1_t)
+ fs_manage_cifs_dirs($1_t)
+ fs_manage_cifs_files($1_t)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1_t)
+ fs_manage_nfs_dirs($1_t)
+ fs_manage_nfs_files($1_t)
+ ')
+
+ optional_policy(`
+ nscd_read_pid($1_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Allow specified domain access to the
+## specified Git daemon content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## Type of the object that access is allowed to.
+## </summary>
+## </param>
+#
+interface(`git_content_delegation',`
+ gen_require(`
+ type $1, $2;
+ ')
+
+ exec_files_pattern($1, $2, $2)
+ manage_dirs_pattern($1, $2, $2)
+ manage_files_pattern($1, $2, $2)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## and execute all Git daemon content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_rwx_all_content',`
+ gen_require(`
+ attribute git_content;
+ ')
+
+ exec_files_pattern($1, git_content, git_content)
+ manage_dirs_pattern($1, git_content, git_content)
+ manage_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_exec_cifs_files($1)
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## and execute all Git daemon system content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_rwx_all_system_content',`
+ gen_require(`
+ attribute git_system_content;
+ ')
+
+ exec_files_pattern($1, git_system_content, git_system_content)
+ manage_dirs_pattern($1, git_system_content, git_system_content)
+ manage_files_pattern($1, git_system_content, git_system_content)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## and execute Git daemon generic system content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_rwx_generic_system_content',`
+ gen_require(`
+ type git_system_content_t;
+ ')
+
+ exec_files_pattern($1, git_system_content_t, git_system_content_t)
+ manage_dirs_pattern($1, git_system_content_t, git_system_content_t)
+ manage_files_pattern($1, git_system_content_t, git_system_content_t)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## all Git daemon content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_read_all_content_files',`
+ gen_require(`
+ attribute git_content;
+ ')
+
+ list_dirs_pattern($1, git_content, git_content)
+ read_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## Git daemon session content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_read_session_content_files',`
+ gen_require(`
+ type git_session_content_t;
+ ')
+
+ list_dirs_pattern($1, git_session_content_t, git_session_content_t)
+ read_files_pattern($1, git_session_content_t, git_session_content_t)
+ userdom_search_user_home_dirs($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+')
+
+#######################################
+## <summary>
+## Dontaudit the specified domain to read
+## Git daemon session content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`git_dontaudit_read_session_content_files',`
+ gen_require(`
+ type git_session_content_t;
+ ')
+
+ dontaudit $1 git_session_content_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## all Git daemon system content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_read_all_system_content_files',`
+ gen_require(`
+ attribute git_system_content;
+ ')
+
+ list_dirs_pattern($1, git_system_content, git_system_content)
+ read_files_pattern($1, git_system_content, git_system_content)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## Git daemon generic system content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_read_generic_system_content_files',`
+ gen_require(`
+ type git_system_content_t;
+ ')
+
+ list_dirs_pattern($1, git_system_content_t, git_system_content_t)
+ read_files_pattern($1, git_system_content_t, git_system_content_t)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Allow the specified domain to relabel
+## all Git daemon content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_relabel_all_content',`
+ gen_require(`
+ attribute git_content;
+ ')
+
+ relabel_dirs_pattern($1, git_content, git_content)
+ relabel_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to relabel
+## all Git daemon system content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_relabel_all_system_content',`
+ gen_require(`
+ attribute git_system_content;
+ ')
+
+ relabel_dirs_pattern($1, git_system_content, git_system_content)
+ relabel_files_pattern($1, git_system_content, git_system_content)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to relabel
+## Git daemon generic system content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_relabel_generic_system_content',`
+ gen_require(`
+ type git_system_content_t;
+ ')
+
+ relabel_dirs_pattern($1, git_system_content_t, git_system_content_t)
+ relabel_files_pattern($1, git_system_content_t, git_system_content_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to relabel
+## Git daemon session content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_relabel_session_content',`
+ gen_require(`
+ type git_session_content_t;
+ ')
+
+ relabel_dirs_pattern($1, git_session_content_t, git_session_content_t)
+ relabel_files_pattern($1, git_session_content_t, git_session_content_t)
+ userdom_search_user_home_dirs($1)
+')
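Review bot: `git_content_delegation` requires `type $1, $2;` in its `gen_require`, so the caller's domain argument must be a declared type and the interface would fail to link when called with an attribute; no other interface in this file requires its `$1` argument, and only the content type is needed, so this should be `type $2;`. Separately, the summary of `git_content_template` says it creates "a set of derived types" while the template declares exactly one (`git_$1_content_t`); `## Create a derived type for Git daemon shared repository content.` would match what it does.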
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
index 7382f85..2ef543c 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -1,8 +1,197 @@
-policy_module(git, 1.0)
+policy_module(git, 1.0.3)
+
+## <desc>
+## <p>
+## Allow Git daemon system to search home directories.
+## </p>
+## </desc>
+gen_tunable(git_system_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Allow Git daemon system to access cifs file systems.
+## </p>
+## </desc>
+gen_tunable(git_system_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow Git daemon system to access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(git_system_use_nfs, false)
########################################
#
-# Declarations
+# Git daemon global private declarations.
+#
+
+attribute git_domains;
+attribute git_system_content;
+attribute git_content;
+
+type gitd_exec_t;
+application_executable_file(gitd_exec_t)
+
+role git_shell_r;
+
+########################################
#
+# Git daemon system private declarations.
+#
+
+type git_system_t, git_domains;
+inetd_service_domain(git_system_t, gitd_exec_t)
+role system_r types git_system_t;
+
+type git_system_content_t, git_system_content, git_content;
+files_type(git_system_content_t)
+typealias git_system_content_t alias git_data_t;
+
+########################################
+#
+# Git daemon session private declarations.
+#
+
+## <desc>
+## <p>
+## Allow Git daemon session to bind
+## tcp sockets to all unreserved ports.
+## </p>
+## </desc>
+gen_tunable(git_session_bind_all_unreserved_ports, false)
+
+type git_session_t, git_domains;
+application_domain(git_session_t, gitd_exec_t)
+ubac_constrained(git_session_t)
+
+type git_session_content_t, git_content;
+userdom_user_home_content(git_session_content_t)
+
+########################################
+#
+# Git daemon global private policy.
+#
+
+allow git_domains self:fifo_file rw_fifo_file_perms;
+allow git_domains self:netlink_route_socket create_netlink_socket_perms;
+allow git_domains self:tcp_socket create_socket_perms;
+allow git_domains self:udp_socket create_socket_perms;
+allow git_domains self:unix_dgram_socket create_socket_perms;
+
+corenet_all_recvfrom_netlabel(git_domains)
+corenet_all_recvfrom_unlabeled(git_domains)
+corenet_tcp_bind_generic_node(git_domains)
+corenet_tcp_sendrecv_generic_if(git_domains)
+corenet_tcp_sendrecv_generic_node(git_domains)
+corenet_tcp_sendrecv_generic_port(git_domains)
+corenet_tcp_bind_git_port(git_domains)
+corenet_sendrecv_git_server_packets(git_domains)
+
+corecmd_exec_bin(git_domains)
+
+files_read_etc_files(git_domains)
+files_read_usr_files(git_domains)
+
+fs_search_auto_mountpoints(git_domains)
+
+kernel_read_system_state(git_domains)
+
+logging_send_syslog_msg(git_domains)
+
+miscfiles_read_localization(git_domains)
+
+sysnet_read_config(git_domains)
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(git_domains)
+')
-apache_content_template(git)
+optional_policy(`
+ nis_use_ypbind(git_domains)
+')
+
+########################################
+#
+# Git daemon system repository private policy.
+#
+
+list_dirs_pattern(git_system_t, git_content, git_content)
+read_files_pattern(git_system_t, git_content, git_content)
+files_search_var_lib(git_system_t)
+
+auth_use_nsswitch(git_system_t)
+
+tunable_policy(`git_system_enable_homedirs',`
+ userdom_search_user_home_dirs(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
+ fs_list_cifs(git_system_t)
+ fs_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs(git_system_t)
+ fs_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
+')
+
+########################################
+#
+# Git daemon session repository private policy.
+#
+
+allow git_session_t self:tcp_socket { accept listen };
+
+auth_use_nsswitch(git_session_t)
+
+list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
+read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
+userdom_search_user_home_dirs(git_session_t)
+
+userdom_use_inherited_user_terminals(git_session_t)
+
+tunable_policy(`git_session_bind_all_unreserved_ports',`
+ corenet_tcp_bind_all_unreserved_ports(git_session_t)
+ corenet_sendrecv_generic_server_packets(git_session_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(git_session_t)
+ fs_read_nfs_files(git_session_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(git_session_t)
+ fs_read_cifs_files(git_session_t)
+')
+
+########################################
+#
+# cgi git Declarations
+#
+
+optional_policy(`
+ apache_content_template(git)
+ git_read_all_content_files(httpd_git_script_t)
+ files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+
+ auth_use_nsswitch(httpd_git_script_t)
+')
+
+########################################
+#
+# Git-shell private policy.
+#
+git_role_template(git_shell)
+gen_user(git_shell_u, user, git_shell_r, s0, s0)
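Review bot: The "Git-shell private policy" section introduces a new SELinux login user (`git_shell_u`) and role via `git_role_template(git_shell)` with no comment on what accounts it is meant for, which matters because it is the only `gen_user` in this module and its role is allowed from `system_r`. The template grants `corecmd_shell_entry_type`, `ssh_rw_stream_sockets` and `git_rwx_generic_system_content`, which suggests accounts whose login shell is git-shell reaching repositories over ssh; a comment such as `# git_shell_u: SELinux user for accounts logging in with git-shell; confined to git_shell_t with rwx access to git_system_content_t only — TODO confirm intended mapping` above the `gen_user` line would document that. The tunable comments above also say "Git daemon system" where the rules apply to `git_system_t`; naming the domain in those descriptions would help readers map them.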
diff --git a/policy/modules/services/glance.fc b/policy/modules/services/glance.fc
new file mode 100644
index 0000000..7d27335
--- /dev/null
+++ b/policy/modules/services/glance.fc
@@ -0,0 +1,14 @@
+
+/usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0)
+
+/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0)
+
+/var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0)
+
+/var/log/glance(/.*)? gen_context(system_u:object_r:glance_log_t,s0)
+
+/var/run/glance(/.*)? gen_context(system_u:object_r:glance_var_run_t,s0)
+
+/etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)
+
+/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
diff --git a/policy/modules/services/glance.if b/policy/modules/services/glance.if
new file mode 100644
index 0000000..3b1870a
--- /dev/null
+++ b/policy/modules/services/glance.if
@@ -0,0 +1,272 @@
+
+## <summary>policy for glance</summary>
+
+
+########################################
+## <summary>
+## Transition to glance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`glance_domtrans_registry',`
+ gen_require(`
+ type glance_registry_t, glance_registry_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, glance_registry_exec_t, glance_registry_t)
+')
+
+########################################
+## <summary>
+## Transition to glance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`glance_domtrans_api',`
+ gen_require(`
+ type glance_api_t, glance_api_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, glance_api_exec_t, glance_api_t)
+')
+
+
+########################################
+## <summary>
+## Read glance's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glance_read_log',`
+ gen_require(`
+ type glance_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, glance_log_t, glance_log_t)
+')
+
+########################################
+## <summary>
+## Append to glance log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_append_log',`
+ gen_require(`
+ type glance_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, glance_log_t, glance_log_t)
+')
+
+########################################
+## <summary>
+## Manage glance log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_manage_log',`
+ gen_require(`
+ type glance_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, glance_log_t, glance_log_t)
+ manage_files_pattern($1, glance_log_t, glance_log_t)
+ manage_lnk_files_pattern($1, glance_log_t, glance_log_t)
+')
+
+########################################
+## <summary>
+## Search glance lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_search_lib',`
+ gen_require(`
+ type glance_var_lib_t;
+ ')
+
+ allow $1 glance_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read glance lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_read_lib_files',`
+ gen_require(`
+ type glance_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage glance lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_manage_lib_files',`
+ gen_require(`
+ type glance_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage glance lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_manage_lib_dirs',`
+ gen_require(`
+ type glance_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, glance_var_lib_t, glance_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## Read glance PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_read_pid_files',`
+ gen_require(`
+ type glance_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, glance_var_run_t, glance_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage glance PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_manage_pid_files',`
+ gen_require(`
+ type glance_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, glance_var_run_t, glance_var_run_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an glance environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glance_admin',`
+ gen_require(`
+ type glance_registry_t;
+ type glance_api_t;
+ type glance_log_t;
+ type glance_var_lib_t;
+ type glance_var_run_t;
+ type glance_registry_initrc_exec_t;
+ type glance_api_initrc_exec_t;
+ ')
+
+ allow $1 glance_registry_t:process { ptrace signal_perms };
+ ps_process_pattern($1, glance_registry_t)
+
+ allow $1 glance_api_t:process { ptrace signal_perms };
+ ps_process_pattern($1, glance_api_t)
+
+ init_labeled_script_domtrans($1, glance_registry_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 glance_registry_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ init_labeled_script_domtrans($1, glance_api_initrc_exec_t)
+ role_transition $2 glance_api_initrc_exec_t system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, glance_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, glance_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, glance_var_run_t)
+
+')
+
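Review bot: glance_admin grants admin_pattern on the log, lib and pid types but not on the two tmp types this same patch declares in glance.te (glance_registry_tmp_t and glance_tmp_t), so an administrator given this interface cannot clean up the daemons' /tmp files. Add `type glance_tmp_t, glance_registry_tmp_t;` to the gen_require block and `files_list_tmp($1)` followed by `admin_pattern($1, { glance_tmp_t glance_registry_tmp_t })` next to the other admin_pattern calls. Separately, glance_domtrans_registry and glance_domtrans_api both carry the summary "Transition to glance.", which does not tell a reader which domain is entered; name it in each, e.g. `## Execute glance-registry in the glance_registry_t domain.` and the equivalent for glance_api_t.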
diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
new file mode 100644
index 0000000..3d67b98
--- /dev/null
+++ b/policy/modules/services/glance.te
@@ -0,0 +1,131 @@
+policy_module(glance, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type glance_registry_t;
+type glance_registry_exec_t;
+init_daemon_domain(glance_registry_t, glance_registry_exec_t)
+
+type glance_registry_initrc_exec_t;
+init_script_file(glance_registry_initrc_exec_t)
+
+type glance_registry_tmp_t;
+files_tmp_file(glance_registry_tmp_t)
+
+type glance_api_t;
+type glance_api_exec_t;
+init_daemon_domain(glance_api_t, glance_api_exec_t)
+
+type glance_api_initrc_exec_t;
+init_script_file(glance_api_initrc_exec_t)
+
+type glance_log_t;
+logging_log_file(glance_log_t)
+
+type glance_var_lib_t;
+files_type(glance_var_lib_t)
+
+type glance_tmp_t;
+files_tmp_file(glance_tmp_t)
+
+type glance_var_run_t;
+files_pid_file(glance_var_run_t)
+
+########################################
+#
+# glance-registry local policy
+#
+
+allow glance_registry_t self:fifo_file rw_fifo_file_perms;
+allow glance_registry_t self:unix_stream_socket create_stream_socket_perms;
+allow glance_registry_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
+manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
+files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
+
+manage_dirs_pattern(glance_registry_t, glance_log_t, glance_log_t)
+manage_files_pattern(glance_registry_t, glance_log_t, glance_log_t)
+logging_log_filetrans(glance_registry_t, glance_log_t, { dir file })
+
+manage_dirs_pattern(glance_registry_t, glance_var_lib_t, glance_var_lib_t)
+manage_files_pattern(glance_registry_t, glance_var_lib_t, glance_var_lib_t)
+files_var_lib_filetrans(glance_registry_t, glance_var_lib_t, { dir file })
+
+manage_dirs_pattern(glance_registry_t, glance_var_run_t, glance_var_run_t)
+manage_files_pattern(glance_registry_t, glance_var_run_t, glance_var_run_t)
+files_pid_filetrans(glance_registry_t, glance_var_run_t, { dir file })
+
+kernel_read_system_state(glance_registry_t)
+
+corecmd_exec_bin(glance_registry_t)
+
+corenet_tcp_bind_generic_node(glance_registry_t)
+corenet_tcp_bind_glance_registry_port(glance_registry_t)
+
+dev_read_urand(glance_registry_t)
+
+domain_use_interactive_fds(glance_registry_t)
+
+files_read_etc_files(glance_registry_t)
+files_read_usr_files(glance_registry_t)
+
+miscfiles_read_localization(glance_registry_t)
+
+sysnet_dns_name_resolve(glance_registry_t)
+
+########################################
+#
+# glance-api local policy
+#
+
+allow glance_api_t self:fifo_file rw_fifo_file_perms;
+allow glance_api_t self:unix_stream_socket create_stream_socket_perms;
+allow glance_api_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
+can_exec(glance_api_t, glance_tmp_t)
+
+manage_dirs_pattern(glance_api_t, glance_log_t, glance_log_t)
+manage_files_pattern(glance_api_t, glance_log_t, glance_log_t)
+logging_log_filetrans(glance_api_t, glance_log_t, { dir file })
+
+manage_dirs_pattern(glance_api_t, glance_var_lib_t, glance_var_lib_t)
+manage_files_pattern(glance_api_t, glance_var_lib_t, glance_var_lib_t)
+files_var_lib_filetrans(glance_api_t, glance_var_lib_t, { dir file })
+
+manage_dirs_pattern(glance_api_t, glance_var_run_t, glance_var_run_t)
+manage_files_pattern(glance_api_t, glance_var_run_t, glance_var_run_t)
+files_pid_filetrans(glance_api_t, glance_var_run_t, { dir file })
+
+kernel_read_system_state(glance_api_t)
+
+corecmd_exec_bin(glance_api_t)
+corecmd_exec_shell(glance_api_t)
+
+corenet_tcp_bind_generic_node(glance_api_t)
+corenet_tcp_bind_hplip_port(glance_api_t)
+
+dev_read_urand(glance_api_t)
+
+fs_getattr_xattr_fs(glance_api_t)
+
+domain_use_interactive_fds(glance_api_t)
+
+files_read_etc_files(glance_api_t)
+files_read_usr_files(glance_api_t)
+
+libs_exec_ldconfig(glance_api_t)
+
+miscfiles_read_localization(glance_api_t)
+
+sysnet_read_config(glance_api_t)
+
+sysnet_dns_name_resolve(glance_api_t)
+
+
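Review bot: glance_api_t is allowed to bind the hplip port (`corenet_tcp_bind_hplip_port(glance_api_t)`) while glance_registry_t gets its own `corenet_tcp_bind_glance_registry_port`, and nothing explains the asymmetry. Presumably glance-api's listening port is one corenetwork already labels for hplip, but borrowing another service's port type means every rule written for hplip's port now also describes glance-api, and a future reader will take the line for a mistake. Either declare a dedicated glance port in corenetwork and use `corenet_tcp_bind_glance_port(glance_api_t)`, or at least put a comment above the rule naming the port number and why the hplip label is shared. Also `can_exec(glance_api_t, glance_tmp_t)` lets the daemon execute files it can itself create in /tmp; a comment saying what glance-api runs from there would let a reviewer judge whether the write+exec combination is still needed.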
diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc
index 462de63..5df751b 100644
--- a/policy/modules/services/gnomeclock.fc
+++ b/policy/modules/services/gnomeclock.fc
@@ -1,2 +1,6 @@
+
/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
+/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
diff --git a/policy/modules/services/gnomeclock.if b/policy/modules/services/gnomeclock.if
index 671d8fd..25c7ab8 100644
--- a/policy/modules/services/gnomeclock.if
+++ b/policy/modules/services/gnomeclock.if
@@ -63,3 +63,24 @@ interface(`gnomeclock_dbus_chat',`
allow $1 gnomeclock_t:dbus send_msg;
allow gnomeclock_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Do not audit send and receive messages from
+## gnomeclock over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gnomeclock_dontaudit_dbus_chat',`
+ gen_require(`
+ type gnomeclock_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 gnomeclock_t:dbus send_msg;
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
index 4fde46b..ab59945 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
@@ -9,24 +9,31 @@ type gnomeclock_t;
type gnomeclock_exec_t;
dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+systemd_systemctl_domain(gnomeclock)
+
########################################
#
# gnomeclock local policy
#
allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
-allow gnomeclock_t self:process { getattr getsched };
+allow gnomeclock_t self:process { getattr getsched signal };
allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+kernel_read_system_state(gnomeclock_t)
+
corecmd_exec_bin(gnomeclock_t)
+corecmd_exec_shell(gnomeclock_t)
+corecmd_dontaudit_access_check_bin(gnomeclock_t)
files_read_etc_files(gnomeclock_t)
+files_read_etc_runtime_files(gnomeclock_t)
files_read_usr_files(gnomeclock_t)
-auth_use_nsswitch(gnomeclock_t)
+fs_getattr_xattr_fs(gnomeclock_t)
-clock_domtrans(gnomeclock_t)
+auth_use_nsswitch(gnomeclock_t)
miscfiles_read_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
@@ -35,12 +42,52 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
+ chronyd_systemctl(gnomeclock_t)
+')
+
+optional_policy(`
+ clock_domtrans(gnomeclock_t)
+')
+
+optional_policy(`
consolekit_dbus_chat(gnomeclock_t)
')
optional_policy(`
+ consoletype_exec(gnomeclock_t)
+')
+
+optional_policy(`
+ gnome_manage_usr_config(gnomeclock_t)
+')
+
+optional_policy(`
+ ntp_domtrans_ntpdate(gnomeclock_t)
+ ntp_initrc_domtrans(gnomeclock_t)
+ init_dontaudit_getattr_all_script_files(gnomeclock_t)
+ ntp_systemctl(gnomeclock_t)
+')
+
+optional_policy(`
policykit_dbus_chat(gnomeclock_t)
policykit_domtrans_auth(gnomeclock_t)
policykit_read_lib(gnomeclock_t)
policykit_read_reload(gnomeclock_t)
')
+
+#######################################
+#
+# gnomeclock systemctl local policy
+#
+
+files_dontaudit_remove_etc_dir(gnomeclock_systemctl_t)
+files_manage_etc_symlinks(gnomeclock_systemctl_t)
+
+miscfiles_read_localization(gnomeclock_systemctl_t)
+
+systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t)
+
+optional_policy(`
+ ntp_read_unit_file(gnomeclock_systemctl_t)
+ ntp_read_state(gnomeclock_systemctl_t)
+')
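Review bot: `files_manage_etc_symlinks(gnomeclock_systemctl_t)` lets the systemctl helper domain create, delete and re-point any etc_t symlink, which is far wider than the single symlink it presumably needs (I would guess /etc/localtime for timezone changes, but the hunk does not say). If that guess is right, a dedicated type with a filetrans on the link would be tighter; at minimum add `# systemctl helper rewrites the /etc/localtime symlink` above the rule so the intended scope is recorded. The neighbouring `files_dontaudit_remove_etc_dir(gnomeclock_systemctl_t)` raises the same "which directory?" question and should get a one-line comment as well.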
diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
index 7d97298..d6b2959 100644
--- a/policy/modules/services/gpm.if
+++ b/policy/modules/services/gpm.if
@@ -16,8 +16,8 @@ interface(`gpm_stream_connect',`
type gpmctl_t, gpm_t;
')
- allow $1 gpmctl_t:sock_file rw_sock_file_perms;
- allow $1 gpm_t:unix_stream_socket connectto;
+ dev_list_all_dev_nodes($1)
+ stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t)
')
########################################
@@ -37,7 +37,7 @@ interface(`gpm_getattr_gpmctl',`
')
dev_list_all_dev_nodes($1)
- allow $1 gpmctl_t:sock_file getattr;
+ allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
')
########################################
@@ -57,7 +57,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
type gpmctl_t;
')
- dontaudit $1 gpmctl_t:sock_file getattr;
+ dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
')
########################################
@@ -77,5 +77,5 @@ interface(`gpm_setattr_gpmctl',`
')
dev_list_all_dev_nodes($1)
- allow $1 gpmctl_t:sock_file setattr;
+ allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
')
diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te
index a627b34..c4cfc6d 100644
--- a/policy/modules/services/gpm.te
+++ b/policy/modules/services/gpm.te
@@ -10,7 +10,7 @@ type gpm_exec_t;
init_daemon_domain(gpm_t, gpm_exec_t)
type gpm_conf_t;
-files_type(gpm_conf_t)
+files_config_file(gpm_conf_t)
type gpm_tmp_t;
files_tmp_file(gpm_tmp_t)
@@ -69,6 +69,7 @@ miscfiles_read_localization(gpm_t)
userdom_dontaudit_use_unpriv_user_fds(gpm_t)
userdom_dontaudit_search_user_home_dirs(gpm_t)
+userdom_use_inherited_user_terminals(gpm_t)
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
index 03742d8..b28c4f9 100644
--- a/policy/modules/services/gpsd.te
+++ b/policy/modules/services/gpsd.te
@@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t)
# gpsd local policy
#
-allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };
-allow gpsd_t self:process setsched;
+allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
+dontaudit gpsd_t self:capability { dac_read_search dac_override sys_ptrace };
+allow gpsd_t self:process { setsched signal_perms };
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
allow gpsd_t self:tcp_socket create_stream_socket_perms;
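Review bot: No comment records why gpsd_t now needs the sys_time capability, nor why dac_read_search, dac_override and sys_ptrace denials are silenced, and together with `dev_rw_realtime_clock(gpsd_t)` in the following hunk this is a noticeable privilege step for the daemon. Presumably sys_time is for gpsd disciplining the system clock from the GPS or PPS reference; if so, write it down, e.g. `# sys_time and /dev/rtc: gpsd can set the system clock from the GPS/PPS source` above the capability line. The dontaudit line deserves its own one-liner naming the access being hidden, since a sys_ptrace or dac_override denial from gpsd would otherwise be a useful signal that something is wrong.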
@@ -38,14 +39,21 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
+kernel_list_proc(gpsd_t)
+
corenet_all_recvfrom_unlabeled(gpsd_t)
corenet_all_recvfrom_netlabel(gpsd_t)
corenet_tcp_sendrecv_generic_if(gpsd_t)
corenet_tcp_sendrecv_generic_node(gpsd_t)
corenet_tcp_sendrecv_all_ports(gpsd_t)
-corenet_tcp_bind_all_nodes(gpsd_t)
+corenet_tcp_bind_generic_node(gpsd_t)
corenet_tcp_bind_gpsd_port(gpsd_t)
+dev_read_sysfs(gpsd_t)
+dev_rw_realtime_clock(gpsd_t)
+
+domain_dontaudit_read_all_domains_state(gpsd_t)
+
term_use_unallocated_ttys(gpsd_t)
term_setattr_unallocated_ttys(gpsd_t)
@@ -56,6 +64,12 @@ logging_send_syslog_msg(gpsd_t)
miscfiles_read_localization(gpsd_t)
optional_policy(`
+ chronyd_rw_shm(gpsd_t)
+ chronyd_stream_connect(gpsd_t)
+ chronyd_dgram_send(gpsd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(gpsd_t)
')
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index 2d0b4e1..1e40c00 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -91,7 +91,7 @@ template(`hadoop_domain_template',`
corenet_all_recvfrom_unlabeled(hadoop_$1_t)
corenet_all_recvfrom_netlabel(hadoop_$1_t)
- corenet_tcp_bind_all_nodes(hadoop_$1_t)
+ corenet_tcp_bind_generic_node(hadoop_$1_t)
corenet_tcp_sendrecv_generic_if(hadoop_$1_t)
corenet_udp_sendrecv_generic_if(hadoop_$1_t)
corenet_tcp_sendrecv_generic_node(hadoop_$1_t)
@@ -109,6 +109,7 @@ template(`hadoop_domain_template',`
files_read_etc_files(hadoop_$1_t)
auth_domtrans_chkpwd(hadoop_$1_t)
+ auth_use_nsswitch(hadoop_$1_t)
hadoop_match_lan_spd(hadoop_$1_t)
@@ -132,10 +133,6 @@ template(`hadoop_domain_template',`
su_exec(hadoop_$1_t)
- optional_policy(`
- nscd_socket_use(hadoop_$1_t)
- ')
-
####################################
#
# Shared hadoop_$1 initrc policy.
@@ -175,8 +172,6 @@ template(`hadoop_domain_template',`
files_read_etc_files(hadoop_$1_initrc_t)
files_read_usr_files(hadoop_$1_initrc_t)
- consoletype_exec(hadoop_$1_initrc_t)
-
fs_getattr_xattr_fs(hadoop_$1_initrc_t)
fs_search_cgroup_dirs(hadoop_$1_initrc_t)
@@ -184,6 +179,8 @@ template(`hadoop_domain_template',`
hadoop_exec_config(hadoop_$1_initrc_t)
+ auth_domtrans_chkpwd(hadoop_$1_initrc_t)
+
init_rw_utmp(hadoop_$1_initrc_t)
init_use_fds(hadoop_$1_initrc_t)
init_use_script_ptys(hadoop_$1_initrc_t)
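Review bot: `auth_domtrans_chkpwd(hadoop_$1_initrc_t)` lets every hadoop init-script domain run the password-checking helper, which is unusual for an initrc domain and is left unexplained. The template already has `su_exec(hadoop_$1_t)` for the daemon side, so presumably the init scripts su to the hadoop user and PAM invokes unix_chkpwd; if that is the reason, say so above the rule: `# init scripts su to the hadoop user; PAM runs unix_chkpwd`. hadoop_domain_template begins and ends outside this hunk.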
@@ -196,8 +193,9 @@ template(`hadoop_domain_template',`
userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)
optional_policy(`
- nscd_socket_use(hadoop_$1_initrc_t)
+ consoletype_exec(hadoop_$1_initrc_t)
')
+
')
########################################
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index 7d3a469..3889dc9 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -161,24 +161,16 @@ files_read_usr_files(hadoop_t)
fs_getattr_xattr_fs(hadoop_t)
-miscfiles_read_localization(hadoop_t)
+auth_use_nsswitch(hadoop_t)
-sysnet_read_config(hadoop_t)
+miscfiles_read_localization(hadoop_t)
-userdom_use_user_terminals(hadoop_t)
+userdom_use_inherited_user_terminals(hadoop_t)
java_exec(hadoop_t)
kerberos_use(hadoop_t)
-optional_policy(`
- nis_use_ypbind(hadoop_t)
-')
-
-optional_policy(`
- nscd_socket_use(hadoop_t)
-')
-
########################################
#
# Hadoop datanode policy.
@@ -341,19 +333,17 @@ domain_use_interactive_fds(zookeeper_t)
files_read_etc_files(zookeeper_t)
files_read_usr_files(zookeeper_t)
+auth_use_nsswitch(zookeeper_t)
+
miscfiles_read_localization(zookeeper_t)
sysnet_read_config(zookeeper_t)
-userdom_use_user_terminals(zookeeper_t)
+userdom_use_inherited_user_terminals(zookeeper_t)
userdom_dontaudit_search_user_home_dirs(zookeeper_t)
java_exec(zookeeper_t)
-optional_policy(`
- nscd_socket_use(zookeeper_t)
-')
-
########################################
#
# Hadoop zookeeper server policy.
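Review bot: `sysnet_read_config(zookeeper_t)` is kept directly after the new `auth_use_nsswitch(zookeeper_t)`, while the hadoop_t hunk earlier in this file drops sysnet_read_config when it adds auth_use_nsswitch. If auth_use_nsswitch already pulls in the sysnet config access (as that earlier hunk assumes), the zookeeper line is redundant and the two domains should be written the same way; if it does not, hadoop_t has just lost access it had. Either remove `sysnet_read_config(zookeeper_t)` here or restore it for hadoop_t, but make the two consistent.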
diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc
index c98b0df..3b1a051 100644
--- a/policy/modules/services/hal.fc
+++ b/policy/modules/services/hal.fc
@@ -18,13 +18,9 @@
/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
-/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
-/var/log/pm-.*\.log gen_context(system_u:object_r:hald_log_t,s0)
-
/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
-/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
index 7cf6763..ce32fe5 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
@@ -51,6 +51,7 @@ interface(`hal_read_state',`
type hald_t;
')
+ kernel_search_proc($1)
ps_process_pattern($1, hald_t)
')
@@ -87,7 +88,7 @@ interface(`hal_use_fds',`
type hald_t;
')
- allow $1 hald_t:fd use;
+ allow $1 hald_t:fd use;
')
########################################
@@ -105,7 +106,7 @@ interface(`hal_dontaudit_use_fds',`
type hald_t;
')
- dontaudit $1 hald_t:fd use;
+ dontaudit $1 hald_t:fd use;
')
########################################
@@ -124,7 +125,7 @@ interface(`hal_rw_pipes',`
type hald_t;
')
- allow $1 hald_t:fifo_file rw_fifo_file_perms;
+ allow $1 hald_t:fifo_file rw_fifo_file_perms;
')
########################################
@@ -143,7 +144,7 @@ interface(`hal_dontaudit_rw_pipes',`
type hald_t;
')
- dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
')
########################################
@@ -377,6 +378,25 @@ interface(`hal_read_pid_files',`
########################################
## <summary>
+## Do not audit attempts to read
+## hald PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_read_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Read/Write hald PID files.
## </summary>
## <param name="domain">
@@ -431,3 +451,25 @@ interface(`hal_manage_pid_files',`
files_search_pids($1)
manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
')
+
+########################################
+## <summary>
+## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_leaks',`
+ gen_require(`
+ type hald_log_t, hald_t, hald_var_run_t;
+ ')
+
+ dontaudit $1 hald_t:fd use;
+ dontaudit $1 hald_log_t:file rw_inherited_file_perms;
+ dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit hald_t $1:socket_class_set { read write };
+ dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
+')
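Review bot: The summary of hal_dontaudit_leaks reads "dontaudit read and write an leaked file descriptors", which is ungrammatical and does not say whose descriptors, while the other summaries in this file use the "Do not audit ..." form; suggest `## Do not audit attempts to use hald file descriptors, log files, pipes and pid files leaked to the domain.` The rule `dontaudit hald_t $1:socket_class_set { read write };` is the only one in the interface where hald_t rather than $1 is the subject, so a one-line comment stating that it silences hald_t using sockets inherited from the caller would stop readers assuming the arguments are swapped. Note also that the new hal_dontaudit_read_pid_files above contains exactly the same `dontaudit $1 hald_var_run_t:file read_inherited_file_perms;` rule as the last line here, so callers of both get it twice — harmless, but worth knowing when one of them is later changed.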
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index 24c6253..0771a37 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
type hald_var_lib_t;
files_type(hald_var_lib_t)
+typealias hald_log_t alias pmtools_log_t;
+typealias hald_var_run_t alias pmtools_var_run_t;
+
########################################
#
# Local policy
@@ -99,7 +102,7 @@ kernel_read_fs_sysctls(hald_t)
kernel_rw_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
-kernel_search_network_sysctl(hald_t)
+kernel_rw_net_sysctls(hald_t)
kernel_setsched(hald_t)
kernel_request_load_module(hald_t)
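Review bot: `kernel_rw_net_sysctls(hald_t)` replaces `kernel_search_network_sysctl(hald_t)`, turning a directory-search permission into read and write of every /proc/sys/net sysctl, and nothing says which sysctl hald actually writes. If hald only reads, `kernel_read_net_sysctls(hald_t)` is the narrower interface; if a write is really required, record it above the rule, e.g. `# hald writes /proc/sys/net/<path> when <event>` with the real path. As written, a compromised hald can rewrite network-stack tunables system-wide.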
@@ -125,6 +128,7 @@ dev_rw_printer(hald_t)
dev_read_lvm_control(hald_t)
dev_getattr_all_chr_files(hald_t)
dev_manage_generic_chr_files(hald_t)
+dev_manage_generic_blk_files(hald_t)
dev_rw_generic_usb_dev(hald_t)
dev_setattr_generic_usb_dev(hald_t)
dev_setattr_usbfs_files(hald_t)
@@ -140,6 +144,7 @@ domain_dontaudit_ptrace_all_domains(hald_t)
files_exec_etc_files(hald_t)
files_read_etc_files(hald_t)
+files_read_etc_runtime_files(hald_t)
files_rw_etc_runtime_files(hald_t)
files_manage_mnt_dirs(hald_t)
files_manage_mnt_files(hald_t)
@@ -186,8 +191,6 @@ term_use_unallocated_ttys(hald_t)
auth_use_nsswitch(hald_t)
-fstools_getattr_swap_files(hald_t)
-
init_domtrans_script(hald_t)
init_read_utmp(hald_t)
#hal runs shutdown, probably need a shutdown domain
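Review bot: The context comment `#hal runs shutdown, probably need a shutdown domain` is now stale, because this same patch adds `shutdown_domtrans(hald_t)` in an optional_policy block further down in the file. Drop the comment, or turn it into a pointer such as `# shutdown is handled via shutdown_domtrans below`, so the next reader does not go looking for a missing domain. Moving `fstools_getattr_swap_files(hald_t)` into an optional_policy block is itself fine.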
@@ -204,20 +207,25 @@ logging_search_logs(hald_t)
miscfiles_read_localization(hald_t)
miscfiles_read_hwdata(hald_t)
-modutils_domtrans_insmod(hald_t)
-modutils_read_module_deps(hald_t)
-
seutil_read_config(hald_t)
seutil_read_default_contexts(hald_t)
seutil_read_file_contexts(hald_t)
-sysnet_read_config(hald_t)
+sysnet_delete_dhcpc_pid(hald_t)
sysnet_domtrans_dhcpc(hald_t)
sysnet_domtrans_ifconfig(hald_t)
+sysnet_read_config(hald_t)
sysnet_read_dhcp_config(hald_t)
+sysnet_read_dhcpc_pid(hald_t)
+sysnet_signal_dhcpc(hald_t)
userdom_dontaudit_use_unpriv_user_fds(hald_t)
userdom_dontaudit_search_user_home_dirs(hald_t)
+userdom_stream_connect(hald_t)
+
+optional_policy(`
+ netutils_domtrans(hald_t)
+')
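Review bot: The new optional_policy block for `netutils_domtrans(hald_t)` is inserted ahead of the existing `alsa_domtrans(hald_t)` block, breaking the alphabetical ordering of optional_policy blocks that the rest of this section follows (alsa, dbus, dmidecode, gpm, hotplug, mount, policykit, udev, virt); move it down between the mount and policykit blocks. Also `sysnet_signal_dhcpc(hald_t)` together with `sysnet_delete_dhcpc_pid(hald_t)` lets hald kill dhclient and remove its pid file, which is a lifecycle-management power worth a why-comment, e.g. `# hald stops dhclient when its interface goes away` — hedged, since the hunk does not say which event triggers it.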
optional_policy(`
alsa_domtrans(hald_t)
@@ -252,8 +260,7 @@ optional_policy(`
')
optional_policy(`
- dbus_system_bus_client(hald_t)
- dbus_connect_system_bus(hald_t)
+ dbus_system_domain(hald_t, hald_exec_t)
init_dbus_chat_script(hald_t)
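Review bot: Replacing `dbus_system_bus_client(hald_t)` plus `dbus_connect_system_bus(hald_t)` with `dbus_system_domain(hald_t, hald_exec_t)` is more than a tidy-up if dbus_system_domain in this tree is the usual one that also sets up a domain transition from the system bus daemon into hald_t on hald_exec_t — its definition is not visible here, so this is inferred. If so, the bus can now activate hald rather than hald merely being a client, which deserves a comment such as `# dbus_system_domain also lets system_dbusd_t start hald on activation` above the call, or the old pair should be kept if bus activation is not wanted.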
@@ -263,15 +270,28 @@ optional_policy(`
')
optional_policy(`
+ # for pm-suspend.lock in /var/run/pm-utils/
+ devicekit_manage_pid_files(hald_t)
+')
+
+optional_policy(`
# For /usr/libexec/hald-probe-smbios
dmidecode_domtrans(hald_t)
')
optional_policy(`
+ gnome_read_config(hald_t)
+')
+
+optional_policy(`
gpm_dontaudit_getattr_gpmctl(hald_t)
')
optional_policy(`
+ fstools_getattr_swap_files(hald_t)
+')
+
+optional_policy(`
hotplug_read_config(hald_t)
')
@@ -280,6 +300,11 @@ optional_policy(`
')
optional_policy(`
+ modutils_domtrans_insmod(hald_t)
+ modutils_read_module_deps(hald_t)
+')
+
+optional_policy(`
mount_domtrans(hald_t)
')
@@ -302,7 +327,7 @@ optional_policy(`
')
optional_policy(`
- policykit_dbus_chat(hald_t)
+ policykit_dbus_chat(hald_t)
policykit_domtrans_auth(hald_t)
policykit_domtrans_resolve(hald_t)
policykit_read_lib(hald_t)
@@ -318,6 +343,10 @@ optional_policy(`
')
optional_policy(`
+ shutdown_domtrans(hald_t)
+')
+
+optional_policy(`
udev_domtrans(hald_t)
udev_read_db(hald_t)
')
@@ -338,6 +367,10 @@ optional_policy(`
virt_manage_images(hald_t)
')
+optional_policy(`
+ xserver_read_pid(hald_t)
+')
+
########################################
#
# Hal acl local policy
@@ -358,6 +391,7 @@ files_search_var_lib(hald_acl_t)
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
+allow hald_t hald_var_run_t:dir mounton;
corecmd_exec_bin(hald_acl_t)
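Review bot: `allow hald_t hald_var_run_t:dir mounton;` is added in the "Hal acl local policy" section among hald_acl_t rules, but its subject is hald_t; someone scanning the hald_acl_t block will skip it and someone reading the hald_t block will never find it. Move it up next to the other hald_t rules on hald_var_run_t, and add a comment naming what gets mounted over the pid directory (a tmpfs on /var/run/hald is my guess; the hunk does not say), since mounton on a pid dir is not self-explanatory.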
@@ -388,7 +422,7 @@ logging_send_syslog_msg(hald_acl_t)
miscfiles_read_localization(hald_acl_t)
optional_policy(`
- policykit_dbus_chat(hald_acl_t)
+ policykit_dbus_chat(hald_acl_t)
policykit_domtrans_auth(hald_acl_t)
policykit_read_lib(hald_acl_t)
policykit_read_reload(hald_acl_t)
@@ -470,6 +504,12 @@ files_read_usr_files(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
+optional_policy(`
+ # This is caused by a bug in hald and PolicyKit.
+ # Should be removed when this is fixed
+ cron_read_system_job_lib_files(hald_t)
+')
+
########################################
#
# Local hald dccm policy
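Review bot: `cron_read_system_job_lib_files(hald_t)` is placed under the hald_keymap_t section although its subject is hald_t, and the comment "This is caused by a bug in hald and PolicyKit" gives no bug reference, so nobody will know when the workaround can be removed. Move the optional_policy block up with the other hald_t optional_policy blocks and cite the tracker, e.g. `# workaround for hald/PolicyKit bug (bz#NNNNNN): hald reads cron job lib files; drop once fixed`.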
@@ -524,7 +564,9 @@ files_read_usr_files(hald_dccm_t)
miscfiles_read_localization(hald_dccm_t)
-hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
+optional_policy(`
+ hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
+')
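Review bot: `hal_dontaudit_rw_dgram_sockets(hald_dccm_t)` is now wrapped in optional_policy, but this is hal.te itself: the hal module's own types and interfaces are necessarily present whenever this file is compiled, so the wrapper can never evaluate differently and only suggests to a reader that hald_t might be absent. Keep the call unwrapped as it was; if the motivation was a build warning about a module calling its own interface, express it as the underlying dontaudit rule instead and say so in a comment.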
optional_policy(`
dbus_system_bus_client(hald_dccm_t)
diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if
index 87b4531..db2d189 100644
--- a/policy/modules/services/hddtemp.if
+++ b/policy/modules/services/hddtemp.if
@@ -69,9 +69,5 @@ interface(`hddtemp_admin',`
allow $2 system_r;
admin_pattern($1, hddtemp_etc_t)
- files_search_etc($1)
-
- allow $1 hddtemp_t:dir list_dir_perms;
- read_lnk_files_pattern($1, hddtemp_t, hddtemp_t)
- kernel_search_proc($1)
+ files_list_etc($1)
')
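Review bot: Removing `allow $1 hddtemp_t:dir list_dir_perms;`, `read_lnk_files_pattern($1, hddtemp_t, hddtemp_t)` and `kernel_search_proc($1)` takes away the /proc/<pid> access the admin domain used to inspect hddtemp_t, unless `ps_process_pattern($1, hddtemp_t)` already appears earlier in hddtemp_admin — the start of the interface is outside this hunk, so I cannot confirm. If it does not, add `ps_process_pattern($1, hddtemp_t)` after the gen_require block so the admin keeps ps/kill visibility of the daemon. Swapping `files_search_etc($1)` for `files_list_etc($1)` alongside admin_pattern on hddtemp_etc_t is fine.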
diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te
index c234b32..6c0a73d 100644
--- a/policy/modules/services/hddtemp.te
+++ b/policy/modules/services/hddtemp.te
@@ -38,12 +38,16 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
-files_search_etc(hddtemp_t)
+files_read_etc_files(hddtemp_t)
files_read_usr_files(hddtemp_t)
storage_raw_read_fixed_disk(hddtemp_t)
+storage_raw_read_removable_device(hddtemp_t)
logging_send_syslog_msg(hddtemp_t)
miscfiles_read_localization(hddtemp_t)
+optional_policy(`
+ sysnet_dns_name_resolve(hddtemp_t)
+')
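Review bot: `sysnet_dns_name_resolve(hddtemp_t)` is wrapped in optional_policy, yet other files in this same patch (glance.te, hal.te) call sysnet_* interfaces unconditionally, which suggests sysnetwork is always present in this build and the wrapper is just inconsistent noise. Drop the optional_policy and replace it with a why-comment, e.g. `# resolves the listen/bind address given on the command line` — hedged, as the hunk does not show what hddtemp resolves. `storage_raw_read_removable_device(hddtemp_t)` also lacks a note; one line saying it is for reading temperatures of removable/USB disks would help.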
diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if
index ecab47a..40affd8 100644
--- a/policy/modules/services/icecast.if
+++ b/policy/modules/services/icecast.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run icecast.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`icecast_domtrans',`
@@ -118,9 +118,9 @@ interface(`icecast_read_log',`
## icecast log files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`icecast_append_log',`
@@ -173,6 +173,7 @@ interface(`icecast_admin',`
type icecast_t, icecast_initrc_exec_t;
')
+ allow $1 icecast_t:process { ptrace signal_perms };
ps_process_pattern($1, icecast_t)
# Allow icecast_t to restart the apache service
@@ -182,7 +183,5 @@ interface(`icecast_admin',`
allow $2 system_r;
icecast_manage_pid_files($1)
-
icecast_manage_log($1)
-
')
diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
index fdb7e9a..1c02a45 100644
--- a/policy/modules/services/icecast.te
+++ b/policy/modules/services/icecast.te
@@ -5,6 +5,14 @@ policy_module(icecast, 1.1.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow icecast to connect to all ports, not just
+## sound ports.
+## </p>
+## </desc>
+gen_tunable(icecast_connect_any, false)
+
type icecast_t;
type icecast_exec_t;
init_daemon_domain(icecast_t, icecast_exec_t)
@@ -31,7 +39,7 @@ allow icecast_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t)
manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
-logging_log_filetrans(icecast_t, icecast_log_t, { file dir } )
+logging_log_filetrans(icecast_t, icecast_log_t, { file dir })
manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
@@ -40,6 +48,13 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
kernel_read_system_state(icecast_t)
corenet_tcp_bind_soundd_port(icecast_t)
+corenet_tcp_connect_soundd_port(icecast_t)
+
+tunable_policy(`icecast_connect_any',`
+ corenet_tcp_connect_all_ports(icecast_t)
+ corenet_tcp_bind_all_ports(icecast_t)
+ corenet_sendrecv_all_client_packets(icecast_t)
+')
# Init script handling
domain_use_interactive_fds(icecast_t)
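Review bot: The `icecast_connect_any` tunable is described in its <desc> as allowing icecast to connect to all ports, but the tunable_policy block also grants `corenet_tcp_bind_all_ports(icecast_t)`, so enabling the boolean lets icecast listen on any port, including reserved ones, which neither its name nor its description suggests. Either drop the bind rule and keep the block to `corenet_tcp_connect_all_ports(icecast_t)` plus `corenet_sendrecv_all_client_packets(icecast_t)`, or rename and re-describe the boolean as covering both bind and connect. If binding really is wanted, `corenet_sendrecv_all_server_packets(icecast_t)` is the matching packet rule, since the block currently only covers client packets.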
diff --git a/policy/modules/services/ifplugd.if b/policy/modules/services/ifplugd.if
index dfb4232..7665429 100644
--- a/policy/modules/services/ifplugd.if
+++ b/policy/modules/services/ifplugd.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run ifplugd.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`ifplugd_domtrans',`
@@ -113,8 +113,8 @@ interface(`ifplugd_read_pid_files',`
#
interface(`ifplugd_admin',`
gen_require(`
- type ifplugd_t, ifplugd_etc_t;
- type ifplugd_var_run_t, ifplugd_initrc_exec_t;
+ type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t;
+ type ifplugd_initrc_exec_t;
')
allow $1 ifplugd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te
index 978c32f..81c5ca2 100644
--- a/policy/modules/services/ifplugd.te
+++ b/policy/modules/services/ifplugd.te
@@ -11,7 +11,7 @@ init_daemon_domain(ifplugd_t, ifplugd_exec_t)
# config files
type ifplugd_etc_t;
-files_type(ifplugd_etc_t)
+files_config_file(ifplugd_etc_t)
type ifplugd_initrc_exec_t;
init_script_file(ifplugd_initrc_exec_t)
@@ -54,7 +54,7 @@ corecmd_exec_bin(ifplugd_t)
# reading of hardware information
dev_read_sysfs(ifplugd_t)
-domain_read_confined_domains_state(ifplugd_t)
+domain_read_all_domains_state(ifplugd_t)
domain_dontaudit_read_all_domains_state(ifplugd_t)
auth_use_nsswitch(ifplugd_t)
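Review bot: With `domain_read_all_domains_state(ifplugd_t)` now allowed, the `domain_dontaudit_read_all_domains_state(ifplugd_t)` kept on the next line is dead — there is nothing left to suppress once the access is granted — and the change also widens ifplugd from confined domains' /proc state to every domain's, including unconfined and privileged ones. Nothing in the hunk says which denial prompted the widening; if ifplugd only needs to locate a pid, the old `domain_read_confined_domains_state` plus the dontaudit was the narrower shape. Drop the dontaudit line and put the motivation above the allow, e.g. `# reads /proc/<pid> of all domains to ... (AVC from <bug>)`, with the blank filled in by the author.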
diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
index df48e5e..878d9df 100644
--- a/policy/modules/services/inetd.if
+++ b/policy/modules/services/inetd.if
@@ -37,6 +37,10 @@ interface(`inetd_core_service_domain',`
domtrans_pattern(inetd_t, $2, $1)
allow inetd_t $1:process { siginh sigkill };
+
+ optional_policy(`
+ abrt_stream_connect($1)
+ ')
')
########################################
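Review bot: The new `abrt_stream_connect($1)` block carries no comment, and because `inetd_core_service_domain` is invoked for every inetd-spawned service the grant is effectively unconditional, so a reader cannot tell whether it is for crash reporting from the child or for something inetd-specific. A one-liner above the `optional_policy(` such as `# inetd-spawned services report crashes to abrtd` keeps the intent with the rule. The interface's XML summary sits above the hunk and should mention the abrt access as well.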
@@ -55,7 +59,6 @@ interface(`inetd_core_service_domain',`
## </param>
#
interface(`inetd_tcp_service_domain',`
-
gen_require(`
type inetd_t;
')
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index c51a7b2..5f71f35 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -149,7 +149,10 @@ miscfiles_read_localization(inetd_t)
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
+mls_net_outbound_all_levels(inetd_t)
mls_process_set_level(inetd_t)
+#706086
+mls_net_outbound_all_levels(inetd_t)
sysnet_read_config(inetd_t)
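Review bot: `mls_net_outbound_all_levels(inetd_t)` is added twice in this hunk — once above `mls_process_set_level` and again under the `#706086` comment — so one copy is redundant; the compiler merges duplicate allow rules, but it is noise that will confuse the next edit. Keep a single call and keep it under the bug reference, expanded to say what the bug was about, e.g. `# 706086: inetd must make outbound MLS connections on behalf of ranged clients` (the exact wording is for the author; the bare number says nothing to someone without bugzilla access).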
diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc
index 8ca038d..8507ee2 100644
--- a/policy/modules/services/inn.fc
+++ b/policy/modules/services/inn.fc
@@ -19,45 +19,43 @@
/var/lib/news(/.*)? gen_context(system_u:object_r:innd_var_lib_t,s0)
-/usr/lib(64)?/news/bin/actsync -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/archive -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/batcher -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/convdate -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/expire -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/expireover -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/filechan -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/getlist -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/innconfval -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/inndf -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/overchan -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/shlock -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/actsync -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/archive -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/batcher -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/convdate -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/expire -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/expireover -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/filechan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/getlist -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/innconfval -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/inndf -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/overchan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/shlock -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
# cjp: split these to fix an ordering
# problem with a match in corecommands
/usr/lib/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0)
/usr/lib/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib64/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib64/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0)
/var/log/news(/.*)? gen_context(system_u:object_r:innd_log_t,s0)
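Review bot: Removing the `(64)?` alternation and the two explicit `/usr/lib64/news/bin/{innd,sm}` entries means that on a 64-bit build where inn installs its programs under `/usr/lib64/news/bin`, none of them would be labeled `innd_exec_t` any more and the init transition into `innd_t` would silently stop. If the inn package always uses `/usr/lib/news` regardless of architecture — which seems to be the assumption behind this hunk — the simplification is fine, but that should be confirmed against the package's file list before the lib64 entries go; otherwise keep the `(64)?` form. The `cjp` comment about ordering against corecommands now only applies to the `/usr/lib` path, which is consistent.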
diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if
index ebc9e0d..a0c625d 100644
--- a/policy/modules/services/inn.if
+++ b/policy/modules/services/inn.if
@@ -13,7 +13,7 @@
#
interface(`inn_exec',`
gen_require(`
- type innd_t;
+ type innd_exec_t;
')
can_exec($1, innd_exec_t)
@@ -93,6 +93,7 @@ interface(`inn_read_config',`
type innd_etc_t;
')
+ files_search_etc($1)
allow $1 innd_etc_t:dir list_dir_perms;
allow $1 innd_etc_t:file read_file_perms;
allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
@@ -113,6 +114,7 @@ interface(`inn_read_news_lib',`
type innd_var_lib_t;
')
+ files_search_var_lib($1)
allow $1 innd_var_lib_t:dir list_dir_perms;
allow $1 innd_var_lib_t:file read_file_perms;
allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
@@ -133,6 +135,7 @@ interface(`inn_read_news_spool',`
type news_spool_t;
')
+ files_search_spool($1)
allow $1 news_spool_t:dir list_dir_perms;
allow $1 news_spool_t:file read_file_perms;
allow $1 news_spool_t:lnk_file read_lnk_file_perms;
@@ -195,8 +198,8 @@ interface(`inn_domtrans',`
interface(`inn_admin',`
gen_require(`
type innd_t, innd_etc_t, innd_log_t;
- type news_spool_t, innd_var_lib_t;
- type innd_var_run_t, innd_initrc_exec_t;
+ type news_spool_t, innd_var_lib_t, innd_var_run_t;
+ type innd_initrc_exec_t;
')
allow $1 innd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index 9fab1dc..2462aa7 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -4,6 +4,7 @@ policy_module(inn, 1.9.0)
#
# Declarations
#
+
type innd_t;
type innd_exec_t;
init_daemon_domain(innd_t, innd_exec_t)
@@ -25,11 +26,13 @@ files_pid_file(innd_var_run_t)
type news_spool_t;
files_mountpoint(news_spool_t)
+files_spool_file(news_spool_t)
########################################
#
# Local policy
#
+
allow innd_t self:capability { dac_override kill setgid setuid };
dontaudit innd_t self:capability sys_tty_config;
allow innd_t self:process { setsched signal_perms };
@@ -46,7 +49,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
can_exec(innd_t, innd_exec_t)
manage_files_pattern(innd_t, innd_log_t, innd_log_t)
-allow innd_t innd_log_t:dir setattr;
+allow innd_t innd_log_t:dir setattr_dir_perms;
logging_log_filetrans(innd_t, innd_log_t, file)
manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
@@ -56,7 +59,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file)
manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
-files_pid_filetrans(innd_t, innd_var_run_t, file)
+files_pid_filetrans(innd_t, innd_var_run_t, { dir file })
manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
manage_files_pattern(innd_t, news_spool_t, news_spool_t)
@@ -105,6 +108,7 @@ sysnet_read_config(innd_t)
userdom_dontaudit_use_unpriv_user_fds(innd_t)
userdom_dontaudit_search_user_home_dirs(innd_t)
+userdom_dgram_send(innd_t)
mta_send_mail(innd_t)
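Review bot: `userdom_dgram_send(innd_t)` lets the news daemon write to unix datagram sockets owned by every user domain, and nothing in the hunk records what innd needs that for. If it answers a specific AVC (say, a user-run control tool handing innd a datagram socket), say so above the line — `# innd answers over a datagram socket passed in by a user-domain client` is a guess to be corrected by the author, not a fact from this hunk. Rules to user-domain sockets added without a reason are the ones that never get narrowed later.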
diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te
index 9aeeaf9..28fdfc5 100644
--- a/policy/modules/services/irqbalance.te
+++ b/policy/modules/services/irqbalance.te
@@ -19,6 +19,11 @@ files_pid_file(irqbalance_var_run_t)
allow irqbalance_t self:capability { setpcap net_admin };
dontaudit irqbalance_t self:capability sys_tty_config;
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit irqbalance_t self:capability sys_module;
+')
+
allow irqbalance_t self:process { getcap setcap signal_perms };
allow irqbalance_t self:udp_socket create_socket_perms;
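Review bot: The comment `# caused by some bogus kernel code` on the new `dontaudit irqbalance_t self:capability sys_module` does not say which kernel path requests CAP_SYS_MODULE from irqbalance or when the dontaudit can be removed. Because the block is gated by `hide_broken_symptoms`, it is meant to be temporary, so the comment should carry the concrete trigger and a bug reference, e.g. `# kernel checks CAP_SYS_MODULE on <operation>; see <bug>` — the cause is not visible in this hunk and must be filled in by the author.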
diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc
index 4c9acec..9a9ca2a 100644
--- a/policy/modules/services/jabber.fc
+++ b/policy/modules/services/jabber.fc
@@ -1,6 +1,18 @@
-/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/jabberd -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
-/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+
+# pyicq-t
+
+/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
+
+/var/log/pyicq-t\.log gen_context(system_u:object_r:pyicqt_log_t,s0)
+
+/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
+
+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
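Review bot: Labeling `/usr/bin/router`, `/usr/bin/c2s`, `/usr/bin/s2s` and `/usr/bin/sm` by bare name is fragile: these are generic names in the system bin directory, and any other package that ships a binary under one of them would be labeled `jabberd_exec_t`/`jabberd_router_exec_t` and transitioned into the jabberd domains when started from init. If the jabberd package really installs its components under those names, say so above the entries (`# jabberd2 components (installed unprefixed in /usr/bin)`), and the names should be checked for conflicts against other packages' file lists. Dropping the `/var/log/jabber` entry matches the `.te` hunk's note that logs now live under `jabberd_var_lib_t`, so that part is consistent.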
diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if
index 9878499..81fcd0f 100644
--- a/policy/modules/services/jabber.if
+++ b/policy/modules/services/jabber.if
@@ -1,8 +1,109 @@
## <summary>Jabber instant messaging server</summary>
-########################################
+#####################################
## <summary>
-## Connect to jabber over a TCP socket (Deprecated)
+## Creates types and rules for a basic
+## jabber init daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`jabber_domain_template',`
+ gen_require(`
+ attribute jabberd_domain;
+ ')
+
+ ##############################
+ #
+ # $1_t declarations
+ #
+
+ type $1_t, jabberd_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+')
+
+#######################################
+## <summary>
+## Execute a domain transition to run jabberd services
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`jabber_domtrans_jabberd',`
+ gen_require(`
+ type jabberd_t, jabberd_exec_t;
+ ')
+
+ domtrans_pattern($1, jabberd_exec_t, jabberd_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run jabberd router service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`jabber_domtrans_jabberd_router',`
+ gen_require(`
+ type jabberd_router_t, jabberd_router_exec_t;
+ ')
+
+ domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t)
+')
+
+#######################################
+## <summary>
+## Read jabberd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jabberd_read_lib_files',`
+ gen_require(`
+ type jabberd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Dontaudit inherited read jabberd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`jabberd_dontaudit_read_lib_files',`
+ gen_require(`
+ type jabberd_var_lib_t;
+ ')
+
+ dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms;
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## jabberd lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -10,8 +111,13 @@
## </summary>
## </param>
#
-interface(`jabber_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+interface(`jabberd_manage_lib_files',`
+ gen_require(`
+ type jabberd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
')
########################################
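Review bot: The new interfaces mix prefixes: `jabber_domtrans_jabberd` and `jabber_domtrans_jabberd_router` follow the module name, while `jabberd_read_lib_files`, `jabberd_dontaudit_read_lib_files` and `jabberd_manage_lib_files` use `jabberd_`, which breaks the convention that interfaces carry the module prefix and makes them hard to find. Rename them to `jabber_read_lib_files`, `jabber_dontaudit_read_lib_files` and `jabber_manage_lib_files` while the names are new. Separately, the deprecated `jabber_tcp_connect` shim is deleted outright instead of being kept as a `refpolicywarn` stub for a release, so any out-of-tree module still calling it now fails to build. `jabber_domain_template` also has a stray blank line before its closing `')`.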
@@ -33,24 +139,21 @@ interface(`jabber_tcp_connect',`
#
interface(`jabber_admin',`
gen_require(`
- type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
- type jabberd_var_run_t, jabberd_initrc_exec_t;
+ type jabberd_t, jabberd_var_lib_t;
+ type jabberd_initrc_exec_t, jabberd_router_t;
')
allow $1 jabberd_t:process { ptrace signal_perms };
ps_process_pattern($1, jabberd_t)
+ allow $1 jabberd_router_t:process { ptrace signal_perms };
+ ps_process_pattern($1, jabberd_router_t)
+
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 jabberd_initrc_exec_t system_r;
allow $2 system_r;
- logging_list_logs($1)
- admin_pattern($1, jabberd_log_t)
-
files_list_var_lib($1)
admin_pattern($1, jabberd_var_lib_t)
-
- files_list_pids($1)
- admin_pattern($1, jabberd_var_run_t)
')
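Review bot: `jabber_admin` only covers `jabberd_t` and `jabberd_router_t`, yet the same patch adds a third `jabberd_domain` member, `pyicqt_t`, with `pyicqt_log_t`, `pyicqt_var_run_t` and `pyicqt_var_spool_t`, so an admin role granted this interface cannot signal the transport or manage its log, pid or spool files. Granting the process rules on the `jabberd_domain` attribute covers all current and future components in one place, and the three pyicq-t file types need `admin_pattern` calls alongside the existing var_lib one. The rewritten interface is sketched below.
```selinux
interface(`jabber_admin',`
	gen_require(`
		attribute jabberd_domain;
		type jabberd_var_lib_t, jabberd_initrc_exec_t;
		type pyicqt_log_t, pyicqt_var_run_t, pyicqt_var_spool_t;
	')

	allow $1 jabberd_domain:process { ptrace signal_perms };
	ps_process_pattern($1, jabberd_domain)

	# … unchanged: init script domtrans, role transition, var_lib admin_pattern …

	logging_list_logs($1)
	admin_pattern($1, pyicqt_log_t)

	files_list_pids($1)
	admin_pattern($1, pyicqt_var_run_t)

	files_list_spool($1)
	admin_pattern($1, pyicqt_var_spool_t)
')
```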
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index da2127e..a666df2 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -5,90 +5,150 @@ policy_module(jabber, 1.8.0)
# Declarations
#
-type jabberd_t;
-type jabberd_exec_t;
-init_daemon_domain(jabberd_t, jabberd_exec_t)
+attribute jabberd_domain;
+
+jabber_domain_template(jabberd)
+jabber_domain_template(jabberd_router)
+jabber_domain_template(pyicqt)
type jabberd_initrc_exec_t;
init_script_file(jabberd_initrc_exec_t)
-type jabberd_log_t;
-logging_log_file(jabberd_log_t)
-
+# type which includes log/pid files pro jabberd components
type jabberd_var_lib_t;
files_type(jabberd_var_lib_t)
-type jabberd_var_run_t;
-files_pid_file(jabberd_var_run_t)
+# pyicq-t types
+type pyicqt_log_t;
+logging_log_file(pyicqt_log_t);
-########################################
+type pyicqt_var_spool_t;
+files_spool_file(pyicqt_var_spool_t)
+
+type pyicqt_var_run_t;
+files_pid_file(pyicqt_var_run_t)
+
+######################################
#
-# Local policy
+# Local policy for jabberd-router and c2s components
#
-allow jabberd_t self:capability dac_override;
-dontaudit jabberd_t self:capability sys_tty_config;
-allow jabberd_t self:process signal_perms;
-allow jabberd_t self:fifo_file read_fifo_file_perms;
-allow jabberd_t self:tcp_socket create_stream_socket_perms;
-allow jabberd_t self:udp_socket create_socket_perms;
+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
-manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
-files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
-
-manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
-
-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
-
-kernel_read_kernel_sysctls(jabberd_t)
-kernel_list_proc(jabberd_t)
-kernel_read_proc_symlinks(jabberd_t)
-
-corenet_all_recvfrom_unlabeled(jabberd_t)
-corenet_all_recvfrom_netlabel(jabberd_t)
-corenet_tcp_sendrecv_generic_if(jabberd_t)
-corenet_udp_sendrecv_generic_if(jabberd_t)
-corenet_tcp_sendrecv_generic_node(jabberd_t)
-corenet_udp_sendrecv_generic_node(jabberd_t)
-corenet_tcp_sendrecv_all_ports(jabberd_t)
-corenet_udp_sendrecv_all_ports(jabberd_t)
-corenet_tcp_bind_generic_node(jabberd_t)
-corenet_tcp_bind_jabber_client_port(jabberd_t)
-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
+manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+
+corenet_tcp_bind_jabber_client_port(jabberd_router_t)
+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
+corenet_tcp_connect_jabber_router_port(jabberd_router_t)
+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
+
+fs_getattr_all_fs(jabberd_router_t)
-dev_read_sysfs(jabberd_t)
-# For SSL
-dev_read_rand(jabberd_t)
+miscfiles_read_generic_certs(jabberd_router_t)
-domain_use_interactive_fds(jabberd_t)
+optional_policy(`
+ kerberos_use(jabberd_router_t)
+')
-files_read_etc_files(jabberd_t)
-files_read_etc_runtime_files(jabberd_t)
+optional_policy(`
+ nis_use_ypbind(jabberd_router_t)
+')
-fs_getattr_all_fs(jabberd_t)
-fs_search_auto_mountpoints(jabberd_t)
+#####################################
+#
+# Local policy for other jabberd components
+#
-logging_send_syslog_msg(jabberd_t)
+manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
-miscfiles_read_localization(jabberd_t)
+kernel_read_system_state(jabberd_t)
-sysnet_read_config(jabberd_t)
+corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_router_port(jabberd_t)
userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
userdom_dontaudit_search_user_home_dirs(jabberd_t)
optional_policy(`
- nis_use_ypbind(jabberd_t)
+ seutil_sigchld_newrole(jabberd_t)
')
optional_policy(`
- seutil_sigchld_newrole(jabberd_t)
+ udev_read_db(jabberd_t)
')
+######################################
+#
+# Local policy for pyicq-t
+#
+
+# need for /var/log/pyicq-t.log
+manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t)
+logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
+
+manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t);
+
+files_search_spool(pyicqt_t)
+manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t);
+
+kernel_read_system_state(pyicqt_t)
+
+corenet_tcp_bind_jabber_router_port(pyicqt_t)
+corenet_tcp_connect_jabber_router_port(pyicqt_t)
+
+corecmd_exec_bin(pyicqt_t)
+
+dev_read_urand(pyicqt_t);
+
+files_read_usr_files(pyicqt_t)
+
+auth_use_nsswitch(pyicqt_t);
+
+# for RHEL5
+libs_use_ld_so(pyicqt_t)
+libs_use_shared_libs(pyicqt_t)
+
+# needed for pyicq-t-mysql
optional_policy(`
- udev_read_db(jabberd_t)
+ corenet_tcp_connect_mysqld_port(pyicqt_t)
')
+
+optional_policy(`
+ sysnet_use_ldap(pyicqt_t)
+')
+
+#######################################
+#
+# Local policy for jabberd domains
+#
+
+allow jabberd_domain self:process signal_perms;
+allow jabberd_domain self:fifo_file rw_fifo_file_perms;
+allow jabberd_domain self:tcp_socket create_stream_socket_perms;
+allow jabberd_domain self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(jabberd_domain)
+corenet_all_recvfrom_netlabel(jabberd_domain)
+corenet_tcp_sendrecv_generic_if(jabberd_domain)
+corenet_udp_sendrecv_generic_if(jabberd_domain)
+corenet_tcp_sendrecv_generic_node(jabberd_domain)
+corenet_udp_sendrecv_generic_node(jabberd_domain)
+corenet_tcp_sendrecv_all_ports(jabberd_domain)
+corenet_udp_sendrecv_all_ports(jabberd_domain)
+corenet_tcp_bind_generic_node(jabberd_domain)
+
+dev_read_urand(jabberd_domain)
+dev_read_urand(jabberd_domain)
+dev_read_sysfs(jabberd_domain)
+
+files_read_etc_files(jabberd_domain)
+files_read_etc_runtime_files(jabberd_domain)
+
+logging_send_syslog_msg(jabberd_domain)
+
+miscfiles_read_localization(jabberd_domain)
+
+sysnet_read_config(jabberd_domain)
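Review bot: `dev_read_urand(jabberd_domain)` is listed twice in a row in the shared `jabberd_domain` section; delete one. Several new pyicq-t lines end in a semicolon (`logging_log_file(pyicqt_log_t);`, both `manage_files_pattern(pyicqt_t, ...);`, `dev_read_urand(pyicqt_t);`, `auth_use_nsswitch(pyicqt_t);`), which m4 tolerates but which no other line in the module uses — strip them. The `# for RHEL5` pair `libs_use_ld_so`/`libs_use_shared_libs` appears to be a deprecated no-op in refpolicy of this vintage and, in a Fedora 16 patch, can go with its comment (confirm against libraries.if before removing). Finally, `pyicqt_t` manages `pyicqt_var_run_t` files with no `files_pid_filetrans`, which is only correct if the pid file is always created inside the pre-labeled `/var/run/pyicq-t` directory — worth a comment on that `manage_files_pattern` line.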
diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
index 3525d24..e065744 100644
--- a/policy/modules/services/kerberos.fc
+++ b/policy/modules/services/kerberos.fc
@@ -8,7 +8,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/kadmin -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
@@ -30,4 +30,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+
/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
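Review bot: `/var/tmp/HTTP_23` pins one replay-cache file name, but the two entries visible here (`host_0`, `HTTP_23`) suggest krb5 names rcache files `<service>_<euid>`, so the same HTTP rcache written by a server running under a different uid would get the generic tmp label and none of the `krb5_host_rcache_t` rules would apply. A pattern such as `/var/tmp/HTTP_[0-9]+ -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)` (and `host_[0-9]+` for the existing entry) covers every uid; the `kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")` named transition added elsewhere in this patch has the same single-uid limitation. Whether the suffix really is the euid should be confirmed against the libkrb5 rcache code before widening.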
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 604f67b..e515121 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -26,9 +26,9 @@
## Execute kadmind in the current domain
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`kerberos_exec_kadmind',`
@@ -44,9 +44,9 @@ interface(`kerberos_exec_kadmind',`
## Execute a domain transition to run kpropd.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`kerberos_domtrans_kpropd',`
@@ -69,8 +69,7 @@ interface(`kerberos_domtrans_kpropd',`
#
interface(`kerberos_use',`
gen_require(`
- type krb5_conf_t, krb5kdc_conf_t;
- type krb5_host_rcache_t;
+ type krb5_conf_t, krb5kdc_conf_t, krb5_host_rcache_t;
')
files_search_etc($1)
@@ -103,7 +102,8 @@ interface(`kerberos_use',`
corenet_sendrecv_kerberos_client_packets($1)
corenet_sendrecv_ocsp_client_packets($1)
- allow $1 krb5_host_rcache_t:file getattr;
+ allow $1 krb5_host_rcache_t:dir search_dir_perms;
+ allow $1 krb5_host_rcache_t:file getattr_file_perms;
')
optional_policy(`
@@ -218,6 +218,25 @@ interface(`kerberos_rw_keytab',`
########################################
## <summary>
+## Create keytab file in /etc
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_etc_filetrans_keytab',`
+ gen_require(`
+ type krb5_keytab_t;
+ ')
+
+ allow $1 krb5_keytab_t:file manage_file_perms;
+ files_etc_filetrans($1, krb5_keytab_t, file, $2)
+')
+
+########################################
+## <summary>
## Create a derived type for kerberos keytab
## </summary>
## <param name="prefix">
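Review bot: `kerberos_etc_filetrans_keytab` takes a second argument (`$2`, forwarded to `files_etc_filetrans` as the file name) that its XML header does not document, so the generated interface docs will present it as single-parameter. Add `<param name="name" optional="true"><summary>Name of the keytab file to transition on.</summary></param>` after the domain parameter. The body also grants `manage_file_perms` on `krb5_keytab_t` — read, write and unlink of every keytab — while the summary says only "Create keytab file"; a caller that just creates `/etc/krb5.keytab` should get `create_file_perms` (plus `write_file_perms` if it fills it in), with reads left to `kerberos_read_keytab`. Keytabs hold long-term service keys, so this is exactly the interface where over-granting matters.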
@@ -235,7 +254,7 @@ template(`kerberos_keytab_template',`
type $1_keytab_t;
files_type($1_keytab_t)
- allow $2 $1_keytab_t:file read_file_perms;
+ allow $2 $1_keytab_t:file read_file_perms;
kerberos_read_keytab($2)
kerberos_use($2)
@@ -289,35 +308,14 @@ interface(`kerberos_manage_host_rcache',`
seutil_read_file_contexts($1)
- allow $1 krb5_host_rcache_t:file manage_file_perms;
+ files_rw_generic_tmp_dir($1)
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
files_search_tmp($1)
')
')
########################################
## <summary>
-## Connect to krb524 service
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`kerberos_connect_524',`
- tunable_policy(`allow_kerberos',`
- allow $1 self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled($1)
- corenet_udp_sendrecv_generic_if($1)
- corenet_udp_sendrecv_generic_node($1)
- corenet_udp_sendrecv_kerberos_master_port($1)
- corenet_sendrecv_kerberos_master_client_packets($1)
- ')
-')
-
-########################################
-## <summary>
## All of the rules required to administrate
## an kerberos environment
## </summary>
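Review bot: `kerberos_connect_524` is removed outright rather than left as a deprecated stub, so any out-of-tree module still calling it now fails to build with an undefined-interface error; the convention elsewhere in this policy is to keep `interface(`kerberos_connect_524',` with `refpolicywarn(`$0($*) has been deprecated.')` for a release before deleting it. In `kerberos_manage_host_rcache` the new `files_rw_generic_tmp_dir($1)` is what allows callers to create rcache files directly in `/tmp`; a short comment such as `# rcache files are created in /tmp itself` above it would explain why a generic tmp-directory write is granted. The interface's opening lines are above the hunk.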
@@ -338,9 +336,8 @@ interface(`kerberos_admin',`
type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
- type krb5kdc_principal_t, krb5kdc_tmp_t;
+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
type krb5kdc_var_run_t, krb5_host_rcache_t;
- type kpropd_t;
')
allow $1 kadmind_t:process { ptrace signal_perms };
@@ -378,3 +375,108 @@ interface(`kerberos_admin',`
admin_pattern($1, krb5kdc_var_run_t)
')
+
+########################################
+## <summary>
+## Type transition files created in /tmp
+## to the krb5_host_rcache type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_tmp_filetrans_host_rcache',`
+ gen_require(`
+ type krb5_host_rcache_t;
+ ')
+
+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
+')
+
+########################################
+## <summary>
+## read kerberos homedir content (.k5login)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_read_home_content',`
+ gen_require(`
+ type krb5_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, krb5_home_t, krb5_home_t)
+')
+
+########################################
+## <summary>
+## create kerberos content in the in the /root directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_filetrans_admin_home_content',`
+ gen_require(`
+ type kerberos_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, kerberos_home_t, file, ".k5login")
+')
+
+########################################
+## <summary>
+## Transition to kerberos named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_filetrans_home_content',`
+ gen_require(`
+ type kerberos_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, kerberos_home_t, file, ".k5login")
+')
+
+########################################
+## <summary>
+## Transition to kerberos named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_filetrans_named_content',`
+ gen_require(`
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t;
+ ')
+
+ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+ kerberos_etc_filetrans_keytab($1, "krb5.keytab")
+ kerberos_filetrans_admin_home_content($1)
+
+ kerberos_tmp_filetrans_host_rcache($1, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
+')
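Review bot: `kerberos_filetrans_admin_home_content` and `kerberos_filetrans_home_content` require `type kerberos_home_t`, but the type this module declares for `.k5login` is `krb5_home_t` (the kerberos.te hunk below shows `type krb5_home_t;` under `userdom_user_home_content`), so unless `kerberos_home_t` is declared somewhere outside this view these two interfaces — and `kerberos_filetrans_named_content`, which calls the first — fail with an unknown type as soon as any module uses them. Change both `gen_require` blocks and both filetrans calls to `krb5_home_t`. Also document the second argument of `kerberos_tmp_filetrans_host_rcache` (`<param name="name" optional="true">`), delete the commented-out duplicate `principal1` line, and note that `kerberos_filetrans_home_content` is defined but never wired into `kerberos_filetrans_named_content`, which looks like an oversight.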
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 8edc29b..92dde2c 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0)
#
## <desc>
-## <p>
-## Allow confined applications to run with kerberos.
-## </p>
+## <p>
+## Allow confined applications to run with kerberos.
+## </p>
## </desc>
gen_tunable(allow_kerberos, false)
@@ -35,12 +35,12 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
domain_obj_id_change_exemption(kpropd_t)
type krb5_conf_t;
-files_type(krb5_conf_t)
+files_config_file(krb5_conf_t)
type krb5_home_t;
userdom_user_home_content(krb5_home_t)
-type krb5_host_rcache_t;
+type krb5_host_rcache_t alias saslauthd_tmp_t;
files_tmp_file(krb5_host_rcache_t)
# types for general configuration files in /etc
@@ -49,10 +49,10 @@ files_security_file(krb5_keytab_t)
# types for KDC configs and principal file(s)
type krb5kdc_conf_t;
-files_type(krb5kdc_conf_t)
+files_config_file(krb5kdc_conf_t)
type krb5kdc_lock_t;
-files_type(krb5kdc_lock_t)
+files_lock_file(krb5kdc_lock_t)
# types for KDC principal file(s)
type krb5kdc_principal_t;
@@ -80,7 +80,7 @@ files_pid_file(krb5kdc_var_run_t)
# Use capabilities. Surplus capabilities may be allowed.
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
dontaudit kadmind_t self:capability sys_tty_config;
-allow kadmind_t self:process { setfscreate signal_perms };
+allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
allow kadmind_t self:unix_dgram_socket { connect create write };
allow kadmind_t self:tcp_socket connected_stream_socket_perms;
@@ -93,9 +93,9 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
dontaudit kadmind_t krb5_conf_t:file write;
read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
-dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
+dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
-allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
+allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
@@ -126,10 +126,13 @@ corenet_udp_sendrecv_all_ports(kadmind_t)
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
corenet_tcp_bind_kerberos_admin_port(kadmind_t)
+corenet_tcp_bind_kerberos_password_port(kadmind_t)
corenet_udp_bind_kerberos_admin_port(kadmind_t)
+corenet_udp_bind_kerberos_password_port(kadmind_t)
corenet_tcp_bind_reserved_port(kadmind_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
+corenet_sendrecv_kerberos_password_server_packets(kadmind_t)
dev_read_sysfs(kadmind_t)
dev_read_rand(kadmind_t)
@@ -149,17 +152,25 @@ selinux_validate_context(kadmind_t)
logging_send_syslog_msg(kadmind_t)
+miscfiles_read_generic_certs(kadmind_t)
miscfiles_read_localization(kadmind_t)
seutil_read_file_contexts(kadmind_t)
-sysnet_read_config(kadmind_t)
sysnet_use_ldap(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
userdom_dontaudit_search_user_home_dirs(kadmind_t)
optional_policy(`
+ ldap_stream_connect(kadmind_t)
+')
+
+optional_policy(`
+ dirsrv_stream_connect(kadmind_t)
+')
+
+optional_policy(`
nis_use_ypbind(kadmind_t)
')
@@ -193,13 +204,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
-allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
+allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
-allow krb5kdc_t krb5kdc_principal_t:file read_file_perms;
-dontaudit krb5kdc_t krb5kdc_principal_t:file write;
+allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
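Review bot: The new rule widens krb5kdc_t from `read_file_perms` to `rw_file_perms` on krb5kdc_principal_t with no comment, so the KDC can now modify the file that holds the realm's key material and a later reader cannot tell whether that was deliberate or an audit2allow artefact. If the write is for the KDC updating per-principal bookkeeping in the database, say so above the rule, e.g. `# krb5kdc updates lockout/last-success state in the principal db` (presumably; confirm against the kdc behaviour that triggered the denial). Dropping the old `dontaudit ... write` is consistent with the widening, but the justification is what a reviewer of the principal-db access needs.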
@@ -249,17 +259,25 @@ selinux_validate_context(krb5kdc_t)
logging_send_syslog_msg(krb5kdc_t)
+miscfiles_read_generic_certs(krb5kdc_t)
miscfiles_read_localization(krb5kdc_t)
seutil_read_file_contexts(krb5kdc_t)
-sysnet_read_config(krb5kdc_t)
sysnet_use_ldap(krb5kdc_t)
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
optional_policy(`
+ ldap_stream_connect(krb5kdc_t)
+')
+
+optional_policy(`
+ dirsrv_stream_connect(krb5kdc_t)
+')
+
+optional_policy(`
nis_use_ypbind(krb5kdc_t)
')
diff --git a/policy/modules/services/kerneloops.if b/policy/modules/services/kerneloops.if
index 835b16b..dd32883 100644
--- a/policy/modules/services/kerneloops.if
+++ b/policy/modules/services/kerneloops.if
@@ -5,15 +5,14 @@
## Execute a domain transition to run kerneloops.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`kerneloops_domtrans',`
gen_require(`
- type kerneloops_t;
- type kerneloops_exec_t;
+ type kerneloops_t, kerneloops_exec_t;
')
domtrans_pattern($1, kerneloops_exec_t, kerneloops_t)
@@ -99,8 +98,7 @@ interface(`kerneloops_manage_tmp_files',`
#
interface(`kerneloops_admin',`
gen_require(`
- type kerneloops_t, kerneloops_initrc_exec_t;
- type kerneloops_tmp_t;
+ type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
')
allow $1 kerneloops_t:process { ptrace signal_perms };
@@ -111,5 +109,6 @@ interface(`kerneloops_admin',`
role_transition $2 kerneloops_initrc_exec_t system_r;
allow $2 system_r;
+ files_list_tmp($1)
admin_pattern($1, kerneloops_tmp_t)
')
diff --git a/policy/modules/services/keyboardd.fc b/policy/modules/services/keyboardd.fc
new file mode 100644
index 0000000..485aacc
--- /dev/null
+++ b/policy/modules/services/keyboardd.fc
@@ -0,0 +1,2 @@
+
+/usr/bin/system-setup-keyboard -- gen_context(system_u:object_r:keyboardd_exec_t,s0)
diff --git a/policy/modules/services/keyboardd.if b/policy/modules/services/keyboardd.if
new file mode 100644
index 0000000..6134ef2
--- /dev/null
+++ b/policy/modules/services/keyboardd.if
@@ -0,0 +1,39 @@
+
+## <summary>policy for system-setup-keyboard daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run keyboard setup daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`keyboardd_domtrans',`
+ gen_require(`
+ type keyboardd_t, keyboardd_exec_t;
+ ')
+
+ domtrans_pattern($1, keyboardd_exec_t, keyboardd_t)
+')
+
+######################################
+## <summary>
+## Allow attempts to read to
+## keyboardd unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`keyboardd_read_pipes',`
+ gen_require(`
+ type keyboardd_t;
+ ')
+
+ allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
+')
diff --git a/policy/modules/services/keyboardd.te b/policy/modules/services/keyboardd.te
new file mode 100644
index 0000000..21e49e3
--- /dev/null
+++ b/policy/modules/services/keyboardd.te
@@ -0,0 +1,26 @@
+
+policy_module(keyboardd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type keyboardd_t;
+type keyboardd_exec_t;
+init_daemon_domain(keyboardd_t, keyboardd_exec_t)
+
+########################################
+#
+# keyboardd local policy
+#
+
+allow keyboardd_t self:fifo_file rw_fifo_file_perms;
+allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
+
+files_manage_etc_runtime_files(keyboardd_t)
+files_etc_filetrans_etc_runtime(keyboardd_t, file)
+
+files_read_etc_files(keyboardd_t)
+
+miscfiles_read_localization(keyboardd_t)
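Review bot: `files_manage_etc_runtime_files(keyboardd_t)` together with `files_etc_filetrans_etc_runtime(keyboardd_t, file)` lets this daemon create and rewrite every etc_runtime_t file under /etc, and nothing in the module records which file it actually produces. If it writes a single known file, pass its name to the filetrans call so the transition is scoped to that name (the named-filetrans form is available in this tree; kerberos.if in the same patch passes names such as "krb5.keytab"), or give the output a dedicated type, and add a comment above these two lines naming the generated file. As written, a bug in system-setup-keyboard can clobber any other etc_runtime_t file.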
diff --git a/policy/modules/services/ksmtuned.fc b/policy/modules/services/ksmtuned.fc
index 9c0c835..8360166 100644
--- a/policy/modules/services/ksmtuned.fc
+++ b/policy/modules/services/ksmtuned.fc
@@ -3,3 +3,5 @@
/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
+
+/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
diff --git a/policy/modules/services/ksmtuned.if b/policy/modules/services/ksmtuned.if
index 6fd0b4c..b733e45 100644
--- a/policy/modules/services/ksmtuned.if
+++ b/policy/modules/services/ksmtuned.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run ksmtuned.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`ksmtuned_domtrans',`
@@ -55,12 +55,11 @@ interface(`ksmtuned_initrc_domtrans',`
#
interface(`ksmtuned_admin',`
gen_require(`
- type ksmtuned_t, ksmtuned_var_run_t;
- type ksmtuned_initrc_exec_t;
+ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t;
')
allow $1 ksmtuned_t:process { ptrace signal_perms };
- ps_process_pattern(ksmtumed_t)
+ ps_process_pattern($1, ksmtuned_t)
files_list_pids($1)
admin_pattern($1, ksmtuned_var_run_t)
@@ -70,5 +69,4 @@ interface(`ksmtuned_admin',`
domain_system_change_exemption($1)
role_transition $2 ksmtuned_initrc_exec_t system_r;
allow $2 system_r;
-
')
diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te
index a73b7a1..2fcd590 100644
--- a/policy/modules/services/ksmtuned.te
+++ b/policy/modules/services/ksmtuned.te
@@ -9,6 +9,9 @@ type ksmtuned_t;
type ksmtuned_exec_t;
init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
+type ksmtuned_log_t;
+logging_log_file(ksmtuned_log_t)
+
type ksmtuned_initrc_exec_t;
init_script_file(ksmtuned_initrc_exec_t)
@@ -23,6 +26,10 @@ files_pid_file(ksmtuned_var_run_t)
allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
allow ksmtuned_t self:fifo_file rw_file_perms;
+manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
+manage_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
+logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir })
+
manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
@@ -31,9 +38,19 @@ kernel_read_system_state(ksmtuned_t)
dev_rw_sysfs(ksmtuned_t)
domain_read_all_domains_state(ksmtuned_t)
+domain_dontaudit_read_all_domains_state(ksmtuned_t)
corecmd_exec_bin(ksmtuned_t)
+corecmd_exec_shell(ksmtuned_t)
files_read_etc_files(ksmtuned_t)
+mls_file_read_to_clearance(ksmtuned_t)
+
+term_use_all_inherited_terms(ksmtuned_t)
+
+auth_use_nsswitch(ksmtuned_t)
+
+logging_send_syslog_msg(ksmtuned_t)
+
miscfiles_read_localization(ksmtuned_t)
diff --git a/policy/modules/services/ktalk.te b/policy/modules/services/ktalk.te
index ca5cfdf..554ad30 100644
--- a/policy/modules/services/ktalk.te
+++ b/policy/modules/services/ktalk.te
@@ -68,7 +68,7 @@ fs_getattr_xattr_fs(ktalkd_t)
files_read_etc_files(ktalkd_t)
term_search_ptys(ktalkd_t)
-term_use_all_terms(ktalkd_t)
+term_use_all_inherited_terms(ktalkd_t)
auth_use_nsswitch(ktalkd_t)
diff --git a/policy/modules/services/l2tpd.fc b/policy/modules/services/l2tpd.fc
new file mode 100644
index 0000000..76d879e
--- /dev/null
+++ b/policy/modules/services/l2tpd.fc
@@ -0,0 +1,11 @@
+
+/etc/rc\.d/init\.d/xl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/openl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
+
+/usr/sbin/xl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
+/usr/sbin/openl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
+
+/var/run/xl2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
+
+/var/run/xl2tpd\.pid gen_context(system_u:object_r:l2tpd_var_run_t,s0)
+
diff --git a/policy/modules/services/l2tpd.if b/policy/modules/services/l2tpd.if
new file mode 100644
index 0000000..5783d58
--- /dev/null
+++ b/policy/modules/services/l2tpd.if
@@ -0,0 +1,115 @@
+
+## <summary>policy for l2tpd</summary>
+
+########################################
+## <summary>
+## Transition to l2tpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`l2tpd_domtrans',`
+ gen_require(`
+ type l2tpd_t, l2tpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, l2tpd_exec_t, l2tpd_t)
+')
+
+
+########################################
+## <summary>
+## Execute l2tpd server in the l2tpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`l2tpd_initrc_domtrans',`
+ gen_require(`
+ type l2tpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
+')
+
+
+########################################
+## <summary>
+## Read l2tpd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`l2tpd_read_pid_files',`
+ gen_require(`
+ type l2tpd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 l2tpd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write l2tpd unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`l2tpd_rw_pipes',`
+ gen_require(`
+ type l2tpd_t;
+ ')
+
+ allow $1 l2tpd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an l2tpd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`l2tpd_admin',`
+ gen_require(`
+ type l2tpd_t;
+ type l2tpd_initrc_exec_t;
+ type l2tpd_var_run_t;
+ ')
+
+ allow $1 l2tpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, l2tpd_t)
+
+ l2tpd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 l2tpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, l2tpd_var_run_t)
+')
+
diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te
new file mode 100644
index 0000000..4aac893
--- /dev/null
+++ b/policy/modules/services/l2tpd.te
@@ -0,0 +1,56 @@
+policy_module(l2tpd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type l2tpd_t;
+type l2tpd_exec_t;
+init_daemon_domain(l2tpd_t, l2tpd_exec_t)
+
+type l2tpd_initrc_exec_t;
+init_script_file(l2tpd_initrc_exec_t)
+
+type l2tpd_tmp_t;
+files_tmp_file(l2tpd_tmp_t)
+
+type l2tpd_var_run_t;
+files_pid_file(l2tpd_var_run_t)
+
+########################################
+#
+# l2tpd local policy
+#
+allow l2tpd_t self:capability net_bind_service;
+allow l2tpd_t self:process signal;
+
+allow l2tpd_t self:fifo_file rw_fifo_file_perms;
+allow l2tpd_t self:unix_stream_socket create_stream_socket_perms;
+allow l2tpd_t self:tcp_socket create_stream_socket_perms;
+
+manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
+files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
+
+manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
+manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
+manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
+manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
+files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file })
+
+corenet_tcp_bind_generic_node(l2tpd_t)
+corenet_udp_bind_generic_node(l2tpd_t)
+corenet_udp_bind_generic_port(l2tpd_t)
+corenet_tcp_bind_all_rpc_ports(l2tpd_t)
+
+dev_read_urand(l2tpd_t)
+
+domain_use_interactive_fds(l2tpd_t)
+
+files_read_etc_files(l2tpd_t)
+
+logging_send_syslog_msg(l2tpd_t)
+
+miscfiles_read_localization(l2tpd_t)
+
+sysnet_dns_name_resolve(l2tpd_t)
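Review bot: The block grants UDP node and port binding (`corenet_udp_bind_generic_node`, `corenet_udp_bind_generic_port`) but the only socket class allowed on self is `tcp_socket`, so unless `sysnet_dns_name_resolve` happens to grant `self:udp_socket` in this tree the L2TP control socket on UDP/1701 cannot even be created; add `allow l2tpd_t self:udp_socket create_socket_perms;` next to the tcp rule so the intent is explicit rather than inherited. `corenet_udp_bind_generic_port` also lets the daemon bind any unlabeled port; if this policy defines a dedicated l2tp port type, use its bind interface instead. `corenet_tcp_bind_all_rpc_ports` is presumably for openl2tpd's RPC management interface — a one-line comment saying so would stop it being read as overreach for xl2tpd.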
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
index c62f23e..f8a4301 100644
--- a/policy/modules/services/ldap.fc
+++ b/policy/modules/services/ldap.fc
@@ -1,6 +1,10 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
-/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+
+/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+
+/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
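Review bot: The new entry labels `/lib/systemd/system/slapd.*` as `iptables_unit_file_t`, which looks like a copy-paste error: this same patch declares `slapd_unit_file_t` in ldap.te and `ldap_systemctl` in ldap.if grants `all_service_perms` on that type, so with this .fc line the slapd unit never carries the type the interface expects, and any domain given control of iptables units presumably gains control of slapd as well. Change it to `/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:slapd_unit_file_t,s0)`. The unescaped `.` in `slapd.*` is a regex wildcard; `slapd\.service` would be tighter if only that unit exists.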
@@ -15,3 +19,4 @@ ifdef(`distro_debian',`
/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
index 3aa8fa7..2a407cd 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
@@ -1,5 +1,65 @@
## <summary>OpenLDAP directory server</summary>
+#######################################
+## <summary>
+## Execute OpenLDAP in the ldap domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_domtrans',`
+ gen_require(`
+ type slapd_t, slapd_exec_t;
+ ')
+
+ domtrans_pattern($1, slapd_exec_t, slapd_t)
+')
+
+#######################################
+## <summary>
+## Execute OpenLDAP server in the ldap domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_initrc_domtrans',`
+ gen_require(`
+ type slapd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute slapd server in the slapd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ldap_systemctl',`
+ gen_require(`
+ type slapd_unit_file_t;
+ type slapd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 slapd_unit_file_t:file read_file_perms;
+ allow $1 slapd_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, slapd_t)
+')
+
########################################
## <summary>
## Read the contents of the OpenLDAP
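Review bot: The summary on `ldap_systemctl` reads "Execute slapd server in the slapd domain", which describes a domain transition rather than what the interface does (run systemctl and manage the slapd unit); replace it with `## Execute systemctl to control the slapd service.`. The `ldap_domtrans` and `ldap_initrc_domtrans` summaries are near-duplicates ("Execute OpenLDAP in the ldap domain" / "Execute OpenLDAP server in the ldap domain") and should distinguish the binary transition on `slapd_exec_t` from running the init script. `ldap_domtrans` also omits the `corecmd_search_bin($1)` that the other new domtrans interfaces in this patch (l2tpd, lldpad) include; align it if callers are expected to reach /usr/sbin/slapd on their own.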
@@ -21,6 +81,25 @@ interface(`ldap_list_db',`
########################################
## <summary>
+## Read the contents of the OpenLDAP
+## database files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_read_db_files',`
+ gen_require(`
+ type slapd_db_t;
+ ')
+
+ read_files_pattern($1, slapd_db_t, slapd_db_t)
+')
+
+########################################
+## <summary>
## Read the OpenLDAP configuration files.
## </summary>
## <param name="domain">
@@ -69,8 +148,7 @@ interface(`ldap_stream_connect',`
')
files_search_pids($1)
- allow $1 slapd_var_run_t:sock_file write;
- allow $1 slapd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
')
########################################
@@ -110,6 +188,7 @@ interface(`ldap_admin',`
admin_pattern($1, slapd_lock_t)
+ files_list_var_lib($1)
admin_pattern($1, slapd_replog_t)
files_list_tmp($1)
@@ -117,4 +196,6 @@ interface(`ldap_admin',`
files_list_pids($1)
admin_pattern($1, slapd_var_run_t)
+
+ ldap_systemctl($1)
')
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index 64fd1ff..211180e 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -10,7 +10,7 @@ type slapd_exec_t;
init_daemon_domain(slapd_t, slapd_exec_t)
type slapd_cert_t;
-files_type(slapd_cert_t)
+miscfiles_cert_type(slapd_cert_t)
type slapd_db_t;
files_type(slapd_db_t)
@@ -21,15 +21,24 @@ files_config_file(slapd_etc_t)
type slapd_initrc_exec_t;
init_script_file(slapd_initrc_exec_t)
+type slapd_unit_file_t;
+systemd_unit_file(slapd_unit_file_t)
+
type slapd_lock_t;
files_lock_file(slapd_lock_t)
type slapd_replog_t;
files_type(slapd_replog_t)
+type slapd_log_t;
+logging_log_file(slapd_log_t)
+
type slapd_tmp_t;
files_tmp_file(slapd_tmp_t)
+type slapd_tmpfs_t;
+files_tmpfs_file(slapd_tmpfs_t)
+
type slapd_var_run_t;
files_pid_file(slapd_var_run_t)
@@ -67,13 +76,21 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
+manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
+
manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
+manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
+fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)
+
+manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
-files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file })
+files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
index 771e04b..81d98b3 100644
--- a/policy/modules/services/likewise.if
+++ b/policy/modules/services/likewise.if
@@ -63,7 +63,7 @@ template(`likewise_domain_template',`
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
- allow $1_t likewise_var_lib_t:dir setattr;
+ allow $1_t likewise_var_lib_t:dir setattr_dir_perms;
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t, $1_var_run_t, file)
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
index 5037e06..18dc6e5 100644
--- a/policy/modules/services/likewise.te
+++ b/policy/modules/services/likewise.te
@@ -17,7 +17,7 @@ type likewise_var_lib_t;
files_type(likewise_var_lib_t)
type likewise_pstore_lock_t;
-files_type(likewise_pstore_lock_t)
+files_lock_file(likewise_pstore_lock_t)
type likewise_krb5_ad_t;
files_type(likewise_krb5_ad_t)
@@ -205,7 +205,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_
# Likewise DC location service local policy
#
-allow netlogond_t self:capability {dac_override};
+allow netlogond_t self:capability dac_override;
manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
diff --git a/policy/modules/services/lircd.fc b/policy/modules/services/lircd.fc
index 49e04e5..69db026 100644
--- a/policy/modules/services/lircd.fc
+++ b/policy/modules/services/lircd.fc
@@ -2,6 +2,7 @@
/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
/etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0)
+/etc/lirc(/.*)? gen_context(system_u:object_r:lircd_etc_t,s0)
/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
index 6a78de1..8db7d14 100644
--- a/policy/modules/services/lircd.te
+++ b/policy/modules/services/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
init_script_file(lircd_initrc_exec_t)
type lircd_etc_t;
-files_type(lircd_etc_t)
+files_config_file(lircd_etc_t)
type lircd_var_run_t alias lircd_sock_t;
files_pid_file(lircd_var_run_t)
@@ -24,6 +24,7 @@ files_pid_file(lircd_var_run_t)
#
allow lircd_t self:capability { chown kill sys_admin };
+allow lircd_t self:process signal;
allow lircd_t self:fifo_file rw_fifo_file_perms;
allow lircd_t self:unix_dgram_socket create_socket_perms;
allow lircd_t self:tcp_socket create_stream_socket_perms;
@@ -44,18 +45,20 @@ corenet_tcp_bind_lirc_port(lircd_t)
corenet_tcp_sendrecv_all_ports(lircd_t)
corenet_tcp_connect_lirc_port(lircd_t)
-dev_read_generic_usb_dev(lircd_t)
+dev_rw_generic_usb_dev(lircd_t) # this needs to be reproduced. might not be right
dev_read_mouse(lircd_t)
dev_filetrans_lirc(lircd_t)
dev_rw_lirc(lircd_t)
dev_rw_input_dev(lircd_t)
+dev_read_sysfs(lircd_t)
-files_read_etc_files(lircd_t)
+files_read_config_files(lircd_t)
files_list_var(lircd_t)
files_manage_generic_locks(lircd_t)
files_read_all_locks(lircd_t)
term_use_ptmx(lircd_t)
+term_use_usb_ttys(lircd_t)
logging_send_syslog_msg(lircd_t)
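Review bot: `dev_rw_generic_usb_dev(lircd_t)` widens read-only access on every generic USB device node to read/write, and the trailing comment ("this needs to be reproduced. might not be right") admits the need is unverified; a widening over all of usb_device_t should not ship on that basis. Either keep `dev_read_generic_usb_dev(lircd_t)` until a denial shows a write is required, or replace the comment with a reference to the report and the device class that needs it. Similarly, `files_read_config_files(lircd_t)` replacing `files_read_etc_files` grants read on every type carrying the configfile attribute rather than on etc_t; confirm that was intended and not just read access to lircd_etc_t (which this patch marks as a config file).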
diff --git a/policy/modules/services/lldpad.fc b/policy/modules/services/lldpad.fc
new file mode 100644
index 0000000..83a4348
--- /dev/null
+++ b/policy/modules/services/lldpad.fc
@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/lldpad -- gen_context(system_u:object_r:lldpad_initrc_exec_t,s0)
+
+/usr/sbin/lldpad -- gen_context(system_u:object_r:lldpad_exec_t,s0)
+
+/var/lib/lldpad(/.*)? gen_context(system_u:object_r:lldpad_var_lib_t,s0)
+
+/var/run/lldpad\.pid -- gen_context(system_u:object_r:lldpad_var_run_t,s0)
diff --git a/policy/modules/services/lldpad.if b/policy/modules/services/lldpad.if
new file mode 100644
index 0000000..9d1bac3
--- /dev/null
+++ b/policy/modules/services/lldpad.if
@@ -0,0 +1,198 @@
+
+## <summary>policy for lldpad</summary>
+
+########################################
+## <summary>
+## Transition to lldpad.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lldpad_domtrans',`
+ gen_require(`
+ type lldpad_t, lldpad_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lldpad_exec_t, lldpad_t)
+')
+
+
+########################################
+## <summary>
+## Execute lldpad server in the lldpad domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lldpad_initrc_domtrans',`
+ gen_require(`
+ type lldpad_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
+')
+
+
+########################################
+## <summary>
+## Search lldpad lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lldpad_search_lib',`
+ gen_require(`
+ type lldpad_var_lib_t;
+ ')
+
+ allow $1 lldpad_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read lldpad lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lldpad_read_lib_files',`
+ gen_require(`
+ type lldpad_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, lldpad_var_lib_t, lldpad_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage lldpad lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lldpad_manage_lib_files',`
+ gen_require(`
+ type lldpad_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, lldpad_var_lib_t, lldpad_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage lldpad lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lldpad_manage_lib_dirs',`
+ gen_require(`
+ type lldpad_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, lldpad_var_lib_t, lldpad_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## Read lldpad PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lldpad_read_pid_files',`
+ gen_require(`
+ type lldpad_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 lldpad_var_run_t:file read_file_perms;
+')
+
+#####################################
+## <summary>
+## Send to a lldpad unix dgram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lldpad_dgram_send',`
+ gen_require(`
+ type lldpad_t;
+ ')
+
+ allow $1 lldpad_t:unix_dgram_socket sendto;
+ allow lldpad_t $1:unix_dgram_socket sendto;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an lldpad environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lldpad_admin',`
+ gen_require(`
+ type lldpad_t;
+ type lldpad_initrc_exec_t;
+ type lldpad_var_lib_t;
+ type lldpad_var_run_t;
+ ')
+
+ allow $1 lldpad_t:process { ptrace signal_perms };
+ ps_process_pattern($1, lldpad_t)
+
+ lldpad_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 lldpad_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, lldpad_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, lldpad_var_run_t)
+
+')
+
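Review bot: `lldpad_dgram_send` is documented as "Send to a lldpad unix dgram socket" but also grants `allow lldpad_t $1:unix_dgram_socket sendto;`, so it is a bidirectional exchange and a caller reading the summary would not expect lldpad to be able to write back into its socket. Update the summary to `## Send to and receive replies from lldpad unix dgram sockets.` or split the reverse rule into its own interface as the other dgram interfaces in this tree do.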
diff --git a/policy/modules/services/lldpad.te b/policy/modules/services/lldpad.te
new file mode 100644
index 0000000..b7f4268
--- /dev/null
+++ b/policy/modules/services/lldpad.te
@@ -0,0 +1,72 @@
+policy_module(lldpad, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lldpad_t;
+type lldpad_exec_t;
+init_daemon_domain(lldpad_t, lldpad_exec_t)
+
+type lldpad_initrc_exec_t;
+init_script_file(lldpad_initrc_exec_t)
+
+type lldpad_tmpfs_t;
+files_tmpfs_file(lldpad_tmpfs_t)
+
+type lldpad_var_lib_t;
+files_type(lldpad_var_lib_t)
+
+type lldpad_var_run_t;
+files_pid_file(lldpad_var_run_t)
+
+########################################
+#
+# lldpad local policy
+#
+
+allow lldpad_t self:capability { net_admin net_raw };
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit lldpad_t self:capability sys_module;
+')
+
+allow lldpad_t self:shm create_shm_perms;
+allow lldpad_t self:fifo_file rw_fifo_file_perms;
+
+allow lldpad_t self:unix_stream_socket create_stream_socket_perms;
+allow lldpad_t self:netlink_route_socket create_netlink_socket_perms;
+allow lldpad_t self:packet_socket create_socket_perms;
+allow lldpad_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(lldpad_t,lldpad_tmpfs_t,lldpad_tmpfs_t)
+fs_tmpfs_filetrans(lldpad_t,lldpad_tmpfs_t,file)
+
+manage_dirs_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t)
+manage_files_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t)
+
+manage_dirs_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
+manage_files_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
+manage_sock_files_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
+# this needs to be fixed in lldpad package
+# bug: #
+files_pid_filetrans(lldpad_t, lldpad_var_run_t, { dir file sock_file })
+
+kernel_read_all_sysctls(lldpad_t)
+kernel_read_network_state(lldpad_t)
+kernel_request_load_module(lldpad_t)
+
+dev_read_sysfs(lldpad_t)
+
+files_read_etc_files(lldpad_t)
+
+logging_send_syslog_msg(lldpad_t)
+
+miscfiles_read_localization(lldpad_t)
+
+userdom_dgram_send(lldpad_t)
+
+optional_policy(`
+ fcoemon_dgram_send(lldpad_t)
+')
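Review bot: The comment above `files_pid_filetrans(lldpad_t, lldpad_var_run_t, { dir file sock_file })` leaves an empty bug reference (`# bug: #`), so a reader cannot tell what the package is expected to fix or when the `dir`/`sock_file` transition can be dropped; fill in the report, or if none exists describe the behaviour, e.g. `# lldpad creates a directory and socket under /var/run that lldpad.fc does not label`. lldpad.fc in this patch only labels `/var/run/lldpad\.pid`, which is consistent with that reading but should be stated. The two tmpfs lines (`manage_files_pattern(lldpad_t,lldpad_tmpfs_t,lldpad_tmpfs_t)` and `fs_tmpfs_filetrans(lldpad_t,lldpad_tmpfs_t,file)`) also lack the spaces after commas used everywhere else in the file.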
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index a4f32f5..ea7dca0 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -14,6 +14,7 @@
## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`lpd_role',`
gen_require(`
@@ -27,7 +28,7 @@ interface(`lpd_role',`
dontaudit lpr_t $2:unix_stream_socket { read write };
ps_process_pattern($2, lpr_t)
- allow $2 lpr_t:process signull;
+ allow $2 lpr_t:process { ptrace signal_perms };
optional_policy(`
cups_read_config($2)
@@ -153,7 +154,7 @@ interface(`lpd_relabel_spool',`
')
files_search_spool($1)
- allow $1 print_spool_t:file { relabelto relabelfrom };
+ allow $1 print_spool_t:file relabel_file_perms;
')
########################################
@@ -186,7 +187,7 @@ interface(`lpd_read_config',`
## </summary>
## </param>
#
-template(`lpd_domtrans_lpr',`
+interface(`lpd_domtrans_lpr',`
gen_require(`
type lpr_t, lpr_exec_t;
')
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 93c14ca..f28acd2 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0)
#
## <desc>
-## <p>
-## Use lpd server instead of cups
-## </p>
+## <p>
+## Use lpd server instead of cups
+## </p>
## </desc>
gen_tunable(use_lpd_server, false)
@@ -47,14 +47,14 @@ ubac_constrained(lpr_tmp_t)
type print_spool_t;
typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
-files_type(print_spool_t)
+files_spool_file(print_spool_t)
ubac_constrained(print_spool_t)
type printer_t;
files_type(printer_t)
type printconf_t;
-files_type(printconf_t)
+files_config_file(printconf_t)
########################################
#
@@ -80,7 +80,7 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
files_search_spool(checkpc_t)
-allow checkpc_t printconf_t:file getattr;
+allow checkpc_t printconf_t:file getattr_file_perms;
allow checkpc_t printconf_t:dir list_dir_perms;
kernel_read_system_state(checkpc_t)
@@ -113,7 +113,7 @@ init_use_fds(checkpc_t)
sysnet_read_config(checkpc_t)
-userdom_use_user_terminals(checkpc_t)
+userdom_use_inherited_user_terminals(checkpc_t)
optional_policy(`
cron_system_entry(checkpc_t, checkpc_exec_t)
@@ -145,9 +145,10 @@ manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
+manage_dirs_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
-files_pid_filetrans(lpd_t, lpd_var_run_t, file)
+files_pid_filetrans(lpd_t, lpd_var_run_t, { dir file })
# Write to /var/spool/lpd.
manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
@@ -277,19 +278,19 @@ miscfiles_read_localization(lpr_t)
userdom_read_user_tmp_symlinks(lpr_t)
# Write to the user domain tty.
-userdom_use_user_terminals(lpr_t)
+userdom_use_inherited_user_terminals(lpr_t)
userdom_read_user_home_content_files(lpr_t)
userdom_read_user_tmp_files(lpr_t)
tunable_policy(`use_lpd_server',`
# lpr can run in lightweight mode, without a local print spooler.
- allow lpr_t lpd_var_run_t:dir search;
- allow lpr_t lpd_var_run_t:sock_file write;
+ allow lpr_t lpd_var_run_t:dir search_dir_perms;
+ allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
files_read_var_files(lpr_t)
# Connect to lpd via a Unix domain socket.
- allow lpr_t printer_t:sock_file rw_sock_file_perms;
- allow lpr_t lpd_t:unix_stream_socket connectto;
+ allow lpr_t printer_t:sock_file read_sock_file_perms;
+ stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)
# Send SIGHUP to lpd.
allow lpr_t lpd_t:process signal;
@@ -308,12 +309,14 @@ tunable_policy(`use_lpd_server',`
')
tunable_policy(`use_nfs_home_dirs',`
+ files_list_home(lpr_t)
fs_list_auto_mountpoints(lpr_t)
fs_read_nfs_files(lpr_t)
fs_read_nfs_symlinks(lpr_t)
')
tunable_policy(`use_samba_home_dirs',`
+ files_list_home(lpr_t)
fs_list_auto_mountpoints(lpr_t)
fs_read_cifs_files(lpr_t)
fs_read_cifs_symlinks(lpr_t)
diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
index 14ad189..2b8efd8 100644
--- a/policy/modules/services/mailman.fc
+++ b/policy/modules/services/mailman.fc
@@ -1,11 +1,11 @@
-/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
/var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
/var/log/mailman(/.*)? gen_context(system_u:object_r:mailman_log_t,s0)
-/var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+/var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_var_run_t,s0)
#
# distro_debian
@@ -25,10 +25,10 @@ ifdef(`distro_debian', `
ifdef(`distro_redhat', `
/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
-/usr/lib(64)?/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/usr/lib(64)?/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib(64)?/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib(64)?/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
')
diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if
index 67c7fdd..d7338be 100644
--- a/policy/modules/services/mailman.if
+++ b/policy/modules/services/mailman.if
@@ -16,7 +16,7 @@
## </summary>
## </param>
#
-template(`mailman_domain_template', `
+template(`mailman_domain_template',`
type mailman_$1_t;
domain_type(mailman_$1_t)
role system_r types mailman_$1_t;
@@ -74,7 +74,7 @@ template(`mailman_domain_template', `
corecmd_exec_all_executables(mailman_$1_t)
files_exec_etc_files(mailman_$1_t)
- files_list_usr(mailman_$1_t)
+ files_read_usr_files(mailman_$1_t)
files_list_var(mailman_$1_t)
files_list_var_lib(mailman_$1_t)
files_read_var_lib_symlinks(mailman_$1_t)
@@ -108,6 +108,31 @@ interface(`mailman_domtrans',`
domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
')
+########################################
+## <summary>
+## Execute the mailman program in the mailman domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the mailman domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mailman_run',`
+ gen_require(`
+ type mailman_mail_t;
+ ')
+
+ mailman_domtrans($1)
+ role $2 types mailman_mail_t;
+')
+
#######################################
## <summary>
## Execute mailman CGI scripts in the
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index af4d572..cea085e 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -19,6 +19,9 @@ logging_log_file(mailman_log_t)
type mailman_lock_t;
files_lock_file(mailman_lock_t)
+type mailman_var_run_t;
+files_pid_file(mailman_var_run_t)
+
mailman_domain_template(mail)
init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
@@ -61,14 +64,22 @@ optional_policy(`
# Mailman mail local policy
#
-allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
-allow mailman_mail_t self:process { signal signull };
allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
+manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
+files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
+
+# make NNTP gateway working
+corenet_tcp_connect_innd_port(mailman_mail_t)
+corenet_tcp_connect_spamd_port(mailman_mail_t)
+
files_search_spool(mailman_mail_t)
fs_rw_anon_inodefs_files(mailman_mail_t)
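Review bot: The comment `# make NNTP gateway working` only accounts for `corenet_tcp_connect_innd_port(mailman_mail_t)`; the `corenet_tcp_connect_spamd_port(mailman_mail_t)` line beneath it is an unrelated grant, and a reader will assume spamd traffic is part of the NNTP path. Either give it its own comment or widen the existing one, e.g. `# NNTP gateway (innd) and spam filtering (spamd)`. Minor consistency point: the new pid-file block lists `manage_files_pattern` before `manage_dirs_pattern`, while the archive block above it goes dirs first.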
@@ -81,11 +92,16 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(mailman_mail_t)
+')
+
+optional_policy(`
cron_read_pipes(mailman_mail_t)
')
optional_policy(`
postfix_search_spool(mailman_mail_t)
+ postfix_rw_master_pipes(mailman_mail_t)
')
########################################
@@ -104,6 +120,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
kernel_read_proc_symlinks(mailman_queue_t)
+corenet_tcp_connect_innd_port(mailman_queue_t)
+
auth_domtrans_chk_passwd(mailman_queue_t)
files_dontaudit_search_pids(mailman_queue_t)
@@ -125,4 +143,4 @@ optional_policy(`
optional_policy(`
su_exec(mailman_queue_t)
-')
\ No newline at end of file
+')
diff --git a/policy/modules/services/mailscanner.fc b/policy/modules/services/mailscanner.fc
new file mode 100644
index 0000000..827e22e
--- /dev/null
+++ b/policy/modules/services/mailscanner.fc
@@ -0,0 +1,11 @@
+/etc/MailScanner(/.*)? gen_context(system_u:object_r:mscan_etc_t,s0)
+
+/etc/rc\.d/init\.d/MailScanner -- gen_context(system_u:object_r:mscan_initrc_exec_t,s0)
+
+/etc/sysconfig/MailScanner -- gen_context(system_u:object_r:mscan_etc_t,s0)
+
+/etc/sysconfig/update_spamassassin -- gen_context(system_u:object_r:mscan_etc_t,s0)
+
+/usr/sbin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0)
+
+/var/run/MailScanner\.pid -- gen_context(system_u:object_r:mscan_var_run_t,s0)
diff --git a/policy/modules/services/mailscanner.if b/policy/modules/services/mailscanner.if
new file mode 100644
index 0000000..39c12cb
--- /dev/null
+++ b/policy/modules/services/mailscanner.if
@@ -0,0 +1,58 @@
+## <summary>E-mail security and anti-spam package for e-mail gateway systems.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## MailScanner.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mailscanner_initrc_domtrans',`
+ gen_require(`
+ type mscan_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, mscan_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an mailscanner environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mailscanner_admin',`
+ gen_require(`
+ type mscan_t, mscan_var_run_t, mscan_etc_t;
+ type mscan_initrc_exec_t;
+ ')
+
+ mailscanner_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 mscan_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ allow $1 mscan_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mscan_t)
+
+ admin_pattern($1, mscan_etc_t)
+ files_list_etc($1)
+
+ admin_pattern($1, mscan_var_run_t)
+ files_list_pids($1)
+')
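Review bot: `mailscanner_admin` applies `admin_pattern` to `mscan_etc_t` and `mscan_var_run_t` but not to `mscan_tmp_t`, which the accompanying mailscanner.te declares with `files_tmp_file`, so an administrator role built on this interface cannot clean up leftover MailScanner temp directories. Adding `type mscan_tmp_t;` to the gen_require plus `admin_pattern($1, mscan_tmp_t)` and `files_list_tmp($1)` would bring it in line with the other admin interfaces in this series. The summary text `an mailscanner environment` would also read better as `a MailScanner environment`.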
diff --git a/policy/modules/services/mailscanner.te b/policy/modules/services/mailscanner.te
new file mode 100644
index 0000000..5b84980
--- /dev/null
+++ b/policy/modules/services/mailscanner.te
@@ -0,0 +1,87 @@
+policy_module(mailscanner, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mscan_t;
+type mscan_exec_t;
+init_daemon_domain(mscan_t, mscan_exec_t)
+
+type mscan_initrc_exec_t;
+init_script_file(mscan_initrc_exec_t)
+
+type mscan_etc_t;
+files_config_file(mscan_etc_t)
+
+type mscan_tmp_t;
+files_tmp_file(mscan_tmp_t)
+
+type mscan_var_run_t;
+files_pid_file(mscan_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mscan_t self:capability { setuid chown setgid dac_override };
+allow mscan_t self:process signal;
+allow mscan_t self:fifo_file rw_fifo_file_perms;
+
+read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
+
+manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t)
+files_pid_filetrans(mscan_t, mscan_var_run_t, file)
+
+manage_dirs_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
+manage_files_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
+files_tmp_filetrans(mscan_t, mscan_tmp_t, dir)
+
+can_exec(mscan_t, mscan_exec_t)
+
+kernel_read_system_state(mscan_t)
+
+corecmd_exec_bin(mscan_t)
+corecmd_exec_shell(mscan_t)
+
+corenet_tcp_connect_fprot_port(mscan_t)
+corenet_tcp_sendrecv_fprot_port(mscan_t)
+corenet_sendrecv_fprot_client_packets(mscan_t)
+corenet_udp_bind_generic_node(mscan_t)
+corenet_udp_bind_generic_port(mscan_t)
+corenet_udp_sendrecv_all_ports(mscan_t)
+corenet_sendrecv_generic_server_packets(mscan_t)
+
+dev_read_urand(mscan_t)
+
+files_read_usr_files(mscan_t)
+
+fs_getattr_xattr_fs(mscan_t)
+
+auth_dontaudit_read_shadow(mscan_t)
+auth_use_nsswitch(mscan_t)
+
+logging_send_syslog_msg(mscan_t)
+
+miscfiles_read_localization(mscan_t)
+
+optional_policy(`
+ clamav_domtrans_clamscan(mscan_t)
+ clamav_manage_clamd_pid(mscan_t)
+')
+
+optional_policy(`
+ mta_send_mail(mscan_t)
+ mta_manage_queue(mscan_t)
+')
+
+optional_policy(`
+ procmail_domtrans(mscan_t)
+')
+
+optional_policy(`
+ spamassassin_read_home_client(mscan_t)
+ spamassassin_read_lib_files(mscan_t)
+')
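Review bot: `corenet_udp_sendrecv_all_ports(mscan_t)` together with the generic UDP node/port bind is a broad network grant for a daemon whose TCP side is otherwise scoped to the fprot port, and nothing in the file says which UDP protocol it serves. If the only UDP traffic is name resolution, the `auth_use_nsswitch(mscan_t)` already present may well cover it and the all-ports line could go; otherwise a comment naming the protocol would let reviewers keep the rule narrow. The same applies to `allow mscan_t self:capability { setuid chown setgid dac_override };`, where `dac_override` lets the daemon bypass file permission bits on everything its type may reach, so a note on why it is required is worth having.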
diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc
new file mode 100644
index 0000000..c502d10
--- /dev/null
+++ b/policy/modules/services/matahari.fc
@@ -0,0 +1,15 @@
+/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/matahari-service gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+
+/usr/sbin/matahari-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
+
+/usr/sbin/matahari-netd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
+
+/usr/sbin/matahari-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
+
+/var/lib/matahari(/.*)? gen_context(system_u:object_r:matahari_var_lib_t,s0)
+
+/var/run/matahari(/.*)? gen_context(system_u:object_r:matahari_var_run_t,s0)
+/var/run/matahari\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0)
+/var/run/matahari-broker\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0)
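Review bot: The three `/etc/rc\.d/init\.d/matahari-*` entries carry no file-type field, so unlike every other init script in this patch (e.g. `/etc/rc\.d/init\.d/MailScanner -- …` in mailscanner.fc) they would also match a directory or symlink at that path. Add the regular-file marker: `/etc/rc\.d/init\.d/matahari-host -- gen_context(system_u:object_r:matahari_initrc_exec_t,s0)`, and likewise for `matahari-net` and `matahari-service`.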
diff --git a/policy/modules/services/matahari.if b/policy/modules/services/matahari.if
new file mode 100644
index 0000000..0432f2e
--- /dev/null
+++ b/policy/modules/services/matahari.if
@@ -0,0 +1,247 @@
+## <summary>policy for matahari</summary>
+
+######################################
+## <summary>
+## Creates types and rules for a basic
+## matahari init daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`matahari_domain_template',`
+ gen_require(`
+ attribute matahari_domain;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type matahari_$1_t, matahari_domain;
+ type matahari_$1_exec_t;
+ init_daemon_domain(matahari_$1_t, matahari_$1_exec_t)
+
+')
+
+########################################
+## <summary>
+## Search matahari lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`matahari_search_lib',`
+ gen_require(`
+ type matahari_var_lib_t;
+ ')
+
+ allow $1 matahari_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read matahari lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`matahari_read_lib_files',`
+ gen_require(`
+ type matahari_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## matahari lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`matahari_manage_lib_files',`
+ gen_require(`
+ type matahari_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage matahari lib dirs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`matahari_manage_lib_dirs',`
+ gen_require(`
+ type matahari_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## Read matahari PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`matahari_read_pid_files',`
+ gen_require(`
+ type matahari_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 matahari_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read matahari PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`matahari_manage_pid_files',`
+ gen_require(`
+ type matahari_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, matahari_var_run_t, matahari_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run matahari_hostd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`matahari_hostd_domtrans',`
+ gen_require(`
+ type matahari_hostd_t, matahari_hostd_exec_t;
+ ')
+
+ domtrans_pattern($1, matahari_hostd_exec_t, matahari_hostd_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run matahari_netd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`matahari_netd_domtrans',`
+ gen_require(`
+ type matahari_netd_t, matahari_netd_exec_t;
+ ')
+
+ domtrans_pattern($1, matahari_netd_exec_t, matahari_netd_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run matahari_serviced.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`matahari_serviced_domtrans',`
+ gen_require(`
+ type matahari_serviced_t, matahari_serviced_exec_t;
+ ')
+
+ domtrans_pattern($1, matahari_serviced_exec_t, matahari_serviced_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an matahari environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`matahari_admin',`
+ gen_require(`
+ type matahari_initrc_exec_t;
+ type matahari_hostd_t;
+ type matahari_netd_t;
+ type matahari_serviced_t;
+ type matahari_var_lib_t;
+ type matahari_var_run_t;
+ ')
+
+ init_labeled_script_domtrans($1, matahari_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 matahari_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ allow $1 matahari_netd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, matahari_netd_t)
+
+ allow $1 matahari_hostd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, matahari_hostd_t)
+
+ allow $1 matahari_serviced_t:process { ptrace signal_perms };
+ ps_process_pattern($1, matahari_serviced_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, matahari_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, matahari_var_run_t)
+
+')
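Review bot: `matahari_manage_pid_files` carries the summary `Read matahari PID files.`, copied from the interface above it, although its body is `manage_files_pattern`; the generated interface documentation will describe a manage interface as read-only. Change it to `## Create, read, write, and delete matahari PID files.` The `matahari_manage_lib_dirs` summary `Manage matahari lib dirs files.` should likewise read `Manage matahari lib directories.`; the double blank line before `matahari_read_pid_files` and the blank line before the closing `')` of `matahari_admin` and of `matahari_domain_template` are style noise.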
diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te
new file mode 100644
index 0000000..19d82c3
--- /dev/null
+++ b/policy/modules/services/matahari.te
@@ -0,0 +1,83 @@
+policy_module(matahari,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute matahari_domain;
+
+matahari_domain_template(hostd)
+matahari_domain_template(netd)
+matahari_domain_template(serviced)
+
+type matahari_initrc_exec_t;
+init_script_file(matahari_initrc_exec_t)
+
+type matahari_var_lib_t;
+files_type(matahari_var_lib_t)
+
+type matahari_var_run_t;
+files_pid_file(matahari_var_run_t)
+
+########################################
+#
+# matahari_hostd local policy
+#
+
+allow matahari_hostd_t self:capability sys_ptrace;
+
+kernel_read_network_state(matahari_hostd_t)
+
+dev_read_sysfs(matahari_hostd_t)
+dev_rw_mtrr(matahari_hostd_t)
+
+domain_use_interactive_fds(matahari_hostd_t)
+domain_read_all_domains_state(matahari_hostd_t)
+
+optional_policy(`
+ dbus_system_bus_client(matahari_hostd_t)
+')
+
+########################################
+#
+# matahari_netd local policy
+#
+
+domain_use_interactive_fds(matahari_netd_t)
+
+optional_policy(`
+ dbus_system_bus_client(matahari_netd_t)
+')
+
+########################################
+#
+# matahari_serviced local policy
+#
+
+domain_use_interactive_fds(matahari_serviced_t)
+init_spec_domtrans_script(matahari_serviced_t)
+
+#######################################
+#
+# matahari domain local policy
+#
+
+allow matahari_domain self:process { signal };
+
+allow matahari_domain self:fifo_file rw_fifo_file_perms;
+allow matahari_domain self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(matahari_domain)
+
+corenet_tcp_connect_matahari_port(matahari_domain)
+
+dev_read_urand(matahari_domain)
+
+files_read_etc_files(matahari_domain)
+
+logging_send_syslog_msg(matahari_domain)
+
+miscfiles_read_localization(matahari_domain)
+
+sysnet_dns_name_resolve(matahari_domain)
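Review bot: `allow matahari_hostd_t self:capability sys_ptrace;` is granted with no comment and no accompanying `process ptrace` rule, so its purpose is not obvious; it is presumably the DAC-side companion to `domain_read_all_domains_state` for reading other users' /proc entries, but that should be stated, e.g. `# CAP_SYS_PTRACE for reading /proc state of other users' processes — confirm`. CAP_SYS_PTRACE is a powerful capability, and a comment is what tells a later maintainer when it can be dropped. Minor style: `policy_module(matahari,1.0.0)` lacks the space after the comma used elsewhere in the series, and `{ signal }` needs no braces for a single permission.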
diff --git a/policy/modules/services/mediawiki.if b/policy/modules/services/mediawiki.if
index 98d28b4..1c1d012 100644
--- a/policy/modules/services/mediawiki.if
+++ b/policy/modules/services/mediawiki.if
@@ -1 +1,40 @@
## <summary>Mediawiki policy</summary>
+
+#######################################
+## <summary>
+## Allow the specified domain to read
+## mediawiki tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mediawiki_read_tmp_files',`
+ gen_require(`
+ type httpd_mediawiki_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+ read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+')
+
+#######################################
+## <summary>
+## Delete mediawiki tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mediawiki_delete_tmp_files',`
+ gen_require(`
+ type httpd_mediawiki_tmp_t;
+ ')
+
+ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+')
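Review bot: `mediawiki_delete_tmp_files` grants `delete_files_pattern` on `httpd_mediawiki_tmp_t` but, unlike `mediawiki_read_tmp_files` directly above, never calls `files_search_tmp($1)`, so a caller with no other route into /tmp cannot reach the files it is allowed to delete. Add `files_search_tmp($1)` before the delete rule to match the read interface.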
diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
index db4fd6f..5008a6c 100644
--- a/policy/modules/services/memcached.if
+++ b/policy/modules/services/memcached.if
@@ -5,15 +5,14 @@
## Execute a domain transition to run memcached.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`memcached_domtrans',`
gen_require(`
- type memcached_t;
- type memcached_exec_t;
+ type memcached_t, memcached_exec_t;
')
domtrans_pattern($1, memcached_exec_t, memcached_t)
@@ -57,8 +56,7 @@ interface(`memcached_read_pid_files',`
#
interface(`memcached_admin',`
gen_require(`
- type memcached_t;
- type memcached_initrc_exec_t;
+ type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
')
allow $1 memcached_t:process { ptrace signal_perms };
@@ -69,5 +67,6 @@ interface(`memcached_admin',`
role_transition $2 memcached_initrc_exec_t system_r;
allow $2 system_r;
+ files_list_pids($1)
admin_pattern($1, memcached_var_run_t)
')
diff --git a/policy/modules/services/memcached.te b/policy/modules/services/memcached.te
index b681608..08b1b49 100644
--- a/policy/modules/services/memcached.te
+++ b/policy/modules/services/memcached.te
@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
# memcached local policy
#
-allow memcached_t self:capability { setuid setgid };
+allow memcached_t self:capability { setuid setgid sys_resource };
dontaudit memcached_t self:capability sys_tty_config;
allow memcached_t self:process { setrlimit signal_perms };
allow memcached_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
index 55a3e2f..bc489e0 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
@@ -1,10 +1,15 @@
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if
index ed1af3c..40b5f0e 100644
--- a/policy/modules/services/milter.if
+++ b/policy/modules/services/milter.if
@@ -24,7 +24,7 @@ template(`milter_template',`
# Type for the milter data (e.g. the socket used to communicate with the MTA)
type $1_milter_data_t, milter_data_type;
- files_type($1_milter_data_t)
+ files_pid_file($1_milter_data_t)
allow $1_milter_t self:fifo_file rw_fifo_file_perms;
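Review bot: Switching `$1_milter_data_t` from `files_type` to `files_pid_file` affects more than /var/run: milter.fc in this same patch also applies `greylist_milter_data_t` and the new `dkim_milter_data_t` to `/var/lib/...` state directories, so those files now carry the pid-file attribute and any interface that acts on all pid files elsewhere in the policy gains access to them. If that widening is intended, say so in a comment on the line; otherwise the /var/lib content should get its own `files_type` type, as `spamass_milter_state_t` already does. milter_template continues outside the hunk.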
@@ -37,6 +37,8 @@ template(`milter_template',`
files_read_etc_files($1_milter_t)
+ kernel_dontaudit_read_system_state($1_milter_t)
+
miscfiles_read_localization($1_milter_t)
logging_send_syslog_msg($1_milter_t)
@@ -57,7 +59,7 @@ interface(`milter_stream_connect_all',`
attribute milter_data_type, milter_domains;
')
- getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+ files_search_pids($1)
stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
')
@@ -76,12 +78,29 @@ interface(`milter_getattr_all_sockets',`
attribute milter_data_type;
')
- getattr_dirs_pattern($1, milter_data_type, milter_data_type)
getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
')
########################################
## <summary>
+## Allow setattr of milter dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_setattr_all_dirs',`
+ gen_require(`
+ attribute milter_data_type;
+ ')
+
+ setattr_dirs_pattern($1, milter_data_type, milter_data_type)
+')
+
+########################################
+## <summary>
## Manage spamassassin milter state
## </summary>
## <param name="domain">
@@ -100,3 +119,22 @@ interface(`milter_manage_spamass_state',`
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
')
+
+#######################################
+## <summary>
+## Delete dkim-milter PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_delete_dkim_pid_files',`
+ gen_require(`
+ type dkim_milter_data_t;
+ ')
+
+ files_search_pids($1)
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
index 47e3612..ece07ab 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -9,6 +9,13 @@ policy_module(milter, 1.3.0)
attribute milter_domains;
attribute milter_data_type;
+# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter
+milter_template(dkim)
+
+# type for the private key of dkim-milter
+type dkim_milter_private_key_t;
+files_type(dkim_milter_private_key_t)
+
# currently-supported milters are milter-greylist, milter-regex and spamass-milter
milter_template(greylist)
milter_template(regex)
@@ -20,11 +27,28 @@ milter_template(spamass)
type spamass_milter_state_t;
files_type(spamass_milter_state_t)
+#######################################
+#
+# dkim-milter local policy
+#
+
+allow dkim_milter_t self:capability { kill setgid setuid };
+allow dkim_milter_t self:process signal;
+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+
+auth_use_nsswitch(dkim_milter_t)
+
+sysnet_dns_name_resolve(dkim_milter_t)
+
+mta_read_config(dkim_milter_t)
+
########################################
#
# milter-greylist local policy
-# ensure smtp clients retry mail like real MTAs and not spamware
-# http://hcpnet.free.fr/milter-greylist/
+# ensure smtp clients retry mail like real MTAs and not spamware
+# http://hcpnet.free.fr/milter-greylist/
#
# It removes any existing socket (not owned by root) whilst running as root,
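Review bot: `sysnet_dns_name_resolve(dkim_milter_t)` is most likely redundant, since in refpolicy `auth_use_nsswitch`, called on the line above it, already pulls in DNS resolution for the domain — confirm against this tree's auth.if before dropping it. The capability line `allow dkim_milter_t self:capability { kill setgid setuid };` would also benefit from the per-rule comments the greylist and regex sections use, in particular a note on why `kill` is required. The hunk's leading context and the greylist header continue outside it.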
@@ -33,11 +57,19 @@ files_type(spamass_milter_state_t)
allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
allow greylist_milter_t self:process { setsched getsched };
+allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
+
# It creates a pid file /var/run/milter-greylist.pid
files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
kernel_read_kernel_sysctls(greylist_milter_t)
+corecmd_exec_bin(greylist_milter_t)
+corecmd_exec_shell(greylist_milter_t)
+
+corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
+corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
+
# Allow the milter to read a GeoIP database in /usr/share
files_read_usr_files(greylist_milter_t)
# The milter runs from /var/lib/milter-greylist and maintains files there
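Review bot: The new `corecmd_exec_bin(greylist_milter_t)` / `corecmd_exec_shell(greylist_milter_t)` lines and the `movaz_ssc` port bind/connect pair are the only rules in this section without the explanatory comments the file otherwise uses (`# It creates a pid file …`, `# Allow the milter to read a GeoIP database …`). Executing binaries and a shell is a notable expansion for a milter, so please record what it runs, e.g. `# runs external helper scripts via sh — confirm which`, and which listener uses the movaz-ssc port. Without that, a later audit cannot tell whether these grants are still needed.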
@@ -52,8 +84,8 @@ mta_read_config(greylist_milter_t)
########################################
#
# milter-regex local policy
-# filter emails using regular expressions
-# http://www.benzedrine.cx/milter-regex.html
+# filter emails using regular expressions
+# http://www.benzedrine.cx/milter-regex.html
#
# It removes any existing socket (not owned by root) whilst running as root
@@ -72,8 +104,8 @@ mta_read_config(regex_milter_t)
########################################
#
# spamass-milter local policy
-# pipe emails through SpamAssassin
-# http://savannah.nongnu.org/projects/spamass-milt/
+# pipe emails through SpamAssassin
+# http://savannah.nongnu.org/projects/spamass-milt/
#
# The milter runs from /var/lib/spamass-milter
diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc
new file mode 100644
index 0000000..8d0e473
--- /dev/null
+++ b/policy/modules/services/mock.fc
@@ -0,0 +1,5 @@
+
+/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
+
+/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if
new file mode 100644
index 0000000..0615cc5
--- /dev/null
+++ b/policy/modules/services/mock.if
@@ -0,0 +1,306 @@
+## <summary>policy for mock</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run mock.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mock_domtrans',`
+ gen_require(`
+ type mock_t, mock_exec_t;
+ ')
+
+ domtrans_pattern($1, mock_exec_t, mock_t)
+')
+
+########################################
+## <summary>
+## Search mock lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_search_lib',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ allow $1 mock_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read mock lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_read_lib_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+## Getattr on mock lib file,dir,sock_file ...
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_getattr_lib',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ allow $1 mock_var_lib_t:dir_file_class_set getattr;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mock lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_manage_lib_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage mock lib dirs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_manage_lib_dirs',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+#########################################
+## <summary>
+## Manage mock lib symlinks.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_manage_lib_symlinks',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage mock lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_manage_lib_chr_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage mock lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_dontaudit_write_lib_chr_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ dontaudit $1 mock_var_lib_t:chr_file write;
+')
+
+#######################################
+## <summary>
+## Dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mock_dontaudit_leaks',`
+ gen_require(`
+ type mock_tmp_t;
+ ')
+
+ dontaudit $1 mock_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Execute mock in the mock domain, and
+## allow the specified role the mock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the mock domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mock_run',`
+ gen_require(`
+ type mock_t;
+ type mock_build_t;
+ ')
+
+ mock_domtrans($1)
+ role $2 types mock_t;
+ role $2 types mock_build_t;
+
+ optional_policy(`
+ mount_run(mock_t, $2)
+ ')
+')
+
+########################################
+## <summary>
+## Role access for mock
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mock_role',`
+ gen_require(`
+ type mock_t;
+ ')
+
+ role $1 types mock_t;
+
+ mock_run($2, $1)
+
+ ps_process_pattern($2, mock_t)
+ allow $2 mock_t:process { ptrace signal_perms };
+')
+
+#######################################
+## <summary>
+## Send a generic signal to mock.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_signal',`
+ gen_require(`
+ type mock_t;
+ ')
+
+ allow $1 mock_t:process signal;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an mock environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mock_admin',`
+ gen_require(`
+ type mock_t, mock_var_lib_t;
+ type mock_build_t, mock_etc_t, mock_tmp_t;
+ ')
+
+ allow $1 mock_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mock_t)
+
+ allow $1 mock_build_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mock_build_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, mock_var_lib_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, mock_tmp_t)
+
+ files_search_etc($1)
+ admin_pattern($1, mock_etc_t)
+')
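Review bot: The summaries of `mock_manage_lib_chr_files` and `mock_dontaudit_write_lib_chr_files` both read "Manage mock lib files", copied from `mock_manage_lib_files`, and neither matches the rule beneath it. Suggested wording: `## Manage mock lib character device files.` for the first and `## Do not audit attempts to write mock lib character device files.` for the second. In `mock_role`, `role $1 types mock_t;` is redundant because `mock_run($2, $1)` on the next statement already issues it. `mock_admin` also omits `mock_cache_t`, which mock.te declares and mock_t manages, so an administrator cannot clean the mock cache through this interface.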
diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
new file mode 100644
index 0000000..b7e5bcc
--- /dev/null
+++ b/policy/modules/services/mock.te
@@ -0,0 +1,250 @@
+policy_module(mock,1.0.0)
+
+## <desc>
+## <p>
+## Allow mock to read files in home directories.
+## </p>
+## </desc>
+gen_tunable(mock_enable_homedirs, false)
+
+########################################
+#
+# Declarations
+#
+
+type mock_t;
+type mock_exec_t;
+application_domain(mock_t, mock_exec_t)
+domain_role_change_exemption(mock_t)
+domain_system_change_exemption(mock_t)
+role system_r types mock_t;
+
+type mock_build_t;
+type mock_build_exec_t;
+application_domain(mock_build_t, mock_build_exec_t)
+role system_r types mock_build_t;
+
+type mock_cache_t;
+files_type(mock_cache_t)
+
+type mock_tmp_t;
+files_tmp_file(mock_tmp_t)
+
+type mock_var_lib_t;
+files_type(mock_var_lib_t)
+
+type mock_etc_t;
+files_config_file(mock_etc_t)
+
+########################################
+#
+# mock local policy
+#
+
+allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
+allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
+# Needed because mock can run java and mono withing build environment
+allow mock_t self:process { execmem execstack };
+dontaudit mock_t self:process { siginh noatsecure rlimitinh };
+allow mock_t self:fifo_file manage_fifo_file_perms;
+allow mock_t self:unix_stream_socket create_stream_socket_perms;
+allow mock_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t)
+files_var_filetrans(mock_t, mock_cache_t, { dir file } )
+
+read_files_pattern(mock_t, mock_etc_t, mock_etc_t)
+read_lnk_files_pattern(mock_t, mock_etc_t, mock_etc_t)
+
+manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file })
+
+manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file })
+allow mock_t mock_var_lib_t:dir mounton;
+allow mock_t mock_var_lib_t:dir relabel_dir_perms;
+allow mock_t mock_var_lib_t:file relabel_file_perms;
+
+kernel_list_proc(mock_t)
+kernel_read_irq_sysctls(mock_t)
+kernel_read_system_state(mock_t)
+kernel_read_network_state(mock_t)
+kernel_read_kernel_sysctls(mock_t)
+kernel_request_load_module(mock_t)
+kernel_dontaudit_setattr_proc_dirs(mock_t)
+kernel_read_fs_sysctls(mock_t)
+
+corecmd_exec_bin(mock_t)
+corecmd_exec_shell(mock_t)
+corecmd_dontaudit_exec_all_executables(mock_t)
+
+corenet_tcp_connect_http_port(mock_t)
+corenet_tcp_connect_ftp_port(mock_t)
+corenet_tcp_connect_all_ephemeral_ports(mock_t)
+
+dev_read_urand(mock_t)
+dev_read_sysfs(mock_t)
+dev_setattr_sysfs_dirs(mock_t)
+
+domain_read_all_domains_state(mock_t)
+domain_use_interactive_fds(mock_t)
+
+files_read_etc_files(mock_t)
+files_read_etc_runtime_files(mock_t)
+files_read_usr_files(mock_t)
+files_dontaudit_list_boot(mock_t)
+
+fs_getattr_all_fs(mock_t)
+fs_search_all(mock_t)
+fs_manage_cgroup_dirs(mock_t)
+files_list_isid_type_dirs(mock_t)
+
+selinux_get_enforce_mode(mock_t)
+
+term_search_ptys(mock_t)
+
+auth_use_nsswitch(mock_t)
+
+init_exec(mock_t)
+init_dontaudit_stream_connect(mock_t)
+
+libs_exec_ldconfig(mock_t)
+
+logging_send_audit_msgs(mock_t)
+logging_send_syslog_msg(mock_t)
+
+miscfiles_read_localization(mock_t)
+
+userdom_use_user_ptys(mock_t)
+
+files_search_home(mock_t)
+
+tunable_policy(`mock_enable_homedirs',`
+ userdom_manage_user_home_content_files(mock_t)
+')
+
+tunable_policy(`mock_enable_homedirs && use_nfs_home_dirs',`
+ rpc_search_nfs_state_data(mock_t)
+ fs_list_auto_mountpoints(mock_t)
+ fs_manage_nfs_files(mock_t)
+')
+
+tunable_policy(`mock_enable_homedirs && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mock_t)
+ fs_read_cifs_files(mock_t)
+ fs_manage_cifs_files(mock_t)
+')
+
+optional_policy(`
+ abrt_read_spool_retrace(mock_t)
+ abrt_read_cache_retrace(mock_t)
+ abrt_stream_connect(mock_t)
+')
+
+optional_policy(`
+ rpm_exec(mock_t)
+')
+
+optional_policy(`
+ mount_domtrans(mock_t)
+')
+
+optional_policy(`
+ apache_read_sys_content_rw_files(mock_t)
+')
+
+########################################
+#
+# mock_build local policy
+#
+allow mock_build_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
+dontaudit mock_build_t self:capability audit_write;
+allow mock_build_t self:process { fork setsched setpgid signal_perms };
+allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+# Needed because mock can run java and mono withing build environment
+allow mock_build_t self:process { execmem execstack };
+dontaudit mock_build_t self:process { siginh noatsecure rlimitinh };
+allow mock_build_t self:fifo_file manage_fifo_file_perms;
+allow mock_build_t self:unix_stream_socket create_stream_socket_perms;
+allow mock_build_t self:unix_dgram_socket create_socket_perms;
+allow mock_build_t self:dir list_dir_perms;
+allow mock_build_t self:dir read_file_perms;
+
+ps_process_pattern(mock_t, mock_build_t)
+allow mock_t mock_build_t:process signal_perms;
+domtrans_pattern(mock_t, mock_build_exec_t, mock_build_t)
+domtrans_pattern(mock_t, mock_tmp_t, mock_build_t)
+domain_entry_file(mock_build_t, mock_tmp_t)
+domtrans_pattern(mock_t, mock_var_lib_t, mock_build_t)
+domain_entry_file(mock_build_t, mock_var_lib_t)
+
+manage_dirs_pattern(mock_build_t, mock_cache_t, mock_cache_t)
+manage_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
+manage_lnk_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
+files_var_filetrans(mock_build_t, mock_cache_t, { dir file } )
+
+manage_dirs_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
+manage_files_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
+files_tmp_filetrans(mock_build_t, mock_tmp_t, { dir file })
+can_exec(mock_build_t, mock_tmp_t)
+
+manage_dirs_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_lnk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_blk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_chr_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+files_var_lib_filetrans(mock_build_t, mock_var_lib_t, { dir file })
+can_exec(mock_build_t, mock_var_lib_t)
+allow mock_build_t mock_var_lib_t:dir mounton;
+allow mock_build_t mock_var_lib_t:dir relabel_dir_perms;
+allow mock_build_t mock_var_lib_t:file relabel_file_perms;
+
+kernel_list_proc(mock_build_t)
+kernel_read_irq_sysctls(mock_build_t)
+kernel_read_system_state(mock_build_t)
+kernel_read_network_state(mock_build_t)
+kernel_read_kernel_sysctls(mock_build_t)
+kernel_request_load_module(mock_build_t)
+kernel_dontaudit_setattr_proc_dirs(mock_build_t)
+
+corecmd_exec_bin(mock_build_t)
+corecmd_exec_shell(mock_build_t)
+corecmd_dontaudit_exec_all_executables(mock_build_t)
+
+dev_getattr_all_chr_files(mock_build_t)
+dev_dontaudit_list_all_dev_nodes(mock_build_t)
+dev_dontaudit_getattr_all(mock_build_t)
+fs_getattr_all_dirs(mock_build_t)
+dev_read_sysfs(mock_build_t)
+
+domain_dontaudit_read_all_domains_state(mock_build_t)
+domain_use_interactive_fds(mock_build_t)
+
+files_read_etc_files(mock_build_t)
+files_read_usr_files(mock_build_t)
+files_dontaudit_list_boot(mock_build_t)
+
+fs_getattr_all_fs(mock_build_t)
+fs_manage_cgroup_dirs(mock_build_t)
+
+selinux_get_enforce_mode(mock_build_t)
+
+auth_use_nsswitch(mock_build_t)
+
+init_exec(mock_build_t)
+init_dontaudit_stream_connect(mock_build_t)
+
+libs_exec_ldconfig(mock_build_t)
+
+miscfiles_read_localization(mock_build_t)
+
+tunable_policy(`mock_enable_homedirs',`
+ userdom_read_user_home_content_files(mock_build_t)
+')
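Review bot: The `mock_enable_homedirs` description says it allows mock to read home directory files, but the tunable block grants `userdom_manage_user_home_content_files(mock_t)`, i.e. create, write and delete as well, while the mock_build_t block grants only `userdom_read_user_home_content_files`. Either narrow mock_t to `userdom_read_user_home_content_files(mock_t)` or change the description to say "manage", so an admin enabling the boolean knows what it opens. `allow mock_build_t self:dir read_file_perms;` is subsumed by the `list_dir_perms` rule on the line above it. The `domtrans_pattern`/`domain_entry_file` rules on `mock_tmp_t` and `mock_var_lib_t` make every file mock_t writes into those types a valid entry point into the highly privileged mock_build_t domain; a short comment stating that this is the chroot build design would help the next reader judge it.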
diff --git a/policy/modules/services/modemmanager.if b/policy/modules/services/modemmanager.if
index 3368699..7a7fc02 100644
--- a/policy/modules/services/modemmanager.if
+++ b/policy/modules/services/modemmanager.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run modemmanager.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`modemmanager_domtrans',`
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
index b3ace16..6c9f30c 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
# ModemManager local policy
#
-allow modemmanager_t self:process signal;
+allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
+allow modemmanager_t self:process { getsched signal };
allow modemmanager_t self:fifo_file rw_file_perms;
allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
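Review bot: `sys_admin` is added to modemmanager_t's capability set with no comment saying which operation needs it, and it is far broader than the `net_admin`/`sys_tty_config` that fit a modem manager's netlink and tty work. Add a comment above the rule naming the operation that was denied, e.g. `# sys_admin: needed for <operation from the denial — TODO confirm>`, or put it on its own line so it can be removed once the cause is known.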
@@ -28,13 +29,25 @@ dev_rw_modem(modemmanager_t)
files_read_etc_files(modemmanager_t)
-term_use_unallocated_ttys(modemmanager_t)
+term_use_generic_ptys(modemmanager_t)
+term_use_unallocated_ttys(modemmanager_t) # this should be reproduced, might have been mislabelled usbtty_device_t
+term_use_usb_ttys(modemmanager_t)
miscfiles_read_localization(modemmanager_t)
logging_send_syslog_msg(modemmanager_t)
-networkmanager_dbus_chat(modemmanager_t)
+optional_policy(`
+ networkmanager_dbus_chat(modemmanager_t)
+')
+
+optional_policy(`
+ devicekit_dbus_chat_power(modemmanager_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(modemmanager_t)
+')
optional_policy(`
udev_read_db(modemmanager_t)
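Review bot: The trailing comment on `term_use_unallocated_ttys(modemmanager_t)` ("this should be reproduced, might have been mislabelled usbtty_device_t") is ambiguous about what is being asked: whether the denial still needs reproducing or the rule should go. Suggest moving it onto its own line above the rule and spelling it out: `# TODO: reproduce the denial; if the device was mislabelled usbtty_device_t, term_use_usb_ttys below covers it and this rule can be removed.`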
diff --git a/policy/modules/services/mojomojo.if b/policy/modules/services/mojomojo.if
index 657a9fc..88e7330 100644
--- a/policy/modules/services/mojomojo.if
+++ b/policy/modules/services/mojomojo.if
@@ -19,18 +19,20 @@
#
interface(`mojomojo_admin',`
gen_require(`
- type httpd_mojomojo_script_t;
- type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
- type httpd_mojomojo_rw_content_t;
- type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t;
+ type httpd_mojomojo_script_t, httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
+ type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t, httpd_mojomojo_htaccess_t;
+ type httpd_mojomojo_script_exec_t;
')
allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
ps_process_pattern($1, httpd_mojomojo_script_t)
- files_search_var_lib(httpd_mojomojo_script_t)
+ files_list_tmp($1)
+ admin_pattern($1, httpd_mojomojo_tmp_t)
- apache_search_sys_content($1)
+ files_list_var_lib(httpd_mojomojo_script_t)
+
+ apache_list_sys_content($1)
admin_pattern($1, httpd_mojomojo_script_exec_t)
admin_pattern($1, httpd_mojomojo_script_t)
admin_pattern($1, httpd_mojomojo_content_t)
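Review bot: `files_list_var_lib(httpd_mojomojo_script_t)` grants the script domain, not the administrator `$1`, even though this is `mojomojo_admin`; the line it replaces had the same problem with `files_search_var_lib`. Every caller of the interface silently widens httpd_mojomojo_script_t as a side effect, and the admin domain still gets no var_lib listing. It should read `files_list_var_lib($1)`, with the script domain's own access living in mojomojo.te.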
diff --git a/policy/modules/services/mojomojo.te b/policy/modules/services/mojomojo.te
index 83f002c..ed69996 100644
--- a/policy/modules/services/mojomojo.te
+++ b/policy/modules/services/mojomojo.te
@@ -7,6 +7,9 @@ policy_module(mojomojo, 1.0.0)
apache_content_template(mojomojo)
+type httpd_mojomojo_tmp_t;
+files_tmp_file(httpd_mojomojo_tmp_t)
+
########################################
#
# mojomojo local policy
@@ -14,6 +17,10 @@ apache_content_template(mojomojo)
allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
+manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
+files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
+
corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
index 7f68872..e4ac35e 100644
--- a/policy/modules/services/mpd.te
+++ b/policy/modules/services/mpd.te
@@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow mpd_t self:tcp_socket create_stream_socket_perms;
allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
+
+read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
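Review bot: The added `allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };` duplicates the identical context line three lines above it and should be dropped. The new `read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)` relies on `mpd_etc_t` being declared elsewhere in mpd.te, which is outside this hunk.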
@@ -103,6 +106,19 @@ logging_send_syslog_msg(mpd_t)
miscfiles_read_localization(mpd_t)
+userdom_read_home_audio_files(mpd_t)
+userdom_read_user_tmpfs_files(mpd_t)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(mpd_t)
+ fs_read_cifs_symlinks(mpd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(mpd_t)
+ fs_read_nfs_symlinks(mpd_t)
+')
+
optional_policy(`
alsa_read_rw_config(mpd_t)
')
@@ -122,5 +138,14 @@ optional_policy(`
')
optional_policy(`
+ rtkit_daemon_dontaudit_dbus_chat(mpd_t)
+')
+
+optional_policy(`
udev_read_db(mpd_t)
')
+
+optional_policy(`
+ xserver_dontaudit_stream_connect(mpd_t)
+ xserver_dontaudit_read_xdm_pid(mpd_t)
+')
diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
index 256166a..6321a93 100644
--- a/policy/modules/services/mta.fc
+++ b/policy/modules/services/mta.fc
@@ -1,4 +1,5 @@
-HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
+HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0)
/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
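Review bot: `HOME_DIR/\.forward[^/]*` now labels any home file whose name starts with `.forward`, including backups such as `.forward.bak` or `.forward~` (constructed examples), not only `.forward` and the `.forward+detail` style files an MTA may read. If that breadth is intended, a comment above the line saying so would stop the next reader from tightening it; otherwise a pattern anchored to the detail separator is narrower.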
@@ -11,20 +12,24 @@ ifdef(`distro_redhat',`
/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
')
+/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0)
+
/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
-/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
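Review bot: Replacing `/usr/lib(64)?/sendmail` with `/usr/lib/sendmail` drops the label for `/usr/lib64/sendmail` on 64-bit layouts; if any packaging still installs the sendmail compatibility link there, that path falls back to the generic library label and the sendmail domain transition no longer applies to it. If the narrowing is deliberate, a one-line comment saying only /usr/lib is used would prevent the `(64)?` alternative being re-added; otherwise keep it. The other changed lines in this hunk are whitespace-only.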
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 343cee3..f6c92f9 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -37,9 +37,9 @@ interface(`mta_stub',`
## is the prefix for user_t).
## </summary>
## </param>
+## <rolecap/>
#
template(`mta_base_mail_template',`
-
gen_require(`
attribute user_mail_domain;
type sendmail_exec_t;
@@ -104,6 +104,7 @@ template(`mta_base_mail_template',`
optional_policy(`
postfix_domtrans_user_mail_handler($1_mail_t)
+ postfix_rw_master_pipes($1_mail_t)
')
optional_policy(`
@@ -158,6 +159,7 @@ template(`mta_base_mail_template',`
## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`mta_role',`
gen_require(`
@@ -169,11 +171,19 @@ interface(`mta_role',`
# Transition from the user domain to the derived domain.
domtrans_pattern($2, sendmail_exec_t, user_mail_t)
- allow $2 sendmail_exec_t:lnk_file { getattr read };
+ allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
allow mta_user_agent $2:fd use;
allow mta_user_agent $2:process sigchld;
allow mta_user_agent $2:fifo_file { read write };
+
+ optional_policy(`
+ exim_run($2, $1)
+ ')
+
+ optional_policy(`
+ mailman_run(mta_user_agent, $1)
+ ')
')
########################################
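Review bot: `mailman_run(mta_user_agent, $1)` passes the `mta_user_agent` attribute as the domain argument, so every type carrying that attribute gains the mailman transition and role `$1`, which is much wider than the user domain `$2` the rest of `mta_role` configures and than the companion `exim_run($2, $1)`. If the intent is that the user's mail client may invoke mailman, `mailman_run($2, $1)` is the narrower form; if the attribute is really intended, a comment explaining why belongs above that optional_policy block.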
@@ -220,6 +230,25 @@ interface(`mta_agent_executable',`
application_executable_file($1)
')
+######################################
+## <summary>
+## Dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_dontaudit_leaks_system_mail',`
+ gen_require(`
+ type system_mail_t;
+ ')
+
+ dontaudit $1 system_mail_t:fifo_file write;
+ dontaudit $1 system_mail_t:tcp_socket { read write };
+')
+
########################################
## <summary>
## Make the specified type by a system MTA.
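Review bot: The summary "Dontaudit read and write an leaked file descriptors" is ungrammatical and overstates the rules, which silence only `write` on fifo_file plus `read write` on tcp_socket. Suggested summary: `## Do not audit attempts to write inherited system mail pipes or to read and write inherited system mail TCP sockets.`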
@@ -306,7 +335,6 @@ interface(`mta_mailserver_sender',`
interface(`mta_mailserver_delivery',`
gen_require(`
attribute mailserver_delivery;
- type mail_spool_t;
')
typeattribute $1 mailserver_delivery;
@@ -330,12 +358,6 @@ interface(`mta_mailserver_user_agent',`
')
typeattribute $1 mta_user_agent;
-
- optional_policy(`
- # apache should set close-on-exec
- apache_dontaudit_rw_stream_sockets($1)
- apache_dontaudit_rw_sys_script_stream_sockets($1)
- ')
')
########################################
@@ -350,9 +372,8 @@ interface(`mta_mailserver_user_agent',`
#
interface(`mta_send_mail',`
gen_require(`
- attribute mta_user_agent;
+ attribute mta_user_agent, mta_exec_type;
type system_mail_t;
- attribute mta_exec_type;
')
allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
@@ -391,12 +412,17 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
- type sendmail_exec_t;
+ attribute mta_exec_type;
+ attribute mta_user_agent;
')
files_search_usr($1)
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
corecmd_read_bin_symlinks($1)
- domain_auto_trans($1, sendmail_exec_t, $2)
+
+ allow $2 mta_exec_type:file entrypoint;
+ domtrans_pattern($1, mta_exec_type, $2)
+ allow mta_user_agent $1:fifo_file { read write };
')
########################################
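Review bot: The transition target widens from the single `sendmail_exec_t` to the whole `mta_exec_type` attribute, and `allow $2 mta_exec_type:file entrypoint;` makes every MTA executable an entry point into the caller's `$2` domain; the interface header, which is outside this hunk, presumably still describes a sendmail-only transition and should now say it covers all MTA executables. `allow mta_user_agent $1:fifo_file { read write };` is also a side effect on an unrelated attribute for every caller and deserves a comment such as `# user agents inherit the caller's pipes` explaining why it lives here.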
@@ -409,7 +435,6 @@ interface(`mta_sendmail_domtrans',`
## </summary>
## </param>
#
-#
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
@@ -420,6 +445,24 @@ interface(`mta_signal_system_mail',`
########################################
## <summary>
+## Send system mail client a kill signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_kill_system_mail',`
+ gen_require(`
+ type system_mail_t;
+ ')
+
+ allow $1 system_mail_t:process sigkill;
+')
+
+########################################
+## <summary>
## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
@@ -438,6 +481,26 @@ interface(`mta_sendmail_exec',`
########################################
## <summary>
+## Check whether sendmail executable
+## files are executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_sendmail_access_check',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 sendmail_exec_t:file { getattr_file_perms execute };
+')
+
+########################################
+## <summary>
## Read mail server configuration.
## </summary>
## <param name="domain">
@@ -474,7 +537,8 @@ interface(`mta_write_config',`
type etc_mail_t;
')
- write_files_pattern($1, etc_mail_t, etc_mail_t)
+ manage_files_pattern($1, etc_mail_t, etc_mail_t)
+ allow $1 etc_mail_t:file setattr_file_perms;
')
########################################
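Review bot: `mta_write_config` now grants `manage_files_pattern` plus `setattr_file_perms` on `etc_mail_t`, i.e. create, rename and unlink, while its name and (outside this hunk) its summary still promise only write access, so callers that chose it for its narrowness are silently widened. The same name/permission drift appears in the `mta_rw_spool` hunk below, where `rw_files_pattern` becomes `manage_files_pattern` on `mail_spool_t`. Either update the summaries to say "manage", or keep the narrow interfaces and add `mta_manage_config`/`mta_manage_spool` (constructed names) for the callers that need more.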
@@ -494,6 +558,7 @@ interface(`mta_read_aliases',`
files_search_etc($1)
allow $1 etc_aliases_t:file read_file_perms;
+ allow $1 etc_aliases_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -532,7 +597,7 @@ interface(`mta_etc_filetrans_aliases',`
type etc_aliases_t;
')
- files_etc_filetrans($1, etc_aliases_t, file)
+ files_etc_filetrans($1, etc_aliases_t, file, $2)
')
########################################
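Review bot: `files_etc_filetrans($1, etc_aliases_t, file, $2)` introduces an optional second argument, the object name to transition on, but the interface's documentation block is outside this hunk and, as far as the diff shows, still documents only `domain`. Add a `<param name="name" optional="true">` block describing it as the name of the file to transition on, so the new callers (`mta_filetrans_named_content` passes "aliases" and "aliases.db") are explained.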
@@ -552,7 +617,7 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
- allow $1 etc_aliases_t:file { rw_file_perms setattr };
+ allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms };
')
#######################################
@@ -646,8 +711,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
- dontaudit $1 mail_spool_t:lnk_file read;
- dontaudit $1 mail_spool_t:file getattr;
+ dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms;
+ dontaudit $1 mail_spool_t:file getattr_file_perms;
')
#######################################
@@ -697,8 +762,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
- allow $1 mail_spool_t:file setattr;
- rw_files_pattern($1, mail_spool_t, mail_spool_t)
+ allow $1 mail_spool_t:file setattr_file_perms;
+ manage_files_pattern($1, mail_spool_t, mail_spool_t)
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
@@ -838,7 +903,7 @@ interface(`mta_dontaudit_rw_queue',`
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
- dontaudit $1 mqueue_spool_t:file { getattr read write };
+ dontaudit $1 mqueue_spool_t:file rw_file_perms;
')
########################################
@@ -899,3 +964,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
+
+########################################
+## <summary>
+## Type transition files created in calling dir
+## to the mail address aliases type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Directory to transition on.
+## </summary>
+## </param>
+#
+interface(`mta_filetrans_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ filetrans_pattern($1, $2, etc_aliases_t, file)
+')
+
+######################################
+## <summary>
+## ALlow domain to read mail content in the homedir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_home',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, mail_home_t, mail_home_t)
+
+ ifdef(`distro_redhat',`
+ userdom_search_admin_dir($1)
+ ')
+')
+
+########################################
+## <summary>
+## create mail content in the in the /root directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_filetrans_admin_home_content',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
+')
+
+########################################
+## <summary>
+## Transition to mta named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_filetrans_home_content',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
+')
+
+########################################
+## <summary>
+## Transition to apache named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_filetrans_named_content',`
+ gen_require(`
+ type etc_aliases_t;
+ type etc_mail_t;
+ ')
+
+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
+ mta_etc_filetrans_aliases($1, "aliases")
+ mta_etc_filetrans_aliases($1, "aliases.db")
+ mta_filetrans_home_content($1)
+ mta_filetrans_admin_home_content($1)
+')
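Review bot: In `mta_filetrans_aliases` both `<param>` blocks are named "domain" although the second describes the directory type passed as `$2`; give it a distinct name such as `dir_type` (constructed) so the generated documentation matches the `$1`/`$2` mapping. The summary of `mta_filetrans_named_content` reads "Transition to apache named content", a copy-paste from the apache module; it should be `## Transition to mta named content` (aliases, aliases.db, .forward and dead.letter). `mta_read_home` has "ALlow" for "Allow".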
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 64268e4..142fbfb 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
type etc_mail_t;
files_config_file(etc_mail_t)
-type mail_forward_t;
-files_type(mail_forward_t)
+type mail_home_t alias mail_forward_t;
+userdom_user_home_content(mail_home_t)
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
+files_spool_file(mqueue_spool_t)
type mail_spool_t;
files_mountpoint(mail_spool_t)
+files_spool_file(mail_spool_t)
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
@@ -50,22 +52,11 @@ ubac_constrained(user_mail_tmp_t)
# newalias required this, not sure if it is needed in 'if' file
allow system_mail_t self:capability { dac_override fowner };
-allow system_mail_t self:fifo_file rw_fifo_file_perms;
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+allow system_mail_t mail_home_t:file manage_file_perms;
read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
-allow system_mail_t mail_forward_t:file read_file_perms;
-
-allow system_mail_t mta_exec_type:file entrypoint;
-
-can_exec(system_mail_t, mta_exec_type)
-
-kernel_read_system_state(system_mail_t)
-kernel_read_network_state(system_mail_t)
-kernel_request_load_module(system_mail_t)
-
dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
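Review bot: `allow system_mail_t mail_home_t:file manage_file_perms;` is added here and again in the next hunk (after `userdom_dontaudit_list_admin_dir`), so the same rule appears twice in the module; keep only the second, which sits next to the related `userdom_admin_home_dir_filetrans`. This hunk also removes `self:fifo_file`, the `etc_mail_t` read and the `kernel_read_*` rules from system_mail_t without a replacement visible in the diff; presumably they moved into a shared template or attribute, which the commit message does not say.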
@@ -79,9 +70,16 @@ selinux_getattr_fs(system_mail_t)
term_dontaudit_use_unallocated_ttys(system_mail_t)
init_use_script_ptys(system_mail_t)
+init_dontaudit_rw_stream_socket(system_mail_t)
-userdom_use_user_terminals(system_mail_t)
+userdom_use_inherited_user_terminals(system_mail_t)
userdom_dontaudit_search_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
+
+allow system_mail_t mail_home_t:file manage_file_perms;
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
+
+logging_append_all_logs(system_mail_t)
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
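Review bot: `logging_append_all_logs(system_mail_t)` grants append access to every log type in the policy, and no comment says which log the local mailer actually needs to write. If one log type triggered this, the corresponding module-specific `*_append_log` interface is the narrower choice; otherwise record the reason above the line, `# append to all logs: <reason — TODO confirm from the denial>`.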
@@ -92,14 +90,21 @@ optional_policy(`
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+ apache_dontaudit_rw_tmp_files(system_mail_t)
+
+ # apache should set close-on-exec
+ apache_dontaudit_rw_stream_sockets(mta_user_agent)
+ apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent)
+ apache_append_log(mta_user_agent)
')
optional_policy(`
arpwatch_manage_tmp_files(system_mail_t)
+')
- ifdef(`hide_broken_symptoms', `
- arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
- ')
+optional_policy(`
+ bugzilla_search_content(system_mail_t)
+ bugzilla_dontaudit_rw_stream_sockets(system_mail_t)
')
optional_policy(`
@@ -111,6 +116,8 @@ optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
+ cron_rw_inherited_spool_files(system_mail_t)
+ cron_rw_inherited_user_spool_files(system_mail_t)
')
optional_policy(`
@@ -124,12 +131,9 @@ optional_policy(`
')
optional_policy(`
- exim_domtrans(system_mail_t)
- exim_manage_log(system_mail_t)
-')
-
-optional_policy(`
fail2ban_append_log(system_mail_t)
+ fail2ban_dontaudit_leaks(system_mail_t)
+ fail2ban_rw_inherited_tmp_files(system_mail_t)
')
optional_policy(`
@@ -146,6 +150,10 @@ optional_policy(`
')
optional_policy(`
+ munin_dontaudit_leaks(system_mail_t)
+')
+
+optional_policy(`
nagios_read_tmp_files(system_mail_t)
')
@@ -158,22 +166,13 @@ optional_policy(`
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
-
- # postfix needs this for newaliases
- files_getattr_tmp_dirs(system_mail_t)
-
- postfix_exec_master(system_mail_t)
- postfix_read_config(system_mail_t)
- postfix_search_spool(system_mail_t)
-
- ifdef(`distro_redhat',`
- # compatability for old default main.cf
- postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
- ')
')
optional_policy(`
qmail_domtrans_inject(system_mail_t)
+ qmail_manage_spool_dirs(system_mail_t)
+ qmail_manage_spool_files(system_mail_t)
+ qmail_rw_spool_pipes(system_mail_t)
')
optional_policy(`
@@ -189,9 +188,17 @@ optional_policy(`
')
optional_policy(`
+ spamd_stream_connect(system_mail_t)
+')
+
+optional_policy(`
smartmon_read_tmp_files(system_mail_t)
')
+optional_policy(`
+ abrt_rw_fifo_file(mta_user_agent)
+')
+
# should break this up among sections:
optional_policy(`
@@ -199,15 +206,16 @@ optional_policy(`
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
- ifdef(`hide_broken_symptoms', `
- arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
- ')
-
optional_policy(`
cron_read_system_job_tmp_files(mta_user_agent)
')
')
+ifdef(`hide_broken_symptoms',`
+ domain_dontaudit_leaks(user_mail_domain)
+ domain_dontaudit_leaks(mta_user_agent)
+')
+
########################################
#
# Mailserver delivery local policy
@@ -220,7 +228,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
+userdom_search_admin_dir(mailserver_delivery)
+read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
@@ -242,6 +251,10 @@ optional_policy(`
')
optional_policy(`
+ logwatch_search_cache_dir(mailserver_delivery)
+')
+
+optional_policy(`
# so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib(mailserver_delivery)
@@ -249,16 +262,25 @@ optional_policy(`
mailman_read_data_symlinks(mailserver_delivery)
')
+optional_policy(`
+ postfix_rw_master_pipes(mailserver_delivery)
+')
+
+optional_policy(`
+ uucp_domtrans_uux(mailserver_delivery)
+')
+
########################################
#
# User send mail local policy
#
+
domain_use_interactive_fds(user_mail_t)
-userdom_use_user_terminals(user_mail_t)
+userdom_use_inherited_user_terminals(user_mail_t)
# Write to the user domain tty. cjp: why?
-userdom_use_user_terminals(mta_user_agent)
+userdom_use_inherited_user_terminals(mta_user_agent)
# Create dead.letter in user home directories.
userdom_manage_user_home_content_files(user_mail_t)
userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
@@ -292,3 +314,44 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
+
+########################################
+#
+# Comman user_mail_domain policy
+#
+
+allow user_mail_domain self:fifo_file rw_fifo_file_perms;
+allow user_mail_domain mta_exec_type:file entrypoint;
+
+append_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
+
+read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t)
+
+can_exec(user_mail_domain, mta_exec_type)
+
+allow system_mail_t user_mail_domain:file read_file_perms;
+
+read_files_pattern(user_mail_domain, etc_mail_t, etc_mail_t)
+
+kernel_read_system_state(user_mail_domain)
+kernel_read_network_state(user_mail_domain)
+kernel_request_load_module(user_mail_domain)
+
+optional_policy(`
+ # postfix needs this for newaliases
+ files_getattr_tmp_dirs(user_mail_domain)
+
+ postfix_exec_master(user_mail_domain)
+ postfix_read_config(user_mail_domain)
+ postfix_search_spool(user_mail_domain)
+
+ ifdef(`distro_redhat',`
+ # compatability for old default main.cf
+ postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
+ ')
+')
+
+optional_policy(`
+ exim_domtrans(user_mail_domain)
+ exim_manage_log(user_mail_domain)
+')
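Review bot: The new section header reads `# Comman user_mail_domain policy`; it should be `# Common user_mail_domain policy`, and the postfix block moved into it still carries `# compatability for old default main.cf` (compatibility). The hunk also moves `can_exec(user_mail_domain, mta_exec_type)` and `kernel_request_load_module(user_mail_domain)` from system_mail_t to the whole attribute, so every member domain now receives them. The attribute's declaration is not in this chunk; a one-line comment above the block naming which types carry `user_mail_domain` would make that widening reviewable.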
diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
index fd71d69..bf90863 100644
--- a/policy/modules/services/munin.fc
+++ b/policy/modules/services/munin.fc
@@ -51,6 +51,7 @@
/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
@@ -63,6 +64,7 @@
/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0)
/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index c358d8f..fec6a97 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -13,10 +13,11 @@
#
template(`munin_plugin_template',`
gen_require(`
- type munin_t, munin_exec_t, munin_etc_t;
+ type munin_t;
+ attribute munin_plugin_domain;
')
- type $1_munin_plugin_t;
+ type $1_munin_plugin_t, munin_plugin_domain;
type $1_munin_plugin_exec_t;
typealias $1_munin_plugin_t alias munin_$1_plugin_t;
typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
@@ -36,17 +37,7 @@ template(`munin_plugin_template',`
# automatic transition rules from munin domain
# to specific munin plugin domain
domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
-
- allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
- allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
-
- read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t)
-
- kernel_read_system_state($1_munin_plugin_t)
-
- corecmd_exec_bin($1_munin_plugin_t)
-
- miscfiles_read_localization($1_munin_plugin_t)
+ allow munin_t $1_munin_plugin_t:process signal_perms;
')
########################################
@@ -65,9 +56,8 @@ interface(`munin_stream_connect',`
type munin_var_run_t, munin_t;
')
- allow $1 munin_t:unix_stream_socket connectto;
- allow $1 munin_var_run_t:sock_file { getattr write };
files_search_pids($1)
+ stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)
')
#######################################
@@ -88,10 +78,28 @@ interface(`munin_read_config',`
allow $1 munin_etc_t:dir list_dir_perms;
allow $1 munin_etc_t:file read_file_perms;
- allow $1 munin_etc_t:lnk_file { getattr read };
+ allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
files_search_etc($1)
')
+######################################
+## <summary>
+## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`munin_dontaudit_leaks',`
+ gen_require(`
+ type munin_t;
+ ')
+
+ dontaudit $1 munin_t:tcp_socket { read write };
+')
+
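Review bot: The summary of `munin_dontaudit_leaks`, "dontaudit read and write an leaked file descriptors", is ungrammatical and broader than the body, which only covers `munin_t:tcp_socket { read write }`. Suggested text: `## Do not audit attempts to read or write leaked munin tcp sockets.`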
#######################################
## <summary>
## Append to the munin log.
@@ -172,8 +180,7 @@ interface(`munin_admin',`
gen_require(`
type munin_t, munin_etc_t, munin_tmp_t;
type munin_log_t, munin_var_lib_t, munin_var_run_t;
- type httpd_munin_content_t;
- type munin_initrc_exec_t;
+ type httpd_munin_content_t, munin_initrc_exec_t;
')
allow $1 munin_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index f17583b..6b17513 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
# Declarations
#
+attribute munin_plugin_domain;
+
type munin_t alias lrrd_t;
type munin_exec_t alias lrrd_exec_t;
init_daemon_domain(munin_t, munin_exec_t)
@@ -24,6 +26,9 @@ files_tmp_file(munin_tmp_t)
type munin_var_lib_t alias lrrd_var_lib_t;
files_type(munin_var_lib_t)
+type munin_plugin_state_t;
+files_type(munin_plugin_state_t)
+
type munin_var_run_t alias lrrd_var_run_t;
files_pid_file(munin_var_run_t)
@@ -40,7 +45,7 @@ munin_plugin_template(system)
# Local policy
#
-allow munin_t self:capability { chown dac_override setgid setuid };
+allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio };
dontaudit munin_t self:capability sys_tty_config;
allow munin_t self:process { getsched setsched signal_perms };
allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
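Review bot: `kill` and `sys_rawio` are added to munin_t's capability set without a comment naming the operation that needs them. The disk plugin domain is separately granted `{ sys_admin sys_rawio }` and `storage_raw_read_fixed_disk` later in this file, which suggests the raw-I/O requirement belongs to that plugin rather than to the master daemon. If munin_t itself needs them, record the trigger above the rule, `# kill/sys_rawio: <operation that produced the denial — TODO confirm>`; otherwise keep the old capability set here.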
@@ -71,9 +76,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
files_search_var_lib(munin_t)
+manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-files_pid_filetrans(munin_t, munin_var_run_t, file)
+files_pid_filetrans(munin_t, munin_var_run_t, { file dir })
+
+read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
kernel_read_system_state(munin_t)
kernel_read_network_state(munin_t)
@@ -116,6 +124,7 @@ logging_read_all_logs(munin_t)
miscfiles_read_fonts(munin_t)
miscfiles_read_localization(munin_t)
+miscfiles_setattr_fonts_cache_dirs(munin_t)
sysnet_exec_ifconfig(munin_t)
@@ -145,6 +154,7 @@ optional_policy(`
optional_policy(`
mta_read_config(munin_t)
mta_send_mail(munin_t)
+ mta_list_queue(munin_t)
mta_read_queue(munin_t)
')
@@ -159,6 +169,7 @@ optional_policy(`
optional_policy(`
postfix_list_spool(munin_t)
+ postfix_getattr_spool_files(munin_t)
')
optional_policy(`
@@ -182,6 +193,7 @@ optional_policy(`
# local policy for disk plugins
#
+allow munin_disk_plugin_t self:capability { sys_admin sys_rawio };
allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
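Review bot: The new rule names the plugin type through its alias `munin_disk_plugin_t` while every neighbouring rule in this section uses the primary name `disk_munin_plugin_t`; both resolve because the template declares the typealias, but mixing the two makes a grep for the type's rules incomplete. Use `allow disk_munin_plugin_t self:capability { sys_admin sys_rawio };` and add a one-line comment saying what the disk plugins do that requires sys_admin, since that capability is far wider than the raw-disk read granted in the next hunk.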
@@ -190,15 +202,13 @@ corecmd_exec_shell(disk_munin_plugin_t)
corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
-files_read_etc_files(disk_munin_plugin_t)
files_read_etc_runtime_files(disk_munin_plugin_t)
-fs_getattr_all_fs(disk_munin_plugin_t)
-
+dev_getattr_lvm_control(disk_munin_plugin_t)
dev_read_sysfs(disk_munin_plugin_t)
dev_read_urand(disk_munin_plugin_t)
-storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
+storage_raw_read_fixed_disk(disk_munin_plugin_t)
sysnet_read_config(disk_munin_plugin_t)
@@ -221,19 +231,17 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
dev_read_urand(mail_munin_plugin_t)
-files_read_etc_files(mail_munin_plugin_t)
-
-fs_getattr_all_fs(mail_munin_plugin_t)
-
logging_read_generic_logs(mail_munin_plugin_t)
mta_read_config(mail_munin_plugin_t)
mta_send_mail(mail_munin_plugin_t)
+mta_list_queue(mail_munin_plugin_t)
mta_read_queue(mail_munin_plugin_t)
optional_policy(`
postfix_read_config(mail_munin_plugin_t)
postfix_list_spool(mail_munin_plugin_t)
+ postfix_getattr_spool_files(mail_munin_plugin_t)
')
optional_policy(`
@@ -245,6 +253,7 @@ optional_policy(`
# local policy for service plugins
#
+allow services_munin_plugin_t self:sem create_sem_perms;
allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
allow services_munin_plugin_t self:udp_socket create_socket_perms;
allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
@@ -255,13 +264,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
dev_read_urand(services_munin_plugin_t)
dev_read_rand(services_munin_plugin_t)
-fs_getattr_all_fs(services_munin_plugin_t)
-
-files_read_etc_files(services_munin_plugin_t)
-
sysnet_read_config(services_munin_plugin_t)
optional_policy(`
+ cups_read_config(services_munin_plugin_t)
cups_stream_connect(services_munin_plugin_t)
')
@@ -286,6 +292,10 @@ optional_policy(`
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
')
+optional_policy(`
+ varnishd_read_lib_files(services_munin_plugin_t)
+')
+
##################################
#
# local policy for system plugins
@@ -295,13 +305,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+# needed by munin_* plugins
+allow system_munin_plugin_t munin_log_t:file read_file_perms;
+
kernel_read_network_state(system_munin_plugin_t)
kernel_read_all_sysctls(system_munin_plugin_t)
-corecmd_exec_shell(system_munin_plugin_t)
-
-fs_getattr_all_fs(system_munin_plugin_t)
-
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
@@ -313,3 +322,31 @@ init_read_utmp(system_munin_plugin_t)
sysnet_exec_ifconfig(system_munin_plugin_t)
term_getattr_unallocated_ttys(system_munin_plugin_t)
+term_getattr_all_ttys(system_munin_plugin_t)
+term_getattr_all_ptys(system_munin_plugin_t)
+
+################################
+#
+# local policy for munin plugin domains
+#
+
+allow munin_plugin_domain munin_exec_t:file read_file_perms;
+allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
+
+# creates plugin state files
+manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
+
+read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
+
+kernel_read_system_state(munin_plugin_domain)
+
+corecmd_exec_bin(munin_plugin_domain)
+corecmd_exec_shell(munin_plugin_domain)
+
+files_search_var_lib(munin_plugin_domain)
+files_read_etc_files(munin_plugin_domain)
+files_read_usr_files(munin_plugin_domain)
+
+fs_getattr_all_fs(munin_plugin_domain)
+
+miscfiles_read_localization(munin_plugin_domain)
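Review bot: `corecmd_exec_shell(munin_plugin_domain)` now covers every plugin domain, so the per-type `corecmd_exec_shell(disk_munin_plugin_t)` still visible as the context of the earlier `@@ -190,15 +202,13 @@` hunk is redundant and should go with the other rules this hunk hoists to the attribute. The block also gives all plugins `files_read_etc_files`, `files_read_usr_files` and `fs_getattr_all_fs` where previously only some had them; a comment above the section, `# baseline shared by every munin_plugin_template() instance`, would tell readers the attribute is deliberately the common denominator.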
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index e9c0982..14af30a 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
domtrans_pattern($1, mysqld_exec_t, mysqld_t)
')
+######################################
+## <summary>
+## Execute MySQL in the coller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_exec',`
+ gen_require(`
+ type mysqld_exec_t;
+ ')
+
+ can_exec($1, mysqld_exec_t)
+')
+
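Review bot: The summary of `mysql_exec` reads "Execute MySQL in the coller domain."; "coller" should be "caller", and the same typo recurs in the `mysql_safe_exec` summary added further down this file. Suggested text: `## Execute MySQL in the caller domain.` and `## Execute mysqld_safe in the caller domain.`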
########################################
## <summary>
## Send a generic signal to MySQL.
@@ -36,6 +54,24 @@ interface(`mysql_signal',`
allow $1 mysqld_t:process signal;
')
+#######################################
+## <summary>
+## Send a null signal to mysql.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_signull',`
+ gen_require(`
+ type mysqld_t;
+ ')
+
+ allow $1 mysqld_t:process signull;
+')
+
########################################
## <summary>
## Allow the specified domain to connect to postgresql with a tcp socket.
@@ -73,6 +109,7 @@ interface(`mysql_stream_connect',`
type mysqld_t, mysqld_var_run_t, mysqld_db_t;
')
+ files_search_pids($1)
stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
')
@@ -252,12 +289,12 @@ interface(`mysql_write_log',`
')
logging_search_logs($1)
- allow $1 mysqld_log_t:file { write_file_perms setattr };
+ allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
')
######################################
## <summary>
-## Execute MySQL server in the mysql domain.
+## Execute MySQL safe script in the mysql safe domain.
## </summary>
## <param name="domain">
## <summary>
@@ -273,6 +310,24 @@ interface(`mysql_domtrans_mysql_safe',`
domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
')
+######################################
+## <summary>
+## Execute MySQL_safe in the coller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_safe_exec',`
+ gen_require(`
+ type mysqld_safe_exec_t;
+ ')
+
+ can_exec($1, mysqld_safe_exec_t)
+')
+
#####################################
## <summary>
## Read MySQL PID files.
@@ -329,10 +384,9 @@ interface(`mysql_search_pid_files',`
#
interface(`mysql_admin',`
gen_require(`
- type mysqld_t, mysqld_var_run_t;
- type mysqld_tmp_t, mysqld_db_t;
- type mysqld_etc_t, mysqld_log_t;
- type mysqld_initrc_exec_t;
+ type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t;
+ type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
+ type mysqld_etc_t;
')
allow $1 mysqld_t:process { ptrace signal_perms };
@@ -343,13 +397,19 @@ interface(`mysql_admin',`
role_transition $2 mysqld_initrc_exec_t system_r;
allow $2 system_r;
+ files_list_pids($1)
admin_pattern($1, mysqld_var_run_t)
admin_pattern($1, mysqld_db_t)
+ files_list_etc($1)
admin_pattern($1, mysqld_etc_t)
+ logging_list_logs($1)
admin_pattern($1, mysqld_log_t)
+ files_list_tmp($1)
admin_pattern($1, mysqld_tmp_t)
+
+ mysql_stream_connect($1)
')
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 0a0d63c..91de41a 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
#
## <desc>
-## <p>
-## Allow mysqld to connect to all ports
-## </p>
+## <p>
+## Allow mysqld to connect to all ports
+## </p>
## </desc>
gen_tunable(mysql_connect_any, false)
@@ -64,11 +64,12 @@ allow mysqld_t self:udp_socket create_socket_perms;
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
allow mysqld_t mysqld_etc_t:file read_file_perms;
-allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
+allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
allow mysqld_t mysqld_etc_t:dir list_dir_perms;
allow mysqld_t mysqld_log_t:file manage_file_perms;
@@ -78,13 +79,17 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
+manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
-files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file })
+files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
kernel_read_system_state(mysqld_t)
kernel_read_kernel_sysctls(mysqld_t)
+corecmd_exec_bin(mysqld_t)
+corecmd_exec_shell(mysqld_t)
+
corenet_all_recvfrom_unlabeled(mysqld_t)
corenet_all_recvfrom_netlabel(mysqld_t)
corenet_tcp_sendrecv_generic_if(mysqld_t)
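Review bot: `corecmd_exec_bin(mysqld_t)` and `corecmd_exec_shell(mysqld_t)` let the network-facing database daemon execute any bin_t or shell program, and nothing in the hunk records why. A blanket exec right on a daemon that parses untrusted client input deserves at least a comment naming the helper that triggered it, `# mysqld executes <helper — TODO confirm from the AVC>`; if the helper is only run by mysqld_safe, the rules belong in that section instead.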
@@ -127,8 +132,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
userdom_read_user_home_content_files(mysqld_t)
ifdef(`distro_redhat',`
- # because Fedora has the sock_file in the database directory
- type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
+ filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
')
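Review bot: The rewrite to `filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)` drops the only explanation of the distro_redhat block, `# because Fedora has the sock_file in the database directory`. Keep that comment above the new call so the next reader knows why the socket is not labelled mysqld_db_t.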
tunable_policy(`mysql_connect_any',`
@@ -155,6 +159,7 @@ optional_policy(`
allow mysqld_safe_t self:capability { chown dac_override fowner kill };
dontaudit mysqld_safe_t self:capability sys_ptrace;
+allow mysqld_safe_t self:process { setsched getsched setrlimit };
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
@@ -175,21 +180,27 @@ dev_list_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t)
+files_dontaudit_search_all_mountpoints(mysqld_safe_t)
files_read_etc_files(mysqld_safe_t)
files_read_usr_files(mysqld_safe_t)
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
-hostname_exec(mysqld_safe_t)
+logging_send_syslog_msg(mysqld_safe_t)
miscfiles_read_localization(mysqld_safe_t)
mysql_manage_db_files(mysqld_safe_t)
mysql_read_config(mysqld_safe_t)
mysql_search_pid_files(mysqld_safe_t)
+mysql_signull(mysqld_safe_t)
mysql_write_log(mysqld_safe_t)
+optional_policy(`
+ hostname_exec(mysqld_safe_t)
+')
+
########################################
#
# MySQL Manager Policy
diff --git a/policy/modules/services/nagios.fc b/policy/modules/services/nagios.fc
index 1fc9905..1d05c60 100644
--- a/policy/modules/services/nagios.fc
+++ b/policy/modules/services/nagios.fc
@@ -6,8 +6,8 @@
/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
@@ -19,70 +19,72 @@
ifdef(`distro_debian',`
/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
')
-/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
# admin plugins
-/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
# check disk plugins
-/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
# mail plugins
-/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
+
+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
# system plugins
-/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
# services plugins
-/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
# unconfined plugins
-/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
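Review bot: Every `/usr/lib(64)?/` pattern in nagios.fc is narrowed to `/usr/lib/`, so on a system where the plugins live under /usr/lib64 these entries only match if a path substitution (for example a file_contexts.subs_dist mapping of /usr/lib64 to /usr/lib) is in place; that dependency is not stated anywhere in the hunk and is worth a one-line comment at the top of the file. The same narrowing is made in the first hunk of this file. Separately, the new `/usr/lib/pnp4nagios(/.*)?` entry sits under the `# mail plugins` heading although it labels a var_lib directory; give it its own comment or move it next to the other non-plugin paths.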
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
index 8581040..2367841 100644
--- a/policy/modules/services/nagios.if
+++ b/policy/modules/services/nagios.if
@@ -12,10 +12,8 @@
## </param>
#
template(`nagios_plugin_template',`
-
gen_require(`
- type nagios_t, nrpe_t;
- type nagios_log_t;
+ type nagios_t, nrpe_t, nagios_log_t;
')
type nagios_$1_plugin_t;
@@ -26,9 +24,11 @@ template(`nagios_plugin_template',`
allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+ allow nrpe_t nagios_$1_plugin_t:process { signal sigkill };
# needed by command.cfg
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+ allow nagios_t nagios_$1_plugin_exec_t:file ioctl;
allow nagios_t nagios_$1_plugin_t:process signal_perms;
@@ -36,6 +36,12 @@ template(`nagios_plugin_template',`
dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
+ # FIXME
+ # Probably add nagios_plugin_domain attribute
+ kernel_read_system_state(nagios_$1_plugin_t)
+
+ files_read_usr_files(nagios_$1_plugin_t)
+
miscfiles_read_localization(nagios_$1_plugin_t)
')
@@ -49,7 +55,6 @@ template(`nagios_plugin_template',`
## Domain to not audit.
## </summary>
## </param>
-## <rolecap/>
#
interface(`nagios_dontaudit_rw_pipes',`
gen_require(`
@@ -159,6 +164,26 @@ interface(`nagios_read_tmp_files',`
########################################
## <summary>
+## Allow the specified domain to read
+## nagios temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_rw_inerited_tmp_files',`
+ gen_require(`
+ type nagios_tmp_t;
+ ')
+
+ allow $1 nagios_tmp_t:file rw_inherited_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
## Execute the nagios NRPE with
## a domain transition.
## </summary>
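Review bot: The new interface name `nagios_rw_inerited_tmp_files` is misspelled (the h of "inherited" is missing), and because interface names are the module's public API the typo will be carried by every caller until someone renames it with a compatibility shim. The summary also says the domain may "read nagios temporary files" while the body grants `rw_inherited_file_perms`, so `## Read and write inherited nagios temporary files.` describes what is actually allowed. Renaming to `nagios_rw_inherited_tmp_files` before anything in the tree calls it keeps the fix cheap.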
@@ -195,11 +220,9 @@ interface(`nagios_domtrans_nrpe',`
#
interface(`nagios_admin',`
gen_require(`
- type nagios_t, nrpe_t;
- type nagios_tmp_t, nagios_log_t;
- type nagios_etc_t, nrpe_etc_t;
- type nagios_spool_t, nagios_var_run_t;
- type nagios_initrc_exec_t;
+ type nagios_t, nrpe_t, nagios_initrc_exec_t;
+ type nagios_tmp_t, nagios_log_t, nagios_var_run_t;
+ type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
')
allow $1 nagios_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index bf64a4c..1147e19 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -25,7 +25,10 @@ type nagios_var_run_t;
files_pid_file(nagios_var_run_t)
type nagios_spool_t;
-files_type(nagios_spool_t)
+files_spool_file(nagios_spool_t)
+
+type nagios_var_lib_t;
+files_type(nagios_var_lib_t)
nagios_plugin_template(admin)
nagios_plugin_template(checkdisk)
@@ -77,8 +80,13 @@ files_pid_filetrans(nagios_t, nagios_var_run_t, file)
manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
+manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file dir })
+
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
+kernel_read_software_raid_state(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
@@ -107,13 +115,11 @@ files_read_etc_files(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
files_search_spool(nagios_t)
+files_read_usr_files(nagios_t)
fs_getattr_all_fs(nagios_t)
fs_search_auto_mountpoints(nagios_t)
-# for who
-init_read_utmp(nagios_t)
-
auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t)
@@ -124,10 +130,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
mta_send_mail(nagios_t)
+mta_signal_system_mail(nagios_t)
+mta_kill_system_mail(nagios_t)
optional_policy(`
- netutils_domtrans_ping(nagios_t)
- netutils_signal_ping(nagios_t)
netutils_kill_ping(nagios_t)
')
@@ -143,6 +149,7 @@ optional_policy(`
#
# Nagios CGI local policy
#
+
optional_policy(`
apache_content_template(nagios)
typealias httpd_nagios_script_t alias nagios_cgi_t;
@@ -180,11 +187,13 @@ optional_policy(`
#
allow nrpe_t self:capability { setuid setgid };
-dontaudit nrpe_t self:capability {sys_tty_config sys_resource};
+dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
allow nrpe_t self:tcp_socket create_stream_socket_perms;
+read_files_pattern(nrpe_t, nrpe_etc_t, nrpe_etc_t)
+
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
@@ -201,7 +210,8 @@ corecmd_exec_shell(nrpe_t)
corenet_tcp_bind_generic_node(nrpe_t)
corenet_tcp_bind_inetd_child_port(nrpe_t)
-corenet_sendrecv_unlabeled_packets(nrpe_t)
+corenet_all_recvfrom_unlabeled(nrpe_t)
+corenet_all_recvfrom_netlabel(nrpe_t)
dev_read_sysfs(nrpe_t)
dev_read_urand(nrpe_t)
@@ -211,6 +221,7 @@ domain_read_all_domains_state(nrpe_t)
files_read_etc_runtime_files(nrpe_t)
files_read_etc_files(nrpe_t)
+files_read_usr_files(nrpe_t)
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
@@ -270,12 +281,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
-
allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
-kernel_read_system_state(nagios_mail_plugin_t)
kernel_read_kernel_sysctls(nagios_mail_plugin_t)
corecmd_read_bin_files(nagios_mail_plugin_t)
@@ -299,7 +308,7 @@ optional_policy(`
optional_policy(`
postfix_stream_connect_master(nagios_mail_plugin_t)
- posftix_exec_postqueue(nagios_mail_plugin_t)
+ postfix_exec_postqueue(nagios_mail_plugin_t)
')
######################################
@@ -310,6 +319,9 @@ optional_policy(`
# needed by ioctl()
allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
+
+files_getattr_all_dirs(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
fs_getattr_all_fs(nagios_checkdisk_plugin_t)
@@ -323,7 +335,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill };
-
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms;
@@ -340,6 +351,8 @@ files_read_usr_files(nagios_services_plugin_t)
optional_policy(`
netutils_domtrans_ping(nagios_services_plugin_t)
+ netutils_signal_ping(nagios_services_plugin_t)
+ netutils_kill_ping(nagios_services_plugin_t)
')
optional_policy(`
@@ -363,7 +376,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
-kernel_read_system_state(nagios_system_plugin_t)
kernel_read_kernel_sysctls(nagios_system_plugin_t)
corecmd_exec_bin(nagios_system_plugin_t)
diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc
index 74da57f..b94bb3b 100644
--- a/policy/modules/services/nessus.fc
+++ b/policy/modules/services/nessus.fc
@@ -1,7 +1,7 @@
/etc/nessus/nessusd\.conf -- gen_context(system_u:object_r:nessusd_etc_t,s0)
-/usr/lib(64)?/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0)
+/usr/lib/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0)
/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
index 386543b..47e1b41 100644
--- a/policy/modules/services/networkmanager.fc
+++ b/policy/modules/services/networkmanager.fc
@@ -1,6 +1,15 @@
/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
+/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
+/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
+/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+
+/lib/systemd/system/NetworkManager\.service -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
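Review bot: The three wicd settings files added under /etc are labelled `NetworkManager_var_lib_t` rather than the `NetworkManager_etc_t`/`NetworkManager_etc_rw_t` types this hunk introduces for NetworkManager's own configuration, and nothing records why; presumably wicd rewrites them at runtime, but that is worth confirming and stating in a comment above the group, e.g. `# wicd rewrites these at runtime, so they share the var_lib type — TODO confirm`. Those entries also differ in style from the rest of the file: the `.` before `conf` is unescaped and there is a space after the comma in `, s0`, e.g. `/etc/wicd/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)`.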
@@ -16,7 +25,8 @@
/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
+/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
+
/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
index 2324d9e..ac2e779 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
## Allow caller to relabel tun_socket
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`networkmanager_attach_tun_iface',`
@@ -116,6 +116,30 @@ interface(`networkmanager_initrc_domtrans',`
########################################
## <summary>
+## Execute NetworkManager server in the NetworkManager domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_systemctl',`
+ gen_require(`
+ type NetworkManager_unit_file_t;
+ type NetworkManager_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 NetworkManager_unit_file_t:file read_file_perms;
+ allow $1 NetworkManager_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, NetworkManager_t)
+')
+
+########################################
+## <summary>
## Send and receive messages from
## NetworkManager over dbus.
## </summary>
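Review bot: The summary of `networkmanager_systemctl` says it executes the NetworkManager server in the NetworkManager domain, but the body grants no domain transition: it allows executing systemctl, reading the unit file, `all_service_perms` on the unit (every service permission, so start, stop and enable among them) and `ps_process_pattern` on the daemon. The doc should describe that, e.g. `## Allow the specified domain to manage the NetworkManager service via systemctl (all service permissions on its unit file) and read the daemon's process state.` The same copied summary appears on `nis_systemctl_ypbind`, `nis_systemctl` and `nscd_systemctl` later in this patch; for `nis_systemctl` it is additionally wrong about scope, since that interface covers the ypserv, yppasswdd and ypxfrd units and four daemon domains, not ypbind alone.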
@@ -137,6 +161,28 @@ interface(`networkmanager_dbus_chat',`
########################################
## <summary>
+## Do not audit attempts to send and
+## receive messages from NetworkManager
+## over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dontaudit_dbus_chat',`
+ gen_require(`
+ type NetworkManager_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 NetworkManager_t:dbus send_msg;
+ dontaudit NetworkManager_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Send a generic signal to NetworkManager
## </summary>
## <param name="domain">
@@ -191,3 +237,77 @@ interface(`networkmanager_read_pid_files',`
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## Execute NetworkManager in the NetworkManager domain, and
+## allow the specified role the NetworkManager domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`networkmanager_run',`
+ gen_require(`
+ type NetworkManager_t, NetworkManager_exec_t;
+ ')
+
+ networkmanager_domtrans($1)
+ role $2 types NetworkManager_t;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## to Network Manager log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_append_log',`
+ gen_require(`
+ type NetworkManager_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 NetworkManager_log_t:dir list_dir_perms;
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+')
+
+########################################
+## <summary>
+## Transition to networkmanager named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_filetrans_named_content',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth0.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth1.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth2.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth3.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth4.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth5.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth6.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth7.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth8.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
+')
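Review bot: `networkmanager_filetrans_named_content` enumerates ten literal names `nm-dhclient.-eth0.conf` … `nm-dhclient.-eth9.conf`, so the named transition silently does not apply to a file for any other interface name (wlan0, or a tenth ethernet device), which then gets whatever label the caller's generic pid transition gives it instead of `NetworkManager_var_run_t`; a `# only eth0-eth9 are covered; files for other interface names are not relabelled by this interface` comment at the head of the list makes the gap explicit. The `.-` inside each literal also looks unusual for a file named after an interface — worth confirming against what NetworkManager actually writes, because a named transition on a name that never occurs is dead policy. Separately, `networkmanager_run` lists `NetworkManager_exec_t` in its `gen_require` block but never references it; `type NetworkManager_t;` is enough.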
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 0619395..c985b07 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
type NetworkManager_initrc_exec_t;
init_script_file(NetworkManager_initrc_exec_t)
+type NetworkManager_unit_file_t;
+systemd_unit_file(NetworkManager_unit_file_t)
+
+type NetworkManager_etc_t;
+files_config_file(NetworkManager_etc_t)
+
+type NetworkManager_etc_rw_t;
+files_config_file(NetworkManager_etc_rw_t)
+
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
@@ -35,16 +44,21 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit NetworkManager_t self:capability sys_module;
+')
allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
+allow NetworkManager_t self:netlink_socket create_socket_perms;
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
-allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom };
+allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
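Review bot: `sys_admin` is added to NetworkManager_t's self capability set with no comment saying which operation needs it, whereas the comment just above that set records why `sys_ptrace` is there (rh bug #204161). `sys_admin` covers a very wide range of privileged operations, so a one-line why-comment such as `# sys_admin: <operation> — TODO confirm` beside the capability, or a bug reference in the existing style, would let a later reviewer decide whether a narrower capability suffices. The same applies to the new generic `netlink_socket` rule under `netlink_route_socket`: the netlink family it is for is not recorded.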
@@ -52,9 +66,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
can_exec(NetworkManager_t, NetworkManager_exec_t)
+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+
+manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
+manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
+filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
+
+logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
+
manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
+can_exec(NetworkManager_t, NetworkManager_tmp_t)
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
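Review bot: `logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)` is added by this hunk two lines above an identical call that is already present as context, so the new line is a duplicate and should be dropped. In the same hunk `can_exec(NetworkManager_t, NetworkManager_tmp_t)` lets the daemon execute files of a type it also creates and writes (`manage_files_pattern` on the next line), which removes the usual separation between writable scratch files and executables for this domain; if a helper really is run from the tmp directory, a comment naming it (`# executes <helper> written to its tmp dir — TODO confirm`) would record the reason and make the rule easy to revisit.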
@@ -100,6 +125,7 @@ dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
+dev_rw_wireless(NetworkManager_t)
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
@@ -113,7 +139,7 @@ corecmd_exec_shell(NetworkManager_t)
corecmd_exec_bin(NetworkManager_t)
domain_use_interactive_fds(NetworkManager_t)
-domain_read_confined_domains_state(NetworkManager_t)
+domain_read_all_domains_state(NetworkManager_t)
files_read_etc_files(NetworkManager_t)
files_read_etc_runtime_files(NetworkManager_t)
@@ -133,30 +159,37 @@ logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
miscfiles_read_generic_certs(NetworkManager_t)
-modutils_domtrans_insmod(NetworkManager_t)
-
seutil_read_config(NetworkManager_t)
sysnet_domtrans_ifconfig(NetworkManager_t)
sysnet_domtrans_dhcpc(NetworkManager_t)
sysnet_signal_dhcpc(NetworkManager_t)
+sysnet_signull_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_read_dhcp_config(NetworkManager_t)
sysnet_delete_dhcpc_pid(NetworkManager_t)
+sysnet_kill_dhcpc(NetworkManager_t)
+sysnet_read_dhcpc_state(NetworkManager_t)
+sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
# in /etc created by NetworkManager will be labelled net_conf_t.
sysnet_manage_config(NetworkManager_t)
sysnet_etc_filetrans_config(NetworkManager_t)
+userdom_stream_connect(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
# Read gnome-keyring
+userdom_read_home_certs(NetworkManager_t)
userdom_read_user_home_content_files(NetworkManager_t)
+userdom_dgram_send(NetworkManager_t)
optional_policy(`
avahi_domtrans(NetworkManager_t)
avahi_kill(NetworkManager_t)
avahi_signal(NetworkManager_t)
avahi_signull(NetworkManager_t)
+ avahi_dbus_chat(NetworkManager_t)
')
optional_policy(`
@@ -172,14 +205,21 @@ optional_policy(`
')
optional_policy(`
- consoletype_exec(NetworkManager_t)
+ consoletype_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ cron_read_system_job_lib_files(NetworkManager_t)
')
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+ init_dbus_chat(NetworkManager_t)
+
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
+ consolekit_read_pid_files(NetworkManager_t)
')
')
@@ -191,6 +231,7 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
+ dnsmasq_systemctl(NetworkManager_t)
')
optional_policy(`
@@ -202,23 +243,45 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(NetworkManager_t)
+')
+
+optional_policy(`
+ ipsec_domtrans_mgmt(NetworkManager_t)
+ ipsec_kill_mgmt(NetworkManager_t)
+ ipsec_signal_mgmt(NetworkManager_t)
+ ipsec_signull_mgmt(NetworkManager_t)
+')
+
+optional_policy(`
iptables_domtrans(NetworkManager_t)
')
optional_policy(`
+ netutils_exec_ping(NetworkManager_t)
+')
+
+optional_policy(`
nscd_domtrans(NetworkManager_t)
nscd_signal(NetworkManager_t)
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
+ nscd_systemctl(NetworkManager_t)
')
optional_policy(`
# Dispatcher starting and stoping ntp
ntp_initrc_domtrans(NetworkManager_t)
+ ntp_systemctl(NetworkManager_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(NetworkManager_t)
')
optional_policy(`
+ openvpn_read_config(NetworkManager_t)
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
@@ -241,6 +304,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
+ ppp_systemctl(NetworkManager_t)
')
optional_policy(`
@@ -263,6 +327,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
+ vpn_relabelfrom_tun_socket(NetworkManager_t)
')
########################################
diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc
index 15448d5..3587f6a 100644
--- a/policy/modules/services/nis.fc
+++ b/policy/modules/services/nis.fc
@@ -1,5 +1,5 @@
/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/yppasswdd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
@@ -7,10 +7,10 @@
/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
-/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
@@ -19,3 +19,8 @@
/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+
+/lib/systemd/system/ypbind\.service -- gen_context(system_u:object_r:ypbind_unit_file_t,s0)
+/lib/systemd/system/ypserv\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index abe3f7f..9e96501 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
allow $1 self:udp_socket create_socket_perms;
allow $1 var_yp_t:dir list_dir_perms;
- allow $1 var_yp_t:lnk_file { getattr read };
+ allow $1 var_yp_t:lnk_file read_lnk_file_perms;
allow $1 var_yp_t:file read_file_perms;
corenet_all_recvfrom_unlabeled($1)
@@ -49,12 +49,12 @@ interface(`nis_use_ypbind_uncond',`
corenet_udp_bind_generic_node($1)
corenet_tcp_bind_generic_port($1)
corenet_udp_bind_generic_port($1)
- corenet_dontaudit_tcp_bind_all_reserved_ports($1)
- corenet_dontaudit_udp_bind_all_reserved_ports($1)
+ corenet_tcp_bind_all_rpc_ports($1)
+ corenet_udp_bind_all_rpc_ports($1)
corenet_dontaudit_tcp_bind_all_ports($1)
corenet_dontaudit_udp_bind_all_ports($1)
corenet_tcp_connect_portmap_port($1)
- corenet_tcp_connect_reserved_port($1)
+ corenet_tcp_connect_all_reserved_ports($1)
corenet_tcp_connect_generic_port($1)
corenet_dontaudit_tcp_connect_all_ports($1)
corenet_sendrecv_portmap_client_packets($1)
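Review bot: The two `dontaudit` lines for binding reserved ports are replaced by `allow` rules that bind all RPC ports, and `corenet_tcp_connect_reserved_port` becomes `corenet_tcp_connect_all_reserved_ports`, so every caller of `nis_use_ypbind_uncond` — going by its name, any domain that performs NIS lookups — now receives these broader network permissions. A widening that reaches many domains at once deserves a comment at the rule site stating what client behaviour requires it, e.g. `# NIS clients bind privileged RPC source ports and connect to ypserv on reserved ports — TODO confirm`. `nis_use_ypbind_uncond` begins before this hunk, so the rest of its rule set is not visible here.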
@@ -243,25 +243,6 @@ interface(`nis_read_ypbind_pid',`
########################################
## <summary>
-## Delete ypbind pid files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`nis_delete_ypbind_pid',`
- gen_require(`
- type ypbind_t;
- ')
-
- # TODO: add delete pid from dir call to files
- allow $1 ypbind_t:file unlink;
-')
-
-########################################
-## <summary>
## Read ypserv configuration files.
## </summary>
## <param name="domain">
@@ -337,6 +318,57 @@ interface(`nis_initrc_domtrans_ypbind',`
########################################
## <summary>
+## Execute ypbind server in the ypbind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nis_systemctl_ypbind',`
+ gen_require(`
+ type ypbind_unit_file_t;
+ type ypbind_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 ypbind_unit_file_t:file read_file_perms;
+ allow $1 ypbind_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, ypbind_t)
+')
+
+########################################
+## <summary>
+## Execute ypbind server in the ypbind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nis_systemctl',`
+ gen_require(`
+ type nis_unit_file_t;
+ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 nis_unit_file_t:file read_file_perms;
+ allow $1 nis_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, ypbind_t)
+ ps_process_pattern($1, yppasswdd_t)
+ ps_process_pattern($1, ypserv_t)
+ ps_process_pattern($1, ypxfr_t)
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an nis environment
## </summary>
@@ -354,10 +386,10 @@ interface(`nis_initrc_domtrans_ypbind',`
#
interface(`nis_admin',`
gen_require(`
- type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+ type ypbind_t, yppasswdd_t, ypserv_t;
type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
- type ypbind_initrc_exec_t, nis_initrc_exec_t;
+ type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
')
allow $1 ypbind_t:process { ptrace signal_perms };
@@ -384,6 +416,7 @@ interface(`nis_admin',`
files_list_pids($1)
admin_pattern($1, ypbind_var_run_t)
+ nis_systemctl_ypbind($1)
admin_pattern($1, yppasswdd_var_run_t)
@@ -393,4 +426,5 @@ interface(`nis_admin',`
admin_pattern($1, ypserv_tmp_t)
admin_pattern($1, ypserv_var_run_t)
+ nis_systemctl($1)
')
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index 4876cae..eabed96 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -24,6 +24,9 @@ files_tmp_file(ypbind_tmp_t)
type ypbind_var_run_t;
files_pid_file(ypbind_var_run_t)
+type ypbind_unit_file_t;
+systemd_unit_file(ypbind_unit_file_t)
+
type yppasswdd_t;
type yppasswdd_exec_t;
init_daemon_domain(yppasswdd_t, yppasswdd_exec_t)
@@ -37,7 +40,7 @@ type ypserv_exec_t;
init_daemon_domain(ypserv_t, ypserv_exec_t)
type ypserv_conf_t;
-files_type(ypserv_conf_t)
+files_config_file(ypserv_conf_t)
type ypserv_tmp_t;
files_tmp_file(ypserv_tmp_t)
@@ -52,13 +55,17 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t)
type ypxfr_var_run_t;
files_pid_file(ypxfr_var_run_t)
+type nis_unit_file_t;
+systemd_unit_file(nis_unit_file_t)
+
########################################
#
# ypbind local policy
+#
dontaudit ypbind_t self:capability { net_admin sys_tty_config };
-allow ypbind_t self:fifo_file rw_fifo_file_perms;
allow ypbind_t self:process signal_perms;
+allow ypbind_t self:fifo_file rw_fifo_file_perms;
allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
allow ypbind_t self:tcp_socket create_stream_socket_perms;
@@ -142,8 +149,8 @@ optional_policy(`
allow yppasswdd_t self:capability dac_override;
dontaudit yppasswdd_t self:capability sys_tty_config;
-allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
allow yppasswdd_t self:process { getsched setfscreate signal_perms };
+allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
@@ -211,6 +218,10 @@ optional_policy(`
')
optional_policy(`
+ mta_send_mail(yppasswdd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(yppasswdd_t)
')
@@ -224,8 +235,8 @@ optional_policy(`
#
dontaudit ypserv_t self:capability sys_tty_config;
-allow ypserv_t self:fifo_file rw_fifo_file_perms;
allow ypserv_t self:process signal_perms;
+allow ypserv_t self:fifo_file rw_fifo_file_perms;
allow ypserv_t self:unix_dgram_socket create_socket_perms;
allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index 85188dc..891d4ab 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -116,7 +116,26 @@ interface(`nscd_socket_use',`
dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
files_search_pids($1)
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
- dontaudit $1 nscd_var_run_t:file { getattr read };
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
+ ps_process_pattern(nscd_t, $1)
+')
+
+########################################
+## <summary>
+## Use nscd services
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_use',`
+ tunable_policy(`nscd_use_shm',`
+ nscd_shm_use($1)
+ ',`
+ nscd_socket_use($1)
+ ')
')
########################################
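Review bot: `ps_process_pattern(nscd_t, $1)` is added to `nscd_socket_use` with its arguments in the opposite direction from the other rules visible in this hunk: it lets the nscd daemon read the process state of each calling domain rather than giving the caller access to nscd. If that is intentional, a comment such as `# nscd reads the /proc state of its clients — TODO confirm` next to the rule would stop it being read as a transposition of the arguments. `nscd_socket_use` begins before this hunk; the new `nscd_use` wrapper below it only selects between `nscd_shm_use` and `nscd_socket_use` on the `nscd_use_shm` tunable and adds no rules of its own.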
@@ -146,11 +165,14 @@ interface(`nscd_shm_use',`
# nscd_socket_domain macro. need to investigate
# if they are all actually required
allow $1 self:unix_stream_socket create_stream_socket_perms;
- allow $1 nscd_t:unix_stream_socket connectto;
- allow $1 nscd_var_run_t:sock_file rw_file_perms;
+
+ # dg: This may not be required.
+ allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
+
+ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
files_search_pids($1)
allow $1 nscd_t:nscd { getpwd getgrp gethost };
- dontaudit $1 nscd_var_run_t:file { getattr read };
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
')
########################################
@@ -168,7 +190,7 @@ interface(`nscd_dontaudit_search_pid',`
type nscd_var_run_t;
')
- dontaudit $1 nscd_var_run_t:dir search;
+ dontaudit $1 nscd_var_run_t:dir search_dir_perms;
')
########################################
@@ -224,6 +246,7 @@ interface(`nscd_unconfined',`
## Role allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`nscd_run',`
gen_require(`
@@ -254,6 +277,30 @@ interface(`nscd_initrc_domtrans',`
########################################
## <summary>
+## Execute nscd server in the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nscd_systemctl',`
+ gen_require(`
+ type nscd_unit_file_t;
+ type nscd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 nscd_unit_file_t:file read_file_perms;
+ allow $1 nscd_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, nscd_t)
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an nscd environment
## </summary>
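Review bot: The summary of nscd_systemctl, "Execute nscd server in the nscd domain.", does not match the body: there is no domain transition here, the interface grants systemctl execution, `all_service_perms` on nscd_unit_file_t (start, stop, reload, enable, etc.) and ps access to nscd_t. Since this text is what policy documentation tools render, I would change it to `## Allow the domain to manage the nscd service with systemctl.` and rename the param summary to `## Domain allowed access.`. The same summary/body mismatch is in ntp_systemctl in the ntp.if hunk further down.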
@@ -288,4 +335,6 @@ interface(`nscd_admin',`
files_list_pids($1)
admin_pattern($1, nscd_var_run_t)
+
+ nscd_systemctl($1)
')
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 7936e09..812f966 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,9 +1,16 @@
-policy_module(nscd, 1.10.0)
+policy_module(nscd, 1.10.1)
gen_require(`
class nscd all_nscd_perms;
')
+## <desc>
+## <p>
+## Allow confined applications to use nscd shared memory.
+## </p>
+## </desc>
+gen_tunable(nscd_use_shm, false)
+
########################################
#
# Declarations
@@ -22,6 +29,9 @@ init_daemon_domain(nscd_t, nscd_exec_t)
type nscd_initrc_exec_t;
init_script_file(nscd_initrc_exec_t)
+type nscd_unit_file_t;
+systemd_unit_file(nscd_unit_file_t)
+
type nscd_log_t;
logging_log_file(nscd_log_t)
@@ -30,7 +40,7 @@ logging_log_file(nscd_log_t)
# Local policy
#
-allow nscd_t self:capability { kill setgid setuid };
+allow nscd_t self:capability { kill setgid setuid sys_ptrace };
dontaudit nscd_t self:capability sys_tty_config;
allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
allow nscd_t self:fifo_file read_fifo_file_perms;
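Review bot: `sys_ptrace` is added to nscd_t's capability set with no comment on what needs it; it is the capability the kernel checks before letting one process inspect another's state, so it deserves a justification line. Taken together with `domain_search_all_domains_state(nscd_t)` added later in this file, the intent seems to be reading other processes' /proc entries, but that is inferred from the rules, not stated. I would annotate the rule with `# sys_ptrace: needed to read other processes' /proc state -- confirm the exact entries nscd reads` so a later reviewer can judge whether a narrower grant suffices.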
@@ -47,9 +57,10 @@ allow nscd_t self:nscd { admin getstat };
allow nscd_t nscd_log_t:file manage_file_perms;
logging_log_filetrans(nscd_t, nscd_log_t, file)
+manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
-files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
+files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir })
corecmd_search_bin(nscd_t)
can_exec(nscd_t, nscd_exec_t)
@@ -90,6 +101,7 @@ selinux_compute_create_context(nscd_t)
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)
domain_use_interactive_fds(nscd_t)
+domain_search_all_domains_state(nscd_t)
files_read_etc_files(nscd_t)
files_read_generic_tmp_symlinks(nscd_t)
@@ -112,6 +124,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)
optional_policy(`
+ accountsd_dontaudit_rw_fifo_file(nscd_t)
+')
+
+optional_policy(`
cron_read_system_job_tmp_files(nscd_t)
')
@@ -127,3 +143,17 @@ optional_policy(`
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
+
+optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(nscd_t)
+ samba_dontaudit_use_fds(nscd_t)
+ ')
+
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
+')
diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if
index 23c769c..be5a5b4 100644
--- a/policy/modules/services/nslcd.if
+++ b/policy/modules/services/nslcd.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run nslcd.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`nslcd_domtrans',`
@@ -93,8 +93,8 @@ interface(`nslcd_stream_connect',`
#
interface(`nslcd_admin',`
gen_require(`
- type nslcd_t, nslcd_initrc_exec_t;
- type nslcd_conf_t, nslcd_var_run_t;
+ type nslcd_t, nslcd_initrc_exec_t, nslcd_var_run_t;
+ type nslcd_conf_t;
')
ps_process_pattern($1, nslcd_t)
@@ -106,9 +106,9 @@ interface(`nslcd_admin',`
role_transition $2 nslcd_initrc_exec_t system_r;
allow $2 system_r;
- manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t)
+ files_list_etc($1)
+ admin_pattern($1, nslcd_conf_t)
- manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
- manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
- manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+ files_list_pids($1)
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
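Review bot: `admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)` passes a third argument, but admin_pattern takes exactly two (domain, type), as the call on the previous line for nslcd_conf_t and the other admin_pattern calls in this patch show. m4 silently ignores the extra argument, so nothing breaks, but it reads as if a manage_*_pattern call were half-converted. Change the line to `admin_pattern($1, nslcd_var_run_t)`.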
diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te
index 4e28d58..1835068 100644
--- a/policy/modules/services/nslcd.te
+++ b/policy/modules/services/nslcd.te
@@ -16,7 +16,7 @@ type nslcd_var_run_t;
files_pid_file(nslcd_var_run_t)
type nslcd_conf_t;
-files_type(nslcd_conf_t)
+files_config_file(nslcd_conf_t)
########################################
#
@@ -24,7 +24,7 @@ files_type(nslcd_conf_t)
#
allow nslcd_t self:capability { setgid setuid dac_override };
-allow nslcd_t self:process signal;
+allow nslcd_t self:process { setsched signal };
allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
allow nslcd_t nslcd_conf_t:file read_file_perms;
@@ -37,9 +37,13 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
kernel_read_system_state(nslcd_t)
files_read_etc_files(nslcd_t)
+files_read_usr_symlinks(nslcd_t)
+files_list_tmp(nslcd_t)
auth_use_nsswitch(nslcd_t)
logging_send_syslog_msg(nslcd_t)
miscfiles_read_localization(nslcd_t)
+
+userdom_read_user_tmp_files(nslcd_t)
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
index ded9fb6..9d1e60a 100644
--- a/policy/modules/services/ntop.te
+++ b/policy/modules/services/ntop.te
@@ -51,7 +51,7 @@ files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
-files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } )
+files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir })
manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
files_pid_filetrans(ntop_t, ntop_var_run_t, file)
diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
index e79dccc..50202ef 100644
--- a/policy/modules/services/ntp.fc
+++ b/policy/modules/services/ntp.fc
@@ -10,6 +10,8 @@
/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+/lib/systemd/system/ntpd\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
+
/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index e80f8c0..c58528f 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -98,6 +98,49 @@ interface(`ntp_initrc_domtrans',`
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
')
+#####################################
+## <summary>
+## Allow domain to read ntpd systemd unit files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_read_unit_file',`
+ gen_require(`
+ type ntpd_unit_file_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 ntpd_unit_file_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute ntpd server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ntp_systemctl',`
+ gen_require(`
+ type ntpd_unit_file_t;
+ type ntpd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 ntpd_unit_file_t:file read_file_perms;
+ allow $1 ntpd_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, ntpd_t)
+')
+
########################################
## <summary>
## Read and write ntpd shared memory.
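Review bot: ntp_read_unit_file grants `files_search_var_lib($1)`, but the unit file it is meant to read is labelled under /lib/systemd/system (see the ntp.fc hunk above), not /var/lib, so the search permission does not lead to the file. The sibling ntp_systemctl interface in the same hunk uses the right helper; replace the line with `systemd_search_unit_dirs($1)`. While there, the param summary of ntp_systemctl ("Domain allowed to transition.") describes a transition that does not happen.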
@@ -122,6 +165,25 @@ interface(`ntp_rw_shm',`
########################################
## <summary>
+## Allow the domain to read ntpd state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_read_state',`
+ gen_require(`
+ type ntpd_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, ntpd_t)
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an ntp environment
## </summary>
@@ -140,11 +202,10 @@ interface(`ntp_rw_shm',`
interface(`ntp_admin',`
gen_require(`
type ntpd_t, ntpd_tmp_t, ntpd_log_t;
- type ntpd_key_t, ntpd_var_run_t;
- type ntpd_initrc_exec_t;
+ type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
')
- allow $1 ntpd_t:process { ptrace signal_perms getattr };
+ allow $1 ntpd_t:process { ptrace signal_perms };
ps_process_pattern($1, ntpd_t)
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
@@ -162,4 +223,6 @@ interface(`ntp_admin',`
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
+
+ ntp_systemctl($1)
')
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index c61adc8..09bb140 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t)
type ntpd_initrc_exec_t;
init_script_file(ntpd_initrc_exec_t)
+type ntpd_unit_file_t;
+systemd_unit_file(ntpd_unit_file_t)
+
type ntpd_key_t;
files_type(ntpd_key_t)
@@ -96,11 +99,15 @@ corenet_sendrecv_ntp_client_packets(ntpd_t)
dev_read_sysfs(ntpd_t)
# for SSP
dev_read_urand(ntpd_t)
+dev_rw_realtime_clock(ntpd_t)
fs_getattr_all_fs(ntpd_t)
fs_search_auto_mountpoints(ntpd_t)
+# Necessary to communicate with gpsd devices
+fs_rw_tmpfs_files(ntpd_t)
term_use_ptmx(ntpd_t)
+term_use_unallocated_ttys(ntpd_t)
auth_use_nsswitch(ntpd_t)
diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te
index ff962dd..c856c64 100644
--- a/policy/modules/services/nut.te
+++ b/policy/modules/services/nut.te
@@ -29,6 +29,7 @@ files_pid_file(nut_var_run_t)
#
allow nut_upsd_t self:capability { setgid setuid dac_override };
+allow nut_upsd_t self:process signal_perms;
allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
@@ -47,7 +48,7 @@ kernel_read_kernel_sysctls(nut_upsd_t)
corenet_tcp_bind_ups_port(nut_upsd_t)
corenet_tcp_bind_generic_port(nut_upsd_t)
-corenet_tcp_bind_all_nodes(nut_upsd_t)
+corenet_tcp_bind_generic_node(nut_upsd_t)
files_read_usr_files(nut_upsd_t)
@@ -133,6 +134,7 @@ kernel_read_kernel_sysctls(nut_upsdrvctl_t)
# /sbin/upsdrvctl executes other drivers
corecmd_exec_bin(nut_upsdrvctl_t)
+dev_read_sysfs(nut_upsdrvctl_t)
dev_read_urand(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if
index 79a225c..d82b231 100644
--- a/policy/modules/services/nx.if
+++ b/policy/modules/services/nx.if
@@ -33,8 +33,10 @@ interface(`nx_read_home_files',`
type nx_server_home_ssh_t, nx_server_var_lib_t;
')
+ files_search_var_lib($1)
allow $1 nx_server_var_lib_t:dir search_dir_perms;
read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+ read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
')
########################################
@@ -52,6 +54,7 @@ interface(`nx_search_var_lib',`
type nx_server_var_lib_t;
')
+ files_search_var_lib($1)
allow $1 nx_server_var_lib_t:dir search_dir_perms;
')
@@ -81,5 +84,24 @@ interface(`nx_var_lib_filetrans',`
type nx_server_var_lib_t;
')
+ files_search_var_lib($1)
filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
')
+
+########################################
+## <summary>
+## Transition to nx named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nx_filetrans_named_content',`
+ gen_require(`
+ type nx_server_home_ssh_t, nx_server_var_lib_t;
+ ')
+
+ filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
+')
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
index ebb9582..8b22d08 100644
--- a/policy/modules/services/nx.te
+++ b/policy/modules/services/nx.te
@@ -12,6 +12,7 @@ domain_entry_file(nx_server_t, nx_server_exec_t)
domain_user_exemption_target(nx_server_t)
# we need an extra role because nxserver is called from sshd
# cjp: do we really need this?
+role nx_server_r;
role nx_server_r types nx_server_t;
allow system_r nx_server_r;
@@ -27,6 +28,9 @@ files_type(nx_server_var_lib_t)
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
+type nx_server_home_ssh_t;
+files_type(nx_server_home_ssh_t)
+
########################################
#
# NX server local policy
@@ -36,7 +40,7 @@ allow nx_server_t self:fifo_file rw_fifo_file_perms;
allow nx_server_t self:tcp_socket create_socket_perms;
allow nx_server_t self:udp_socket create_socket_perms;
-allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(nx_server_t, nx_server_devpts_t)
manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
@@ -50,6 +54,9 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
+manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
@@ -83,10 +90,10 @@ seutil_dontaudit_search_config(nx_server_t)
sysnet_read_config(nx_server_t)
ifdef(`TODO',`
-# clients already have create permissions; the nxclient wants to also have unlink rights
-allow userdomain xdm_tmp_t:sock_file unlink;
-# for a lockfile created by the client process
-allow nx_server_t user_tmpfile:file getattr;
+ # clients already have create permissions; the nxclient wants to also have unlink rights
+ allow userdomain xdm_tmp_t:sock_file delete_sock_file_perms;
+ # for a lockfile created by the client process
+ allow nx_server_t user_tmpfile:file getattr_file_perms;
')
########################################
diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
index b4c5f86..0f1549d 100644
--- a/policy/modules/services/oav.te
+++ b/policy/modules/services/oav.te
@@ -66,7 +66,7 @@ logging_send_syslog_msg(oav_update_t)
sysnet_read_config(oav_update_t)
-userdom_use_user_terminals(oav_update_t)
+userdom_use_inherited_user_terminals(oav_update_t)
optional_policy(`
cron_system_entry(oav_update_t, oav_update_exec_t)
diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc
index bdf8c89..0132b08 100644
--- a/policy/modules/services/oddjob.fc
+++ b/policy/modules/services/oddjob.fc
@@ -1,4 +1,5 @@
-/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if
index bd76ec2..ca6517b 100644
--- a/policy/modules/services/oddjob.if
+++ b/policy/modules/services/oddjob.if
@@ -9,9 +9,9 @@
## Execute a domain transition to run oddjob.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`oddjob_domtrans',`
@@ -22,6 +22,25 @@ interface(`oddjob_domtrans',`
domtrans_pattern($1, oddjob_exec_t, oddjob_t)
')
+#####################################
+## <summary>
+## Do not audit attempts to read and write
+## oddjob fifo file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`oddjob_dontaudit_rw_fifo_file',`
+ gen_require(`
+ type oddjob_t;
+ ')
+
+ dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
########################################
## <summary>
## Make the specified program domain accessable
@@ -44,6 +63,7 @@ interface(`oddjob_system_entry',`
')
domtrans_pattern(oddjob_t, $2, $1)
+ domain_user_exemption_target($1)
')
########################################
@@ -67,6 +87,24 @@ interface(`oddjob_dbus_chat',`
allow oddjob_t $1:dbus send_msg;
')
+######################################
+## <summary>
+## Send a SIGCHLD signal to oddjob.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`oddjob_sigchld',`
+ gen_require(`
+ type oddjob_t;
+ ')
+
+ allow $1 oddjob_t:process sigchld;
+')
+
########################################
## <summary>
## Execute a domain transition to run oddjob_mkhomedir.
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index cadfc63..c8f4d64 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -7,7 +7,6 @@ policy_module(oddjob, 1.7.0)
type oddjob_t;
type oddjob_exec_t;
-domain_type(oddjob_t)
init_daemon_domain(oddjob_t, oddjob_exec_t)
domain_obj_id_change_exemption(oddjob_t)
domain_role_change_exemption(oddjob_t)
@@ -15,7 +14,6 @@ domain_subj_id_change_exemption(oddjob_t)
type oddjob_mkhomedir_t;
type oddjob_mkhomedir_exec_t;
-domain_type(oddjob_mkhomedir_t)
domain_obj_id_change_exemption(oddjob_mkhomedir_t)
init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
@@ -99,8 +97,6 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
# Add/remove user home directories
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
-userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
-
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content(oddjob_mkhomedir_t)
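Review bot: Dropping `userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)` removes the type transition for the skeleton content mkhomedir creates inside a fresh home directory; unless `userdom_manage_user_home_content` itself carries an equivalent filetrans (its definition is not in this hunk), those files will inherit the home directory's type instead of user home content. Worth confirming against the userdom interface before merging. Also, `userdom_manage_user_home_content_dirs` is kept on the line above although the new content interface very likely covers directories, so one of the two lines looks redundant.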
diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if
index bb4fae5..b1b5e51 100644
--- a/policy/modules/services/oident.if
+++ b/policy/modules/services/oident.if
@@ -18,7 +18,7 @@
## </summary>
## </param>
#
-interface(`oident_read_user_content', `
+interface(`oident_read_user_content',`
gen_require(`
type oidentd_home_t;
')
@@ -38,7 +38,7 @@ interface(`oident_read_user_content', `
## </summary>
## </param>
#
-interface(`oident_manage_user_content', `
+interface(`oident_manage_user_content',`
gen_require(`
type oidentd_home_t;
')
@@ -58,7 +58,7 @@ interface(`oident_manage_user_content', `
## </summary>
## </param>
#
-interface(`oident_relabel_user_content', `
+interface(`oident_relabel_user_content',`
gen_require(`
type oidentd_home_t;
')
@@ -66,3 +66,37 @@ interface(`oident_relabel_user_content', `
allow $1 oidentd_home_t:file relabel_file_perms;
userdom_search_user_home_dirs($1)
')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an oident environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`oident_admin',`
+ gen_require(`
+ type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
+ ')
+
+ allow $1 oidentd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, oidentd_t)
+
+ init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 oidentd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, oidentd_config_t)
+')
diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te
index 8845174..98f541f 100644
--- a/policy/modules/services/oident.te
+++ b/policy/modules/services/oident.te
@@ -26,10 +26,10 @@ files_config_file(oidentd_config_t)
#
allow oidentd_t self:capability { setuid setgid };
-allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
-allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
-allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
-allow oidentd_t self:udp_socket { write read create connect getattr ioctl };
+allow oidentd_t self:netlink_route_socket create_netlink_socket_perms;
+allow oidentd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow oidentd_t self:tcp_socket create_stream_socket_perms;
+allow oidentd_t self:udp_socket create_socket_perms;
allow oidentd_t self:unix_dgram_socket { create connect };
allow oidentd_t oidentd_config_t:file read_file_perms;
diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if
index 9d0a67b..9197ef0 100644
--- a/policy/modules/services/openct.if
+++ b/policy/modules/services/openct.if
@@ -23,9 +23,9 @@ interface(`openct_signull',`
## Execute openct in the caller domain.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`openct_exec',`
@@ -42,9 +42,9 @@ interface(`openct_exec',`
## Execute a domain transition to run openct.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`openct_domtrans',`
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 8b550f4..ed5aae9 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0)
#
## <desc>
-## <p>
-## Allow openvpn to read home directories
-## </p>
+## <p>
+## Allow openvpn to read home directories
+## </p>
## </desc>
gen_tunable(openvpn_enable_homedirs, false)
@@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t)
type openvpn_etc_rw_t;
files_config_file(openvpn_etc_rw_t)
+type openvpn_tmp_t;
+files_tmp_file(openvpn_tmp_t)
+
type openvpn_initrc_exec_t;
init_script_file(openvpn_initrc_exec_t)
@@ -40,15 +43,14 @@ files_pid_file(openvpn_var_run_t)
# openvpn local policy
#
-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
-allow openvpn_t self:process { signal getsched };
+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
+allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
-
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
allow openvpn_t self:tcp_socket server_stream_socket_perms;
-allow openvpn_t self:tun_socket create;
+allow openvpn_t self:tun_socket { create_socket_perms relabelfrom };
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
can_exec(openvpn_t, openvpn_etc_t)
@@ -58,9 +60,13 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
+
allow openvpn_t openvpn_var_log_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
+manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
@@ -68,6 +74,7 @@ kernel_read_kernel_sysctls(openvpn_t)
kernel_read_net_sysctls(openvpn_t)
kernel_read_network_state(openvpn_t)
kernel_read_system_state(openvpn_t)
+kernel_request_load_module(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
@@ -102,6 +109,8 @@ files_read_etc_runtime_files(openvpn_t)
auth_use_pam(openvpn_t)
+init_read_utmp(openvpn_t)
+
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
@@ -112,21 +121,21 @@ sysnet_exec_ifconfig(openvpn_t)
sysnet_manage_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
-userdom_use_user_terminals(openvpn_t)
+userdom_use_inherited_user_terminals(openvpn_t)
+userdom_read_home_certs(openvpn_t)
+userdom_attach_admin_tun_iface(openvpn_t)
tunable_policy(`openvpn_enable_homedirs',`
- userdom_read_user_home_content_files(openvpn_t)
+ userdom_search_user_home_dirs(openvpn_t)
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
- fs_read_nfs_files(openvpn_t)
- fs_read_nfs_symlinks(openvpn_t)
-')
+ fs_read_nfs_files(openvpn_t)
+')
tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
- fs_read_cifs_files(openvpn_t)
- fs_read_cifs_symlinks(openvpn_t)
-')
+ fs_read_cifs_files(openvpn_t)
+')
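Review bot: The semantics of the openvpn_enable_homedirs tunable changed in this hunk but its description did not: the guarded rule is now only `userdom_search_user_home_dirs(openvpn_t)` (down from reading home content files), while reading certificates in home directories became unconditional via `userdom_read_home_certs(openvpn_t)`. The tunable's desc earlier in this file still says "Allow openvpn to read home directories", which no longer describes what toggling it does. I would reword it along the lines of `Allow openvpn to search user home directories (certificates under the home cert type are readable regardless)`. The NFS/CIFS branches also lost their symlink-read rules, which may be intended but is unmentioned.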
optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
@@ -138,3 +147,7 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
+
+optional_policy(`
+ unconfined_attach_tun_iface(openvpn_t)
+')
diff --git a/policy/modules/services/pads.fc b/policy/modules/services/pads.fc
index 0870c56..6d5fb1d 100644
--- a/policy/modules/services/pads.fc
+++ b/policy/modules/services/pads.fc
@@ -1,10 +1,10 @@
/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0)
/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0)
-/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads\.conf -- gen_context(system_u:object_r:pads_config_t, s0)
/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0)
/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0)
/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0)
-/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
+/var/run/pads\.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
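Review bot: The hunk escapes the dot in `pads\.conf` and `pads\.pid` but leaves the context line `/etc/pads-assets.csv` with an unescaped `.`, so that pattern still matches any character there. For consistency with the two fixed entries, change it to `/etc/pads-assets\.csv -- gen_context(system_u:object_r:pads_config_t, s0)`.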
diff --git a/policy/modules/services/pads.if b/policy/modules/services/pads.if
index 8ac407e..8235fb6 100644
--- a/policy/modules/services/pads.if
+++ b/policy/modules/services/pads.if
@@ -25,10 +25,10 @@
## </param>
## <rolecap/>
#
-interface(`pads_admin', `
+interface(`pads_admin',`
gen_require(`
- type pads_t, pads_config_t;
- type pads_var_run_t, pads_initrc_exec_t;
+ type pads_t, pads_config_t, pads_initrc_exec_t;
+ type pads_var_run_t;
')
allow $1 pads_t:process { ptrace signal_perms };
@@ -39,6 +39,9 @@ interface(`pads_admin', `
role_transition $2 pads_initrc_exec_t system_r;
allow $2 system_r;
+ files_list_pids($1)
admin_pattern($1, pads_var_run_t)
+
+ files_list_etc($1)
admin_pattern($1, pads_config_t)
')
diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te
index b246bdd..07baada 100644
--- a/policy/modules/services/pads.te
+++ b/policy/modules/services/pads.te
@@ -1,4 +1,4 @@
-policy_module(pads, 1.0.0)
+policy_module(pads, 1.0.0)
########################################
#
@@ -8,7 +8,6 @@ policy_module(pads, 1.0.0)
type pads_t;
type pads_exec_t;
init_daemon_domain(pads_t, pads_exec_t)
-role system_r types pads_t;
type pads_initrc_exec_t;
init_script_file(pads_initrc_exec_t)
@@ -25,10 +24,10 @@ files_pid_file(pads_var_run_t)
#
allow pads_t self:capability { dac_override net_raw };
-allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
-allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
-allow pads_t self:udp_socket { create ioctl };
-allow pads_t self:unix_dgram_socket { write create connect };
+allow pads_t self:netlink_route_socket create_netlink_socket_perms;
+allow pads_t self:packet_socket create_socket_perms;
+allow pads_t self:udp_socket create_socket_perms;
+allow pads_t self:unix_dgram_socket create_socket_perms;
allow pads_t pads_config_t:file manage_file_perms;
files_etc_filetrans(pads_t, pads_config_t, file)
@@ -48,6 +47,7 @@ corenet_tcp_connect_prelude_port(pads_t)
dev_read_rand(pads_t)
dev_read_urand(pads_t)
+dev_read_sysfs(pads_t)
files_read_etc_files(pads_t)
files_search_spool(pads_t)
diff --git a/policy/modules/services/pcscd.fc b/policy/modules/services/pcscd.fc
index 87f17e8..63ee18a 100644
--- a/policy/modules/services/pcscd.fc
+++ b/policy/modules/services/pcscd.fc
@@ -1,4 +1,5 @@
/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if
index 1c2a091..10f264c 100644
--- a/policy/modules/services/pcscd.if
+++ b/policy/modules/services/pcscd.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run pcscd.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`pcscd_domtrans',`
@@ -34,7 +34,7 @@ interface(`pcscd_read_pub_files',`
')
files_search_pids($1)
- allow $1 pcscd_var_run_t:file read_file_perms;
+ read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
')
########################################
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index ceafba6..9eb6967 100644
--- a/policy/modules/services/pcscd.te
+++ b/policy/modules/services/pcscd.te
@@ -7,7 +7,6 @@ policy_module(pcscd, 1.7.0)
type pcscd_t;
type pcscd_exec_t;
-domain_type(pcscd_t)
init_daemon_domain(pcscd_t, pcscd_exec_t)
# pid files
@@ -25,6 +24,7 @@ allow pcscd_t self:fifo_file rw_fifo_file_perms;
allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
allow pcscd_t self:unix_dgram_socket create_socket_perms;
allow pcscd_t self:tcp_socket create_stream_socket_perms;
+allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
@@ -77,3 +77,7 @@ optional_policy(`
optional_policy(`
rpm_use_script_fds(pcscd_t)
')
+
+optional_policy(`
+ udev_read_db(pcscd_t)
+')
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index 3185114..4abd429 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -16,7 +16,7 @@ type pegasus_tmp_t;
files_tmp_file(pegasus_tmp_t)
type pegasus_conf_t;
-files_type(pegasus_conf_t)
+files_config_file(pegasus_conf_t)
type pegasus_mof_t;
files_type(pegasus_mof_t)
@@ -29,7 +29,7 @@ files_pid_file(pegasus_var_run_t)
# Local policy
#
-allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
+allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_bind_service };
dontaudit pegasus_t self:capability sys_tty_config;
allow pegasus_t self:process signal;
allow pegasus_t self:fifo_file rw_fifo_file_perms;
@@ -38,7 +38,7 @@ allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
allow pegasus_t self:tcp_socket create_stream_socket_perms;
allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
-allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
+allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms };
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -56,15 +56,19 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
-allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
+allow pegasus_t pegasus_var_run_t:sock_file { create_sock_file_perms setattr_sock_file_perms delete_sock_file_perms };
+manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
-files_pid_filetrans(pegasus_t, pegasus_var_run_t, file)
+files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })
+kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
kernel_read_fs_sysctls(pegasus_t)
kernel_read_system_state(pegasus_t)
kernel_search_vm_sysctl(pegasus_t)
kernel_read_net_sysctls(pegasus_t)
+kernel_read_xen_state(pegasus_t)
+kernel_write_xen_state(pegasus_t)
corenet_all_recvfrom_unlabeled(pegasus_t)
corenet_all_recvfrom_netlabel(pegasus_t)
@@ -95,17 +99,14 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
files_read_var_lib_symlinks(pegasus_t)
-hostname_exec(pegasus_t)
-
init_rw_utmp(pegasus_t)
init_stream_connect_script(pegasus_t)
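Review bot: `files_read_all_files(pegasus_t)` together with the added `auth_read_shadow(pegasus_t)` gives a network-listening CIM broker read access to every file type on the host, including /etc/shadow, in place of the three narrow etc/var_lib grants this hunk removes. The `auth_domtrans_chk_passwd(pegasus_t)` kept just above already provides password checking through the helper domain, so direct shadow reads look redundant; if a specific provider needs them, name it in a comment. Restore the removed lines and add only the type that produced the denial, or at minimum mark the grant: `# TODO(review): files_read_all_files is far wider than the removed etc/var_lib reads -- name the provider that needs it and narrow`.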
@@ -114,17 +115,35 @@ logging_send_syslog_msg(pegasus_t)
miscfiles_read_localization(pegasus_t)
-sysnet_read_config(pegasus_t)
-sysnet_domtrans_ifconfig(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_user_home_dirs(pegasus_t)
optional_policy(`
+ hostname_exec(pegasus_t)
+')
+
+optional_policy(`
+ lldpad_dgram_send(pegasus_t)
+')
+
+optional_policy(`
rpm_exec(pegasus_t)
')
optional_policy(`
+ samba_manage_config(pegasus_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(pegasus_t)
+')
+
+optional_policy(`
+ ssh_exec(pegasus_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(pegasus_t)
seutil_dontaudit_read_config(pegasus_t)
')
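Review bot: `samba_manage_config(pegasus_t)` grants write access to Samba's configuration, and `ssh_exec(pegasus_t)` runs the ssh client inside pegasus_t with no domain transition, so the client inherits every permission the domain holds; neither line says which CIM provider needs it. If the Samba provider only reads smb.conf, samba's read-only config interface is the right grant (not verifiable from here whether it writes). Add a one-line comment above each new optional_policy block naming the provider, e.g. `# Samba CIM provider rewrites smb.conf -- TODO confirm write is needed`.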
@@ -136,3 +155,14 @@ optional_policy(`
optional_policy(`
unconfined_signull(pegasus_t)
')
+
+optional_policy(`
+ virt_domtrans(pegasus_t)
+ virt_stream_connect(pegasus_t)
+ virt_manage_config(pegasus_t)
+')
+
+optional_policy(`
+ xen_stream_connect(pegasus_t)
+ xen_stream_connect_xenstore(pegasus_t)
+')
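Review bot: `virt_manage_config(pegasus_t)` combined with `virt_domtrans(pegasus_t)` lets the CIM broker rewrite libvirt's configuration and then launch libvirtd under it, which amounts to full control of every guest from a network-facing service; the xen block grants similar reach through xenstore. Presumably both serve a virtualization provider that is not visible in this hunk, so name it and check whether read access to the config would do: `# libvirt provider -- TODO(review): does it write libvirt config, or only read it?`.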
diff --git a/policy/modules/services/pingd.if b/policy/modules/services/pingd.if
index 8688aae..1bfd8d2 100644
--- a/policy/modules/services/pingd.if
+++ b/policy/modules/services/pingd.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run pingd.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`pingd_domtrans',`
@@ -55,7 +55,6 @@ interface(`pingd_manage_config',`
files_search_etc($1)
manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
-
')
#######################################
@@ -77,8 +76,8 @@ interface(`pingd_manage_config',`
#
interface(`pingd_admin',`
gen_require(`
- type pingd_t, pingd_etc_t;
- type pingd_initrc_exec_t, pingd_modules_t;
+ type pingd_t, pingd_etc_t, pingd_modules_t;
+ type pingd_initrc_exec_t;
')
allow $1 pingd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/pingd.te b/policy/modules/services/pingd.te
index e9cf8a4..9a7e5dc 100644
--- a/policy/modules/services/pingd.te
+++ b/policy/modules/services/pingd.te
@@ -11,7 +11,7 @@ init_daemon_domain(pingd_t, pingd_exec_t)
# type for config
type pingd_etc_t;
-files_type(pingd_etc_t)
+files_config_file(pingd_etc_t)
type pingd_initrc_exec_t;
init_script_file(pingd_initrc_exec_t)
@@ -27,7 +27,7 @@ files_type(pingd_modules_t)
allow pingd_t self:capability net_raw;
allow pingd_t self:tcp_socket create_stream_socket_perms;
-allow pingd_t self:rawip_socket { write read create bind };
+allow pingd_t self:rawip_socket create_socket_perms;
read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
diff --git a/policy/modules/services/piranha.fc b/policy/modules/services/piranha.fc
new file mode 100644
index 0000000..2c7e06f
--- /dev/null
+++ b/policy/modules/services/piranha.fc
@@ -0,0 +1,26 @@
+
+/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
+
+# RHEL6
+#/etc/sysconfig/ha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
+
+/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
+
+/usr/bin/paster -- gen_context(system_u:object_r:piranha_web_exec_t,s0)
+
+/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0)
+/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
+/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0)
+/usr/sbin/pulse -- gen_context(system_u:object_r:piranha_pulse_exec_t,s0)
+
+/var/lib/luci(/.*)? gen_context(system_u:object_r:piranha_web_data_t,s0)
+/var/lib/luci/cert(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
+/var/lib/luci/etc(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
+
+/var/log/piranha(/.*)? gen_context(system_u:object_r:piranha_log_t,s0)
+
+/var/run/fos\.pid -- gen_context(system_u:object_r:piranha_fos_var_run_t,s0)
+/var/run/lvs\.pid -- gen_context(system_u:object_r:piranha_lvs_var_run_t,s0)
+/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0)
+/var/run/pulse\.pid -- gen_context(system_u:object_r:piranha_pulse_var_run_t,s0)
+
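Review bot: `/usr/bin/paster` is the generic PasteDeploy launcher rather than a piranha-specific binary, yet it is labeled `piranha_web_exec_t`, so any other Paste-based service executed from a domain with a transition on that label would land in piranha_web_t (depends on callers' domtrans rules, which are not visible here). The /var/lib/luci entries indicate this module also covers the luci web UI, which should be stated in a header comment so the paster entry is not mistaken for a typo, e.g. `# luci runs from /usr/bin/paster and shares the piranha_web_t domain`. The commented-out RHEL6 lvs.cf line should say why it is disabled or be dropped.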
diff --git a/policy/modules/services/piranha.if b/policy/modules/services/piranha.if
new file mode 100644
index 0000000..548d0a2
--- /dev/null
+++ b/policy/modules/services/piranha.if
@@ -0,0 +1,175 @@
+## <summary>policy for piranha</summary>
+
+#######################################
+## <summary>
+## Creates types and rules for a basic
+## cluster init daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`piranha_domain_template',`
+ gen_require(`
+ attribute piranha_domain;
+ ')
+
+ ##############################
+ #
+ # piranha_$1_t declarations
+ #
+
+ type piranha_$1_t, piranha_domain;
+ type piranha_$1_exec_t;
+ init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)
+
+ # pid files
+ type piranha_$1_var_run_t;
+ files_pid_file(piranha_$1_var_run_t)
+
+ ##############################
+ #
+ # piranha_$1_t local policy
+ #
+
+ allow piranha_$1_t self:process signal_perms;
+
+ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+ manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run fos.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`piranha_domtrans_fos',`
+ gen_require(`
+ type piranha_fos_t, piranha_fos_exec_t;
+ ')
+
+ domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t)
+')
+
+#######################################
+## <summary>
+## Execute a domain transition to run lvsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`piranha_domtrans_lvs',`
+ gen_require(`
+ type piranha_lvs_t, piranha_lvs_exec_t;
+ ')
+
+ domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t)
+')
+
+#######################################
+## <summary>
+## Execute a domain transition to run pulse.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`piranha_domtrans_pulse',`
+ gen_require(`
+ type piranha_pulse_t, piranha_pulse_exec_t;
+ ')
+
+ domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t)
+')
+
+#######################################
+## <summary>
+## Execute pulse server in the pulse domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`piranha_pulse_initrc_domtrans',`
+ gen_require(`
+ type piranha_pulse_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read piranha's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`piranha_read_log',`
+ gen_require(`
+ type piranha_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, piranha_log_t, piranha_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## piranha log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`piranha_append_log',`
+ gen_require(`
+ type piranha_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, piranha_log_t, piranha_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage piranha log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`piranha_manage_log',`
+ gen_require(`
+ type piranha_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, piranha_log_t, piranha_log_t)
+ manage_files_pattern($1, piranha_log_t, piranha_log_t)
+ manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t)
+')
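Review bot: The module declares four daemon domains, their pid types, piranha_etc_rw_t and piranha_log_t, but ships no `piranha_admin` interface, so unlike pingd_admin and plymouthd_admin in this same patch an administrator role cannot be granted ptrace/signal and admin_pattern access to these types without custom policy. The summary of `piranha_pulse_initrc_domtrans` also says "Execute pulse server in the pulse domain", while the body runs the init script through init_labeled_script_domtrans; it should read `## Execute the pulse init script in the init script domain.`. A minimal admin interface built only from the types piranha.te declares is sketched below; the role-transition lines sibling admin interfaces carry for the init script are left out and would follow the file's convention.
```selinux
########################################
## <summary>
##	All of the rules required to administrate
##	a piranha environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`piranha_admin',`
	gen_require(`
		attribute piranha_domain;
		type piranha_pulse_initrc_exec_t, piranha_etc_rw_t, piranha_log_t;
		type piranha_fos_var_run_t, piranha_lvs_var_run_t;
		type piranha_pulse_var_run_t, piranha_web_var_run_t;
		type piranha_web_conf_t, piranha_web_data_t;
	')

	allow $1 piranha_domain:process { ptrace signal_perms };
	ps_process_pattern($1, piranha_domain)

	# start/stop pulse through its labeled init script
	init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)

	files_search_etc($1)
	admin_pattern($1, piranha_etc_rw_t)

	logging_search_logs($1)
	admin_pattern($1, piranha_log_t)

	files_list_var_lib($1)
	admin_pattern($1, piranha_web_conf_t)
	admin_pattern($1, piranha_web_data_t)

	files_list_pids($1)
	admin_pattern($1, piranha_fos_var_run_t)
	admin_pattern($1, piranha_lvs_var_run_t)
	admin_pattern($1, piranha_pulse_var_run_t)
	admin_pattern($1, piranha_web_var_run_t)
')
```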
diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
new file mode 100644
index 0000000..9c4df9f
--- /dev/null
+++ b/policy/modules/services/piranha.te
@@ -0,0 +1,299 @@
+policy_module(piranha, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow piranha-lvs domain to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(piranha_lvs_can_network_connect, false)
+
+attribute piranha_domain;
+
+piranha_domain_template(fos)
+
+piranha_domain_template(lvs)
+
+piranha_domain_template(pulse)
+
+type piranha_pulse_initrc_exec_t;
+init_script_file(piranha_pulse_initrc_exec_t)
+
+piranha_domain_template(web)
+
+type piranha_web_tmpfs_t;
+files_tmpfs_file(piranha_web_tmpfs_t)
+
+type piranha_web_conf_t;
+files_config_file(piranha_web_conf_t)
+
+type piranha_web_data_t;
+files_type(piranha_web_data_t)
+
+type piranha_web_tmp_t;
+files_tmp_file(piranha_web_tmp_t)
+
+type piranha_etc_rw_t;
+files_config_file(piranha_etc_rw_t)
+
+type piranha_log_t;
+logging_log_file(piranha_log_t)
+
+#######################################
+#
+# piranha-fos local policy
+#
+
+kernel_read_kernel_sysctls(piranha_fos_t)
+
+domain_read_all_domains_state(piranha_fos_t)
+
+optional_policy(`
+ consoletype_exec(piranha_fos_t)
+')
+
+# start and stop services
+init_domtrans_script(piranha_fos_t)
+
+########################################
+#
+# piranha-gui local policy
+#
+
+allow piranha_web_t self:capability { setuid sys_nice kill setgid };
+allow piranha_web_t self:process { getsched setsched signal signull ptrace };
+allow piranha_web_t self:rawip_socket create_socket_perms;
+allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
+allow piranha_web_t self:sem create_sem_perms;
+allow piranha_web_t self:shm create_shm_perms;
+
+manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
+manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
+files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)
+
+read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
+
+rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
+
+manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file })
+
+can_exec(piranha_web_t, piranha_web_tmp_t)
+manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
+manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
+files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
+
+manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
+manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
+fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file })
+
+piranha_pulse_initrc_domtrans(piranha_web_t)
+
+kernel_read_kernel_sysctls(piranha_web_t)
+
+corenet_tcp_bind_http_cache_port(piranha_web_t)
+corenet_tcp_bind_luci_port(piranha_web_t)
+corenet_tcp_bind_piranha_port(piranha_web_t)
+corenet_tcp_connect_ricci_port(piranha_web_t)
+
+dev_read_urand(piranha_web_t)
+
+domain_read_all_domains_state(piranha_web_t)
+
+files_read_usr_files(piranha_web_t)
+
+optional_policy(`
+ consoletype_exec(piranha_web_t)
+')
+
+optional_policy(`
+ apache_read_config(piranha_web_t)
+ apache_exec_modules(piranha_web_t)
+ apache_exec(piranha_web_t)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(piranha_web_t)
+')
+
+optional_policy(`
+ sasl_connect(piranha_web_t)
+')
+
+optional_policy(`
+ snmp_dontaudit_read_snmp_var_lib_files(piranha_web_t)
+ snmp_dontaudit_write_snmp_var_lib_files(piranha_web_t)
+')
+
+######################################
+#
+# piranha-lvs local policy
+#
+
+# neede by nanny
+allow piranha_lvs_t self:capability { net_raw sys_nice };
+allow piranha_lvs_t self:process signal;
+allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
+allow piranha_lvs_t self:rawip_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(piranha_lvs_t)
+
+# needed by nanny
+corenet_tcp_connect_ftp_port(piranha_lvs_t)
+corenet_tcp_connect_http_port(piranha_lvs_t)
+corenet_tcp_connect_smtp_port(piranha_lvs_t)
+
+sysnet_dns_name_resolve(piranha_lvs_t)
+
+# needed by nanny
+tunable_policy(`piranha_lvs_can_network_connect',`
+ corenet_tcp_connect_all_ports(piranha_lvs_t)
+')
+
+# needed by ipvsadm
+optional_policy(`
+ iptables_domtrans(piranha_lvs_t)
+')
+
+#######################################
+#
+# piranha-pulse local policy
+#
+
+allow piranha_pulse_t self:capability net_admin;
+
+allow piranha_pulse_t self:packet_socket create_socket_perms;
+
+# pulse starts fos and lvs daemon
+domtrans_pattern(piranha_pulse_t, piranha_fos_exec_t, piranha_fos_t)
+allow piranha_pulse_t piranha_fos_t:process signal;
+
+domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t)
+allow piranha_pulse_t piranha_lvs_t:process signal;
+
+kernel_read_kernel_sysctls(piranha_pulse_t)
+kernel_read_rpc_sysctls(piranha_pulse_t)
+kernel_read_system_state(piranha_pulse_t)
+kernel_rw_rpc_sysctls(piranha_pulse_t)
+kernel_search_debugfs(piranha_pulse_t)
+kernel_search_network_state(piranha_pulse_t)
+
+corecmd_exec_bin(piranha_pulse_t)
+corecmd_exec_shell(piranha_pulse_t)
+consoletype_exec(piranha_pulse_t)
+
+corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
+corenet_udp_bind_cma_port(piranha_pulse_t)
+
+domain_read_all_domains_state(piranha_pulse_t)
+domain_getattr_all_domains(piranha_pulse_t)
+#domain_dontaudit_ptrace_all_domains(piranha_pulse_t)
+
+fs_getattr_all_fs(piranha_pulse_t)
+
+sysnet_dns_name_resolve(piranha_pulse_t)
+
+auth_use_nsswitch(piranha_pulse_t)
+
+logging_send_syslog_msg(piranha_pulse_t)
+
+miscfiles_read_localization(piranha_pulse_t)
+
+# various services to failover
+
+optional_policy(`
+ apache_domtrans(piranha_pulse_t)
+ apache_signal(piranha_pulse_t)
+')
+
+optional_policy(`
+ ftp_domtrans(piranha_pulse_t)
+ ftp_initrc_domtrans(piranha_pulse_t)
+ ftp_systemctl(piranha_pulse_t)
+')
+
+optional_policy(`
+ hostname_exec(piranha_pulse_t)
+')
+
+optional_policy(`
+ ldap_systemctl(piranha_pulse_t)
+ ldap_initrc_domtrans(piranha_pulse_t)
+ ldap_domtrans(piranha_pulse_t)
+')
+
+optional_policy(`
+ mysql_domtrans_mysql_safe(piranha_pulse_t)
+ mysql_stream_connect(piranha_pulse_t)
+')
+
+optional_policy(`
+ netutils_domtrans(piranha_pulse_t)
+ netutils_domtrans_ping(piranha_pulse_t)
+')
+
+optional_policy(`
+ postgresql_domtrans(piranha_pulse_t)
+ postgresql_signal(piranha_pulse_t)
+')
+
+optional_policy(`
+ samba_initrc_domtrans(piranha_pulse_t)
+ samba_systemctl(piranha_pulse_t)
+ samba_domtrans_smbd(piranha_pulse_t)
+ samba_domtrans_nmbd(piranha_pulse_t)
+ samba_manage_var_files(piranha_pulse_t)
+ samba_rw_config(piranha_pulse_t)
+ samba_signal_smbd(piranha_pulse_t)
+ samba_signal_nmbd(piranha_pulse_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(piranha_pulse_t)
+')
+
+optional_policy(`
+ udev_read_db(piranha_pulse_t)
+')
+
+####################################
+#
+# piranha domains common policy
+#
+
+allow piranha_domain self:fifo_file rw_fifo_file_perms;
+allow piranha_domain self:tcp_socket create_stream_socket_perms;
+allow piranha_domain self:udp_socket create_socket_perms;
+allow piranha_domain self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t)
+
+kernel_read_system_state(piranha_domain)
+kernel_read_network_state(piranha_domain)
+
+corenet_all_recvfrom_unlabeled(piranha_domain)
+corenet_all_recvfrom_netlabel(piranha_domain)
+corenet_tcp_sendrecv_generic_if(piranha_domain)
+corenet_udp_sendrecv_generic_if(piranha_domain)
+corenet_tcp_sendrecv_generic_node(piranha_domain)
+corenet_udp_sendrecv_generic_node(piranha_domain)
+corenet_tcp_sendrecv_all_ports(piranha_domain)
+corenet_udp_sendrecv_all_ports(piranha_domain)
+corenet_tcp_bind_generic_node(piranha_domain)
+corenet_udp_bind_generic_node(piranha_domain)
+
+files_read_etc_files(piranha_domain)
+
+corecmd_exec_bin(piranha_domain)
+corecmd_exec_shell(piranha_domain)
+
+logging_send_syslog_msg(piranha_domain)
+
+miscfiles_read_localization(piranha_domain)
+
+sysnet_read_config(piranha_domain)
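Review bot: `can_exec(piranha_web_t, piranha_web_tmp_t)` lets the web GUI execute files it created itself under /tmp, so a compromised GUI can drop and run arbitrary code inside its own domain; if this answers a specific denial (a template or bytecode compiler, perhaps — not verifiable here) record the reason in a comment, otherwise drop it. `consoletype_exec(piranha_pulse_t)` is called bare while the same interface is wrapped in `optional_policy` for piranha_fos_t and piranha_web_t; wrap it the same way or the module fails to link when consoletype is absent. The commented-out `domain_dontaudit_ptrace_all_domains` line and the `# neede by nanny` typo should also be cleaned up before this lands.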
diff --git a/policy/modules/services/plymouthd.fc b/policy/modules/services/plymouthd.fc
index 5702ca4..08528da 100644
--- a/policy/modules/services/plymouthd.fc
+++ b/policy/modules/services/plymouthd.fc
@@ -5,3 +5,5 @@
/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
+
+#/var/log/boot\.log -- gen_context(system_u:object_r:plymouthd_var_log_t,s0)
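Review bot: The file context for /var/log/boot.log is committed commented out, while plymouthd.te in this same patch declares plymouthd_var_log_t and adds `logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })`; files plymouthd creates will therefore get the new type but a restorecon relabels them back to the generic log type, and the new plymouthd_read_log/plymouthd_manage_log interfaces then match nothing after a relabel. Either enable the entry, `/var/log/boot\.log -- gen_context(system_u:object_r:plymouthd_var_log_t,s0)`, or keep it disabled with a comment stating why (presumably another module also claims boot.log — unverified).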
diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
index 9759ed8..48a5431 100644
--- a/policy/modules/services/plymouthd.if
+++ b/policy/modules/services/plymouthd.if
@@ -5,12 +5,12 @@
## Execute a domain transition to run plymouthd.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
-interface(`plymouthd_domtrans', `
+interface(`plymouthd_domtrans',`
gen_require(`
type plymouthd_t, plymouthd_exec_t;
')
@@ -23,12 +23,12 @@ interface(`plymouthd_domtrans', `
## Execute the plymoth daemon in the current domain
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
-interface(`plymouthd_exec', `
+interface(`plymouthd_exec',`
gen_require(`
type plymouthd_exec_t;
')
@@ -47,7 +47,7 @@ interface(`plymouthd_exec', `
## </summary>
## </param>
#
-interface(`plymouthd_stream_connect', `
+interface(`plymouthd_stream_connect',`
gen_require(`
type plymouthd_t;
')
@@ -60,12 +60,12 @@ interface(`plymouthd_stream_connect', `
## Execute the plymoth command in the current domain
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
-interface(`plymouthd_exec_plymouth', `
+interface(`plymouthd_exec_plymouth',`
gen_require(`
type plymouth_exec_t;
')
@@ -78,12 +78,12 @@ interface(`plymouthd_exec_plymouth', `
## Execute a domain transition to run plymouthd.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
-interface(`plymouthd_domtrans_plymouth', `
+interface(`plymouthd_domtrans_plymouth',`
gen_require(`
type plymouth_t, plymouth_exec_t;
')
@@ -101,7 +101,7 @@ interface(`plymouthd_domtrans_plymouth', `
## </summary>
## </param>
#
-interface(`plymouthd_search_spool', `
+interface(`plymouthd_search_spool',`
gen_require(`
type plymouthd_spool_t;
')
@@ -120,7 +120,7 @@ interface(`plymouthd_search_spool', `
## </summary>
## </param>
#
-interface(`plymouthd_read_spool_files', `
+interface(`plymouthd_read_spool_files',`
gen_require(`
type plymouthd_spool_t;
')
@@ -140,7 +140,7 @@ interface(`plymouthd_read_spool_files', `
## </summary>
## </param>
#
-interface(`plymouthd_manage_spool_files', `
+interface(`plymouthd_manage_spool_files',`
gen_require(`
type plymouthd_spool_t;
')
@@ -159,7 +159,7 @@ interface(`plymouthd_manage_spool_files', `
## </summary>
## </param>
#
-interface(`plymouthd_search_lib', `
+interface(`plymouthd_search_lib',`
gen_require(`
type plymouthd_var_lib_t;
')
@@ -178,7 +178,7 @@ interface(`plymouthd_search_lib', `
## </summary>
## </param>
#
-interface(`plymouthd_read_lib_files', `
+interface(`plymouthd_read_lib_files',`
gen_require(`
type plymouthd_var_lib_t;
')
@@ -198,7 +198,7 @@ interface(`plymouthd_read_lib_files', `
## </summary>
## </param>
#
-interface(`plymouthd_manage_lib_files', `
+interface(`plymouthd_manage_lib_files',`
gen_require(`
type plymouthd_var_lib_t;
')
@@ -217,7 +217,7 @@ interface(`plymouthd_manage_lib_files', `
## </summary>
## </param>
#
-interface(`plymouthd_read_pid_files', `
+interface(`plymouthd_read_pid_files',`
gen_require(`
type plymouthd_var_run_t;
')
@@ -228,6 +228,48 @@ interface(`plymouthd_read_pid_files', `
########################################
## <summary>
+## Allow the specified domain to read
+## to plymouthd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_read_log',`
+ gen_require(`
+ type plymouthd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## to plymouthd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_log',`
+ gen_require(`
+ type plymouthd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+ manage_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+ read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an plymouthd environment
## </summary>
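Review bot: The summaries of the two new interfaces read "read to plymouthd log files" and "manage to plymouthd log files"; drop the stray "to" so they read `##	Allow the specified domain to read plymouthd log files.` and `##	Allow the specified domain to manage plymouthd log files.`. Note also that `plymouthd_manage_log` only grants read on symlinks where the piranha counterpart in this patch uses manage_lnk_files_pattern; fine if plymouthd never creates links, but worth a one-line comment.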
@@ -243,18 +285,20 @@ interface(`plymouthd_read_pid_files', `
## </param>
## <rolecap/>
#
-interface(`plymouthd_admin', `
+interface(`plymouthd_admin',`
gen_require(`
type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
type plymouthd_var_run_t;
')
- allow $1 plymouthd_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, plymouthd_t, plymouthd_t)
+ allow $1 plymouthd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, plymouthd_t)
+ files_list_var_lib($1)
admin_pattern($1, plymouthd_spool_t)
admin_pattern($1, plymouthd_var_lib_t)
+ files_list_pids($1)
admin_pattern($1, plymouthd_var_run_t)
')
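Review bot: `plymouthd_admin` does not cover plymouthd_var_log_t, which this same patch introduces in plymouthd.te, so an administrator role given this interface still cannot manage the daemon's log files. Add `type plymouthd_var_log_t;` to the gen_require block and `logging_search_logs($1)` followed by `admin_pattern($1, plymouthd_var_log_t)` alongside the other admin_pattern calls.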
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
index 06e217d..4f9a575 100644
--- a/policy/modules/services/plymouthd.te
+++ b/policy/modules/services/plymouthd.te
@@ -8,17 +8,21 @@ policy_module(plymouthd, 1.0.1)
type plymouth_t;
type plymouth_exec_t;
application_domain(plymouth_t, plymouth_exec_t)
+role system_r types plymouth_t;
type plymouthd_t;
type plymouthd_exec_t;
init_daemon_domain(plymouthd_t, plymouthd_exec_t)
type plymouthd_spool_t;
-files_type(plymouthd_spool_t)
+files_spool_file(plymouthd_spool_t)
type plymouthd_var_lib_t;
files_type(plymouthd_var_lib_t)
+type plymouthd_var_log_t;
+logging_log_file(plymouthd_var_log_t)
+
type plymouthd_var_run_t;
files_pid_file(plymouthd_var_run_t)
@@ -42,6 +46,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
+manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
+
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
@@ -60,10 +68,25 @@ domain_use_interactive_fds(plymouthd_t)
files_read_etc_files(plymouthd_t)
files_read_usr_files(plymouthd_t)
+term_use_unallocated_ttys(plymouthd_t)
+
+init_signal(plymouthd_t)
+
+logging_link_generic_logs(plymouthd_t)
+logging_delete_generic_logs(plymouthd_t)
+
miscfiles_read_localization(plymouthd_t)
miscfiles_read_fonts(plymouthd_t)
miscfiles_manage_fonts_cache(plymouthd_t)
+userdom_read_admin_home_files(plymouthd_t)
+
+optional_policy(`
+ xserver_xdm_manage_spool(plymouthd_t)
+')
+
+term_use_unallocated_ttys(plymouthd_t)
+
########################################
#
# Plymouth private policy
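Review bot: `term_use_unallocated_ttys(plymouthd_t)` is added twice in this hunk, once after files_read_usr_files and again just before the "Plymouth private policy" header; remove the second copy. `userdom_read_admin_home_files(plymouthd_t)` gives the boot-splash daemon read access to the contents of the admin home directory, which is unusual for it — if a specific file is needed, name it in a comment, otherwise narrow the grant. `logging_delete_generic_logs(plymouthd_t)` allows unlinking any generic log file; if only boot.log is meant, labeling that file with the plymouthd_var_log_t type this patch declares would confine the delete to it.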
@@ -74,6 +97,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(plymouth_t)
+kernel_stream_connect(plymouth_t)
domain_use_interactive_fds(plymouth_t)
@@ -87,7 +111,7 @@ sysnet_read_config(plymouth_t)
plymouthd_stream_connect(plymouth_t)
-ifdef(`hide_broken_symptoms', `
+ifdef(`hide_broken_symptoms',`
optional_policy(`
hal_dontaudit_write_log(plymouth_t)
hal_dontaudit_rw_pipes(plymouth_t)
diff --git a/policy/modules/services/policykit.fc b/policy/modules/services/policykit.fc
index 27c739c..c65d18f 100644
--- a/policy/modules/services/policykit.fc
+++ b/policy/modules/services/policykit.fc
@@ -6,10 +6,13 @@
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
-/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
diff --git a/policy/modules/services/policykit.if b/policy/modules/services/policykit.if
index 48ff1e8..be00a65 100644
--- a/policy/modules/services/policykit.if
+++ b/policy/modules/services/policykit.if
@@ -17,18 +17,43 @@ interface(`policykit_dbus_chat',`
class dbus send_msg;
')
+ ps_process_pattern(policykit_t, $1)
+
allow $1 policykit_t:dbus send_msg;
allow policykit_t $1:dbus send_msg;
')
########################################
## <summary>
-## Execute a domain transition to run polkit_auth.
+## Send and receive messages from
+## policykit over dbus.
## </summary>
## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_dbus_chat_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ class dbus send_msg;
+ ')
+
+ ps_process_pattern(policykit_auth_t, $1)
+
+ allow $1 policykit_auth_t:dbus send_msg;
+ allow policykit_auth_t $1:dbus send_msg;
+')
+
+########################################
## <summary>
-## Domain allowed to transition.
+## Execute a domain transition to run polkit_auth.
## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
#
interface(`policykit_domtrans_auth',`
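Review bot: `ps_process_pattern(policykit_t, $1)` turns `policykit_dbus_chat` from a pure message-passing grant into one that also lets polkitd read the caller's /proc/<pid> entries, and every existing caller silently gains that exposure; the interface's summary begins before this hunk and should mention it. The new `policykit_dbus_chat_auth` has the same side effect and its summary names the wrong domain; change it to `##	Send and receive messages from polkit_auth over dbus, and allow polkit_auth to read the caller's process state.`.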
@@ -54,6 +79,7 @@ interface(`policykit_domtrans_auth',`
## Role allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`policykit_run_auth',`
gen_require(`
@@ -62,6 +88,9 @@ interface(`policykit_run_auth',`
policykit_domtrans_auth($1)
role $2 types policykit_auth_t;
+
+ allow $1 policykit_auth_t:process signal;
+ ps_process_pattern(policykit_auth_t, $1)
')
########################################
@@ -69,9 +98,9 @@ interface(`policykit_run_auth',`
## Execute a domain transition to run polkit_grant.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`policykit_domtrans_grant',`
@@ -155,9 +184,9 @@ interface(`policykit_rw_reload',`
## Execute a domain transition to run polkit_resolve.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`policykit_domtrans_resolve',`
@@ -206,4 +235,50 @@ interface(`policykit_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
+
+ optional_policy(`
+ # Broken placement
+ cron_read_system_job_lib_files($1)
+ ')
+')
+
+#######################################
+## <summary>
+## The per role template for the policykit module.
+## </summary>
+## <param name="user_role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+template(`policykit_role',`
+ policykit_run_auth($2, $1)
+ policykit_run_grant($2, $1)
+ policykit_read_lib($2)
+ policykit_read_reload($2)
+ policykit_dbus_chat($2)
+')
+
+########################################
+## <summary>
+## Send generic signal to policy_auth
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_signal_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ ')
+
+ allow $1 policykit_auth_t:process signal;
')
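Review bot: The `# Broken placement` comment on the cron_read_system_job_lib_files call inside `policykit_read_lib` says only that something is wrong; a reader needs what is misplaced and where it belongs so the workaround can be removed later, e.g. `# Broken placement: callers reading the polkit lib dir also hit system cron job lib files -- move once <owner> relabels them`. In `policykit_signal_auth` the parameter summary says "Domain allowed to transition." although no transition happens; it should be `##	Domain allowed access.`, and "policy_auth" in its summary should be "polkit_auth". `policykit_role` calls `policykit_run_grant`, which is not defined anywhere in this diff — presumably it already exists in the file, but confirm.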
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index 1e7169d..05409ab 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -24,6 +24,9 @@ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
type policykit_reload_t alias polkit_reload_t;
files_type(policykit_reload_t)
+type policykit_tmp_t;
+files_tmp_file(policykit_tmp_t)
+
type policykit_var_lib_t alias polkit_var_lib_t;
files_type(policykit_var_lib_t)
@@ -35,11 +38,11 @@ files_pid_file(policykit_var_run_t)
# policykit local policy
#
-allow policykit_t self:capability { setgid setuid };
-allow policykit_t self:process getattr;
-allow policykit_t self:fifo_file rw_file_perms;
+allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace };
+allow policykit_t self:process { getsched getattr signal };
+allow policykit_t self:fifo_file rw_fifo_file_perms;
allow policykit_t self:unix_dgram_socket create_socket_perms;
-allow policykit_t self:unix_stream_socket create_stream_socket_perms;
+allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
policykit_domtrans_auth(policykit_t)
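Review bot: The capability set for polkitd grows from { setgid setuid } to add dac_override, dac_read_search and sys_ptrace, plus `connectto` on its unix_stream_socket, with no comment tying any of them to a denial; on the daemon that decides privilege grants, dac_override is the one to challenge, since dac_read_search alone covers reading another user's files. The sys_ptrace capability by itself does not grant ptrace on confined targets, but together with the process-state reads added elsewhere it is still worth stating why it is needed. Add a why-comment per capability, e.g. `# sys_ptrace: read restricted /proc/<pid> entries of subjects being authorized -- TODO confirm`.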
@@ -56,10 +59,16 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
+kernel_read_system_state(policykit_t)
kernel_read_kernel_sysctls(policykit_t)
+domain_read_all_domains_state(policykit_t)
+
files_read_etc_files(policykit_t)
files_read_usr_files(policykit_t)
+files_dontaudit_search_all_mountpoints(policykit_t)
+
+fs_list_inotifyfs(policykit_t)
auth_use_nsswitch(policykit_t)
@@ -67,45 +76,90 @@ logging_send_syslog_msg(policykit_t)
miscfiles_read_localization(policykit_t)
+userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)
+userdom_dontaudit_search_admin_dir(policykit_t)
+
+optional_policy(`
+ dbus_system_domain(policykit_t, policykit_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(policykit_t)
+ ')
+')
+
+optional_policy(`
+ consolekit_list_pid_files(policykit_t)
+ consolekit_read_pid_files(policykit_t)
+')
+
+optional_policy(`
+ gnome_read_config(policykit_t)
+')
########################################
#
# polkit_auth local policy
#
-allow policykit_auth_t self:capability setgid;
-allow policykit_auth_t self:process getattr;
-allow policykit_auth_t self:fifo_file rw_file_perms;
+allow policykit_auth_t self:capability { ipc_lock setgid setuid };
+dontaudit policykit_auth_t self:capability sys_tty_config;
+allow policykit_auth_t self:process { getattr getsched signal };
+allow policykit_auth_t self:fifo_file rw_fifo_file_perms;
+
allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
+policykit_dbus_chat(policykit_auth_t)
+
+kernel_read_system_state(policykit_auth_t)
+
can_exec(policykit_auth_t, policykit_auth_exec_t)
-corecmd_search_bin(policykit_auth_t)
+corecmd_exec_bin(policykit_auth_t)
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
+manage_dirs_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t)
+manage_files_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t)
+files_tmp_filetrans(policykit_auth_t, policykit_tmp_t, { file dir })
+
manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t)
manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
-kernel_read_system_state(policykit_auth_t)
+kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
+
+dev_read_video_dev(policykit_auth_t)
files_read_etc_files(policykit_auth_t)
files_read_usr_files(policykit_auth_t)
+files_search_home(policykit_auth_t)
+
+fs_getattr_all_fs(polkit_auth_t)
+fs_search_tmpfs(polkit_auth_t)
auth_use_nsswitch(policykit_auth_t)
+auth_rw_var_auth(policykit_auth_t)
+auth_domtrans_chk_passwd(policykit_auth_t)
logging_send_syslog_msg(policykit_auth_t)
miscfiles_read_localization(policykit_auth_t)
+miscfiles_read_fonts(policykit_auth_t)
+miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+userdom_dontaudit_write_user_tmp_files(policykit_auth_t)
+userdom_read_admin_home_files(policykit_auth_t)
optional_policy(`
- dbus_system_bus_client(policykit_auth_t)
+ dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
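Review bot: The two added lines `fs_getattr_all_fs(polkit_auth_t)` and `fs_search_tmpfs(polkit_auth_t)` use the alias spelling while every other rule in this hunk names `policykit_auth_t`; if `policykit_auth_t` is declared with `alias polkit_auth_t` like the other types in this file, this compiles but is inconsistent, and if it is not, the module fails to build. Use `policykit_auth_t` in both lines. The replaced line `dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)` also carries a stray space after the opening parenthesis that no other call in the file has.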
@@ -118,6 +172,14 @@ optional_policy(`
hal_read_state(policykit_auth_t)
')
+optional_policy(`
+ xserver_stream_connect(policykit_auth_t)
+ xserver_xdm_append_log(policykit_auth_t)
+ xserver_read_xdm_pid(policykit_auth_t)
+ xserver_search_xdm_lib(policykit_auth_t)
+ xserver_create_xdm_tmp_sockets(policykit_auth_t)
+')
+
########################################
#
# polkit_grant local policy
@@ -125,7 +187,8 @@ optional_policy(`
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
-allow policykit_grant_t self:fifo_file rw_file_perms;
+allow policykit_grant_t self:fifo_file rw_fifo_file_perms;
+
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
@@ -155,9 +218,12 @@ miscfiles_read_localization(policykit_grant_t)
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
- dbus_system_bus_client(policykit_grant_t)
+ cron_manage_system_job_lib_files(policykit_grant_t)
+')
optional_policy(`
+ dbus_system_bus_client(policykit_grant_t)
+ optional_policy(`
consolekit_dbus_chat(policykit_grant_t)
')
')
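Review bot: The new `cron_manage_system_job_lib_files(policykit_grant_t)` block grants a polkit authorization helper create/write/delete access to cron's system-job library content, and nothing in the hunk says why. A comment naming the job or path that produced the denial, e.g. `# <job name>: polkit_grant writes <path> -- TODO confirm`, would let a later reviewer judge whether a narrower interface (read-only, or a dedicated type) is sufficient. Note that the rule sits in its own `optional_policy` rather than under the dbus block, so it applies whenever the cron module is present.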
@@ -169,7 +235,8 @@ optional_policy(`
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
-allow policykit_resolve_t self:fifo_file rw_file_perms;
+allow policykit_resolve_t self:fifo_file rw_fifo_file_perms;
+
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
@@ -207,4 +274,3 @@ optional_policy(`
kernel_search_proc(policykit_resolve_t)
hal_read_state(policykit_resolve_t)
')
-
diff --git a/policy/modules/services/polipo.fc b/policy/modules/services/polipo.fc
new file mode 100644
index 0000000..8a06f66
--- /dev/null
+++ b/policy/modules/services/polipo.fc
@@ -0,0 +1,14 @@
+HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0)
+HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0)
+
+/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_etc_t,s0)
+
+/etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
+
+/usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0)
+
+/var/cache/polipo(/.*)? gen_context(system_u:object_r:polipo_cache_t,s0)
+
+/var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0)
+
+/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_pid_t,s0)
diff --git a/policy/modules/services/polipo.if b/policy/modules/services/polipo.if
new file mode 100644
index 0000000..b11f37a
--- /dev/null
+++ b/policy/modules/services/polipo.if
@@ -0,0 +1,185 @@
+## <summary>Caching web proxy.</summary>
+
+########################################
+## <summary>
+## Role access for polipo session.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`polipo_role',`
+ gen_require(`
+ type polipo_session_t, polipo_exec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ role $1 types polipo_session_t;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ allow $2 polipo_session_t:process { ptrace signal_perms };
+ ps_process_pattern($2, polipo_session_t)
+
+ tunable_policy(`polipo_session_users',`
+ domtrans_pattern($2, polipo_exec_t, polipo_session_t)
+ ',`
+ can_exec($2, polipo_exec_t)
+ ')
+')
+
+########################################
+## <summary>
+## Create configuration files in user
+## home directories with a named file
+## type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`polipo_named_filetrans_config_home_files',`
+ gen_require(`
+ type polipo_config_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
+')
+
+########################################
+## <summary>
+## Create cache directories in user
+## home directories with a named file
+## type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`polipo_named_filetrans_cache_home_dirs',`
+ gen_require(`
+ type polipo_cache_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
+')
+
+########################################
+## <summary>
+## Create configuration files in admin
+## home directories with a named file
+## type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`polipo_named_filetrans_admin_config_home_files',`
+ gen_require(`
+ type polipo_config_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
+')
+
+########################################
+## <summary>
+## Create cache directories in admin
+## home directories with a named file
+## type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`polipo_named_filetrans_admin_cache_home_dirs',`
+ gen_require(`
+ type polipo_cache_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
+')
+
+########################################
+## <summary>
+## Create log files with a named file
+## type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`polipo_named_filetrans_log_files',`
+ gen_require(`
+ type polipo_log_t;
+ ')
+
+ logging_log_named_filetrans($1, polipo_log_t, file, "polipo")
+')
+
+########################################
+## <summary>
+## Administrate an polipo environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`polipo_admin',`
+ gen_require(`
+ type polipo_t, polipo_pid_t, polipo_cache_t;
+ type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
+ ')
+
+ allow $1 polipo_t:process { ptrace signal_perms };
+ ps_process_pattern($1, polipo_t)
+
+ init_labeled_script_domtrans($1, polipo_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 polipo_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, polipo_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, polipo_log_t)
+
+ files_list_var($1)
+ admin_pattern($1, polipo_cache_t)
+
+ files_list_pids($1)
+ admin_pattern($1, polipo_pid_t)
+')
diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
new file mode 100644
index 0000000..89ab1b6
--- /dev/null
+++ b/policy/modules/services/polipo.te
@@ -0,0 +1,159 @@
+policy_module(polipo, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether polipo can
+## access cifs file systems.
+## </p>
+## </desc>
+gen_tunable(polipo_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether Polipo can
+## access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(polipo_use_nfs, false)
+
+## <desc>
+## <p>
+## Determine whether Polipo session daemon
+## can bind tcp sockets to all unreserved ports.
+## </p>
+## </desc>
+gen_tunable(polipo_session_bind_all_unreserved_ports, false)
+
+## <desc>
+## <p>
+## Determine whether calling user domains
+## can execute Polipo daemon in the
+## polipo_session_t domain.
+## </p>
+## </desc>
+gen_tunable(polipo_session_users, false)
+
+## <desc>
+## <p>
+## Determine whether Polipo session daemon
+## can send syslog messages.
+## </p>
+## </desc>
+gen_tunable(polipo_session_send_syslog_msg, false)
+
+attribute polipo_daemon;
+
+type polipo_t, polipo_daemon;
+type polipo_exec_t;
+init_daemon_domain(polipo_t, polipo_exec_t)
+
+type polipo_initrc_exec_t;
+init_script_file(polipo_initrc_exec_t)
+
+type polipo_etc_t;
+files_config_file(polipo_etc_t)
+
+type polipo_cache_t;
+files_type(polipo_cache_t)
+
+type polipo_log_t;
+logging_log_file(polipo_log_t)
+
+type polipo_pid_t;
+files_pid_file(polipo_pid_t)
+
+type polipo_session_t, polipo_daemon;
+application_domain(polipo_session_t, polipo_exec_t)
+ubac_constrained(polipo_session_t)
+
+type polipo_config_home_t;
+userdom_user_home_content(polipo_config_home_t)
+
+type polipo_cache_home_t;
+userdom_user_home_content(polipo_cache_home_t)
+
+########################################
+#
+# Global local policy
+#
+
+allow polipo_daemon self:fifo_file rw_fifo_file_perms;
+allow polipo_daemon self:tcp_socket { listen accept };
+
+corenet_all_recvfrom_netlabel(polipo_daemon)
+corenet_all_recvfrom_unlabeled(polipo_daemon)
+corenet_tcp_bind_generic_node(polipo_daemon)
+corenet_tcp_sendrecv_generic_if(polipo_daemon)
+corenet_tcp_sendrecv_generic_node(polipo_daemon)
+corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
+corenet_tcp_bind_http_cache_port(polipo_daemon)
+corenet_sendrecv_http_cache_server_packets(polipo_daemon)
+
+files_read_usr_files(polipo_daemon)
+
+fs_search_auto_mountpoints(polipo_daemon)
+
+miscfiles_read_localization(polipo_daemon)
+
+########################################
+#
+# Polipo local policy
+#
+
+read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t)
+
+manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
+
+append_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
+
+manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t)
+
+auth_use_nsswitch(polipo_t)
+
+logging_send_syslog_msg(polipo_t)
+
+tunable_policy(`polipo_use_cifs',`
+ fs_manage_cifs_files(polipo_t)
+')
+
+tunable_policy(`polipo_use_nfs',`
+ fs_manage_nfs_files(polipo_t)
+')
+
+########################################
+#
+# Polipo session local policy
+#
+
+read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t)
+manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
+
+auth_use_nsswitch(polipo_session_t)
+
+userdom_use_user_terminals(polipo_session_t)
+
+tunable_policy(`polipo_session_bind_all_unreserved_ports',`
+ corenet_tcp_sendrecv_all_ports(polipo_session_t)
+ corenet_tcp_bind_all_unreserved_ports(polipo_session_t)
+')
+
+tunable_policy(`polipo_session_send_syslog_msg',`
+ logging_send_syslog_msg(polipo_session_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(polipo_session_t)
+',`
+ fs_dontaudit_manage_nfs_files(polipo_session_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(polipo_session_t)
+',`
+ fs_dontaudit_manage_cifs_files(polipo_session_t)
+')
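Review bot: `polipo_daemon` is granted bind and sendrecv on the http_cache port in the global section, but no rule in this file lets it connect to upstream web servers, which the module summary ("Caching web proxy") implies it must do on a cache miss. Unless connect permission is granted elsewhere, `corenet_tcp_connect_http_port(polipo_daemon)` together with `corenet_sendrecv_http_client_packets(polipo_daemon)` belong after the `corenet_sendrecv_http_cache_server_packets` line; confirm against polipo's parent-proxy configuration which port types are actually contacted before picking them. If outbound access is deliberately left to a tunable, a comment saying so at the top of the global section would prevent the next reviewer from asking the same question.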
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
index 333a1fe..e599723 100644
--- a/policy/modules/services/portmap.te
+++ b/policy/modules/services/portmap.te
@@ -12,7 +12,6 @@ init_daemon_domain(portmap_t, portmap_exec_t)
type portmap_helper_t;
type portmap_helper_exec_t;
init_system_domain(portmap_helper_t, portmap_helper_exec_t)
-role system_r types portmap_helper_t;
type portmap_tmp_t;
files_tmp_file(portmap_tmp_t)
@@ -75,6 +74,8 @@ domain_use_interactive_fds(portmap_t)
files_read_etc_files(portmap_t)
+auth_use_nsswitch(portmap_t)
+
logging_send_syslog_msg(portmap_t)
miscfiles_read_localization(portmap_t)
@@ -85,14 +86,6 @@ userdom_dontaudit_use_unpriv_user_fds(portmap_t)
userdom_dontaudit_search_user_home_dirs(portmap_t)
optional_policy(`
- nis_use_ypbind(portmap_t)
-')
-
-optional_policy(`
- nscd_socket_use(portmap_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(portmap_t)
')
@@ -142,7 +135,7 @@ logging_send_syslog_msg(portmap_helper_t)
sysnet_read_config(portmap_helper_t)
-userdom_use_user_terminals(portmap_helper_t)
+userdom_use_inherited_user_terminals(portmap_helper_t)
userdom_dontaudit_use_all_users_fds(portmap_helper_t)
optional_policy(`
diff --git a/policy/modules/services/portreserve.fc b/policy/modules/services/portreserve.fc
index 4313a6f..1d9fa76 100644
--- a/policy/modules/services/portreserve.fc
+++ b/policy/modules/services/portreserve.fc
@@ -1,6 +1,7 @@
-/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
-/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
+
+/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te
index 152af92..1594066 100644
--- a/policy/modules/services/portreserve.te
+++ b/policy/modules/services/portreserve.te
@@ -13,7 +13,7 @@ type portreserve_initrc_exec_t;
init_script_file(portreserve_initrc_exec_t)
type portreserve_etc_t;
-files_type(portreserve_etc_t)
+files_config_file(portreserve_etc_t)
type portreserve_var_run_t;
files_pid_file(portreserve_var_run_t)
diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te
index 69c331e..0555635 100644
--- a/policy/modules/services/portslave.te
+++ b/policy/modules/services/portslave.te
@@ -79,7 +79,7 @@ fs_getattr_xattr_fs(portslave_t)
term_use_unallocated_ttys(portslave_t)
term_setattr_unallocated_ttys(portslave_t)
-term_use_all_ttys(portslave_t)
+term_use_all_inherited_ttys(portslave_t)
term_search_ptys(portslave_t)
auth_rw_login_records(portslave_t)
diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc
index a3e85c9..c0e0959 100644
--- a/policy/modules/services/postfix.fc
+++ b/policy/modules/services/postfix.fc
@@ -1,5 +1,6 @@
# postfix
-/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
+/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
+/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
ifdef(`distro_redhat', `
/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
@@ -16,22 +17,23 @@ ifdef(`distro_redhat', `
/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
', `
-/usr/lib(64)?/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib(64)?/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/lib(64)?/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/lib(64)?/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/lib(64)?/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib(64)?/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/lib(64)?/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib(64)?/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib(64)?/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib(64)?/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/lib(64)?/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/lib(64)?/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib(64)?/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
')
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
+/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
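Review bot: The rewritten non-Red Hat block drops the `virtual` entry that the removed `/usr/lib(64)?/postfix/virtual` line provided, while the `distro_redhat` block above keeps `/usr/libexec/postfix/virtual` as `postfix_virtual_exec_t`; on non-Red Hat layouts the binary now falls under the generic `/usr/lib/postfix/.*` → `postfix_exec_t` entry and master will no longer transition it into `postfix_virtual_t`. Restore `/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)` in the new list. Conversely, `/usr/lib/postfix/showq` is added only here; if the redhat block has no matching `/usr/libexec/postfix/showq` entry (not visible in this hunk), the two branches disagree on showq as well.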
@@ -42,9 +44,11 @@ ifdef(`distro_redhat', `
/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/var/lib/postfix(/.*)? gen_context(system_u:object_r:postfix_data_t,s0)
+/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
-/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index 46bee12..c22af86 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
role system_r types postfix_$1_t;
+ allow postfix_$1_t self:capability { sys_nice sys_chroot };
dontaudit postfix_$1_t self:capability sys_tty_config;
- allow postfix_$1_t self:process { signal_perms setpgid };
+ allow postfix_$1_t self:process { signal_perms setpgid setsched };
allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_$1_t self:unix_stream_socket connectto;
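Review bot: `sys_chroot` is added to every postfix domain through the new `allow postfix_$1_t self:capability { sys_nice sys_chroot };` line in `postfix_domain_template`, and again to the server domains in the hunk at `@@ -115,7 +117,7 @@` (`{ setuid setgid sys_chroot dac_override }`). If `postfix_server_domain_template` still invokes `postfix_domain_template`, as upstream does, the second occurrence is redundant and should be dropped so the capability has one home. Whether chroot is in use depends on master.cf, so a comment such as `# sys_chroot: master.cf may chroot queue daemons into the spool` on the first line would record the reason. The template body continues outside this hunk.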
@@ -50,7 +51,7 @@ template(`postfix_domain_template',`
can_exec(postfix_$1_t, postfix_$1_exec_t)
- allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock ioctl };
+ allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock };
allow postfix_$1_t postfix_master_t:process sigchld;
@@ -77,6 +78,7 @@ template(`postfix_domain_template',`
files_read_etc_files(postfix_$1_t)
files_read_etc_runtime_files(postfix_$1_t)
+ files_read_usr_files(postfix_$1_t)
files_read_usr_symlinks(postfix_$1_t)
files_search_spool(postfix_$1_t)
files_getattr_tmp_dirs(postfix_$1_t)
@@ -115,7 +117,7 @@ template(`postfix_server_domain_template',`
type postfix_$1_tmp_t;
files_tmp_file(postfix_$1_tmp_t)
- allow postfix_$1_t self:capability { setuid setgid dac_override };
+ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override };
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow postfix_$1_t self:tcp_socket create_socket_perms;
allow postfix_$1_t self:udp_socket create_socket_perms;
@@ -165,6 +167,8 @@ template(`postfix_user_domain_template',`
domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
domain_use_interactive_fds(postfix_$1_t)
+
+ application_domain(postfix_$1_t, postfix_$1_exec_t)
')
########################################
@@ -272,7 +276,8 @@ interface(`postfix_read_local_state',`
type postfix_local_t;
')
- read_files_pattern($1, postfix_local_t, postfix_local_t)
+ kernel_search_proc($1)
+ ps_process_pattern($1, postfix_local_t)
')
########################################
@@ -290,7 +295,27 @@ interface(`postfix_read_master_state',`
type postfix_master_t;
')
- read_files_pattern($1, postfix_master_t, postfix_master_t)
+ kernel_search_proc($1)
+ ps_process_pattern($1, postfix_master_t)
+')
+
+########################################
+## <summary>
+## Use postfix master process file
+## file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_use_fds_master',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ allow $1 postfix_master_t:fd use;
')
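Review bot: The summary of the new `postfix_use_fds_master` interface reads `Use postfix master process file file descriptors.`, with the word "file" duplicated across the line break; it should read `Use postfix master process file descriptors.`. The `gen_require`/`allow $1 postfix_master_t:fd use;` body itself raises nothing.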
########################################
@@ -376,6 +401,25 @@ interface(`postfix_domtrans_master',`
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
')
+
+########################################
+## <summary>
+## Execute the master postfix in the postfix master domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_initrc_domtrans',`
+ gen_require(`
+ type postfix_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+')
+
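Review bot: The summary on the new `postfix_initrc_domtrans` interface, `Execute the master postfix in the postfix master domain.`, is copied from `postfix_domtrans_master` just above and does not describe what this interface does: its body is `init_labeled_script_domtrans($1, postfix_initrc_exec_t)`, which runs the postfix init script with a transition into the init script domain. Change the summary to `Execute the postfix init script in the init script domain.` so callers are not misled into expecting a transition to postfix_master_t.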
########################################
## <summary>
## Execute the master postfix program in the
@@ -404,7 +448,6 @@ interface(`postfix_exec_master',`
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`postfix_stream_connect_master',`
gen_require(`
@@ -416,6 +459,24 @@ interface(`postfix_stream_connect_master',`
########################################
## <summary>
+## Allow read/write postfix master pipes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_rw_master_pipes',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
## Execute the master postdrop in the
## postfix_postdrop domain.
## </summary>
@@ -462,7 +523,7 @@ interface(`postfix_domtrans_postqueue',`
## </summary>
## </param>
#
-interface(`posftix_exec_postqueue',`
+interface(`postfix_exec_postqueue',`
gen_require(`
type postfix_postqueue_exec_t;
')
@@ -529,6 +590,25 @@ interface(`postfix_domtrans_smtp',`
########################################
## <summary>
+## Getattr postfix mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_getattr_spool_files',`
+ gen_require(`
+ attribute postfix_spool_type;
+ ')
+
+ files_search_spool($1)
+ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
+')
+
+########################################
+## <summary>
## Search postfix mail spool directories.
## </summary>
## <param name="domain">
@@ -539,10 +619,10 @@ interface(`postfix_domtrans_smtp',`
#
interface(`postfix_search_spool',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
- allow $1 postfix_spool_t:dir search_dir_perms;
+ allow $1 postfix_spool_type:dir search_dir_perms;
files_search_spool($1)
')
@@ -558,10 +638,10 @@ interface(`postfix_search_spool',`
#
interface(`postfix_list_spool',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
- allow $1 postfix_spool_t:dir list_dir_perms;
+ allow $1 postfix_spool_type:dir list_dir_perms;
files_search_spool($1)
')
@@ -577,11 +657,11 @@ interface(`postfix_list_spool',`
#
interface(`postfix_read_spool_files',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
files_search_spool($1)
- read_files_pattern($1, postfix_spool_t, postfix_spool_t)
+ read_files_pattern($1, postfix_spool_type, postfix_spool_type)
')
########################################
@@ -596,11 +676,11 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
files_search_spool($1)
- manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
')
########################################
@@ -621,3 +701,103 @@ interface(`postfix_domtrans_user_mail_handler',`
typeattribute $1 postfix_user_domtrans;
')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an postfix environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_admin',`
+ gen_require(`
+ attribute postfix_spool_type;
+ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
+ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
+ type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
+ type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
+ type postfix_smtpd_t, postfix_var_run_t;
+ ')
+
+ allow $1 postfix_bounce_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postfix_bounce_t)
+
+ allow $1 postfix_cleanup_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postfix_cleanup_t)
+
+ allow $1 postfix_local_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postfix_local_t)
+
+ allow $1 postfix_master_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postfix_master_t)
+
+ allow $1 postfix_pickup_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postfix_pickup_t)
+
+ allow $1 postfix_qmgr_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postfix_qmgr_t)
+
+ allow $1 postfix_smtpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postfix_smtpd_t)
+
+ postfix_run_map($1, $2)
+ postfix_run_postdrop($1, $2)
+
+ postfix_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 postfix_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, postfix_data_t)
+
+ files_list_etc($1)
+ admin_pattern($1, postfix_etc_t)
+
+ files_list_spool($1)
+ admin_pattern($1, postfix_spool_type)
+
+ admin_pattern($1, postfix_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, postfix_map_tmp_t)
+
+ admin_pattern($1, postfix_prng_t)
+
+ admin_pattern($1, postfix_public_t)
+')
+
+########################################
+## <summary>
+## Execute the master postdrop in the
+## postfix_postdrop domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the iptables domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_run_postdrop',`
+ gen_require(`
+ type postfix_postdrop_t;
+ ')
+
+ postfix_domtrans_postdrop($1)
+ role $2 types postfix_postdrop_t;
+')
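Review bot: `postfix_admin` grants ptrace/signal and `ps_process_pattern` over bounce, cleanup, local, master, pickup, qmgr and smtpd, but not over the other postfix domains whose entry points this patch labels in postfix.fc (`postfix_smtp_t`, `postfix_pipe_t`, `postfix_virtual_t`, and `postfix_showq_t` if it exists) nor the user domains reached via `postfix_run_map`/`postfix_run_postdrop`, so an admin role cannot signal a stuck smtp or pipe process; either add them to the `gen_require` and the allow/ps_process_pattern pairs or state the omission in the interface summary. In `postfix_run_postdrop`, the `role` parameter summary `The role to be allowed the iptables domain.` is a copy-paste error and should read `The role to be allowed the postfix_postdrop domain.`.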
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index a32c4b3..318ef45 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
# Declarations
#
+## <desc>
+## <p>
+## Allow postfix_local domain full write access to mail_spool directories
+## </p>
+## </desc>
+gen_tunable(allow_postfix_local_write_mail_spool, true)
+
+attribute postfix_spool_type;
attribute postfix_user_domains;
# domains that transition to the
# postfix user domains
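Review bot: `gen_tunable(allow_postfix_local_write_mail_spool, true)` defaults the boolean on, so whatever write access it gates is granted on every install unless an administrator disables it; the `<desc>` should say so and name the scope, e.g. `Allow postfix_local domain full write access to mail_spool directories (enabled by default).`. The `tunable_policy` block that consumes it is outside this hunk, so I could not check that the description matches what is actually granted.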
@@ -12,8 +20,8 @@ attribute postfix_user_domtrans;
postfix_server_domain_template(bounce)
-type postfix_spool_bounce_t;
-files_type(postfix_spool_bounce_t)
+type postfix_spool_bounce_t, postfix_spool_type;
+files_spool_file(postfix_spool_bounce_t)
postfix_server_domain_template(cleanup)
@@ -41,6 +49,9 @@ typealias postfix_master_t alias postfix_t;
# generation macro work
mta_mailserver(postfix_t, postfix_master_exec_t)
+type postfix_initrc_exec_t;
+init_script_file(postfix_initrc_exec_t)
+
postfix_server_domain_template(pickup)
postfix_server_domain_template(pipe)
@@ -49,6 +60,7 @@ postfix_user_domain_template(postdrop)
mta_mailserver_user_agent(postfix_postdrop_t)
postfix_user_domain_template(postqueue)
+mta_mailserver_user_agent(postfix_postqueue_t)
type postfix_private_t;
files_type(postfix_private_t)
@@ -65,14 +77,14 @@ mta_mailserver_sender(postfix_smtp_t)
postfix_server_domain_template(smtpd)
-type postfix_spool_t;
-files_type(postfix_spool_t)
+type postfix_spool_t, postfix_spool_type;
+files_spool_file(postfix_spool_t)
-type postfix_spool_maildrop_t;
-files_type(postfix_spool_maildrop_t)
+type postfix_spool_maildrop_t, postfix_spool_type;
+files_spool_file(postfix_spool_maildrop_t)
-type postfix_spool_flush_t;
-files_type(postfix_spool_flush_t)
+type postfix_spool_flush_t, postfix_spool_type;
+files_spool_file(postfix_spool_flush_t)
type postfix_public_t;
files_type(postfix_public_t)
@@ -94,23 +106,25 @@ mta_mailserver_delivery(postfix_virtual_t)
# chown is to set the correct ownership of queue dirs
allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+allow postfix_master_t self:process setrlimit;
allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
-allow postfix_master_t self:process setrlimit;
+allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
allow postfix_master_t postfix_etc_t:file rw_file_perms;
+mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
can_exec(postfix_master_t, postfix_exec_t)
allow postfix_master_t postfix_data_t:dir manage_dir_perms;
allow postfix_master_t postfix_data_t:file manage_file_perms;
-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
-allow postfix_master_t postfix_postdrop_exec_t:file getattr;
+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
-allow postfix_master_t postfix_postqueue_exec_t:file getattr;
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -130,7 +144,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
-allow postfix_master_t postfix_spool_bounce_t:file getattr;
+allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
@@ -150,6 +164,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_all_unreserved_ports(postfix_master_t)
+corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
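Review bot: `corenet_udp_bind_all_unreserved_ports(postfix_master_t)` together with `corenet_dontaudit_udp_bind_all_ports(postfix_master_t)` has no comment explaining why the master daemon needs to bind arbitrary UDP ports, and the dontaudit suppresses the AVC record for any reserved-port bind attempt by that domain. If this is for an ephemeral resolver source port, a one-line comment would keep the next reader from widening it further: `# ephemeral UDP source port for DNS lookups; reserved-port attempts are expected noise — TODO confirm`. Without a stated reason the pair reads as a blanket grant rather than a targeted one.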
@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t)
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
+files_search_var_lib(postfix_master_t)
+files_search_tmp(postfix_master_t)
+
+mcs_file_read_all(postfix_master_t)
term_dontaudit_search_ptys(postfix_master_t)
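Review bot: `mcs_file_read_all(postfix_master_t)` is an MCS category override and is added without a comment; the same applies to the read+write overrides added for `postfix_pickup_t` and `postfix_postdrop_t` and the read override for `postfix_showq_t` later in this file. These bypass the category constraints that otherwise separate users' files, so each deserves a why-comment, e.g. `# MCS override: queue files may carry the sender's categories — TODO confirm which paths need this`. If only the queue directories need it, a narrower statement of that in the comment helps a future audit.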
@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
allow postfix_bounce_t postfix_public_t:sock_file write;
-allow postfix_bounce_t postfix_public_t:dir search;
+allow postfix_bounce_t postfix_public_t:dir search_dir_perms;
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
+manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
@@ -249,6 +274,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
+allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
+allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
+allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
@@ -264,8 +293,8 @@ optional_policy(`
# Postfix local local policy
#
-allow postfix_local_t self:fifo_file rw_fifo_file_perms;
allow postfix_local_t self:process { setsched setrlimit };
+allow postfix_local_t self:fifo_file rw_fifo_file_perms;
# connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
@@ -273,6 +302,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
+# Handle vacation script
+mta_send_mail(postfix_local_t)
-domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
-# Might be a leak, but I need a postfix expert to explain
-allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+userdom_read_user_home_content_files(postfix_local_t)
+userdom_exec_user_bin_files(postfix_local_t)
+
+tunable_policy(`allow_postfix_local_write_mail_spool',`
+ mta_manage_spool(postfix_local_t)
+')
optional_policy(`
clamav_search_lib(postfix_local_t)
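Review bot: `userdom_exec_user_bin_files(postfix_local_t)` lets the local delivery agent run user-owned executables from home directories in its own domain, with no transition and no comment on why. Presumably this is for `.forward` pipe commands, which the earlier comment in this file already flags as wanting its own type; running them as `postfix_local_t` means a user-supplied script inherits every grant in this section, including the spool write access gated by the new tunable. A comment stating the case, and gating the exec behind a tunable in the same way the spool write is gated here, would keep the default policy narrower.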
@@ -297,6 +333,10 @@ optional_policy(`
')
optional_policy(`
+ dspam_domtrans(postfix_local_t)
+')
+
+optional_policy(`
# for postalias
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
@@ -304,9 +344,22 @@ optional_policy(`
')
optional_policy(`
+ nagios_search_spool(postfix_local_t)
+')
+
+optional_policy(`
procmail_domtrans(postfix_local_t)
')
+optional_policy(`
+ sendmail_rw_pipes(postfix_local_t)
+')
+
+optional_policy(`
+ zarafa_domtrans_deliver(postfix_local_t)
+ zarafa_stream_connect_server(postfix_local_t)
+')
+
########################################
#
# Postfix map local policy
@@ -372,6 +425,7 @@ optional_policy(`
# Postfix pickup local policy
#
+allow postfix_pickup_t self:fifo_file rw_fifo_file_perms;
allow postfix_pickup_t self:tcp_socket create_socket_perms;
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
@@ -379,19 +433,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
+delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
+
postfix_list_spool(postfix_pickup_t)
allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+mcs_file_read_all(postfix_pickup_t)
+mcs_file_write_all(postfix_pickup_t)
+
########################################
#
# Postfix pipe local policy
#
-allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
allow postfix_pipe_t self:process setrlimit;
+allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
@@ -401,6 +462,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+corecmd_exec_bin(postfix_pipe_t)
+
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
@@ -420,6 +483,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
+ spamassassin_kill_client(postfix_pipe_t)
')
optional_policy(`
@@ -436,11 +500,17 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
+# Might be a leak, but I need a postfix expert to explain
+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
postfix_list_spool(postfix_postdrop_t)
manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+mcs_file_read_all(postfix_postdrop_t)
+mcs_file_write_all(postfix_postdrop_t)
+
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
@@ -487,8 +557,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
-term_use_all_ptys(postfix_postqueue_t)
-term_use_all_ttys(postfix_postqueue_t)
+term_use_all_inherited_ptys(postfix_postqueue_t)
+term_use_all_inherited_ttys(postfix_postqueue_t)
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -507,6 +577,8 @@ optional_policy(`
# Postfix qmgr local policy
#
+allow postfix_qmgr_t self:fifo_file rw_fifo_file_perms;
+
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
@@ -519,7 +591,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
corecmd_exec_bin(postfix_qmgr_t)
@@ -539,7 +615,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
-allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
+allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
+mcs_file_read_all(postfix_showq_t)
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
@@ -565,6 +643,14 @@ optional_policy(`
')
optional_policy(`
+ dovecot_stream_connect(postfix_smtp_t)
+')
+
+optional_policy(`
+ dspam_stream_connect(postfix_smtp_t)
+')
+
+optional_policy(`
milter_stream_connect_all(postfix_smtp_t)
')
@@ -588,10 +674,16 @@ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
+
+# postfix checks the size of all mounted file systems
+fs_getattr_all_dirs(postfix_smtpd_t)
+fs_getattr_all_fs(postfix_smtpd_t)
+
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
+ dovecot_stream_connect(postfix_smtpd_t)
')
optional_policy(`
@@ -611,8 +703,8 @@ optional_policy(`
# Postfix virtual local policy
#
-allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
allow postfix_virtual_t self:process { setsched setrlimit };
+allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
@@ -630,3 +722,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
+
+userdom_manage_user_home_dirs(postfix_virtual_t)
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
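Review bot: `userdom_manage_user_home_dirs(postfix_virtual_t)` and `userdom_manage_user_home_content(postfix_virtual_t)` give the virtual delivery agent create, delete and rename on every user's home directory and its contents, with no comment and no tunable, whereas the comparable spool grant for `postfix_local_t` in this same patch is gated by a boolean. If the intent is maildir delivery under home directories, a comment saying so and a tunable guard would match the pattern used above. Separately, `{file dir }` should be written `{ file dir }` to match the file's style: `userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })`.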
diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if
index feae93b..d960d3f 100644
--- a/policy/modules/services/postfixpolicyd.if
+++ b/policy/modules/services/postfixpolicyd.if
@@ -20,8 +20,7 @@
interface(`postfixpolicyd_admin',`
gen_require(`
type postfix_policyd_t, postfix_policyd_conf_t;
- type postfix_policyd_var_run_t;
- type postfix_policyd_initrc_exec_t;
+ type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
')
allow $1 postfix_policyd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te
index 7257526..7d73656 100644
--- a/policy/modules/services/postfixpolicyd.te
+++ b/policy/modules/services/postfixpolicyd.te
@@ -23,14 +23,14 @@ files_pid_file(postfix_policyd_var_run_t)
# Local Policy
#
-allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
allow postfix_policyd_t self:process setrlimit;
-allow postfix_policyd_t self:unix_dgram_socket { connect create write};
+allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
+allow postfix_policyd_t self:unix_dgram_socket create_socket_perms;
allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
-allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
+allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index f03fad4..1865d8f 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -11,9 +11,9 @@
/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib(64)?/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
-/usr/lib(64)?/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib(64)?/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
ifdef(`distro_debian', `
/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
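Review bot: Dropping `(64)?` from the three `/usr/lib` patterns means 64-bit installs under `/usr/lib64/pgsql` only keep their labels if a lib64-to-lib path equivalence (such as a `file_contexts.subs_dist` entry) is in effect, which this patch does not show. If that equivalence is what is relied on, a comment above the block would make the dependency explicit; if it is not, `pg_regress` and the `postgresql/bin` binaries on 64-bit systems would lose `postgresql_exec_t` and the affected transitions with it.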
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 09aeffa..f8a0d88 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -10,7 +10,7 @@
## </summary>
## </param>
## <param name="user_domain">
-## <summary>
+## <summary>
## The type of the user domain.
## </summary>
## </param>
@@ -51,15 +51,6 @@ interface(`postgresql_role',`
# Client local policy
#
- tunable_policy(`sepgsql_enable_users_ddl',`
- allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
- allow $2 user_sepgsql_table_t:db_table { create drop setattr };
- allow $2 user_sepgsql_table_t:db_column { create drop setattr };
- allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
- allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
- allow $2 user_sepgsql_view_t:db_view { create drop setattr };
- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
- ')
allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
@@ -88,6 +79,16 @@ interface(`postgresql_role',`
allow $2 sepgsql_trusted_proc_t:process transition;
type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
+
+ tunable_policy(`sepgsql_enable_users_ddl',`
+ allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
+ allow $2 user_sepgsql_table_t:db_table { create drop setattr };
+ allow $2 user_sepgsql_table_t:db_column { create drop setattr };
+ allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
+ allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
+ allow $2 user_sepgsql_view_t:db_view { create drop setattr };
+ allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+ ')
')
########################################
@@ -286,7 +287,7 @@ interface(`postgresql_search_db',`
type postgresql_db_t;
')
- allow $1 postgresql_db_t:dir search;
+ allow $1 postgresql_db_t:dir search_dir_perms;
')
########################################
@@ -298,14 +299,16 @@ interface(`postgresql_search_db',`
## Domain allowed access.
## </summary>
## </param>
+#
interface(`postgresql_manage_db',`
gen_require(`
type postgresql_db_t;
')
- allow $1 postgresql_db_t:dir rw_dir_perms;
- allow $1 postgresql_db_t:file rw_file_perms;
- allow $1 postgresql_db_t:lnk_file { getattr read };
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, postgresql_db_t, postgresql_db_t)
+ manage_files_pattern($1, postgresql_db_t, postgresql_db_t)
+ manage_lnk_files_pattern($1, postgresql_db_t, postgresql_db_t)
')
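Review bot: `postgresql_manage_db` now grants `manage_*_pattern` (create, delete, rename, link) where it previously granted only `rw_dir_perms`/`rw_file_perms`, so every existing caller of this interface silently gets wider access to `postgresql_db_t`. The interface name did already say "manage", but the widening should be stated in the summary above the hunk, which is outside this view, and callers that only needed read/write should be pointed at a narrower interface. The added `files_search_var_lib($1)` is fine and consistent with the other interfaces in this file.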
########################################
@@ -395,7 +398,6 @@ interface(`postgresql_tcp_connect',`
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`postgresql_stream_connect',`
gen_require(`
@@ -403,10 +405,8 @@ interface(`postgresql_stream_connect',`
')
files_search_pids($1)
- allow $1 postgresql_t:unix_stream_socket connectto;
- allow $1 postgresql_var_run_t:sock_file write;
- # Some versions of postgresql put the sock file in /tmp
- allow $1 postgresql_tmp_t:sock_file write;
+ files_search_tmp($1)
+ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
')
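Review bot: The rewrite to `stream_connect_pattern` drops the comment `# Some versions of postgresql put the sock file in /tmp`, which was the only explanation for granting access to `postgresql_tmp_t` sockets and for the new `files_search_tmp($1)`. Restoring that comment above the two new lines keeps the reason for the `/tmp` grant visible to whoever next tries to tighten this interface.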
########################################
@@ -468,6 +468,7 @@ interface(`postgresql_unpriv_client',`
allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr };
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
')
+
allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
@@ -492,6 +493,7 @@ interface(`postgresql_unpriv_client',`
allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
+
')
########################################
@@ -531,13 +533,10 @@ interface(`postgresql_unconfined',`
#
interface(`postgresql_admin',`
gen_require(`
- attribute sepgsql_admin_type;
- attribute sepgsql_client_type;
-
- type postgresql_t, postgresql_var_run_t;
- type postgresql_tmp_t, postgresql_db_t;
- type postgresql_etc_t, postgresql_log_t;
- type postgresql_initrc_exec_t;
+ attribute sepgsql_admin_type, sepgsql_client_type;
+ type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t;
+ type postgresql_tmp_t, postgresql_db_t, postgresql_log_t;
+ type postgresql_etc_t;
')
typeattribute $1 sepgsql_admin_type;
@@ -550,14 +549,19 @@ interface(`postgresql_admin',`
role_transition $2 postgresql_initrc_exec_t system_r;
allow $2 system_r;
+ files_list_pids($1)
admin_pattern($1, postgresql_var_run_t)
+ files_list_var_lib($1)
admin_pattern($1, postgresql_db_t)
+ files_list_etc($1)
admin_pattern($1, postgresql_etc_t)
+ logging_list_logs($1)
admin_pattern($1, postgresql_log_t)
+ files_list_tmp($1)
admin_pattern($1, postgresql_tmp_t)
postgresql_tcp_connect($1)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 4a5387a..acf8ed1 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,16 +19,16 @@ gen_require(`
#
## <desc>
-## <p>
-## Allow unprived users to execute DDL statement
-## </p>
+## <p>
+## Allow unprivileged users to execute DDL statement
+## </p>
## </desc>
gen_tunable(sepgsql_enable_users_ddl, true)
## <desc>
-## <p>
-## Allow database admins to execute DML statement
-## </p>
+## <p>
+## Allow database admins to execute DML statement
+## </p>
## </desc>
gen_tunable(sepgsql_unconfined_dbadm, true)
@@ -241,7 +241,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
-allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
+allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
can_exec(postgresql_t, postgresql_exec_t )
allow postgresql_t postgresql_lock_t:file manage_file_perms;
@@ -307,8 +307,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)
files_dontaudit_search_home(postgresql_t)
-files_manage_etc_files(postgresql_t)
-files_search_etc(postgresql_t)
+files_read_etc_files(postgresql_t)
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if
index ad15fde..6f55445 100644
--- a/policy/modules/services/postgrey.if
+++ b/policy/modules/services/postgrey.if
@@ -15,9 +15,9 @@ interface(`postgrey_stream_connect',`
type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
')
- stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
- stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
+ stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
files_search_pids($1)
+ files_search_spool($1)
')
########################################
@@ -35,6 +35,7 @@ interface(`postgrey_search_spool',`
type postgrey_spool_t;
')
+ files_search_spool($1)
allow $1 postgrey_spool_t:dir search_dir_perms;
')
@@ -57,9 +58,8 @@ interface(`postgrey_search_spool',`
#
interface(`postgrey_admin',`
gen_require(`
- type postgrey_t, postgrey_etc_t;
+ type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
type postgrey_var_lib_t, postgrey_var_run_t;
- type postgrey_initrc_exec_t;
')
allow $1 postgrey_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index db843e2..4389e81 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
init_script_file(postgrey_initrc_exec_t)
type postgrey_spool_t;
-files_type(postgrey_spool_t)
+files_spool_file(postgrey_spool_t)
type postgrey_var_lib_t;
files_type(postgrey_var_lib_t)
diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
index 2d82c6d..adf5731 100644
--- a/policy/modules/services/ppp.fc
+++ b/policy/modules/services/ppp.fc
@@ -11,11 +11,14 @@
# Fix /etc/ppp {up,down} family scripts (see man pppd)
/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
#
# /sbin
#
+/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
#
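Review bot: The new `/lib/systemd/system/ppp.*` entry labels the ppp unit files `iptables_unit_file_t`, which looks like a copy-paste slip: this same patch declares `pppd_unit_file_t` in ppp.te and `ppp_systemctl` requires that type, so with this label the new interface never matches the unit files and whatever is allowed on `iptables_unit_file_t` applies to them instead. The line should read `/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:pppd_unit_file_t,s0)`.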
@@ -34,5 +37,7 @@
# Fix pptp sockets
/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)
+
/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
-/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0)
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index b524673..d3f932f 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
## </summary>
## </param>
#
-#
interface(`ppp_kill',`
gen_require(`
type pppd_t;
@@ -180,8 +179,7 @@ interface(`ppp_run',`
')
ppp_domtrans($1)
- role $2 types pppd_t;
- role $2 types pptp_t;
+ role $2 types { pppd_t pptp_t };
optional_policy(`
ddclient_run(pppd_t, $2)
@@ -281,7 +279,8 @@ interface(`ppp_read_pid_files',`
type pppd_var_run_t;
')
- allow $1 pppd_var_run_t:file read_file_perms;
+ files_search_pids($1)
+ read_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
')
########################################
@@ -299,6 +298,7 @@ interface(`ppp_manage_pid_files',`
type pppd_var_run_t;
')
+ files_search_pids($1)
allow $1 pppd_var_run_t:file manage_file_perms;
')
@@ -340,6 +340,30 @@ interface(`ppp_initrc_domtrans',`
########################################
## <summary>
+## Execute pppd server in the pppd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ppp_systemctl',`
+ gen_require(`
+ type pppd_unit_file_t;
+ type pppd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 pppd_unit_file_t:file read_file_perms;
+ allow $1 pppd_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, pppd_t)
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an ppp environment
## </summary>
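Review bot: The summary on `ppp_systemctl` says `Execute pppd server in the pppd domain.`, but the body grants `systemd_exec_systemctl`, unit-file read access, `all_service_perms` on `pppd_unit_file_t` and `ps_process_pattern` on `pppd_t`; there is no domain transition into `pppd_t` here, which `ppp_domtrans` elsewhere in this file covers. The summary should describe what is actually granted, e.g. `## Execute systemctl to manage the pppd unit files and inspect the pppd process.` Listing `all_service_perms` in the summary would also tell an admin-interface caller that start, stop, enable and disable are all included.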
@@ -348,21 +372,27 @@ interface(`ppp_initrc_domtrans',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
## <rolecap/>
#
interface(`ppp_admin',`
gen_require(`
type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
- type pppd_etc_t, pppd_secret_t;
- type pppd_etc_rw_t, pppd_var_run_t;
-
+ type pppd_etc_t, pppd_secret_t, pppd_var_run_t;
type pptp_t, pptp_log_t, pptp_var_run_t;
- type pppd_initrc_exec_t;
+ type pppd_initrc_exec_t, pppd_etc_rw_t;
')
- allow $1 pppd_t:process { ptrace signal_perms getattr };
+ allow $1 pppd_t:process { ptrace signal_perms };
ps_process_pattern($1, pppd_t)
+ allow $1 pptp_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pptp_t)
+
ppp_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 pppd_initrc_exec_t system_r;
@@ -374,6 +404,7 @@ interface(`ppp_admin',`
logging_list_logs($1)
admin_pattern($1, pppd_log_t)
+ files_list_locks($1)
admin_pattern($1, pppd_lock_t)
files_list_etc($1)
@@ -386,10 +417,9 @@ interface(`ppp_admin',`
files_list_pids($1)
admin_pattern($1, pppd_var_run_t)
- allow $1 pptp_t:process { ptrace signal_perms getattr };
- ps_process_pattern($1, pptp_t)
-
admin_pattern($1, pptp_log_t)
admin_pattern($1, pptp_var_run_t)
+
+ ppp_systemctl($1)
')
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 2af42e7..392bc4b 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
#
## <desc>
-## <p>
-## Allow pppd to load kernel modules for certain modems
-## </p>
+## <p>
+## Allow pppd to load kernel modules for certain modems
+## </p>
## </desc>
gen_tunable(pppd_can_insmod, false)
## <desc>
-## <p>
-## Allow pppd to be run for a regular user
-## </p>
+## <p>
+## Allow pppd to be run for a regular user
+## </p>
## </desc>
gen_tunable(pppd_for_user, false)
@@ -39,6 +39,9 @@ files_type(pppd_etc_rw_t)
type pppd_initrc_exec_t alias pppd_script_exec_t;
init_script_file(pppd_initrc_exec_t)
+type pppd_unit_file_t;
+systemd_unit_file(pppd_unit_file_t)
+
# pppd_secret_t is the type of the pap and chap password files
type pppd_secret_t;
files_type(pppd_secret_t)
@@ -70,9 +73,9 @@ files_pid_file(pptp_var_run_t)
# PPPD Local policy
#
-allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override };
dontaudit pppd_t self:capability sys_tty_config;
-allow pppd_t self:process { getsched signal };
+allow pppd_t self:process { getsched setsched signal };
allow pppd_t self:fifo_file rw_fifo_file_perms;
allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms;
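Review bot: `sys_admin` is added to the `pppd_t` capability set with no comment, and it is by far the broadest capability in that line. A why-comment naming the operation that needs it would let a later reviewer check whether a narrower capability or a dontaudit would do, e.g. `# sys_admin: TODO state the syscall pppd needs it for`. The `setsched` addition on the `process` line is self-explanatory and needs nothing.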
@@ -84,28 +87,29 @@ allow pppd_t self:packet_socket create_socket_perms;
domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
-allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
allow pppd_t pppd_etc_t:dir rw_dir_perms;
allow pppd_t pppd_etc_t:file read_file_perms;
-allow pppd_t pppd_etc_t:lnk_file { getattr read };
+allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
# Automatically label newly created files under /etc/ppp with this type
filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
-allow pppd_t pppd_lock_t:file manage_file_perms;
-files_lock_filetrans(pppd_t, pppd_lock_t, file)
+manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
+files_search_locks(pppd_t)
-allow pppd_t pppd_log_t:file manage_file_perms;
+manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
logging_log_filetrans(pppd_t, pppd_log_t, file)
manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
+manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
-files_pid_filetrans(pppd_t, pppd_var_run_t, file)
+files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })
allow pppd_t pptp_t:process signal;
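Review bot: Replacing `files_lock_filetrans(pppd_t, pppd_lock_t, file)` with `files_search_locks(pppd_t)` removes the type transition for lock files pppd creates directly under the lock directory; only files created inside the newly labeled `/var/lock/ppp(/.*)?` tree from ppp.fc will inherit `pppd_lock_t`. If pppd still creates per-device lock files in the top-level lock directory, those will now get the generic lock type and the `manage_files_pattern` on `pppd_lock_t` will not cover them. Keeping the filetrans alongside the search grant avoids that regression unless the top-level case is known to be gone.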
@@ -166,6 +170,8 @@ init_dontaudit_write_utmp(pppd_t)
init_signal_script(pppd_t)
auth_use_nsswitch(pppd_t)
+auth_domtrans_chk_passwd(pppd_t)
+auth_write_login_records(pppd_t)
logging_send_syslog_msg(pppd_t)
logging_send_audit_msgs(pppd_t)
@@ -176,7 +182,7 @@ sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)
-userdom_use_user_terminals(pppd_t)
+userdom_use_inherited_user_terminals(pppd_t)
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
userdom_search_user_home_dirs(pppd_t)
@@ -187,13 +193,15 @@ optional_policy(`
')
optional_policy(`
- tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',`
+ tunable_policy(`pppd_can_insmod',`
modutils_domtrans_insmod_uncond(pppd_t)
')
')
optional_policy(`
mta_send_mail(pppd_t)
+ mta_system_content(pppd_etc_t)
+ mta_system_content(pppd_etc_rw_t)
')
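Review bot: The tunable condition loses its `&& ! secure_mode_insmod` clause, so `pppd_can_insmod` alone now enables `modutils_domtrans_insmod_uncond(pppd_t)` regardless of the global `secure_mode_insmod` setting. Unless that boolean is now enforced inside the insmod domain itself, which this patch does not show, an administrator who set `secure_mode_insmod` to block module loading would still have pppd able to load modules. If the global check has moved, a comment saying where it is enforced would stop this from being re-reported.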
optional_policy(`
@@ -243,14 +251,17 @@ allow pptp_t pppd_log_t:file append_file_perms;
allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
+manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
-files_pid_filetrans(pptp_t, pptp_var_run_t, file)
+files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir })
kernel_list_proc(pptp_t)
+kernel_signal(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
kernel_read_proc_symlinks(pptp_t)
kernel_read_system_state(pptp_t)
+kernel_signal(pptp_t)
dev_read_sysfs(pptp_t)
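Review bot: `kernel_signal(pptp_t)` is added twice in this hunk, once after `kernel_list_proc(pptp_t)` and again after `kernel_read_system_state(pptp_t)`; one copy is redundant and should be dropped. Keeping the second occurrence preserves the alphabetical order of the surrounding kernel_* calls. The pptp_t section continues past the end of the hunk.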
diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if
index 2316653..77ef768 100644
--- a/policy/modules/services/prelude.if
+++ b/policy/modules/services/prelude.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run prelude.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`prelude_domtrans',`
@@ -23,9 +23,9 @@ interface(`prelude_domtrans',`
## Execute a domain transition to run prelude_audisp.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`prelude_domtrans_audisp',`
@@ -41,9 +41,9 @@ interface(`prelude_domtrans_audisp',`
## Signal the prelude_audisp domain.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed acccess.
-## </summary>
+## </summary>
## </param>
#
interface(`prelude_signal_audisp',`
@@ -78,9 +78,9 @@ interface(`prelude_read_spool',`
## Manage to prelude-manager spool files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`prelude_manage_spool',`
@@ -112,13 +112,10 @@ interface(`prelude_manage_spool',`
#
interface(`prelude_admin',`
gen_require(`
- type prelude_t, prelude_spool_t;
- type prelude_var_run_t, prelude_var_lib_t;
- type prelude_audisp_t, prelude_audisp_var_run_t;
- type prelude_initrc_exec_t;
-
- type prelude_lml_t, prelude_lml_tmp_t;
- type prelude_lml_var_run_t;
+ type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
+ type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
+ type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
+ type prelude_lml_t;
')
allow $1 prelude_t:process { ptrace signal_perms };
@@ -135,10 +132,17 @@ interface(`prelude_admin',`
role_transition $2 prelude_initrc_exec_t system_r;
allow $2 system_r;
+ files_list_spool($1)
admin_pattern($1, prelude_spool_t)
+
+ files_list_var_lib($1)
admin_pattern($1, prelude_var_lib_t)
+
+ files_list_pids($1)
admin_pattern($1, prelude_var_run_t)
admin_pattern($1, prelude_audisp_var_run_t)
- admin_pattern($1, prelude_lml_tmp_t)
admin_pattern($1, prelude_lml_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, prelude_lml_tmp_t)
')
diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
index b1bc02c..e0c0f70 100644
--- a/policy/modules/services/prelude.te
+++ b/policy/modules/services/prelude.te
@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
init_script_file(prelude_initrc_exec_t)
type prelude_spool_t;
-files_type(prelude_spool_t)
+files_spool_file(prelude_spool_t)
type prelude_log_t;
logging_log_file(prelude_log_t)
@@ -35,7 +35,6 @@ files_pid_file(prelude_audisp_var_run_t)
type prelude_correlator_t;
type prelude_correlator_exec_t;
init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t)
-role system_r types prelude_correlator_t;
type prelude_correlator_config_t;
files_config_file(prelude_correlator_config_t)
@@ -210,8 +209,8 @@ prelude_manage_spool(prelude_correlator_t)
#
allow prelude_lml_t self:capability dac_override;
-allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
-allow prelude_lml_t self:unix_dgram_socket { write create connect };
+allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
+allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
allow prelude_lml_t self:unix_stream_socket connectto;
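Review bot: `{ setopt create_socket_perms }` on the new tcp_socket rule repeats a permission that `create_socket_perms` already carries (it expands to create plus the rw_socket_perms set, which includes setopt), so the rule can simply be `allow prelude_lml_t self:tcp_socket create_socket_perms;`, matching the unix_dgram_socket line directly below it. The prelude_lml_t block continues outside the hunk.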
@@ -236,11 +235,12 @@ kernel_read_sysctl(prelude_lml_t)
corecmd_exec_bin(prelude_lml_t)
+corenet_all_recvfrom_unlabeled(prelude_lml_t)
+corenet_all_recvfrom_netlabel(prelude_lml_t)
corenet_tcp_sendrecv_generic_if(prelude_lml_t)
corenet_tcp_sendrecv_generic_node(prelude_lml_t)
corenet_tcp_recvfrom_netlabel(prelude_lml_t)
corenet_tcp_recvfrom_unlabeled(prelude_lml_t)
-corenet_sendrecv_unlabeled_packets(prelude_lml_t)
corenet_tcp_connect_prelude_port(prelude_lml_t)
dev_read_rand(prelude_lml_t)
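Review bot: With `corenet_all_recvfrom_unlabeled(prelude_lml_t)` and `corenet_all_recvfrom_netlabel(prelude_lml_t)` added, the retained `corenet_tcp_recvfrom_netlabel(prelude_lml_t)` and `corenet_tcp_recvfrom_unlabeled(prelude_lml_t)` two lines below appear to be subsumed (the all_recvfrom interfaces cover the tcp case as I read corenet) and could be removed, as the commit already does for `corenet_sendrecv_unlabeled_packets`. If the per-protocol lines are kept deliberately, a short comment saying so would prevent a later cleanup from guessing. The rule block continues outside the hunk.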
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index 2dbf4d4..28d7fe5 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -6,10 +6,10 @@ policy_module(privoxy, 1.11.0)
#
## <desc>
-## <p>
-## Allow privoxy to connect to all ports, not just
-## HTTP, FTP, and Gopher ports.
-## </p>
+## <p>
+## Allow privoxy to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+## </p>
## </desc>
gen_tunable(privoxy_connect_any, false)
@@ -46,8 +46,9 @@ logging_log_filetrans(privoxy_t, privoxy_log_t, file)
manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
-kernel_read_system_state(privoxy_t)
kernel_read_kernel_sysctls(privoxy_t)
+kernel_read_network_state(privoxy_t)
+kernel_read_system_state(privoxy_t)
corenet_all_recvfrom_unlabeled(privoxy_t)
corenet_all_recvfrom_netlabel(privoxy_t)
@@ -87,7 +88,7 @@ miscfiles_read_localization(privoxy_t)
userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
userdom_dontaudit_search_user_home_dirs(privoxy_t)
# cjp: this should really not be needed
-userdom_use_user_terminals(privoxy_t)
+userdom_use_inherited_user_terminals(privoxy_t)
tunable_policy(`privoxy_connect_any',`
corenet_tcp_connect_all_ports(privoxy_t)
diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc
index 1343621..4b36a13 100644
--- a/policy/modules/services/procmail.fc
+++ b/policy/modules/services/procmail.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
+/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if
index b64b02f..166e9c3 100644
--- a/policy/modules/services/procmail.if
+++ b/policy/modules/services/procmail.if
@@ -77,3 +77,22 @@ interface(`procmail_rw_tmp_files',`
files_search_tmp($1)
rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
')
+
+########################################
+## <summary>
+## Read procmail home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_read_home_files',`
+ gen_require(`
+ type procmail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
+')
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index 29b9295..6451f82 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -10,6 +10,9 @@ type procmail_exec_t;
application_domain(procmail_t, procmail_exec_t)
role system_r types procmail_t;
+type procmail_home_t;
+userdom_user_home_content(procmail_home_t)
+
type procmail_log_t;
logging_log_file(procmail_log_t)
@@ -32,7 +35,7 @@ allow procmail_t self:udp_socket create_socket_perms;
can_exec(procmail_t, procmail_exec_t)
# Write log to /var/log/procmail.log or /var/log/procmail/.*
-allow procmail_t procmail_log_t:dir setattr;
+allow procmail_t procmail_log_t:dir setattr_dir_perms;
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
@@ -75,10 +78,20 @@ files_search_pids(procmail_t)
# for spamassasin
files_read_usr_files(procmail_t)
+application_exec_all(procmail_t)
+
+init_read_utmp(procmail_t)
+
logging_send_syslog_msg(procmail_t)
+logging_append_all_logs(procmail_t)
miscfiles_read_localization(procmail_t)
+list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
+read_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
+userdom_search_user_home_dirs(procmail_t)
+userdom_search_admin_dir(procmail_t)
+
# only works until we define a different type for maildir
userdom_manage_user_home_content_dirs(procmail_t)
userdom_manage_user_home_content_files(procmail_t)
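Review bot: `logging_append_all_logs(procmail_t)` and `application_exec_all(procmail_t)` widen procmail to every log type and every application executable without a comment explaining which delivery path or recipe needs them; the neighbouring `# for spamassasin` line shows the file's convention of justifying such grants. A comment such as `# recipes invoke arbitrary helpers and append to their own logs — TODO(review): narrow to the specific log types once identified` above them would record the intent. `userdom_search_admin_dir(procmail_t)` likewise lets procmail search /root while the next hunk removes the `# Do not audit attempts to access /root.` dontaudit that had the opposite goal, so the change of direction deserves a note too. The procmail_t block continues outside the hunk.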
@@ -87,8 +100,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
userdom_manage_user_home_content_sockets(procmail_t)
userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
-# Do not audit attempts to access /root.
-userdom_dontaudit_search_user_home_dirs(procmail_t)
+# Execute user executables
+userdom_exec_user_bin_files(procmail_t)
mta_manage_spool(procmail_t)
mta_read_queue(procmail_t)
@@ -125,6 +138,11 @@ optional_policy(`
postfix_read_spool_files(procmail_t)
postfix_read_local_state(procmail_t)
postfix_read_master_state(procmail_t)
+ postfix_rw_master_pipes(procmail_t)
+')
+
+optional_policy(`
+ nagios_search_spool(procmail_t)
')
optional_policy(`
diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
index bc329d1..0589f97 100644
--- a/policy/modules/services/psad.if
+++ b/policy/modules/services/psad.if
@@ -91,7 +91,6 @@ interface(`psad_manage_config',`
files_search_etc($1)
manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
manage_files_pattern($1, psad_etc_t, psad_etc_t)
-
')
########################################
@@ -115,7 +114,7 @@ interface(`psad_read_pid_files',`
########################################
## <summary>
-## Read psad PID files.
+## Read and write psad PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -176,6 +175,45 @@ interface(`psad_append_log',`
########################################
## <summary>
+## Allow the specified domain to write to psad's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_write_log',`
+ gen_require(`
+ type psad_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ write_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to setattr to psad's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_setattr_log',`
+ gen_require(`
+ type psad_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ setattr_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+## <summary>
## Read and write psad fifo files.
## </summary>
## <param name="domain">
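Review bot: `## <rolecap/>` on the new `psad_write_log` interface tags a plain write-files interface as a role capability, while the sibling `psad_setattr_log` interface added in the same hunk carries no such tag; unless a role is meant to gain this access directly, the tag should be removed for consistency with the other psad_* interfaces. The `#######################################` separator opening `psad_setattr_log` is also one character shorter than the file's other separators.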
@@ -186,7 +224,7 @@ interface(`psad_append_log',`
#
interface(`psad_rw_fifo_file',`
gen_require(`
- type psad_t;
+ type psad_t, psad_var_lib_t;
')
files_search_var_lib($1)
@@ -196,6 +234,26 @@ interface(`psad_rw_fifo_file',`
#######################################
## <summary>
+## Allow setattr to psad fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_setattr_fifo_file',`
+ gen_require(`
+ type psad_t, psad_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 psad_var_lib_t:fifo_file setattr;
+ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
+#######################################
+## <summary>
## Read and write psad tmp files.
## </summary>
## <param name="domain">
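Review bot: The `gen_require` of the new `psad_setattr_fifo_file` interface pulls in `type psad_t`, but the body only references `psad_var_lib_t`, so `type psad_var_lib_t;` alone is sufficient. The `allow $1 psad_var_lib_t:fifo_file setattr;` line could also use `setattr_fifo_file_perms` to match the permission-set style of the other new interfaces in this file.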
@@ -233,7 +291,7 @@ interface(`psad_rw_tmp_files',`
interface(`psad_admin',`
gen_require(`
type psad_t, psad_var_run_t, psad_var_log_t;
- type psad_initrc_exec_t, psad_var_lib_t;
+ type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t;
type psad_tmp_t;
')
@@ -245,18 +303,18 @@ interface(`psad_admin',`
role_transition $2 psad_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, psad_etc_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, psad_var_run_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, psad_var_log_t)
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, psad_var_lib_t)
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, psad_tmp_t)
')
diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te
index d4000e0..f35afa4 100644
--- a/policy/modules/services/psad.te
+++ b/policy/modules/services/psad.te
@@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t)
# config files
type psad_etc_t;
-files_type(psad_etc_t)
+files_config_file(psad_etc_t)
type psad_initrc_exec_t;
init_script_file(psad_initrc_exec_t)
@@ -39,7 +39,7 @@ files_tmp_file(psad_tmp_t)
allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
dontaudit psad_t self:capability sys_tty_config;
-allow psad_t self:process signull;
+allow psad_t self:process signal_perms;
allow psad_t self:fifo_file rw_fifo_file_perms;
allow psad_t self:rawip_socket create_socket_perms;
@@ -53,9 +53,10 @@ manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
# pid file
+manage_dirs_pattern(psad_t, psad_var_run_t, psad_var_run_t)
manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
-files_pid_filetrans(psad_t, psad_var_run_t, { file sock_file })
+files_pid_filetrans(psad_t, psad_var_run_t, { dir file sock_file })
# tmp files
manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t)
@@ -85,13 +86,12 @@ corenet_sendrecv_whois_client_packets(psad_t)
dev_read_urand(psad_t)
files_read_etc_runtime_files(psad_t)
+files_read_usr_files(psad_t)
fs_getattr_all_fs(psad_t)
auth_use_nsswitch(psad_t)
-iptables_domtrans(psad_t)
-
logging_read_generic_logs(psad_t)
logging_read_syslog_config(psad_t)
logging_send_syslog_msg(psad_t)
@@ -101,6 +101,10 @@ miscfiles_read_localization(psad_t)
sysnet_exec_ifconfig(psad_t)
optional_policy(`
+ iptables_domtrans(psad_t)
+')
+
+optional_policy(`
mta_send_mail(psad_t)
mta_read_queue(psad_t)
')
diff --git a/policy/modules/services/puppet.fc b/policy/modules/services/puppet.fc
index 2f1e529..8c0b242 100644
--- a/policy/modules/services/puppet.fc
+++ b/policy/modules/services/puppet.fc
@@ -3,6 +3,7 @@
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
index 2855a44..58bb459 100644
--- a/policy/modules/services/puppet.if
+++ b/policy/modules/services/puppet.if
@@ -8,6 +8,53 @@
## </p>
## </desc>
+########################################
+## <summary>
+## Execute puppetca in the puppetca
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`puppet_domtrans_puppetca',`
+ gen_require(`
+ type puppetca_t, puppetca_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, puppetca_exec_t, puppetca_t)
+')
+
+#####################################
+## <summary>
+## Execute puppetca in the puppetca
+## domain and allow the specified
+## role the puppetca domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`puppet_run_puppetca',`
+ gen_require(`
+ type puppetca_t, puppetca_exec_t;
+ ')
+
+ puppet_domtrans_puppetca($1)
+ role $2 types puppetca_t;
+')
+
################################################
## <summary>
## Read / Write to Puppet temp files. Puppet uses
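Review bot: The `gen_require` in the new `puppet_run_puppetca` interface lists `puppetca_exec_t`, which its body never uses — it only calls `puppet_domtrans_puppetca($1)` and adds `role $2 types puppetca_t;` — so `type puppetca_t;` is all it needs. The separator above it (`#####################################`) is also shorter than the one opening `puppet_domtrans_puppetca`.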
@@ -21,11 +68,87 @@
## </summary>
## </param>
#
-interface(`puppet_rw_tmp', `
+interface(`puppet_rw_tmp',`
gen_require(`
type puppet_tmp_t;
')
- allow $1 puppet_tmp_t:file rw_file_perms;
+ allow $1 puppet_tmp_t:file rw_inherited_file_perms;
files_search_tmp($1)
')
+
+################################################
+## <summary>
+## Read Puppet lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`puppet_read_lib',`
+ gen_require(`
+ type puppet_var_lib_t;
+ ')
+
+ read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+ files_search_var_lib($1)
+')
+
+###############################################
+## <summary>
+## Manage Puppet lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`puppet_manage_lib',`
+ gen_require(`
+ type puppet_var_lib_t;
+ ')
+
+ manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+ files_search_var_lib($1)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to search puppet's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`puppet_search_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 puppet_log_t:dir search_dir_perms;
+')
+
+#####################################
+## <summary>
+## Allow the specified domain to search puppet's pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`puppet_search_pid',`
+ gen_require(`
+ type puppet_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 puppet_var_run_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
index 64c5f95..5f6e7b8 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
#
## <desc>
+## <p>
+## Allow Puppet client to manage all file
+## types.
+## </p>
+## </desc>
+gen_tunable(puppet_manage_all_files, false)
+
+## <desc>
## <p>
-## Allow Puppet client to manage all file
-## types.
+## Allow Puppet master to use connect to MySQL and PostgreSQL database
## </p>
## </desc>
-gen_tunable(puppet_manage_all_files, false)
+gen_tunable(puppetmaster_use_db, false)
type puppet_t;
type puppet_exec_t;
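Review bot: The new tunable description reads `Allow Puppet master to use connect to MySQL and PostgreSQL database`, which has a stray word and a number disagreement; `## Allow Puppet master to connect to MySQL and PostgreSQL databases` reads cleanly. This text is what the boolean tooling surfaces for `puppetmaster_use_db`, so it is worth fixing before it ships.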
@@ -35,6 +42,11 @@ files_type(puppet_var_lib_t)
type puppet_var_run_t;
files_pid_file(puppet_var_run_t)
+type puppetca_t;
+type puppetca_exec_t;
+application_domain(puppetca_t, puppetca_exec_t)
+role system_r types puppetca_t;
+
type puppetmaster_t;
type puppetmaster_exec_t;
init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
@@ -63,7 +75,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
files_search_var_lib(puppet_t)
-setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
@@ -132,7 +144,7 @@ sysnet_dns_name_resolve(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r)
tunable_policy(`puppet_manage_all_files',`
- auth_manage_all_files_except_shadow(puppet_t)
+ files_manage_non_security_files(puppet_t)
')
optional_policy(`
@@ -144,6 +156,10 @@ optional_policy(`
')
optional_policy(`
+ mount_domtrans(puppet_t)
+')
+
+optional_policy(`
files_rw_var_files(puppet_t)
rpm_domtrans(puppet_t)
@@ -162,7 +178,60 @@ optional_policy(`
########################################
#
-# Pupper master personal policy
+# PuppetCA personal policy
+#
+
+allow puppetca_t self:capability { dac_override setgid setuid };
+allow puppetca_t self:fifo_file rw_fifo_file_perms;
+
+read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
+
+allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
+manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_dirs_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
+
+allow puppetca_t puppet_log_t:dir search_dir_perms;
+
+allow puppetca_t puppet_var_run_t:dir search_dir_perms;
+
+kernel_read_system_state(puppetca_t)
+# Maybe dontaudit this like we did with other puppet domains?
+kernel_read_kernel_sysctls(puppetca_t)
+
+corecmd_exec_bin(puppetca_t)
+corecmd_exec_shell(puppetca_t)
+
+dev_read_urand(puppetca_t)
+dev_search_sysfs(puppetca_t)
+
+files_read_etc_files(puppetca_t)
+files_search_var_lib(puppetca_t)
+
+selinux_validate_context(puppetca_t)
+
+logging_search_logs(puppetca_t)
+
+miscfiles_read_localization(puppetca_t)
+miscfiles_read_generic_certs(puppetca_t)
+
+seutil_read_file_contexts(puppetca_t)
+
+optional_policy(`
+ hostname_exec(puppetca_t)
+')
+
+optional_policy(`
+ mta_sendmail_access_check(puppetca_t)
+')
+
+optional_policy(`
+ usermanage_access_check_passwd(puppetca_t)
+ usermanage_access_check_useradd(puppetca_t)
+')
+
+########################################
+#
+# Puppet master personal policy
#
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
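Review bot: `allow puppetca_t puppet_var_lib_t:dir list_dir_perms;` is redundant once `manage_dirs_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)` two lines below grants manage_dir_perms on the same type, and can be dropped. The `self:capability { dac_override setgid setuid }` grant at the top of the block carries no comment on why a CA helper needs to bypass DAC and change ids; a short note with the observed denial or the privilege-drop step would help future reviewers. The `# Maybe dontaudit this like we did with other puppet domains?` line is a question left in the policy; it should be resolved or rewritten as a TODO.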
@@ -171,29 +240,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
allow puppetmaster_t self:socket create;
allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
-allow puppetmaster_t self:udp_socket create_socket_perms;
list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
-allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
-allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+allow puppetmaster_t puppet_log_t:file relabel_file_perms;
manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
+allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;
setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
kernel_read_system_state(puppetmaster_t)
kernel_read_crypto_sysctls(puppetmaster_t)
+kernel_read_kernel_sysctls(puppetmaster_t)
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
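Review bot: `allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;` targets the client's `puppet_tmp_t`, while the manage patterns and filetrans immediately above it operate on `puppetmaster_tmp_t`; every other relabel rule added in this hunk names the same type as its adjacent manage rules, so this looks like it was meant to be `puppetmaster_tmp_t` unless the master really relabels agent tmp directories. If it is intentional, a one-line comment naming the operation that needs it would keep the exception from being "corrected" later. The puppetmaster_t block continues outside the hunk.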
@@ -206,21 +281,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t)
corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
+corenet_udp_bind_generic_node(puppetmaster_t)
+corenet_udp_bind_generic_port(puppetmaster_t)
+
dev_read_rand(puppetmaster_t)
dev_read_urand(puppetmaster_t)
+dev_search_sysfs(puppetmaster_t)
domain_read_all_domains_state(puppetmaster_t)
+domain_obj_id_change_exemption(puppetmaster_t)
+
+files_read_usr_files(puppetmaster_t)
-files_read_etc_files(puppetmaster_t)
-files_search_var_lib(puppetmaster_t)
+selinux_validate_context(puppetmaster_t)
+
+auth_use_nsswitch(puppetmaster_t)
logging_send_syslog_msg(puppetmaster_t)
miscfiles_read_localization(puppetmaster_t)
+miscfiles_read_generic_certs(puppetmaster_t)
+
+seutil_read_file_contexts(puppetmaster_t)
-sysnet_dns_name_resolve(puppetmaster_t)
sysnet_run_ifconfig(puppetmaster_t, system_r)
+mta_send_mail(puppetmaster_t)
+
+optional_policy(`
+ tunable_policy(`puppetmaster_use_db',`
+ mysql_stream_connect(puppetmaster_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`puppetmaster_use_db',`
+ postgresql_stream_connect(puppetmaster_t)
+ ')
+')
+
optional_policy(`
hostname_exec(puppetmaster_t)
')
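Review bot: `mta_send_mail(puppetmaster_t)` is added outside any `optional_policy` block, while the other cross-module calls in this hunk (`mysql_stream_connect`, `postgresql_stream_connect`, `hostname_exec`) are wrapped; unless mta is a hard dependency here, it should be wrapped in `optional_policy(` … ')` like the others. The comment above the udp bind rules misspells the daemon as `Puppermasterd` and says the rule "needs investigation" — worth turning into a TODO that records the denial which motivated it. `domain_obj_id_change_exemption(puppetmaster_t)` is a notable privilege and gets no comment either. The puppetmaster_t block continues outside the hunk.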
@@ -231,3 +331,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
+
+optional_policy(`
+ usermanage_access_check_groupadd(puppetmaster_t)
+ usermanage_access_check_passwd(puppetmaster_t)
+ usermanage_access_check_useradd(puppetmaster_t)
+')
diff --git a/policy/modules/services/pyicqt.te b/policy/modules/services/pyicqt.te
index a841221..b62a01f 100644
--- a/policy/modules/services/pyicqt.te
+++ b/policy/modules/services/pyicqt.te
@@ -13,7 +13,7 @@ type pyicqt_conf_t;
files_config_file(pyicqt_conf_t)
type pyicqt_spool_t;
-files_type(pyicqt_spool_t)
+files_spool_file(pyicqt_spool_t)
type pyicqt_var_run_t;
files_pid_file(pyicqt_var_run_t)
diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc
index d4a7750..705196e 100644
--- a/policy/modules/services/pyzor.fc
+++ b/policy/modules/services/pyzor.fc
@@ -1,6 +1,10 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
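Review bot: The new `HOME_DIR/\.spamd(/.*)?` and `/root/\.spamd(/.*)?` entries label spamassassin's per-user directory as `pyzor_home_t`; that is only coherent under `distro_redhat`, where pyzor.te in this same patch aliases `pyzor_home_t` to `spamc_home_t`, while on other distributions spamd's home content would end up with pyzor's type. A comment such as `# under distro_redhat pyzor_home_t is an alias of spamc_home_t` above these entries, or placing them in the spamassassin fc instead, would make the dependency explicit.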
diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if
index 494f7e2..aa3d0b4 100644
--- a/policy/modules/services/pyzor.if
+++ b/policy/modules/services/pyzor.if
@@ -14,6 +14,7 @@
## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`pyzor_role',`
gen_require(`
@@ -28,7 +29,7 @@ interface(`pyzor_role',`
# allow ps to show pyzor and allow the user to kill it
ps_process_pattern($2, pyzor_t)
- allow $2 pyzor_t:process signal;
+ allow $2 pyzor_t:process { ptrace signal_perms };
')
########################################
@@ -88,3 +89,47 @@ interface(`pyzor_exec',`
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an pyzor environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the pyzor domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pyzor_admin',`
+ gen_require(`
+ type pyzord_t, pyzor_tmp_t, pyzord_log_t;
+ type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
+ ')
+
+ allow $1 pyzord_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pyzord_t)
+
+ init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 pyzord_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, pyzor_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, pyzord_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, pyzor_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, pyzor_var_lib_t)
+')
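Review bot: The summary of the new `pyzor_admin` interface reads `an pyzor environment`; it should be `a pyzor environment`. The interface otherwise follows the same require/list/admin_pattern layout as `psad_admin` earlier in this patch, so only the wording needs attention.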
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index cd683f9..a272112 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -5,40 +5,62 @@ policy_module(pyzor, 2.1.0)
# Declarations
#
-type pyzor_t;
-type pyzor_exec_t;
-typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
-typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
-application_domain(pyzor_t, pyzor_exec_t)
-ubac_constrained(pyzor_t)
-role system_r types pyzor_t;
-
-type pyzor_etc_t;
-files_type(pyzor_etc_t)
-
-type pyzor_home_t;
-typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
-typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
-userdom_user_home_content(pyzor_home_t)
-
-type pyzor_tmp_t;
-typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
-typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
-files_tmp_file(pyzor_tmp_t)
-ubac_constrained(pyzor_tmp_t)
-
-type pyzor_var_lib_t;
-typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
-typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
-files_type(pyzor_var_lib_t)
-ubac_constrained(pyzor_var_lib_t)
-
-type pyzord_t;
-type pyzord_exec_t;
-init_daemon_domain(pyzord_t, pyzord_exec_t)
-
-type pyzord_log_t;
-logging_log_file(pyzord_log_t)
+ifdef(`distro_redhat',`
+ gen_require(`
+ type spamc_t, spamc_exec_t, spamd_t;
+ type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t;
+ type spamd_log_t, spamd_var_lib_t, spamd_etc_t;
+ type spamc_tmp_t, spamc_home_t;
+ ')
+
+ typealias spamc_t alias pyzor_t;
+ typealias spamc_exec_t alias pyzor_exec_t;
+ typealias spamd_t alias pyzord_t;
+ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
+ typealias spamd_exec_t alias pyzord_exec_t;
+ typealias spamc_tmp_t alias pyzor_tmp_t;
+ typealias spamd_log_t alias pyzor_log_t;
+ typealias spamd_log_t alias pyzord_log_t;
+ typealias spamd_var_lib_t alias pyzor_var_lib_t;
+ typealias spamd_etc_t alias pyzor_etc_t;
+ typealias spamc_home_t alias pyzor_home_t;
+ typealias spamc_home_t alias user_pyzor_home_t;
+',`
+ type pyzor_t;
+ type pyzor_exec_t;
+ typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
+ typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
+ application_domain(pyzor_t, pyzor_exec_t)
+ ubac_constrained(pyzor_t)
+ role system_r types pyzor_t;
+
+ type pyzor_etc_t;
+ files_config_file(pyzor_etc_t)
+
+ type pyzor_home_t;
+ typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
+ typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
+ userdom_user_home_content(pyzor_home_t)
+
+ type pyzor_tmp_t;
+ typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
+ typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
+ files_tmp_file(pyzor_tmp_t)
+ ubac_constrained(pyzor_tmp_t)
+
+ type pyzor_var_lib_t;
+ typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
+ typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
+ files_type(pyzor_var_lib_t)
+ ubac_constrained(pyzor_var_lib_t)
+
+ type pyzord_t;
+ type pyzord_exec_t;
+ init_daemon_domain(pyzord_t, pyzord_exec_t)
+
+ type pyzord_log_t;
+ logging_log_file(pyzord_log_t)
+')
########################################
#
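Review bot: `spamc_tmp_t` is listed twice in the `gen_require` of the new `distro_redhat` branch (on the second and fourth `type` lines); the duplicate should be dropped. This branch also makes the pyzor module depend unconditionally on the spamassassin types on Red Hat builds, since `typealias` cannot live inside `optional_policy`; a comment above the `ifdef` stating that spamassassin is now a hard dependency of pyzor under distro_redhat would document that trade-off.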
@@ -76,12 +98,16 @@ corenet_tcp_connect_http_port(pyzor_t)
dev_read_urand(pyzor_t)
+fs_getattr_xattr_fs(pyzor_t)
+
files_read_etc_files(pyzor_t)
auth_use_nsswitch(pyzor_t)
miscfiles_read_localization(pyzor_t)
+mta_read_queue(pyzor_t)
+
userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
@@ -111,8 +137,8 @@ allow pyzord_t pyzor_etc_t:dir list_dir_perms;
can_exec(pyzord_t, pyzor_exec_t)
manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
-allow pyzord_t pyzord_log_t:dir setattr;
-logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir } )
+allow pyzord_t pyzord_log_t:dir setattr_dir_perms;
+logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir })
kernel_read_kernel_sysctls(pyzord_t)
kernel_read_system_state(pyzord_t)
diff --git a/policy/modules/services/qmail.fc b/policy/modules/services/qmail.fc
index 0055e54..f988f51 100644
--- a/policy/modules/services/qmail.fc
+++ b/policy/modules/services/qmail.fc
@@ -17,6 +17,7 @@
/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+/var/qmail/owners(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
index a55bf44..c6dee66 100644
--- a/policy/modules/services/qmail.if
+++ b/policy/modules/services/qmail.if
@@ -62,14 +62,13 @@ interface(`qmail_domtrans_inject',`
type qmail_inject_t, qmail_inject_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
ifdef(`distro_debian',`
files_search_usr($1)
- corecmd_search_bin($1)
',`
files_search_var($1)
- corecmd_search_bin($1)
')
')
@@ -88,14 +87,13 @@ interface(`qmail_domtrans_queue',`
type qmail_queue_t, qmail_queue_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
ifdef(`distro_debian',`
files_search_usr($1)
- corecmd_search_bin($1)
',`
files_search_var($1)
- corecmd_search_bin($1)
')
')
@@ -149,3 +147,59 @@ interface(`qmail_smtpd_service_domain',`
domtrans_pattern(qmail_smtpd_t, $2, $1)
')
+
+########################################
+## <summary>
+## Create, read, write, and delete qmail
+## spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qmail_manage_spool_dirs',`
+ gen_require(`
+ type qmail_spool_t;
+ ')
+
+ manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete qmail
+## spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qmail_manage_spool_files',`
+ gen_require(`
+ type qmail_spool_t;
+ ')
+
+ manage_files_pattern($1, qmail_spool_t, qmail_spool_t)
+')
+
+########################################
+## <summary>
+## Read and write to qmail spool pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`qmail_rw_spool_pipes',`
+ gen_require(`
+ type qmail_spool_t;
+ ')
+
+ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
+')
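Review bot: The parameter documentation of `qmail_rw_spool_pipes` says `Domain to not audit.` while the interface emits an `allow` rule rather than a `dontaudit`; the summary should read `## Domain allowed access.` as in the two interfaces added just above it. Separately, neither `qmail_manage_spool_dirs` nor `qmail_manage_spool_files` calls `files_search_spool($1)`, so a caller that has not otherwise been granted search on /var/spool may still be denied at the parent directory; whether that matters depends on the callers, which are not in this hunk.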
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
index 355b2a2..88e6f40 100644
--- a/policy/modules/services/qmail.te
+++ b/policy/modules/services/qmail.te
@@ -47,7 +47,7 @@ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
qmail_child_domain_template(qmail_splogger, qmail_start_t)
type qmail_spool_t;
-files_type(qmail_spool_t)
+files_spool_file(qmail_spool_t)
type qmail_start_t;
type qmail_start_exec_t;
@@ -60,7 +60,7 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
########################################
#
# qmail-clean local policy
-# this component cleans up the queue directory
+# this component cleans up the queue directory
#
read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
@@ -69,11 +69,11 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
########################################
#
# qmail-inject local policy
-# this component preprocesses mail from stdin and invokes qmail-queue
+# this component preprocesses mail from stdin and invokes qmail-queue
#
-allow qmail_inject_t self:fifo_file write_fifo_file_perms;
allow qmail_inject_t self:process signal_perms;
+allow qmail_inject_t self:fifo_file write_fifo_file_perms;
allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
@@ -88,11 +88,11 @@ qmail_read_config(qmail_inject_t)
########################################
#
# qmail-local local policy
-# this component delivers a mail message
+# this component delivers a mail message
#
-allow qmail_local_t self:fifo_file write_file_perms;
allow qmail_local_t self:process signal_perms;
+allow qmail_local_t self:fifo_file write_file_perms;
allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
@@ -121,13 +121,17 @@ mta_append_spool(qmail_local_t)
qmail_domtrans_queue(qmail_local_t)
optional_policy(`
+ uucp_domtrans(qmail_local_t)
+')
+
+optional_policy(`
spamassassin_domtrans_client(qmail_local_t)
')
########################################
#
# qmail-lspawn local policy
-# this component schedules local deliveries
+# this component schedules local deliveries
#
allow qmail_lspawn_t self:capability { setuid setgid };
@@ -150,15 +154,15 @@ files_search_tmp(qmail_lspawn_t)
########################################
#
# qmail-queue local policy
-# this component places a mail in a delivery queue, later to be processed by qmail-send
+# this component places a mail in a delivery queue, later to be processed by qmail-send
#
allow qmail_queue_t qmail_lspawn_t:fd use;
allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
+allow qmail_queue_t qmail_smtpd_t:process sigchld;
allow qmail_queue_t qmail_smtpd_t:fd use;
allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
-allow qmail_queue_t qmail_smtpd_t:process sigchld;
manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
@@ -175,7 +179,7 @@ optional_policy(`
########################################
#
# qmail-remote local policy
-# this component sends mail via SMTP
+# this component sends mail via SMTP
#
allow qmail_remote_t self:tcp_socket create_socket_perms;
@@ -202,7 +206,7 @@ sysnet_read_config(qmail_remote_t)
########################################
#
# qmail-rspawn local policy
-# this component scedules remote deliveries
+# this component scedules remote deliveries
#
allow qmail_rspawn_t self:process signal_perms;
@@ -217,7 +221,7 @@ corecmd_search_bin(qmail_rspawn_t)
########################################
#
# qmail-send local policy
-# this component delivers mail messages from the queue
+# this component delivers mail messages from the queue
#
allow qmail_send_t self:process signal_perms;
@@ -236,7 +240,7 @@ optional_policy(`
########################################
#
# qmail-smtpd local policy
-# this component receives mails via SMTP
+# this component receives mails via SMTP
#
allow qmail_smtpd_t self:process signal_perms;
@@ -265,7 +269,7 @@ optional_policy(`
########################################
#
# splogger local policy
-# this component creates entries in syslog
+# this component creates entries in syslog
#
allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
@@ -279,13 +283,13 @@ miscfiles_read_localization(qmail_splogger_t)
########################################
#
# qmail-start local policy
-# this component starts up the mail delivery component
+# this component starts up the mail delivery component
#
allow qmail_start_t self:capability { setgid setuid };
dontaudit qmail_start_t self:capability sys_tty_config;
-allow qmail_start_t self:fifo_file rw_fifo_file_perms;
allow qmail_start_t self:process signal_perms;
+allow qmail_start_t self:fifo_file rw_fifo_file_perms;
can_exec(qmail_start_t, qmail_start_exec_t)
@@ -303,7 +307,7 @@ optional_policy(`
########################################
#
# tcp-env local policy
-# this component sets up TCP-related environment variables
+# this component sets up TCP-related environment variables
#
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
diff --git a/policy/modules/services/qpid.fc b/policy/modules/services/qpid.fc
index 4f94229..f3b89e4 100644
--- a/policy/modules/services/qpid.fc
+++ b/policy/modules/services/qpid.fc
@@ -1,6 +1,7 @@
-/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
-/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
+/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
+
+/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0)
diff --git a/policy/modules/services/qpid.if b/policy/modules/services/qpid.if
index 5a9630c..c403abc 100644
--- a/policy/modules/services/qpid.if
+++ b/policy/modules/services/qpid.if
@@ -1,4 +1,4 @@
-## <summary>Apache QPID AMQP messaging server.</summary>
+## <summary>policy for qpidd</summary>
########################################
## <summary>
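Review bot: The module summary is changed from `Apache QPID AMQP messaging server.` to `policy for qpidd`, which is less informative and does not match the module-summary style used elsewhere in the tree, where the summary describes the software rather than the policy. Keep the original line, `## <summary>Apache QPID AMQP messaging server.</summary>`.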
@@ -18,9 +18,9 @@ interface(`qpidd_domtrans',`
domtrans_pattern($1, qpidd_exec_t, qpidd_t)
')
-#####################################
+########################################
## <summary>
-## Allow read and write access to qpidd semaphores.
+## Execute qpidd server in the qpidd domain.
## </summary>
## <param name="domain">
## <summary>
@@ -28,17 +28,17 @@ interface(`qpidd_domtrans',`
## </summary>
## </param>
#
-interface(`qpidd_rw_semaphores',`
+interface(`qpidd_initrc_domtrans',`
gen_require(`
- type qpidd_t;
+ type qpidd_initrc_exec_t;
')
- allow $1 qpidd_t:sem rw_sem_perms;
+ init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
')
########################################
## <summary>
-## Read and write to qpidd shared memory.
+## Read qpidd PID files.
## </summary>
## <param name="domain">
## <summary>
@@ -46,17 +46,18 @@ interface(`qpidd_rw_semaphores',`
## </summary>
## </param>
#
-interface(`qpidd_rw_shm',`
+interface(`qpidd_read_pid_files',`
gen_require(`
- type qpidd_t;
+ type qpidd_var_run_t;
')
- allow $1 qpidd_t:shm rw_shm_perms;
+ files_search_pids($1)
+ allow $1 qpidd_var_run_t:file read_file_perms;
')
########################################
## <summary>
-## Execute qpidd server in the qpidd domain.
+## Manage qpidd var_run files.
## </summary>
## <param name="domain">
## <summary>
@@ -64,17 +65,20 @@ interface(`qpidd_rw_shm',`
## </summary>
## </param>
#
-interface(`qpidd_initrc_domtrans',`
+interface(`qpidd_manage_var_run',`
gen_require(`
- type qpidd_initrc_exec_t;
+ type qpidd_var_run_t;
')
- init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
+ files_search_pids($1)
+ manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+ manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+ manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
')
########################################
## <summary>
-## Read qpidd PID files.
+## Search qpidd lib directories.
## </summary>
## <param name="domain">
## <summary>
@@ -82,18 +86,18 @@ interface(`qpidd_initrc_domtrans',`
## </summary>
## </param>
#
-interface(`qpidd_read_pid_files',`
+interface(`qpidd_search_lib',`
gen_require(`
- type qpidd_var_run_t;
+ type qpidd_var_lib_t;
')
- files_search_pids($1)
- allow $1 qpidd_var_run_t:file read_file_perms;
+ allow $1 qpidd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
## <summary>
-## Search qpidd lib directories.
+## Read qpidd lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -101,18 +105,19 @@ interface(`qpidd_read_pid_files',`
## </summary>
## </param>
#
-interface(`qpidd_search_lib',`
+interface(`qpidd_read_lib_files',`
gen_require(`
type qpidd_var_lib_t;
')
- allow $1 qpidd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
+ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
########################################
## <summary>
-## Read qpidd lib files.
+## Create, read, write, and delete
+## qpidd lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -120,19 +125,18 @@ interface(`qpidd_search_lib',`
## </summary>
## </param>
#
-interface(`qpidd_read_lib_files',`
+interface(`qpidd_manage_lib_files',`
gen_require(`
type qpidd_var_lib_t;
')
files_search_var_lib($1)
- read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## qpidd lib files.
+## Manage qpidd var_lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -140,13 +144,15 @@ interface(`qpidd_read_lib_files',`
## </summary>
## </param>
#
-interface(`qpidd_manage_lib_files',`
+interface(`qpidd_manage_var_lib',`
gen_require(`
type qpidd_var_lib_t;
')
files_search_var_lib($1)
+ manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+ manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
########################################
@@ -180,7 +186,43 @@ interface(`qpidd_admin',`
role_transition $2 qpidd_initrc_exec_t system_r;
allow $2 system_r;
- admin_pattern($1, qpidd_var_lib_t)
+ qpidd_manage_var_run($1)
+
+ qpidd_manage_var_lib($1)
+')
- admin_pattern($1, qpidd_var_run_t)
+#####################################
+## <summary>
+## Allow read and write access to qpidd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_rw_semaphores',`
+ gen_require(`
+ type qpidd_t;
+ ')
+
+ allow $1 qpidd_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Read and write to qpidd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_rw_shm',`
+ gen_require(`
+ type qpidd_t;
+ ')
+
+ allow $1 qpidd_t:shm rw_shm_perms;
')
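Review bot: In `qpidd_admin` the two `admin_pattern($1, ...)` calls are replaced with `qpidd_manage_var_run($1)` and `qpidd_manage_var_lib($1)`, which grant manage permissions on dirs, files and symlinks only; as far as I recall `admin_pattern` also grants relabel permissions and manage on fifo and sock files, so an admin role built from this interface would lose the ability to restorecon qpidd's lib and pid directories. If that narrowing is intended it is a behaviour change worth a sentence in the commit message; otherwise keep `admin_pattern($1, qpidd_var_lib_t)` and `admin_pattern($1, qpidd_var_run_t)` alongside the new calls. The re-added `qpidd_rw_semaphores` and `qpidd_rw_shm` are unchanged in content from the versions removed earlier in this file.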
diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te
index cb7ecb5..3df1532 100644
--- a/policy/modules/services/qpid.te
+++ b/policy/modules/services/qpid.te
@@ -12,12 +12,12 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
type qpidd_initrc_exec_t;
init_script_file(qpidd_initrc_exec_t)
-type qpidd_var_lib_t;
-files_type(qpidd_var_lib_t)
-
type qpidd_var_run_t;
files_pid_file(qpidd_var_run_t)
+type qpidd_var_lib_t;
+files_type(qpidd_var_lib_t)
+
########################################
#
# qpidd local policy
@@ -30,27 +30,30 @@ allow qpidd_t self:shm create_shm_perms;
allow qpidd_t self:tcp_socket create_stream_socket_perms;
allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
-manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
-manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
-manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
-manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
kernel_read_system_state(qpidd_t)
corenet_all_recvfrom_unlabeled(qpidd_t)
corenet_all_recvfrom_netlabel(qpidd_t)
+corenet_tcp_bind_generic_node(qpidd_t)
corenet_tcp_sendrecv_generic_if(qpidd_t)
corenet_tcp_sendrecv_generic_node(qpidd_t)
corenet_tcp_sendrecv_all_ports(qpidd_t)
-corenet_tcp_bind_generic_node(qpidd_t)
corenet_tcp_bind_amqp_port(qpidd_t)
+corenet_tcp_bind_matahari_port(qpidd_t)
+dev_read_sysfs(qpidd_t)
dev_read_urand(qpidd_t)
files_read_etc_files(qpidd_t)
+files_read_usr_files(qpidd_t)
logging_send_syslog_msg(qpidd_t)
@@ -61,3 +64,8 @@ sysnet_dns_name_resolve(qpidd_t)
optional_policy(`
corosync_stream_connect(qpidd_t)
')
+
+optional_policy(`
+ matahari_manage_lib_files(qpidd_t)
+ matahari_manage_pid_files(qpidd_t)
+')
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index b1ed1bf..124971d 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -62,6 +62,7 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
+files_dontaudit_list_tmp(radiusd_t)
kernel_read_kernel_sysctls(radiusd_t)
kernel_read_system_state(radiusd_t)
@@ -77,6 +78,7 @@ corenet_udp_sendrecv_all_ports(radiusd_t)
corenet_udp_bind_generic_node(radiusd_t)
corenet_udp_bind_radacct_port(radiusd_t)
corenet_udp_bind_radius_port(radiusd_t)
+corenet_tcp_connect_postgresql_port(radiusd_t)
corenet_tcp_connect_mysqld_port(radiusd_t)
corenet_tcp_connect_snmp_port(radiusd_t)
corenet_sendrecv_radius_server_packets(radiusd_t)
diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if
index be05bff..2bd662a 100644
--- a/policy/modules/services/radvd.if
+++ b/policy/modules/services/radvd.if
@@ -19,8 +19,8 @@
#
interface(`radvd_admin',`
gen_require(`
- type radvd_t, radvd_etc_t;
- type radvd_var_run_t, radvd_initrc_exec_t;
+ type radvd_t, radvd_etc_t, radvd_initrc_exec_t;
+ type radvd_var_run_t;
')
allow $1 radvd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc
index 1efba0c..71d657c 100644
--- a/policy/modules/services/razor.fc
+++ b/policy/modules/services/razor.fc
@@ -1,3 +1,4 @@
+/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
index f04a595..3203212 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -26,6 +26,7 @@ template(`razor_common_domain_template',`
gen_require(`
type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
')
+
type $1_t;
domain_type($1_t)
domain_entry_file($1_t, razor_exec_t)
@@ -46,7 +47,7 @@ template(`razor_common_domain_template',`
# Read system config file
allow $1_t razor_etc_t:dir list_dir_perms;
allow $1_t razor_etc_t:file read_file_perms;
- allow $1_t razor_etc_t:lnk_file { getattr read };
+ allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
manage_files_pattern($1_t, razor_log_t, razor_log_t)
@@ -117,6 +118,7 @@ template(`razor_common_domain_template',`
## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`razor_role',`
gen_require(`
@@ -130,7 +132,7 @@ interface(`razor_role',`
# allow ps to show razor and allow the user to kill it
ps_process_pattern($2, razor_t)
- allow $2 razor_t:process signal;
+ allow $2 razor_t:process { ptrace signal_perms };
manage_dirs_pattern($2, razor_home_t, razor_home_t)
manage_files_pattern($2, razor_home_t, razor_home_t)
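Review bot: `allow $2 razor_t:process { ptrace signal_perms };` gives the user role ptrace on razor_t, which is considerably broader than the `signal` the rule previously granted and than the comment above it (`allow ps to show razor and allow the user to kill it`) describes. If ptrace is wanted so users can debug their own razor agent, update the comment to say so; if only the additional signals were needed, `signal_perms` alone matches the comment. Reading razor_t's /proc state should already be covered by the `ps_process_pattern` call on the preceding line.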
@@ -157,3 +159,43 @@ interface(`razor_domtrans',`
domtrans_pattern($1, razor_exec_t, razor_t)
')
+
+########################################
+## <summary>
+## Create, read, write, and delete razor files
+## in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`razor_manage_user_home_files',`
+ gen_require(`
+ type razor_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, razor_home_t, razor_home_t)
+ read_lnk_files_pattern($1, razor_home_t, razor_home_t)
+')
+
+########################################
+## <summary>
+## read razor lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`razor_read_lib_files',`
+ gen_require(`
+ type razor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+')
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index 852840b..cc1775e 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
@@ -5,118 +5,135 @@ policy_module(razor, 2.2.0)
# Declarations
#
-type razor_exec_t;
-corecmd_executable_file(razor_exec_t)
+ifdef(`distro_redhat',`
+ gen_require(`
+ type spamc_t, spamc_exec_t, spamd_log_t;
+ type spamd_spool_t, spamd_var_lib_t, spamd_etc_t;
+ type spamc_home_t, spamc_tmp_t;
+ ')
+
+ typealias spamc_t alias razor_t;
+ typealias spamc_exec_t alias razor_exec_t;
+ typealias spamd_log_t alias razor_log_t;
+ typealias spamd_var_lib_t alias razor_var_lib_t;
+ typealias spamd_etc_t alias razor_etc_t;
+ typealias spamc_home_t alias razor_home_t;
+ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+',`
+ type razor_exec_t;
+ corecmd_executable_file(razor_exec_t)
+
+ type razor_etc_t;
+ files_config_file(razor_etc_t)
+
+ type razor_home_t;
+ typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+ typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+ userdom_user_home_content(razor_home_t)
+
+ type razor_log_t;
+ logging_log_file(razor_log_t)
+
+ type razor_tmp_t;
+ typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+ typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+ files_tmp_file(razor_tmp_t)
+ ubac_constrained(razor_tmp_t)
+
+ type razor_var_lib_t;
+ files_type(razor_var_lib_t)
+
+ # these are here due to ordering issues:
+ razor_common_domain_template(razor)
+ typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
+ typealias razor_t alias { auditadm_razor_t secadm_razor_t };
+ ubac_constrained(razor_t)
+
+ razor_common_domain_template(system_razor)
+ role system_r types system_razor_t;
+
+ ########################################
+ #
+ # System razor local policy
+ #
+
+ # this version of razor is invoked typically
+ # via the system spam filter
+
+ allow system_razor_t self:tcp_socket create_socket_perms;
+
+ manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+ files_search_etc(system_razor_t)
+
+ allow system_razor_t razor_log_t:file manage_file_perms;
+ logging_log_filetrans(system_razor_t, razor_log_t, file)
+
+ manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+ files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
+
+ corenet_all_recvfrom_unlabeled(system_razor_t)
+ corenet_all_recvfrom_netlabel(system_razor_t)
+ corenet_tcp_sendrecv_generic_if(system_razor_t)
+ corenet_raw_sendrecv_generic_if(system_razor_t)
+ corenet_tcp_sendrecv_generic_node(system_razor_t)
+ corenet_raw_sendrecv_generic_node(system_razor_t)
+ corenet_tcp_sendrecv_razor_port(system_razor_t)
+ corenet_tcp_connect_razor_port(system_razor_t)
+ corenet_sendrecv_razor_client_packets(system_razor_t)
+
+ auth_use_nsswitch(system_razor_t)
+
+ # cjp: this shouldn't be needed
+ userdom_use_unpriv_users_fds(system_razor_t)
+
+ optional_policy(`
+ logging_send_syslog_msg(system_razor_t)
+ ')
+
+ ########################################
+ #
+ # User razor local policy
+ #
+
+ # Allow razor to be run by hand. Needed by any action other than
+ # invocation from a spam filter.
+
+ allow razor_t self:unix_stream_socket create_stream_socket_perms;
+
+ manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
+ manage_files_pattern(razor_t, razor_home_t, razor_home_t)
+ manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
+ userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
+
+ manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+ manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+ files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+
+ auth_use_nsswitch(razor_t)
+
+ logging_send_syslog_msg(razor_t)
+
+ userdom_search_user_home_dirs(razor_t)
+ userdom_use_inherited_user_terminals(razor_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(razor_t)
+ fs_manage_nfs_files(razor_t)
+ fs_manage_nfs_symlinks(razor_t)
+ ')
-type razor_etc_t;
-files_config_file(razor_etc_t)
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(razor_t)
+ fs_manage_cifs_files(razor_t)
+ fs_manage_cifs_symlinks(razor_t)
+ ')
-type razor_home_t;
-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-userdom_user_home_content(razor_home_t)
-
-type razor_log_t;
-logging_log_file(razor_log_t)
-
-type razor_tmp_t;
-typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
-typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-files_tmp_file(razor_tmp_t)
-ubac_constrained(razor_tmp_t)
-
-type razor_var_lib_t;
-files_type(razor_var_lib_t)
-
-# these are here due to ordering issues:
-razor_common_domain_template(razor)
-typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
-typealias razor_t alias { auditadm_razor_t secadm_razor_t };
-ubac_constrained(razor_t)
-
-razor_common_domain_template(system_razor)
-role system_r types system_razor_t;
-
-########################################
-#
-# System razor local policy
-#
-
-# this version of razor is invoked typically
-# via the system spam filter
-
-allow system_razor_t self:tcp_socket create_socket_perms;
-
-manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-files_search_etc(system_razor_t)
-
-allow system_razor_t razor_log_t:file manage_file_perms;
-logging_log_filetrans(system_razor_t, razor_log_t, file)
-
-manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
-
-corenet_all_recvfrom_unlabeled(system_razor_t)
-corenet_all_recvfrom_netlabel(system_razor_t)
-corenet_tcp_sendrecv_generic_if(system_razor_t)
-corenet_raw_sendrecv_generic_if(system_razor_t)
-corenet_tcp_sendrecv_generic_node(system_razor_t)
-corenet_raw_sendrecv_generic_node(system_razor_t)
-corenet_tcp_sendrecv_razor_port(system_razor_t)
-corenet_tcp_connect_razor_port(system_razor_t)
-corenet_sendrecv_razor_client_packets(system_razor_t)
-
-sysnet_read_config(system_razor_t)
-
-# cjp: this shouldn't be needed
-userdom_use_unpriv_users_fds(system_razor_t)
-
-optional_policy(`
- logging_send_syslog_msg(system_razor_t)
-')
-
-optional_policy(`
- nscd_socket_use(system_razor_t)
-')
-
-########################################
-#
-# User razor local policy
-#
-
-# Allow razor to be run by hand. Needed by any action other than
-# invocation from a spam filter.
-
-allow razor_t self:unix_stream_socket create_stream_socket_perms;
-
-manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
-manage_files_pattern(razor_t, razor_home_t, razor_home_t)
-manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
-userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
-
-manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
-
-logging_send_syslog_msg(razor_t)
-
-userdom_search_user_home_dirs(razor_t)
-userdom_use_user_terminals(razor_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(razor_t)
- fs_manage_nfs_files(razor_t)
- fs_manage_nfs_symlinks(razor_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(razor_t)
- fs_manage_cifs_files(razor_t)
- fs_manage_cifs_symlinks(razor_t)
-')
-
-optional_policy(`
- nscd_socket_use(razor_t)
+ optional_policy(`
+ milter_manage_spamass_state(razor_t)
+ ')
')
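Review bot: In the `distro_redhat` branch `razor_tmp_t` itself is never aliased — only the per-role names `user_razor_tmp_t`, `staff_razor_tmp_t`, `sysadm_razor_tmp_t`, `auditadm_razor_tmp_t` and `secadm_razor_tmp_t` become aliases of spamc_tmp_t — whereas `razor_etc_t`, `razor_log_t`, `razor_var_lib_t` and `razor_home_t` are all aliased, and the pyzor module in this same patch does carry `typealias spamc_tmp_t alias pyzor_tmp_t;`. Any interface or module that requires `type razor_tmp_t` will then fail to link on Red Hat builds; add `typealias spamc_tmp_t alias razor_tmp_t;` next to the home alias. Separately, the non-Red Hat branch drops `sysnet_read_config(system_razor_t)` and both `nscd_socket_use` calls, which appear to be subsumed by the new `auth_use_nsswitch` calls; a short comment saying so would save the next reader from checking.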
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
index 0a76027..adc198d 100644
--- a/policy/modules/services/remotelogin.te
+++ b/policy/modules/services/remotelogin.te
@@ -10,9 +10,6 @@ domain_interactive_fd(remote_login_t)
auth_login_pgm_domain(remote_login_t)
auth_login_entry_type(remote_login_t)
-type remote_login_tmp_t;
-files_tmp_file(remote_login_tmp_t)
-
########################################
#
# Remote login remote policy
@@ -34,10 +31,6 @@ allow remote_login_t self:msgq create_msgq_perms;
allow remote_login_t self:msg { send receive };
allow remote_login_t self:key write;
-manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
-manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
-
kernel_read_system_state(remote_login_t)
kernel_read_kernel_sysctls(remote_login_t)
@@ -49,6 +42,8 @@ fs_getattr_xattr_fs(remote_login_t)
fs_search_auto_mountpoints(remote_login_t)
term_relabel_all_ptys(remote_login_t)
+term_use_all_ptys(remote_login_t)
+term_setattr_all_ptys(remote_login_t)
auth_rw_login_records(remote_login_t)
auth_rw_faillog(remote_login_t)
@@ -77,7 +72,7 @@ files_list_mnt(remote_login_t)
# for when /var/mail is a sym-link
files_read_var_symlinks(remote_login_t)
-sysnet_dns_name_resolve(remote_login_t)
+auth_use_nsswitch(remote_login_t)
miscfiles_read_localization(remote_login_t)
@@ -87,9 +82,11 @@ userdom_search_user_home_content(remote_login_t)
# since very weak authentication is used.
userdom_signal_unpriv_users(remote_login_t)
userdom_spec_domtrans_unpriv_users(remote_login_t)
+userdom_use_user_ptys(remote_login_t)
-# Search for mail spool file.
-mta_getattr_spool(remote_login_t)
+userdom_manage_user_tmp_dirs(remote_login_t)
+userdom_manage_user_tmp_files(remote_login_t)
+userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(remote_login_t)
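Review bot: Replacing the private `remote_login_tmp_t` with `userdom_manage_user_tmp_files`/`userdom_tmp_filetrans_user_tmp` means the files remote_login_t creates in /tmp are now labeled user_tmp_t and shared with every user domain that manages that type, instead of a type only this login program touched. That is reasonable if the files are created for the user session that follows (which the nearby `userdom_spec_domtrans_unpriv_users` suggests), but it is a widening, and since the first hunk of this file also removes the `remote_login_tmp_t` declaration, any other module that requires it will stop building. A one-line comment such as `# tmp files are handed to the user session, so use the user tmp type` would record the intent.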
@@ -106,15 +103,15 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(remote_login_t)
+ # Search for mail spool file.
+ mta_getattr_spool(remote_login_t)
')
optional_policy(`
- nscd_socket_use(remote_login_t)
+ telnet_use_ptys(remote_login_t)
')
optional_policy(`
- unconfined_domain(remote_login_t)
unconfined_shell_domtrans(remote_login_t)
')
diff --git a/policy/modules/services/resmgr.if b/policy/modules/services/resmgr.if
index d457736..eabdd78 100644
--- a/policy/modules/services/resmgr.if
+++ b/policy/modules/services/resmgr.if
@@ -16,7 +16,6 @@ interface(`resmgr_stream_connect',`
type resmgrd_var_run_t, resmgrd_t;
')
- allow $1 resmgrd_t:unix_stream_socket connectto;
- allow $1 resmgrd_var_run_t:sock_file { getattr write };
files_search_pids($1)
+ stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t)
')
diff --git a/policy/modules/services/rgmanager.fc b/policy/modules/services/rgmanager.fc
index 3c97ef0..c025d59 100644
--- a/policy/modules/services/rgmanager.fc
+++ b/policy/modules/services/rgmanager.fc
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+
/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if
index 7dc38d1..9c2c963 100644
--- a/policy/modules/services/rgmanager.if
+++ b/policy/modules/services/rgmanager.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run rgmanager.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`rgmanager_domtrans',`
@@ -75,3 +75,64 @@ interface(`rgmanager_manage_tmpfs_files',`
fs_search_tmpfs($1)
manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
')
+
+#######################################
+## <summary>
+## Allow read and write access to rgmanager semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_rw_semaphores',`
+ gen_require(`
+ type rgmanager_t;
+ ')
+
+ allow $1 rgmanager_t:sem rw_sem_perms;
+')
+
+######################################
+## <summary>
+## All of the rules required to administrate
+## an rgmanager environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the rgmanager domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rgmanager_admin',`
+ gen_require(`
+ type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t;
+ type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
+ ')
+
+ allow $1 rgmanager_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rgmanager_t)
+
+ init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 rgmanager_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, rgmanager_tmp_t)
+
+ admin_pattern($1, rgmanager_tmpfs_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, rgmanager_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, rgmanager_var_run_t)
+')
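Review bot: In `rgmanager_admin`, `admin_pattern($1, rgmanager_tmpfs_t)` is the only resource not preceded by a matching search or list call; the tmp, log and pid entries each get `files_list_tmp`, `logging_list_logs` and `files_list_pids`. Adding `fs_search_tmpfs($1)` directly above it keeps the pairs consistent and lets the admin domain actually reach the tmpfs files. The `ptrace` grant on rgmanager_t mirrors the other admin interfaces in this patch, so that part is consistent rather than new.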
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
index 00fa514..bac3e66 100644
--- a/policy/modules/services/rgmanager.te
+++ b/policy/modules/services/rgmanager.te
@@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0)
#
## <desc>
-## <p>
-## Allow rgmanager domain to connect to the network using TCP.
-## </p>
+## <p>
+## Allow rgmanager domain to connect to the network using TCP.
+## </p>
## </desc>
gen_tunable(rgmanager_can_network_connect, false)
type rgmanager_t;
type rgmanager_exec_t;
-domain_type(rgmanager_t)
init_daemon_domain(rgmanager_t, rgmanager_exec_t)
+type rgmanager_initrc_exec_t;
+init_script_file(rgmanager_initrc_exec_t)
+
type rgmanager_tmp_t;
files_tmp_file(rgmanager_tmp_t)
@@ -37,7 +39,7 @@ files_pid_file(rgmanager_var_run_t)
allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
dontaudit rgmanager_t self:capability { sys_ptrace };
allow rgmanager_t self:process { setsched signal };
-dontaudit rgmanager_t self:process { ptrace };
+dontaudit rgmanager_t self:process ptrace;
allow rgmanager_t self:fifo_file rw_fifo_file_perms;
allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
@@ -55,11 +57,14 @@ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
+manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
-files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
+files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir })
+kernel_kill(rgmanager_t)
kernel_read_kernel_sysctls(rgmanager_t)
+kernel_read_rpc_sysctls(rgmanager_t)
kernel_read_system_state(rgmanager_t)
kernel_rw_rpc_sysctls(rgmanager_t)
kernel_search_debugfs(rgmanager_t)
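Review bot: `kernel_read_rpc_sysctls(rgmanager_t)` is added directly above the existing `kernel_rw_rpc_sysctls(rgmanager_t)`; if the rw interface is built on `rw_files_pattern` as in refpolicy, read access is already implied and the new line is redundant. `kernel_kill(rgmanager_t)` is a new grant with no comment, while the other unusual grants in this file carry a `# needed by ...` line; a one-line rationale such as `# kernel_kill: signals kernel threads -- confirm which resource agent needs it` would match that style.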
@@ -67,7 +72,6 @@ kernel_search_network_state(rgmanager_t)
corecmd_exec_bin(rgmanager_t)
corecmd_exec_shell(rgmanager_t)
-consoletype_exec(rgmanager_t)
# need to write to /dev/misc/dlm-control
dev_rw_dlm_control(rgmanager_t)
@@ -78,29 +82,35 @@ domain_read_all_domains_state(rgmanager_t)
domain_getattr_all_domains(rgmanager_t)
domain_dontaudit_ptrace_all_domains(rgmanager_t)
-files_list_all(rgmanager_t)
+files_create_var_run_dirs(rgmanager_t)
files_getattr_all_symlinks(rgmanager_t)
+files_list_all(rgmanager_t)
files_manage_mnt_dirs(rgmanager_t)
+files_manage_mnt_files(rgmanager_t)
+files_manage_mnt_symlinks(rgmanager_t)
+files_manage_isid_type_files(rgmanager_t)
files_manage_isid_type_dirs(rgmanager_t)
fs_getattr_xattr_fs(rgmanager_t)
fs_getattr_all_fs(rgmanager_t)
+storage_raw_read_fixed_disk(rgmanager_t)
storage_getattr_fixed_disk_dev(rgmanager_t)
term_getattr_pty_fs(rgmanager_t)
-#term_use_ptmx(rgmanager_t)
# needed by resources scripts
-auth_read_all_files_except_shadow(rgmanager_t)
+files_read_non_security_files(rgmanager_t)
auth_dontaudit_getattr_shadow(rgmanager_t)
auth_use_nsswitch(rgmanager_t)
+init_domtrans_script(rgmanager_t)
+
logging_send_syslog_msg(rgmanager_t)
miscfiles_read_localization(rgmanager_t)
-mount_domtrans(rgmanager_t)
+userdom_kill_all_users(rgmanager_t)
tunable_policy(`rgmanager_can_network_connect',`
corenet_tcp_connect_all_ports(rgmanager_t)
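Review bot: `storage_raw_read_fixed_disk(rgmanager_t)` is added without a justification comment, although it allows reading block devices directly and so bypasses per-file labeling on every filesystem on those disks. Together with the existing `sys_admin` and `dac_override` capabilities and the new `userdom_kill_all_users(rgmanager_t)`, this widens the domain considerably; a line such as `# needed by resource agents: raw disk read bypasses file labels -- confirm which agent requires it` above it would record the reason the way `# needed by resources scripts` does. Replacing `auth_read_all_files_except_shadow` with `files_read_non_security_files` is a tightening and reads fine.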
@@ -118,6 +128,14 @@ optional_policy(`
')
optional_policy(`
+ consoletype_exec(rgmanager_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(rgmanager_t)
+')
+
+optional_policy(`
fstools_domtrans(rgmanager_t)
')
@@ -140,6 +158,16 @@ optional_policy(`
')
optional_policy(`
+ ldap_initrc_domtrans(rgmanager_t)
+ ldap_systemctl(rgmanager_t)
+ ldap_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ mount_domtrans(rgmanager_t)
+')
+
+optional_policy(`
mysql_domtrans_mysql_safe(rgmanager_t)
mysql_stream_connect(rgmanager_t)
')
@@ -165,6 +193,8 @@ optional_policy(`
optional_policy(`
rpc_initrc_domtrans_nfsd(rgmanager_t)
rpc_initrc_domtrans_rpcd(rgmanager_t)
+ rpc_systemctl_nfsd(rgmanager_t)
+ rpc_systemctl_rpcd(rgmanager_t)
rpc_domtrans_nfsd(rgmanager_t)
rpc_domtrans_rpcd(rgmanager_t)
diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
index c2ba53b..1f935bf 100644
--- a/policy/modules/services/rhcs.fc
+++ b/policy/modules/services/rhcs.fc
@@ -1,20 +1,25 @@
/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+/var/log/cluster/.*\.*log <<none>>
/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
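Review bot: The regex in `/var/log/cluster/.*\.*log <<none>>` uses `\.*`, which matches zero or more literal dots, so the entry is equivalent to `/var/log/cluster/.*log` and would also match a name such as `catalog`. If the intent is "any .log file under /var/log/cluster that has no dedicated type", `/var/log/cluster/.*\.log <<none>>` is the precise form. Since the more specific `dlm_controld\.log.*` and sibling entries follow it and the last matching spec is the one applied, those daemons' log files should still receive their own types, but that ordering is what the `<<none>>` entry now relies on.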
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
index de37806..a21e737 100644
--- a/policy/modules/services/rhcs.if
+++ b/policy/modules/services/rhcs.if
@@ -13,7 +13,7 @@
#
template(`rhcs_domain_template',`
gen_require(`
- attribute cluster_domain;
+ attribute cluster_domain, cluster_tmpfs, cluster_pid;
')
##############################
@@ -25,13 +25,13 @@ template(`rhcs_domain_template',`
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
- type $1_tmpfs_t;
+ type $1_tmpfs_t, cluster_tmpfs;
files_tmpfs_file($1_tmpfs_t)
type $1_var_log_t;
logging_log_file($1_var_log_t)
- type $1_var_run_t;
+ type $1_var_run_t, cluster_pid;
files_pid_file($1_var_run_t)
##############################
@@ -51,7 +51,6 @@ template(`rhcs_domain_template',`
manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
-
')
######################################
@@ -59,9 +58,9 @@ template(`rhcs_domain_template',`
## Execute a domain transition to run dlm_controld.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`rhcs_domtrans_dlm_controld',`
@@ -133,6 +132,24 @@ interface(`rhcs_domtrans_fenced',`
domtrans_pattern($1, fenced_exec_t, fenced_t)
')
+#####################################
+## <summary>
+## Allow a domain to getattr on fenced executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_getattr_fenced',`
+ gen_require(`
+ type fenced_t, fenced_exec_t;
+ ')
+
+ allow $1 fenced_exec_t:file getattr;
+')
+
######################################
## <summary>
## Allow read and write access to fenced semaphores.
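Review bot: `rhcs_getattr_fenced` requires `type fenced_t, fenced_exec_t;` but its body only uses `fenced_exec_t`, so `fenced_t` is an unused require; `type fenced_exec_t;` is enough. Its parameter summary says "Domain allowed to transition." although the interface grants only getattr on the executable; "Domain allowed access." is what the other non-domtrans interfaces in this file use.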
@@ -169,9 +186,8 @@ interface(`rhcs_stream_connect_fenced',`
type fenced_var_run_t, fenced_t;
')
- allow $1 fenced_t:unix_stream_socket connectto;
- allow $1 fenced_var_run_t:sock_file { getattr write };
files_search_pids($1)
+ stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
')
#####################################
@@ -335,6 +351,65 @@ interface(`rhcs_rw_groupd_shm',`
manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
')
+########################################
+## <summary>
+## Read and write to group shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_cluster_shm',`
+ gen_require(`
+ attribute cluster_domain, cluster_tmpfs;
+ ')
+
+ allow $1 cluster_domain:shm { rw_shm_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
+')
+
+####################################
+## <summary>
+## Read and write access to cluster domains semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_cluster_semaphores',`
+ gen_require(`
+ attribute cluster_domain;
+ ')
+
+ allow $1 cluster_domain:sem { rw_sem_perms destroy };
+')
+
+####################################
+## <summary>
+## Connect to cluster domains over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_cluster',`
+ gen_require(`
+ attribute cluster_domain, cluster_pid;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
+')
+
######################################
## <summary>
## Execute a domain transition to run qdiskd.
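Review bot: The summary of `rhcs_rw_cluster_shm` reads "Read and write to group shared memory.", carried over from `rhcs_rw_groupd_shm`, while the body grants `rw_shm_perms destroy` on every `cluster_domain` plus manage access to all `cluster_tmpfs` files; a summary like `## Read, write and destroy shared memory of all cluster domains.` tells callers how broad the grant is. The same applies to `rhcs_rw_cluster_semaphores`, whose summary omits the `destroy` permission it grants. `rhcs_stream_connect_cluster` is documented accurately.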
@@ -353,3 +428,80 @@ interface(`rhcs_domtrans_qdiskd',`
corecmd_search_bin($1)
domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
')
+
+########################################
+## <summary>
+## Allow domain to read qdiskd tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_read_qdiskd_tmpfs_files',`
+ gen_require(`
+ type qdiskd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 qdiskd_tmpfs_t:file read_file_perms;
+')
+
+######################################
+## <summary>
+## Allow domain to read cluster lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_read_cluster_lib_files',`
+ gen_require(`
+ type cluster_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
+
+#####################################
+## <summary>
+## Allow domain to manage cluster lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_manage_cluster_lib_files',`
+ gen_require(`
+ type cluster_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
+
+####################################
+## <summary>
+## Allow domain to relabel cluster lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_relabel_cluster_lib_files',`
+ gen_require(`
+ type cluster_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
index 93c896a..8c29c39 100644
--- a/policy/modules/services/rhcs.te
+++ b/policy/modules/services/rhcs.te
@@ -6,13 +6,22 @@ policy_module(rhcs, 1.1.0)
#
## <desc>
-## <p>
-## Allow fenced domain to connect to the network using TCP.
-## </p>
+## <p>
+## Allow fenced domain to connect to the network using TCP.
+## </p>
## </desc>
gen_tunable(fenced_can_network_connect, false)
+## <desc>
+## <p>
+## Allow fenced domain to execute ssh.
+## </p>
+## </desc>
+gen_tunable(fenced_can_ssh, false)
+
attribute cluster_domain;
+attribute cluster_tmpfs;
+attribute cluster_pid;
rhcs_domain_template(dlm_controld)
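Review bot: The `fenced_can_ssh` description says only "Allow fenced domain to execute ssh.", but the `fenced_can_ssh` tunable_policy block added later in this file also grants `self:capability { setuid setgid }`, `corenet_tcp_connect_ssh_port` and `ssh_read_user_home_files`, i.e. access to users' ssh home files. Administrators read the `<desc>` when deciding whether to enable a boolean, so it should state the full effect, e.g. `## Allow fenced domain to execute ssh, change uid/gid and read users' ssh home files.` The default of `false` is appropriate and should stay.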
@@ -24,6 +33,8 @@ files_lock_file(fenced_lock_t)
type fenced_tmp_t;
files_tmp_file(fenced_tmp_t)
+rhcs_domain_template(foghorn)
+
rhcs_domain_template(gfs_controld)
rhcs_domain_template(groupd)
@@ -33,6 +44,10 @@ rhcs_domain_template(qdiskd)
type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t)
+# type for cluster lib files
+type cluster_var_lib_t;
+files_type(cluster_var_lib_t)
+
#####################################
#
# dlm_controld local policy
@@ -46,6 +61,7 @@ stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fence
stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
kernel_read_system_state(dlm_controld_t)
+kernel_rw_net_sysctls(dlm_controld_t)
dev_rw_dlm_control(dlm_controld_t)
dev_rw_sysfs(dlm_controld_t)
@@ -55,20 +71,17 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
-optional_policy(`
- ccs_stream_connect(dlm_controld_t)
-')
-
#######################################
#
# fenced local policy
#
allow fenced_t self:capability { sys_rawio sys_resource };
-allow fenced_t self:process getsched;
+allow fenced_t self:process { getsched signal_perms };
allow fenced_t self:tcp_socket create_stream_socket_perms;
allow fenced_t self:udp_socket create_socket_perms;
+allow fenced_t self:unix_stream_socket connectto;
can_exec(fenced_t, fenced_exec_t)
@@ -82,8 +95,13 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+kernel_read_system_state(fenced_t)
+
corecmd_exec_bin(fenced_t)
+corecmd_exec_shell(fenced_t)
+corenet_udp_bind_ionixnetmon_port(fenced_t)
+corenet_tcp_bind_zented_port(fenced_t)
corenet_tcp_connect_http_port(fenced_t)
dev_read_sysfs(fenced_t)
@@ -105,8 +123,24 @@ tunable_policy(`fenced_can_network_connect',`
')
optional_policy(`
+ tunable_policy(`fenced_can_ssh',`
+
+ allow fenced_t self:capability { setuid setgid };
+
+ corenet_tcp_connect_ssh_port(fenced_t)
+
+ ssh_exec(fenced_t)
+ ssh_read_user_home_files(fenced_t)
+ ')
+')
+
+# needed by fence_scsi
+optional_policy(`
+ corosync_exec(fenced_t)
+')
+
+optional_policy(`
ccs_read_config(fenced_t)
- ccs_stream_connect(fenced_t)
')
optional_policy(`
@@ -114,13 +148,37 @@ optional_policy(`
lvm_read_config(fenced_t)
')
+#######################################
+#
+# foghorn local policy
+#
+
+allow foghorn_t self:process { signal };
+allow foghorn_t self:tcp_socket create_stream_socket_perms;
+allow foghorn_t self:udp_socket create_socket_perms;
+
+corenet_tcp_connect_agentx_port(foghorn_t)
+
+dev_read_urand(foghorn_t)
+
+files_read_etc_files(foghorn_t)
+files_read_usr_files(foghorn_t)
+
+optional_policy(`
+ dbus_connect_system_bus(foghorn_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(foghorn_t)
+ snmp_stream_connect(foghorn_t)
+')
+
######################################
#
# gfs_controld local policy
#
allow gfs_controld_t self:capability { net_admin sys_resource };
-
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
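Review bot: `allow foghorn_t self:process { signal };` wraps a single permission in braces, the very form this commit removes elsewhere in the file (`allow cluster_domain self:capability sys_nice;`); write it as `allow foghorn_t self:process signal;`. The rest of the foghorn section follows the file's template; `dbus_connect_system_bus(foghorn_t)` presumably pairs with the `dbus_system_bus_client(cluster_domain)` added at the end of the file, assuming `rhcs_domain_template` places foghorn_t in cluster_domain, which is not visible in this patch.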
@@ -139,10 +197,6 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
optional_policy(`
- ccs_stream_connect(gfs_controld_t)
-')
-
-optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
@@ -154,9 +208,10 @@ optional_policy(`
allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
-
allow groupd_t self:shm create_shm_perms;
+domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+
dev_list_sysfs(groupd_t)
files_read_etc_files(groupd_t)
@@ -168,8 +223,7 @@ init_rw_script_tmp_files(groupd_t)
# qdiskd local policy
#
-allow qdiskd_t self:capability ipc_lock;
-
+allow qdiskd_t self:capability { ipc_lock sys_boot };
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
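Review bot: `allow qdiskd_t self:capability { ipc_lock sys_boot };` adds `sys_boot` with no comment; a capability that lets the daemon reboot the node deserves a one-line rationale above it, e.g. `# sys_boot: qdiskd can reboot the node on quorum loss -- confirm`. The removed blank line matches the same cleanup in the gfs_controld and groupd sections, so that part is consistent.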
@@ -199,6 +253,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
files_dontaudit_getattr_all_pipes(qdiskd_t)
files_read_etc_files(qdiskd_t)
+fs_list_hugetlbfs(qdiskd_t)
+
storage_raw_read_removable_device(qdiskd_t)
storage_raw_write_removable_device(qdiskd_t)
storage_raw_read_fixed_disk(qdiskd_t)
@@ -207,10 +263,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
optional_policy(`
- ccs_stream_connect(qdiskd_t)
-')
-
-optional_policy(`
netutils_domtrans_ping(qdiskd_t)
')
@@ -223,18 +275,28 @@ optional_policy(`
# rhcs domains common policy
#
-allow cluster_domain self:capability { sys_nice };
+allow cluster_domain self:capability sys_nice;
allow cluster_domain self:process setsched;
-
allow cluster_domain self:sem create_sem_perms;
allow cluster_domain self:fifo_file rw_fifo_file_perms;
allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
allow cluster_domain self:unix_dgram_socket create_socket_perms;
+manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
+manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
+
logging_send_syslog_msg(cluster_domain)
miscfiles_read_localization(cluster_domain)
optional_policy(`
+ ccs_stream_connect(cluster_domain)
+')
+
+optional_policy(`
corosync_stream_connect(cluster_domain)
')
+
+optional_policy(`
+ dbus_system_bus_client(cluster_domain)
+')
diff --git a/policy/modules/services/rhev.fc b/policy/modules/services/rhev.fc
new file mode 100644
index 0000000..4e7605a
--- /dev/null
+++ b/policy/modules/services/rhev.fc
@@ -0,0 +1,3 @@
+/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+
+/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
diff --git a/policy/modules/services/rhev.if b/policy/modules/services/rhev.if
new file mode 100644
index 0000000..bf11e25
--- /dev/null
+++ b/policy/modules/services/rhev.if
@@ -0,0 +1,76 @@
+## <summary>rhev polic module contains policies for rhev apps</summary>
+
+#####################################
+## <summary>
+## Execute rhev-agentd in the rhev_agentd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhev_domtrans_agentd',`
+ gen_require(`
+ type rhev_agentd_t, rhev_agentd_exec_t;
+ ')
+
+ domtrans_pattern($1, rhev_agentd_exec_t, rhev_agentd_t)
+')
+
+####################################
+## <summary>
+## Read rhev-agentd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhev_read_pid_files_agentd',`
+ gen_require(`
+ type rhev_agentd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+')
+
+#####################################
+## <summary>
+## Connect to rhev_agentd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhev_stream_connect_agentd',`
+ gen_require(`
+ type rhev_agentd_var_run_t, rhev_agentd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t, rhev_agentd_t)
+')
+
+######################################
+## <summary>
+## Send sigchld to rhev-agentd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`rhev_sigchld_agentd',`
+ gen_require(`
+ type rhev_agentd_t;
+ ')
+
+ allow $1 rhev_agentd_t:process sigchld;
+')
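Review bot: The module summary on the first line reads "rhev polic module contains policies for rhev apps"; `polic` is a typo, so it should be `## <summary>rhev policy module contains policies for rhev apps</summary>`. In `rhev_sigchld_agentd` the parameter summary "Domain allowed access" lacks the trailing period the other entries in this file carry.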
diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
new file mode 100644
index 0000000..23ba402
--- /dev/null
+++ b/policy/modules/services/rhev.te
@@ -0,0 +1,82 @@
+policy_module(rhev,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhev_agentd_t;
+type rhev_agentd_exec_t;
+init_daemon_domain(rhev_agentd_t, rhev_agentd_exec_t)
+
+type rhev_agentd_var_run_t;
+files_pid_file(rhev_agentd_var_run_t)
+
+# WHY IS USED /TMP DIRECTORY
+type rhev_agentd_tmp_t;
+files_tmp_file(rhev_agentd_tmp_t)
+
+########################################
+#
+# rhev_agentd_t local policy
+#
+
+allow rhev_agentd_t self:capability sys_nice;
+allow rhev_agentd_t self:process setsched;
+
+allow rhev_agentd_t self:fifo_file rw_fifo_file_perms;
+allow rhev_agentd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+manage_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+manage_sock_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+files_pid_filetrans(rhev_agentd_t, rhev_agentd_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
+manage_files_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
+files_tmp_filetrans(rhev_agentd_t, rhev_agentd_tmp_t, { file dir })
+can_exec(rhev_agentd_t, rhev_agentd_tmp_t)
+
+kernel_read_system_state(rhev_agentd_t)
+kernel_read_kernel_sysctls(rhev_agentd_t)
+
+corecmd_exec_bin(rhev_agentd_t)
+corecmd_exec_shell(rhev_agentd_t)
+
+dev_read_urand(rhev_agentd_t)
+
+term_use_virtio_console(rhev_agentd_t)
+
+files_read_usr_files(rhev_agentd_t)
+
+auth_use_nsswitch(rhev_agentd_t)
+
+init_read_utmp(rhev_agentd_t)
+
+libs_exec_ldconfig(rhev_agentd_t)
+logging_send_syslog_msg(rhev_agentd_t)
+
+miscfiles_read_localization(rhev_agentd_t)
+
+optional_policy(`
+ rpm_read_db(rhev_agentd_t)
+ rpm_dontaudit_manage_db(rhev_agentd_t)
+')
+
+optional_policy(`
+ ssh_signull(rhev_agentd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(rhev_agentd_t)
+ dbus_connect_system_bus(rhev_agentd_t)
+')
+
+optional_policy(`
+ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
+')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(rhev_agentd_t)
+')
+
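Review bot: `# WHY IS USED /TMP DIRECTORY` is an open question left in the policy, and the rules under it make `rhev_agentd_tmp_t` both writable (`manage_files_pattern`) and executable (`can_exec(rhev_agentd_t, rhev_agentd_tmp_t)`) by the daemon, a combination that warrants a recorded reason rather than a question. Replace the comment with the rationale once known, e.g. `# rhev-agentd writes and executes helper files in /tmp -- confirm which files and whether exec is required`. Separately, `policy_module(rhev,1.0)` uses a two-part version while the other new module in this patch uses `policy_module(rhsmcertd, 1.0.0)`.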
diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if
index 96efae7..793a29f 100644
--- a/policy/modules/services/rhgb.if
+++ b/policy/modules/services/rhgb.if
@@ -194,5 +194,6 @@ interface(`rhgb_rw_tmpfs_files',`
type rhgb_tmpfs_t;
')
+ fs_search_tmpfs($1)
allow $1 rhgb_tmpfs_t:file rw_file_perms;
')
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index 0f262a7..4d10897 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -30,7 +30,7 @@ allow rhgb_t self:tcp_socket create_socket_perms;
allow rhgb_t self:udp_socket create_socket_perms;
allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
-allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(rhgb_t, rhgb_devpts_t)
manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
diff --git a/policy/modules/services/rhsmcertd.fc b/policy/modules/services/rhsmcertd.fc
new file mode 100644
index 0000000..5094d93
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.fc
@@ -0,0 +1,12 @@
+
+/etc/rc\.d/init\.d/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_initrc_exec_t,s0)
+
+/usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
+
+/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0)
+
+/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0)
+
+/var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0)
+
+/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0)
diff --git a/policy/modules/services/rhsmcertd.if b/policy/modules/services/rhsmcertd.if
new file mode 100644
index 0000000..811c52e
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.if
@@ -0,0 +1,305 @@
+
+## <summary>Subscription Management Certificate Daemon policy</summary>
+
+########################################
+## <summary>
+## Transition to rhsmcertd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_domtrans',`
+ gen_require(`
+ type rhsmcertd_t, rhsmcertd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rhsmcertd_exec_t, rhsmcertd_t)
+')
+
+
+########################################
+## <summary>
+## Execute rhsmcertd server in the rhsmcertd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_initrc_domtrans',`
+ gen_require(`
+ type rhsmcertd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, rhsmcertd_initrc_exec_t)
+')
+
+
+########################################
+## <summary>
+## Read rhsmcertd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rhsmcertd_read_log',`
+ gen_require(`
+ type rhsmcertd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+')
+
+########################################
+## <summary>
+## Append to rhsmcertd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_append_log',`
+ gen_require(`
+ type rhsmcertd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+')
+
+########################################
+## <summary>
+## Manage rhsmcertd log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_manage_log',`
+ gen_require(`
+ type rhsmcertd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+ manage_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+ manage_lnk_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+')
+
+########################################
+## <summary>
+## Search rhsmcertd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_search_lib',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ allow $1 rhsmcertd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read rhsmcertd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_read_lib_files',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage rhsmcertd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_manage_lib_files',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage rhsmcertd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_manage_lib_dirs',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## Read rhsmcertd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_read_pid_files',`
+ gen_require(`
+ type rhsmcertd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 rhsmcertd_var_run_t:file read_file_perms;
+')
+
+####################################
+## <summary>
+## Connect to rhsmcertd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_stream_connect',`
+ gen_require(`
+ type rhsmcertd_t, rhsmcertd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t, rhsmcertd_t)
+')
+
+#######################################
+## <summary>
+## Send and receive messages from
+## rhsmcertd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_dbus_chat',`
+ gen_require(`
+ type rhsmcertd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rhsmcertd_t:dbus send_msg;
+ allow rhsmcertd_t $1:dbus send_msg;
+')
+
+######################################
+## <summary>
+## Dontaudit Send and receive messages from
+## rhsmcertd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_dontaudit_dbus_chat',`
+ gen_require(`
+ type rhsmcertd_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 rhsmcertd_t:dbus send_msg;
+ dontaudit rhsmcertd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an rhsmcertd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rhsmcertd_admin',`
+ gen_require(`
+ type rhsmcertd_t;
+ type rhsmcertd_initrc_exec_t;
+ type rhsmcertd_log_t;
+ type rhsmcertd_var_lib_t;
+ type rhsmcertd_var_run_t;
+ ')
+
+ allow $1 rhsmcertd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rhsmcertd_t)
+
+ rhsmcertd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 rhsmcertd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, rhsmcertd_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, rhsmcertd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, rhsmcertd_var_run_t)
+
+')
+
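Review bot: `rhsmcertd_stream_connect` grants connections through a sock_file of type `rhsmcertd_var_run_t`, and `rhsmcertd_dbus_chat` grants dbus send_msg with `rhsmcertd_t`, but the accompanying `rhsmcertd.te` in this patch gives the daemon only dir and file management on `rhsmcertd_var_run_t` and no dbus or sock_file rules, so as far as the patch shows neither interface can be exercised. Either add the matching rules to the .te or leave the two interfaces out until a caller needs them. Minor: `rhsmcertd_admin` has a stray blank line before its closing `')`, and `rhsmcertd_search_lib` places the `allow` before `files_search_var_lib($1)`, the reverse of the ordering used in the other interfaces here.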
diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
new file mode 100644
index 0000000..4d1d0c7
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.te
@@ -0,0 +1,61 @@
+policy_module(rhsmcertd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhsmcertd_t;
+type rhsmcertd_exec_t;
+init_daemon_domain(rhsmcertd_t, rhsmcertd_exec_t)
+
+type rhsmcertd_initrc_exec_t;
+init_script_file(rhsmcertd_initrc_exec_t)
+
+type rhsmcertd_log_t;
+logging_log_file(rhsmcertd_log_t)
+
+type rhsmcertd_lock_t;
+files_lock_file(rhsmcertd_lock_t)
+
+type rhsmcertd_var_lib_t;
+files_type(rhsmcertd_var_lib_t)
+
+type rhsmcertd_var_run_t;
+files_pid_file(rhsmcertd_var_run_t)
+
+########################################
+#
+# rhsmcertd local policy
+#
+
+allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
+allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+
+manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
+files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+
+kernel_read_system_state(rhsmcertd_t)
+
+corecmd_exec_bin(rhsmcertd_t)
+
+dev_read_urand(rhsmcertd_t)
+
+files_read_etc_files(rhsmcertd_t)
+files_read_usr_files(rhsmcertd_t)
+
+miscfiles_read_localization(rhsmcertd_t)
+miscfiles_read_certs(rhsmcertd_t)
+
+optional_policy(`
+ sysnet_dns_name_resolve(rhsmcertd_t)
+')
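Review bot: None of the three state types this daemon writes to has a file transition rule, so files and directories rhsmcertd_t creates under /var/run, /var/lib and /var/log will receive the parent directory's type rather than rhsmcertd_var_run_t, rhsmcertd_var_lib_t or rhsmcertd_log_t, and the manage_*_pattern rules above only apply once something is relabelled. The lock type already gets this treatment via files_lock_filetrans; the other three need the same: `files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { dir file })`, `files_var_lib_filetrans(rhsmcertd_t, rhsmcertd_var_lib_t, { dir file })` and `logging_log_filetrans(rhsmcertd_t, rhsmcertd_log_t, { dir file })`. The optional sysnet_dns_name_resolve call suggests the daemon talks to a remote service, yet no corenet connect rule is visible; if it does open outbound connections a targeted `corenet_tcp_connect_*_port` rule (with a comment naming the service) belongs here rather than leaving it to permissive-mode discovery.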
diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc
index 5b08327..ed5dc05 100644
--- a/policy/modules/services/ricci.fc
+++ b/policy/modules/services/ricci.fc
@@ -1,3 +1,6 @@
+
+/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0)
+
/usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
/usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if
index f7826f9..679d185 100644
--- a/policy/modules/services/ricci.if
+++ b/policy/modules/services/ricci.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run ricci.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`ricci_domtrans',`
@@ -18,14 +18,32 @@ interface(`ricci_domtrans',`
domtrans_pattern($1, ricci_exec_t, ricci_t)
')
+#######################################
+## <summary>
+## Execute ricci server in the ricci domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ricci_initrc_domtrans',`
+ gen_require(`
+ type ricci_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ricci_initrc_exec_t)
+')
+
########################################
## <summary>
## Execute a domain transition to run ricci_modcluster.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`ricci_domtrans_modcluster',`
@@ -71,7 +89,7 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
type ricci_modcluster_t;
')
- dontaudit $1 ricci_modcluster_t:fifo_file { read write };
+ dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@@ -90,18 +108,36 @@ interface(`ricci_stream_connect_modclusterd',`
')
files_search_pids($1)
- allow $1 ricci_modcluster_var_run_t:sock_file write;
- allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)
')
########################################
## <summary>
-## Execute a domain transition to run ricci_modlog.
+## Read and write to ricci_modcluserd temporary file system.
## </summary>
## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ricci_rw_modclusterd_tmpfs_files',`
+ gen_require(`
+ type ricci_modclusterd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 ricci_modclusterd_tmpfs_t:file rw_file_perms;
+')
+
+########################################
## <summary>
-## Domain allowed to transition.
+## Execute a domain transition to run ricci_modlog.
## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
#
interface(`ricci_domtrans_modlog',`
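Review bot: The summary of the new ricci_rw_modclusterd_tmpfs_files interface misspells the domain as `ricci_modcluserd`, which will mislead anyone grepping the generated interface documentation. Suggest `## Read and write ricci_modclusterd temporary file system files.` so the wording also says what object class is granted (file, not the whole filesystem).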
@@ -117,9 +153,9 @@ interface(`ricci_domtrans_modlog',`
## Execute a domain transition to run ricci_modrpm.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`ricci_domtrans_modrpm',`
@@ -135,9 +171,9 @@ interface(`ricci_domtrans_modrpm',`
## Execute a domain transition to run ricci_modservice.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`ricci_domtrans_modservice',`
@@ -153,9 +189,9 @@ interface(`ricci_domtrans_modservice',`
## Execute a domain transition to run ricci_modstorage.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`ricci_domtrans_modstorage',`
@@ -165,3 +201,67 @@ interface(`ricci_domtrans_modstorage',`
domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
')
+
+####################################
+## <summary>
+## Allow the specified domain to manage ricci's lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ricci_manage_lib_files',`
+ gen_require(`
+ type ricci_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
+ manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ricci environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ricci_admin',`
+ gen_require(`
+ type ricci_t, ricci_initrc_exec_t, ricci_tmp_t;
+ type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
+ ')
+
+ allow $1 ricci_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ricci_t)
+
+ ricci_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ricci_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, ricci_tmp_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, ricci_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ricci_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ricci_var_run_t)
+')
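Review bot: ricci_admin only covers ricci_t and its own tmp, lib, log and pid types, while the ricci.te hunks further down in this diff declare ricci_modclusterd_tmpfs_t and reference ricci_modcluster_var_run_t and ricci_modcluster_var_log_t for the helper daemons. An administrator granted this interface could stop ricci but not inspect or signal ricci_modclusterd_t, nor clean up its pid, log or tmpfs content, which seems unintended for an "all of the rules required to administrate" interface; if the helper domains are meant to be covered, extend the gen_require and add the corresponding rules as sketched below. The helper domain and type names are taken from the ricci.te hunks in this same diff; verify they match the declarations in ricci.te before applying.

```m4
interface(`ricci_admin',`
	gen_require(`
		type ricci_t, ricci_initrc_exec_t, ricci_tmp_t;
		type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
		type ricci_modclusterd_t, ricci_modclusterd_tmpfs_t;
		type ricci_modcluster_var_run_t, ricci_modcluster_var_log_t;
	')

	# … unchanged: ricci_t process, initrc transition and role rules …

	allow $1 ricci_modclusterd_t:process { ptrace signal_perms };
	ps_process_pattern($1, ricci_modclusterd_t)
	admin_pattern($1, ricci_modclusterd_tmpfs_t)
	admin_pattern($1, ricci_modcluster_var_run_t)
	admin_pattern($1, ricci_modcluster_var_log_t)

	# … unchanged: tmp, var_lib, log and pid admin_pattern calls …
```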
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index 33e72e8..28d2775 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
type ricci_t;
type ricci_exec_t;
-domain_type(ricci_t)
init_daemon_domain(ricci_t, ricci_exec_t)
+type ricci_initrc_exec_t;
+init_script_file(ricci_initrc_exec_t)
+
type ricci_tmp_t;
files_tmp_file(ricci_tmp_t)
@@ -39,9 +41,11 @@ files_pid_file(ricci_modcluster_var_run_t)
type ricci_modclusterd_t;
type ricci_modclusterd_exec_t;
-domain_type(ricci_modclusterd_t)
init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
+type ricci_modclusterd_tmpfs_t;
+files_tmpfs_file(ricci_modclusterd_tmpfs_t)
+
type ricci_modlog_t;
type ricci_modlog_exec_t;
domain_type(ricci_modlog_t)
@@ -95,7 +99,7 @@ manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
-allow ricci_t ricci_var_log_t:dir setattr;
+allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
@@ -105,6 +109,7 @@ manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(ricci_t)
+kernel_read_system_state(ricci_t)
corecmd_exec_bin(ricci_t)
@@ -170,6 +175,10 @@ optional_policy(`
')
optional_policy(`
+ shutdown_domtrans(ricci_t)
+')
+
+optional_policy(`
unconfined_use_fds(ricci_t)
')
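Review bot: shutdown_domtrans(ricci_t) lets a network-reachable cluster agent transition into the shutdown domain, and nothing in the block says which ricci operation needs it. A why-comment above the call would let future reviewers judge whether the grant is still required, for instance `# ricci reboots/halts the node when asked to by the cluster manager` if that is the use case; if the actual trigger is different, name that instead.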
@@ -193,7 +202,8 @@ corecmd_exec_shell(ricci_modcluster_t)
corecmd_exec_bin(ricci_modcluster_t)
corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
-corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
+corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t)
+corenet_tcp_connect_cluster_port(ricci_modclusterd_t)
domain_read_all_domains_state(ricci_modcluster_t)
@@ -202,6 +212,8 @@ files_read_etc_runtime_files(ricci_modcluster_t)
files_read_etc_files(ricci_modcluster_t)
files_search_usr(ricci_modcluster_t)
+auth_use_nsswitch(ricci_modcluster_t)
+
init_exec(ricci_modcluster_t)
init_domtrans_script(ricci_modcluster_t)
@@ -209,13 +221,9 @@ logging_send_syslog_msg(ricci_modcluster_t)
miscfiles_read_localization(ricci_modcluster_t)
-modutils_domtrans_insmod(ricci_modcluster_t)
-
-mount_domtrans(ricci_modcluster_t)
-
-consoletype_exec(ricci_modcluster_t)
-
-ricci_stream_connect_modclusterd(ricci_modcluster_t)
+optional_policy(`
+ ricci_stream_connect_modclusterd(ricci_modcluster_t)
+')
optional_policy(`
aisexec_stream_connect(ricci_modcluster_t)
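Review bot: Wrapping ricci_stream_connect_modclusterd(ricci_modcluster_t) in optional_policy is a no-op here, because the interface is defined by this same module and so can never be absent when ricci.te is built. The bare call that was removed is the clearer form; optional_policy should be reserved for the cross-module calls (modutils, mount, consoletype) that the next hunk correctly moves into it.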
@@ -233,7 +241,15 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(ricci_modcluster_t)
+ modutils_domtrans_insmod(ricci_modcluster_t)
+')
+
+optional_policy(`
+ mount_domtrans(ricci_modcluster_t)
+')
+
+optional_policy(`
+ consoletype_exec(ricci_modcluster_t)
')
optional_policy(`
@@ -241,8 +257,7 @@ optional_policy(`
')
optional_policy(`
- # XXX This has got to go.
- unconfined_domain(ricci_modcluster_t)
+ rgmanager_stream_connect(ricci_modclusterd_t)
')
########################################
@@ -261,6 +276,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
+manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
+manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
+fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file })
+
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
@@ -272,6 +291,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
kernel_read_kernel_sysctls(ricci_modclusterd_t)
kernel_read_system_state(ricci_modclusterd_t)
+kernel_request_load_module(ricci_modclusterd_t)
corecmd_exec_bin(ricci_modclusterd_t)
@@ -363,6 +383,8 @@ corecmd_exec_bin(ricci_modrpm_t)
files_search_usr(ricci_modrpm_t)
files_read_etc_files(ricci_modrpm_t)
+logging_send_syslog_msg(ricci_modrpm_t)
+
miscfiles_read_localization(ricci_modrpm_t)
optional_policy(`
@@ -394,8 +416,6 @@ files_search_usr(ricci_modservice_t)
# Needed for running chkconfig
files_manage_etc_symlinks(ricci_modservice_t)
-consoletype_exec(ricci_modservice_t)
-
init_domtrans_script(ricci_modservice_t)
miscfiles_read_localization(ricci_modservice_t)
@@ -405,6 +425,10 @@ optional_policy(`
')
optional_policy(`
+ consoletype_exec(ricci_modservice_t)
+')
+
+optional_policy(`
nscd_dontaudit_search_pid(ricci_modservice_t)
')
@@ -444,22 +468,22 @@ files_read_etc_runtime_files(ricci_modstorage_t)
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
+files_create_default_dir(ricci_modstorage_t)
+files_root_filetrans_default(ricci_modstorage_t, dir)
+files_mounton_default(ricci_modstorage_t)
+files_manage_default_dirs(ricci_modstorage_t)
+files_manage_default_files(ricci_modstorage_t)
+
storage_raw_read_fixed_disk(ricci_modstorage_t)
term_dontaudit_use_console(ricci_modstorage_t)
-fstools_domtrans(ricci_modstorage_t)
+auth_use_nsswitch(ricci_modstorage_t)
logging_send_syslog_msg(ricci_modstorage_t)
miscfiles_read_localization(ricci_modstorage_t)
-modutils_read_module_deps(ricci_modstorage_t)
-
-consoletype_exec(ricci_modstorage_t)
-
-mount_domtrans(ricci_modstorage_t)
-
optional_policy(`
aisexec_stream_connect(ricci_modstorage_t)
corosync_stream_connect(ricci_modstorage_t)
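Review bot: The five new files_*_default rules give ricci_modstorage_t create, manage and mounton rights over default_t content plus a transition for new directories in /, which is a wide grant with no comment explaining it. If the purpose is creating and mounting fresh mount points, say so (`# modstorage creates new mount point dirs under / and mounts on them`) so the scope can be checked later; and if only directories are ever created, files_manage_default_files looks broader than needed and could be dropped. Please confirm against the denials that motivated the change.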
@@ -471,12 +495,24 @@ optional_policy(`
')
optional_policy(`
+ consoletype_exec(ricci_modstorage_t)
+')
+
+optional_policy(`
+ fstools_domtrans(ricci_modstorage_t)
+')
+
+optional_policy(`
lvm_domtrans(ricci_modstorage_t)
lvm_manage_config(ricci_modstorage_t)
')
optional_policy(`
- nscd_socket_use(ricci_modstorage_t)
+ modutils_read_module_deps(ricci_modstorage_t)
+')
+
+optional_policy(`
+ mount_domtrans(ricci_modstorage_t)
')
optional_policy(`
diff --git a/policy/modules/services/rlogin.fc b/policy/modules/services/rlogin.fc
index 2785337..d7f6b82 100644
--- a/policy/modules/services/rlogin.fc
+++ b/policy/modules/services/rlogin.fc
@@ -1,7 +1,10 @@
HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
+/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
-/usr/lib(64)?/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+/usr/lib/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
/usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
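Review bot: Replacing `/usr/lib(64)?/telnetlogin` with `/usr/lib/telnetlogin` drops the label on 64-bit hosts if the binary is installed under /usr/lib64 there; rlogin.te's `can_exec(rlogind_t, rlogind_exec_t)` (commented "for /usr/lib/telnetlogin") would then stop matching and the exec would be denied. If the package installs only into /usr/lib on every architecture the change is fine, otherwise keep the `(64)?` alternation.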
diff --git a/policy/modules/services/rlogin.if b/policy/modules/services/rlogin.if
index 63e78c6..fdd8228 100644
--- a/policy/modules/services/rlogin.if
+++ b/policy/modules/services/rlogin.if
@@ -21,21 +21,15 @@ interface(`rlogin_domtrans',`
########################################
## <summary>
-## read rlogin homedir content (.config)
+## read rlogin homedir content (.rlogin)
## </summary>
-## <param name="userdomain_prefix">
-## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-## </summary>
-## </param>
-## <param name="user_domain">
+## <param name="domain">
## <summary>
-## The type of the user domain.
+## Domain allowed access.
## </summary>
## </param>
#
-template(`rlogin_read_home_content',`
+interface(`rlogin_read_home_content',`
gen_require(`
type rlogind_home_t;
')
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index 779fa44..4bcaacc 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
# Local policy
#
-allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
+allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_fifo_file_perms;
allow rlogind_t self:tcp_socket connected_stream_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow rlogind_t self:capability { setuid setgid };
-allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(rlogind_t, rlogind_devpts_t)
# for /usr/lib/telnetlogin
@@ -43,7 +42,6 @@ can_exec(rlogind_t, rlogind_exec_t)
manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
-files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
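Review bot: Removing files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir }) while keeping the manage_dirs_pattern/manage_files_pattern rules on rlogind_tmp_t leaves those rules with no way to be reached: nothing rlogind_t creates in /tmp will get the rlogind_tmp_t label any more, and the later hunk in this file routes its tmp files to user_tmp_t via userdom_tmp_filetrans_user_tmp instead. Either restore the filetrans or retire rlogind_tmp_t (its declaration is outside this hunk) together with these two dead rules, so the policy does not carry a type that can only appear through manual relabelling.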
@@ -69,8 +67,10 @@ fs_getattr_xattr_fs(rlogind_t)
fs_search_auto_mountpoints(rlogind_t)
auth_domtrans_chk_passwd(rlogind_t)
+auth_signal_chk_passwd(rlogind_t)
auth_rw_login_records(rlogind_t)
auth_use_nsswitch(rlogind_t)
+auth_login_pgm_domain(rlogind_t)
files_read_etc_files(rlogind_t)
files_read_etc_runtime_files(rlogind_t)
@@ -88,9 +88,10 @@ seutil_read_config(rlogind_t)
userdom_setattr_user_ptys(rlogind_t)
# cjp: this is egregious
userdom_read_user_home_content_files(rlogind_t)
-
-remotelogin_domtrans(rlogind_t)
-remotelogin_signal(rlogind_t)
+userdom_search_admin_dir(rlogind_t)
+userdom_manage_user_tmp_files(rlogind_t)
+userdom_tmp_filetrans_user_tmp(rlogind_t, file)
+userdom_use_user_terminals(rlogind_t)
rlogin_read_home_content(rlogind_t)
@@ -112,5 +113,10 @@ optional_policy(`
')
optional_policy(`
+ remotelogin_domtrans(rlogind_t)
+ remotelogin_signal(rlogind_t)
+')
+
+optional_policy(`
tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
')
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
index 5c70c0c..f9f0f54 100644
--- a/policy/modules/services/rpc.fc
+++ b/policy/modules/services/rpc.fc
@@ -6,6 +6,9 @@
/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
+
#
# /sbin
#
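Review bot: The pattern `/lib/systemd/system/rpc.*` uses an unescaped `.`, so it matches every unit whose name begins with `rpc`, and on a host that also ships rpcbind's unit (rpcbind is a separate module, see rpcbind.fc later in this diff) that file would be labelled rpcd_unit_file_t and become controllable through rpc_systemctl_rpcd rather than through rpcbind's own policy. Listing the units this module actually owns as an explicit alternation, or anchoring the prefix so it cannot extend into another daemon's name, avoids the overlap; the same review applies to `nfs.*` if unrelated nfs-prefixed units can exist.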
@@ -29,3 +32,5 @@
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+
+/var/tmp/nfs_0 -- gen_context(system_u:object_r:gssd_tmp_t,s0)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index cda37bb..41b106f 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -32,7 +32,11 @@ interface(`rpc_stub',`
## </summary>
## </param>
#
-template(`rpc_domain_template', `
+template(`rpc_domain_template',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
########################################
#
# Declarations
@@ -152,7 +156,7 @@ interface(`rpc_dontaudit_getattr_exports',`
type exports_t;
')
- dontaudit $1 exports_t:file getattr;
+ dontaudit $1 exports_t:file getattr_file_perms;
')
########################################
@@ -188,7 +192,7 @@ interface(`rpc_write_exports',`
type exports_t;
')
- allow $1 exports_t:file write;
+ allow $1 exports_t:file write_file_perms;
')
########################################
@@ -229,6 +233,30 @@ interface(`rpc_initrc_domtrans_nfsd',`
########################################
## <summary>
+## Execute nfsd server in the nfsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_systemctl_nfsd',`
+ gen_require(`
+ type nfsd_unit_file_t;
+ type nfsd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 nfsd_unit_file_t:file read_file_perms;
+ allow $1 nfsd_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, nfsd_t)
+')
+
+########################################
+## <summary>
## Execute domain in rpcd domain.
## </summary>
## <param name="domain">
@@ -246,6 +274,32 @@ interface(`rpc_domtrans_rpcd',`
allow rpcd_t $1:process signal;
')
+########################################
+## <summary>
+## Execute rpcd in the rcpd domain, and
+## allow the specified role the rpcd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpc_run_rpcd',`
+ gen_require(`
+ type rpcd_t;
+ ')
+
+ rpc_domtrans_rpcd($1)
+ role $2 types rpcd_t;
+')
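Review bot: The rpc_run_rpcd summary reads "Execute rpcd in the rcpd domain", with the type name transposed. Suggest `## Execute rpcd in the rpcd domain, and` so the generated interface docs name the right domain.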
+
#######################################
## <summary>
## Execute domain in rpcd domain.
@@ -266,6 +320,30 @@ interface(`rpc_initrc_domtrans_rpcd',`
########################################
## <summary>
+## Execute rpcd server in the rpcd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_systemctl_rpcd',`
+ gen_require(`
+ type rpcd_unit_file_t;
+ type rpcd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 rpcd_unit_file_t:file read_file_perms;
+ allow $1 rpcd_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, rpcd_t)
+')
+
+########################################
+## <summary>
## Read NFS exported content.
## </summary>
## <param name="domain">
@@ -282,7 +360,7 @@ interface(`rpc_read_nfs_content',`
allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
- allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
+ allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
')
########################################
@@ -375,7 +453,7 @@ interface(`rpc_search_nfs_state_data',`
')
files_search_var_lib($1)
- allow $1 var_lib_nfs_t:dir search;
+ allow $1 var_lib_nfs_t:dir search_dir_perms;
')
########################################
@@ -414,4 +492,5 @@ interface(`rpc_manage_nfs_state_data',`
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
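Review bot: Adding `allow $1 var_lib_nfs_t:file relabel_file_perms;` to rpc_manage_nfs_state_data goes beyond "manage": relabelfrom/relabelto lets every existing caller move files into and out of var_lib_nfs_t, which is how type boundaries get bypassed rather than how state data is managed. If one caller needs relabelling, a separate `rpc_relabel_nfs_state_data` interface keeps the wider permission opt-in. The interface's opening lines are outside this hunk.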
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index b1468ed..372f918 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
#
## <desc>
-## <p>
-## Allow gssd to read temp directory. For access to kerberos tgt.
-## </p>
+## <p>
+## Allow gssd to read temp directory. For access to kerberos tgt.
+## </p>
## </desc>
gen_tunable(allow_gssd_read_tmp, true)
## <desc>
-## <p>
-## Allow nfs servers to modify public files
-## used for public file transfer services. Files/Directories must be
-## labeled public_content_rw_t.
-## </p>
+## <p>
+## Allow nfs servers to modify public files
+## used for public file transfer services. Files/Directories must be
+## labeled public_content_rw_t.
+## </p>
## </desc>
gen_tunable(allow_nfsd_anon_write, false)
@@ -39,11 +39,17 @@ rpc_domain_template(rpcd)
type rpcd_initrc_exec_t;
init_script_file(rpcd_initrc_exec_t)
+type rpcd_unit_file_t;
+systemd_unit_file(rpcd_unit_file_t)
+
rpc_domain_template(nfsd)
type nfsd_initrc_exec_t;
init_script_file(nfsd_initrc_exec_t)
+type nfsd_unit_file_t;
+systemd_unit_file(nfsd_unit_file_t)
+
type nfsd_rw_t;
files_type(nfsd_rw_t)
@@ -62,9 +68,10 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
allow rpcd_t self:process { getcap setcap };
allow rpcd_t self:fifo_file rw_fifo_file_perms;
-allow rpcd_t rpcd_var_run_t:dir setattr;
+allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms;
+manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
-files_pid_filetrans(rpcd_t, rpcd_var_run_t, file)
+files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
# rpc.statd executes sm-notify
can_exec(rpcd_t, rpcd_exec_t)
@@ -87,6 +94,7 @@ fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
fs_rw_rpc_sockets(rpcd_t)
fs_get_all_fs_quotas(rpcd_t)
+fs_set_xattr_fs_quotas(rpcd_t)
fs_getattr_all_fs(rpcd_t)
storage_getattr_fixed_disk_dev(rpcd_t)
@@ -97,15 +105,26 @@ miscfiles_read_generic_certs(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
+userdom_signal_unpriv_users(rpcd_t)
+userdom_read_user_home_content_files(rpcd_t)
+
optional_policy(`
automount_signal(rpcd_t)
automount_dontaudit_write_pipes(rpcd_t)
')
optional_policy(`
+ domain_unconfined_signal(rpcd_t)
+')
+
+optional_policy(`
nis_read_ypserv_config(rpcd_t)
')
+optional_policy(`
+ rgmanager_manage_tmp_files(rpcd_t)
+')
+
########################################
#
# NFSD local policy
@@ -120,9 +139,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
kernel_dontaudit_getattr_core_if(nfsd_t)
+kernel_setsched(nfsd_t)
+
+corecmd_exec_shell(nfsd_t)
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
+corenet_tcp_bind_nfs_port(nfsd_t)
+corenet_udp_bind_nfs_port(nfsd_t)
dev_dontaudit_getattr_all_blk_files(nfsd_t)
dev_dontaudit_getattr_all_chr_files(nfsd_t)
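Review bot: corecmd_exec_shell(nfsd_t) appears without a comment, and for a network-facing service domain the ability to run a shell is worth justifying in place, e.g. `# <helper name> is a shell script run by rpc.mountd/exportfs` if that is the trigger. The rpcbind.te hunk later in this diff adds the same `corecmd_exec_shell(rpcbind_t)` with the same lack of explanation; please document both or confirm from the audit log that a shell, rather than a specific helper binary, is really what is executed.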
@@ -148,6 +172,8 @@ storage_raw_read_removable_device(nfsd_t)
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
+userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
+
# Write access to public_content_t and public_content_rw_t
tunable_policy(`allow_nfsd_anon_write',`
miscfiles_manage_public_files(nfsd_t)
@@ -158,7 +184,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
- auth_manage_all_files_except_shadow(nfsd_t)
')
tunable_policy(`nfs_export_all_ro',`
@@ -170,8 +195,7 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
- auth_read_all_dirs_except_shadow(nfsd_t)
- auth_read_all_files_except_shadow(nfsd_t)
+ files_read_non_security_files(nfsd_t)
')
########################################
@@ -181,7 +205,7 @@ tunable_policy(`nfs_export_all_ro',`
allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
allow gssd_t self:process { getsched setsched };
-allow gssd_t self:fifo_file rw_file_perms;
+allow gssd_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
@@ -199,6 +223,7 @@ corecmd_exec_bin(gssd_t)
fs_list_rpc(gssd_t)
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
+fs_search_nfsd_fs(gssd_t)
fs_list_inotifyfs(gssd_t)
files_list_tmp(gssd_t)
@@ -210,14 +235,14 @@ auth_manage_cache(gssd_t)
miscfiles_read_generic_certs(gssd_t)
-mount_signal(gssd_t)
-
userdom_signal_all_users(gssd_t)
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_user_tmp(gssd_t)
userdom_read_user_tmp_files(gssd_t)
userdom_read_user_tmp_symlinks(gssd_t)
+ userdom_write_user_tmp_files(gssd_t)
+ files_read_generic_tmp_files(gssd_t)
')
optional_policy(`
@@ -229,6 +254,10 @@ optional_policy(`
')
optional_policy(`
+ mount_signal(gssd_t)
+')
+
+optional_policy(`
pcscd_read_pub_files(gssd_t)
')
diff --git a/policy/modules/services/rpcbind.fc b/policy/modules/services/rpcbind.fc
index f5c47d6..5a965e9 100644
--- a/policy/modules/services/rpcbind.fc
+++ b/policy/modules/services/rpcbind.fc
@@ -2,6 +2,7 @@
/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
/var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if
index a96249c..3942dfc 100644
--- a/policy/modules/services/rpcbind.if
+++ b/policy/modules/services/rpcbind.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run rpcbind.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`rpcbind_domtrans',`
@@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',`
')
files_search_pids($1)
- allow $1 rpcbind_var_run_t:sock_file write;
- allow $1 rpcbind_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t)
')
########################################
@@ -117,6 +116,24 @@ interface(`rpcbind_manage_lib_files',`
########################################
## <summary>
+## Send a null signal to rpcbind.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_signull',`
+ gen_require(`
+ type rpcbind_t;
+ ')
+
+ allow $1 rpcbind_t:process signull;
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an rpcbind environment
## </summary>
@@ -141,8 +158,14 @@ interface(`rpcbind_admin',`
allow $1 rpcbind_t:process { ptrace signal_perms };
ps_process_pattern($1, rpcbind_t)
- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+ init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rpcbind_initrc_exec_t system_r;
allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, rpcbind_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, rpcbind_var_run_t)
')
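Review bot: The new admin_pattern calls reference rpcbind_var_lib_t and rpcbind_var_run_t, but the interface's gen_require block is above this hunk, so it is not visible whether those two types are declared there; if they are not, the module fails to build with an undeclared-type error. Please check the gen_require lists both, alongside the rpcbind_initrc_exec_t whose typo this hunk fixes.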
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
index d6d76e1..9cb5e25 100644
--- a/policy/modules/services/rpcbind.te
+++ b/policy/modules/services/rpcbind.te
@@ -43,6 +43,8 @@ kernel_read_system_state(rpcbind_t)
kernel_read_network_state(rpcbind_t)
kernel_request_load_module(rpcbind_t)
+corecmd_exec_shell(rpcbind_t)
+
corenet_all_recvfrom_unlabeled(rpcbind_t)
corenet_all_recvfrom_netlabel(rpcbind_t)
corenet_tcp_sendrecv_generic_if(rpcbind_t)
@@ -71,3 +73,7 @@ sysnet_dns_name_resolve(rpcbind_t)
ifdef(`hide_broken_symptoms',`
dontaudit rpcbind_t self:udp_socket listen;
')
+
+optional_policy(`
+ nis_use_ypbind(rpcbind_t)
+')
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
index 0b405d1..49a4283 100644
--- a/policy/modules/services/rshd.te
+++ b/policy/modules/services/rshd.te
@@ -66,6 +66,7 @@ seutil_read_config(rshd_t)
seutil_read_default_contexts(rshd_t)
userdom_search_user_home_content(rshd_t)
+userdom_manage_tmp_role(system_r, rshd_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(rshd_t)
diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if
index 3386f29..b28cae5 100644
--- a/policy/modules/services/rsync.if
+++ b/policy/modules/services/rsync.if
@@ -109,9 +109,9 @@ interface(`rsync_exec',`
## Read rsync config files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`rsync_read_config',`
@@ -119,7 +119,7 @@ interface(`rsync_read_config',`
type rsync_etc_t;
')
- allow $1 rsync_etc_t:file read_file_perms;
+ read_files_pattern($1, rsync_etc_t, rsync_etc_t)
files_search_etc($1)
')
@@ -128,9 +128,9 @@ interface(`rsync_read_config',`
## Write to rsync config files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`rsync_write_config',`
@@ -138,6 +138,49 @@ interface(`rsync_write_config',`
type rsync_etc_t;
')
- allow $1 rsync_etc_t:file read_file_perms;
+ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Manage rsync config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rsync_manage_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
files_search_etc($1)
')
+
+########################################
+## <summary>
+## Create objects in etc directories
+## with rsync etc type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+#
+interface(`rsync_filetrans_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ files_etc_filetrans($1, rsync_etc_t, $2)
+')
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 39015ae..967bebd 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -7,6 +7,13 @@ policy_module(rsync, 1.10.0)
## <desc>
## <p>
+## Allow rsync to run as a client
+## </p>
+## </desc>
+gen_tunable(rsync_client, false)
+
+## <desc>
+## <p>
## Allow rsync to export any files/directories read only.
## </p>
## </desc>
@@ -23,7 +30,6 @@ gen_tunable(allow_rsync_anon_write, false)
type rsync_t;
type rsync_exec_t;
-init_daemon_domain(rsync_t, rsync_exec_t)
application_executable_file(rsync_exec_t)
role system_r types rsync_t;
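Review bot: With `init_daemon_domain(rsync_t, rsync_exec_t)` removed, nothing left in this hunk declares rsync_t as a domain or rsync_exec_t as its entrypoint; unless another rule outside the hunk does so (for example an inetd service-domain call in an optional block), rsync_t stops being a domain that init can transition into, and it would be a domain only when that other module is present. A comment above `type rsync_t;` naming where the domain is now declared, e.g. `# rsync_t becomes a domain via <interface — fill in> below`, would make that dependency visible. The declarations block continues outside the hunk.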
@@ -59,7 +65,7 @@ allow rsync_t self:udp_socket connected_socket_perms;
allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
#end for identd
-allow rsync_t rsync_etc_t:file read_file_perms;
+read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
allow rsync_t rsync_data_t:dir list_dir_perms;
read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
@@ -122,12 +128,26 @@ optional_policy(`
')
tunable_policy(`rsync_export_all_ro',`
+ files_getattr_all_pipes(rsync_t)
fs_read_noxattr_fs_files(rsync_t)
fs_read_nfs_files(rsync_t)
fs_read_cifs_files(rsync_t)
- auth_read_all_dirs_except_shadow(rsync_t)
- auth_read_all_files_except_shadow(rsync_t)
- auth_read_all_symlinks_except_shadow(rsync_t)
+ files_read_non_security_files(rsync_t)
auth_tunable_read_shadow(rsync_t)
')
+
+tunable_policy(`rsync_client',`
+ corenet_tcp_connect_rsync_port(rsync_t)
+ corenet_tcp_connect_ssh_port(rsync_t)
+ manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
+ manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+ manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+')
+
+optional_policy(`
+ tunable_policy(`rsync_client',`
+ ssh_exec(rsync_t)
+ ')
+')
+
auth_can_read_shadow_passwords(rsync_t)
diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if
index 46dad1f..6586da0 100644
--- a/policy/modules/services/rtkit.if
+++ b/policy/modules/services/rtkit.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run rtkit_daemon.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`rtkit_daemon_domtrans',`
@@ -41,6 +41,28 @@ interface(`rtkit_daemon_dbus_chat',`
########################################
## <summary>
+## Do not audit send and receive messages from
+## rtkit_daemon over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rtkit_daemon_dontaudit_dbus_chat',`
+ gen_require(`
+ type rtkit_daemon_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 rtkit_daemon_t:dbus send_msg;
+ dontaudit rtkit_daemon_t $1:dbus send_msg;
+ dontaudit rtkit_daemon_t $1:process { getsched setsched };
+')
+
+########################################
+## <summary>
## Allow rtkit to control scheduling for your process
## </summary>
## <param name="domain">
@@ -54,6 +76,7 @@ interface(`rtkit_scheduled',`
type rtkit_daemon_t;
')
+ kernel_search_proc($1)
ps_process_pattern(rtkit_daemon_t, $1)
allow rtkit_daemon_t $1:process { getsched setsched };
rtkit_daemon_dbus_chat($1)
diff --git a/policy/modules/services/rtkit.te b/policy/modules/services/rtkit.te
index 6f8e268..7d64285 100644
--- a/policy/modules/services/rtkit.te
+++ b/policy/modules/services/rtkit.te
@@ -8,6 +8,7 @@ policy_module(rtkit, 1.1.0)
type rtkit_daemon_t;
type rtkit_daemon_exec_t;
dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
+init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
########################################
#
diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if
index 71ea0ea..664e68e 100644
--- a/policy/modules/services/rwho.if
+++ b/policy/modules/services/rwho.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run rwho.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`rwho_domtrans',`
diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
index a07b2f4..ee39810 100644
--- a/policy/modules/services/rwho.te
+++ b/policy/modules/services/rwho.te
@@ -16,7 +16,7 @@ type rwho_log_t;
files_type(rwho_log_t)
type rwho_spool_t;
-files_type(rwho_spool_t)
+files_spool_file(rwho_spool_t)
########################################
#
@@ -55,6 +55,10 @@ files_read_etc_files(rwho_t)
init_read_utmp(rwho_t)
init_dontaudit_write_utmp(rwho_t)
+logging_send_syslog_msg(rwho_t)
+
miscfiles_read_localization(rwho_t)
sysnet_dns_name_resolve(rwho_t)
+
+userdom_getattr_user_terminals(rwho_t)
diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
index 69a6074..596dbb3 100644
--- a/policy/modules/services/samba.fc
+++ b/policy/modules/services/samba.fc
@@ -11,6 +11,8 @@
/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
+/lib/systemd/system/smb.service -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+
#
# /usr
#
@@ -36,6 +38,8 @@
/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
+/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
+
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
@@ -51,3 +55,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+
+ifndef(`enable_mls',`
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
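Review bot: The `/var/lib/samba/scripts` entry is wrapped in `ifndef(`enable_mls'` with no comment explaining why the samba_unconfined_script_exec_t label is withheld on MLS builds, while the type itself appears to be declared unconditionally in the samba.te hunk at `@@ -922,6 +949,18 @@`. Add a one-line reason above the block, e.g. `# not labeled on MLS: unconfined helper scripts are not used there (<reason — fill in>)`, so a later reader does not take the omission for an oversight.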
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 82cb169..87d1eec 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -60,6 +60,30 @@ interface(`samba_initrc_domtrans',`
########################################
## <summary>
+## Execute samba server in the samba domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_systemctl',`
+ gen_require(`
+ type samba_unit_file_t;
+ type smbd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 samba_unit_file_t:file read_file_perms;
+ allow $1 samba_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, smbd_t)
+')
+
+########################################
+## <summary>
## Execute samba net in the samba_net domain.
## </summary>
## <param name="domain">
@@ -79,6 +103,25 @@ interface(`samba_domtrans_net',`
########################################
## <summary>
+## Execute samba net in the samba_unconfined_net domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_unconfined_net',`
+ gen_require(`
+ type samba_unconfined_net_t, samba_net_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
+')
+
+########################################
+## <summary>
## Execute samba net in the samba_net domain, and
## allow the specified role the samba_net domain.
## </summary>
@@ -103,6 +146,51 @@ interface(`samba_run_net',`
role $2 types samba_net_t;
')
+#######################################
+## <summary>
+## The role for the samba module.
+## </summary>
+## <param name="role">
+## <summary>
+## The role to be allowed the samba_net domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_role_notrans',`
+ gen_require(`
+ type smbd_t;
+ ')
+
+ role $1 types smbd_t;
+')
+
+########################################
+## <summary>
+## Execute samba net in the samba_unconfined_net domain, and
+## allow the specified role the samba_unconfined_net domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the samba_unconfined_net domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_unconfined_net',`
+ gen_require(`
+ type samba_unconfined_net_t;
+ ')
+
+ samba_domtrans_unconfined_net($1)
+ role $2 types samba_unconfined_net_t;
+')
+
########################################
## <summary>
## Execute smbmount in the smbmount domain.
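Review bot: The documentation of `samba_role_notrans` does not match its body: the summary says "The role for the samba module" and the parameter says the role is "allowed the samba_net domain", but the only rule is `role $1 types smbd_t;`. Change the summary to `## Allow the specified role the smbd_t domain without setting up a domain transition.` and the parameter summary to `## The role to be allowed the smbd_t domain.`.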
@@ -327,7 +415,6 @@ interface(`samba_search_var',`
type samba_var_t;
')
- files_search_var($1)
files_search_var_lib($1)
allow $1 samba_var_t:dir search_dir_perms;
')
@@ -348,7 +435,6 @@ interface(`samba_read_var_files',`
type samba_var_t;
')
- files_search_var($1)
files_search_var_lib($1)
read_files_pattern($1, samba_var_t, samba_var_t)
')
@@ -388,7 +474,6 @@ interface(`samba_rw_var_files',`
type samba_var_t;
')
- files_search_var($1)
files_search_var_lib($1)
rw_files_pattern($1, samba_var_t, samba_var_t)
')
@@ -409,9 +494,9 @@ interface(`samba_manage_var_files',`
type samba_var_t;
')
- files_search_var($1)
files_search_var_lib($1)
manage_files_pattern($1, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
')
########################################
@@ -419,15 +504,14 @@ interface(`samba_manage_var_files',`
## Execute a domain transition to run smbcontrol.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`samba_domtrans_smbcontrol',`
gen_require(`
- type smbcontrol_t;
- type smbcontrol_exec_t;
+ type smbcontrol_t, smbcontrol_exec_t;
')
domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
@@ -564,6 +648,7 @@ interface(`samba_domtrans_winbind_helper',`
')
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+ allow $1 winbind_helper_t:process signal;
')
########################################
@@ -644,6 +729,37 @@ interface(`samba_stream_connect_winbind',`
########################################
## <summary>
+## Create a set of derived types for apache
+## web content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`samba_helper_template',`
+ gen_require(`
+ type smbd_t;
+ role system_r;
+ ')
+
+ #This type is for samba helper scripts
+ type samba_$1_script_t;
+ domain_type(samba_$1_script_t)
+ role system_r types samba_$1_script_t;
+
+ # This type is used for executable scripts files
+ type samba_$1_script_exec_t;
+ corecmd_shell_entry_type(samba_$1_script_t)
+ domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
+
+ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
+ allow smbd_t samba_$1_script_exec_t:file ioctl;
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an samba environment
## </summary>
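Review bot: The summary of `samba_helper_template` ("Create a set of derived types for apache web content") is left over from the apache template and is wrong for this interface, which declares a confined domain `samba_$1_script_t` with entrypoint `samba_$1_script_exec_t` and lets smbd_t transition into it. Replace the summary with `## Create a confined domain and executable type for a samba helper script, and allow smbd to transition to it.` and describe the prefix parameter as `## The prefix used to derive the samba_<prefix>_script_t and samba_<prefix>_script_exec_t type names.`.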
@@ -661,21 +777,12 @@ interface(`samba_stream_connect_winbind',`
#
interface(`samba_admin',`
gen_require(`
- type nmbd_t, nmbd_var_run_t;
- type smbd_t, smbd_tmp_t;
- type smbd_var_run_t;
- type smbd_spool_t;
-
- type samba_log_t, samba_var_t;
- type samba_etc_t, samba_share_t;
- type samba_secrets_t;
-
- type swat_var_run_t, swat_tmp_t;
-
- type winbind_var_run_t, winbind_tmp_t;
- type winbind_log_t;
-
- type samba_initrc_exec_t;
+ type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
+ type smbd_t, smbd_tmp_t, samba_secrets_t;
+ type samba_initrc_exec_t, samba_log_t, samba_var_t;
+ type samba_etc_t, samba_share_t, winbind_log_t;
+ type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t;
+ type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
')
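Review bot: The rewritten gen_require of `samba_admin` still lists `winbind_tmp_t` (and `admin_pattern($1, winbind_tmp_t)` remains further down the interface, visible as context in the hunk at `@@ -727,4 +834,7 @@`), while the samba.te hunk at `@@ -152,9 +155,6 @@` removes the `winbind_tmp_t` declaration and the winbind hunk at `@@ -806,15 +825,16 @@` replaces its uses with userdom user_tmp rules. Unless the type is still declared somewhere outside these hunks, every module that calls samba_admin will fail to build on an undefined type. Drop `winbind_tmp_t` from the require line (`type winbind_var_run_t, samba_unconfined_script_t;`) and remove the `admin_pattern($1, winbind_tmp_t)` call.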
allow $1 smbd_t:process { ptrace signal_perms };
@@ -684,6 +791,9 @@ interface(`samba_admin',`
allow $1 nmbd_t:process { ptrace signal_perms };
ps_process_pattern($1, nmbd_t)
+ allow $1 samba_unconfined_script_t:process { ptrace signal_perms };
+ ps_process_pattern($1, samba_unconfined_script_t)
+
samba_run_smbcontrol($1, $2, $3)
samba_run_winbind_helper($1, $2, $3)
samba_run_smbmount($1, $2, $3)
@@ -709,9 +819,6 @@ interface(`samba_admin',`
admin_pattern($1, samba_var_t)
files_list_var($1)
- admin_pattern($1, smbd_spool_t)
- files_list_spool($1)
-
admin_pattern($1, smbd_var_run_t)
files_list_pids($1)
@@ -727,4 +834,7 @@ interface(`samba_admin',`
admin_pattern($1, winbind_tmp_t)
admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
+
+ samba_systemctl($1)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index e30bb63..fed972d 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
type samba_initrc_exec_t;
init_script_file(samba_initrc_exec_t)
+type samba_unit_file_t;
+systemd_unit_file(samba_unit_file_t)
+
type samba_log_t;
logging_log_file(samba_log_t)
@@ -152,9 +155,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
type winbind_log_t;
logging_log_file(winbind_log_t)
-type winbind_tmp_t;
-files_tmp_file(winbind_tmp_t)
-
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
@@ -215,7 +215,7 @@ miscfiles_read_localization(samba_net_t)
samba_read_var_files(samba_net_t)
-userdom_use_user_terminals(samba_net_t)
+userdom_use_inherited_user_terminals(samba_net_t)
userdom_list_user_home_dirs(samba_net_t)
optional_policy(`
@@ -224,13 +224,14 @@ optional_policy(`
optional_policy(`
kerberos_use(samba_net_t)
+ kerberos_etc_filetrans_keytab(samba_net_t)
')
########################################
#
# smbd Local policy
#
-allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
+allow smbd_t self:capability { chown fowner kill setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
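Review bot: The capability rule for smbd_t now adds `kill sys_chroot sys_admin`, and `sys_admin` in particular is a very broad capability (mount, many privileged ioctls, quota and namespace operations) with nothing recording which samba feature needs it. Add a why-comment above the rule naming the operation it was observed for, e.g. `# sys_admin: needed for <feature/denial — fill in>; sys_chroot: <reason — fill in>`, so the grant can be re-evaluated later instead of becoming permanent. The smbd policy block continues outside the hunk.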
@@ -263,7 +264,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
-allow smbd_t samba_share_t:filesystem getattr;
+allow smbd_t samba_share_t:filesystem { getattr quotaget };
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
@@ -279,7 +280,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
-files_pid_filetrans(smbd_t, smbd_var_run_t, file)
+files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
allow smbd_t swat_t:process signal;
@@ -323,15 +324,18 @@ dev_getattr_all_blk_files(smbd_t)
dev_getattr_all_chr_files(smbd_t)
fs_getattr_all_fs(smbd_t)
+fs_getattr_all_dirs(smbd_t)
fs_get_xattr_fs_quotas(smbd_t)
fs_search_auto_mountpoints(smbd_t)
fs_getattr_rpc_dirs(smbd_t)
fs_list_inotifyfs(smbd_t)
+fs_get_all_fs_quotas(smbd_t)
auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
auth_domtrans_upd_passwd(smbd_t)
auth_manage_cache(smbd_t)
+auth_write_login_records(smbd_t)
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
@@ -343,6 +347,7 @@ files_read_usr_files(smbd_t)
files_search_spool(smbd_t)
# smbd seems to getattr all mountpoints
files_dontaudit_getattr_all_dirs(smbd_t)
+files_dontaudit_list_all_mountpoints(smbd_t)
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
@@ -385,12 +390,7 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
- userdom_manage_user_home_content_dirs(smbd_t)
- userdom_manage_user_home_content_files(smbd_t)
- userdom_manage_user_home_content_symlinks(smbd_t)
- userdom_manage_user_home_content_sockets(smbd_t)
- userdom_manage_user_home_content_pipes(smbd_t)
- userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
+ userdom_manage_user_home_content(smbd_t)
')
# Support Samba sharing of NFS mount points
@@ -410,6 +410,10 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
+optional_policy(`
+ ctdbd_stream_connect(smbd_t)
+ ctdbd_manage_lib_files(smbd_t)
+')
optional_policy(`
cups_read_rw_config(smbd_t)
@@ -445,26 +449,25 @@ optional_policy(`
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
- userdom_home_filetrans_user_home_dir(smbd_t)
')
+userdom_home_filetrans_user_home_dir(smbd_t)
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
- auth_read_all_dirs_except_shadow(smbd_t)
- auth_read_all_files_except_shadow(smbd_t)
+ files_read_non_security_files(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
- auth_read_all_dirs_except_shadow(nmbd_t)
- auth_read_all_files_except_shadow(nmbd_t)
+ files_read_non_security_files(nmbd_t)
')
tunable_policy(`samba_export_all_rw',`
fs_read_noxattr_fs_files(smbd_t)
- auth_manage_all_files_except_shadow(smbd_t)
+ files_manage_non_security_files(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
- auth_manage_all_files_except_shadow(nmbd_t)
- userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
+ files_manage_non_security_files(nmbd_t)
')
+userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
+
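Review bot: `userdom_home_filetrans_user_home_dir(smbd_t)` and `userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })` are moved out of the `samba_create_home_dirs` and `samba_export_all_rw` tunables and become unconditional, without a comment saying why. A type_transition rule does not grant create access by itself, so this should not widen what smbd/nmbd can do while the tunables are off, but a reader has to work that out; add `# type transitions are kept outside the tunables: they grant no access on their own` above the moved lines. If the actual reason is that these interfaces cannot be used inside a conditional block, state that instead.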
########################################
#
# nmbd Local policy
@@ -484,8 +487,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+manage_dirs_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
+files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file })
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
@@ -560,13 +564,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
allow smbcontrol_t nmbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
-allow smbcontrol_t nmbd_var_run_t:file { read lock };
-
-allow smbcontrol_t smbd_t:process signal;
-
+allow smbcontrol_t smbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
allow smbcontrol_t winbind_t:process { signal signull };
+files_search_var_lib(smbcontrol_t)
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
@@ -574,11 +578,19 @@ samba_read_winbind_pid(smbcontrol_t)
domain_use_interactive_fds(smbcontrol_t)
+dev_read_urand(smbcontrol_t)
+
+term_use_console(smbcontrol_t)
+
files_read_etc_files(smbcontrol_t)
miscfiles_read_localization(smbcontrol_t)
-userdom_use_user_terminals(smbcontrol_t)
+userdom_use_inherited_user_terminals(smbcontrol_t)
+
+optional_policy(`
+ ctdbd_stream_connect(smbcontrol_t)
+')
########################################
#
@@ -644,19 +656,21 @@ auth_use_nsswitch(smbmount_t)
miscfiles_read_localization(smbmount_t)
-mount_use_fds(smbmount_t)
-
locallogin_use_fds(smbmount_t)
logging_search_logs(smbmount_t)
-userdom_use_user_terminals(smbmount_t)
+userdom_use_inherited_user_terminals(smbmount_t)
userdom_use_all_users_fds(smbmount_t)
optional_policy(`
cups_read_rw_config(smbmount_t)
')
+optional_policy(`
+ mount_use_fds(smbmount_t)
+')
+
########################################
#
# SWAT Local policy
@@ -677,7 +691,7 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
-allow swat_t smbd_var_run_t:file { lock unlink };
+allow swat_t nmbd_var_run_t:file read_file_perms;
allow swat_t smbd_port_t:tcp_socket name_bind;
@@ -692,12 +706,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
+files_list_var_lib(swat_t)
allow swat_t smbd_exec_t:file mmap_file_perms ;
allow swat_t smbd_t:process signull;
allow swat_t smbd_var_run_t:file read_file_perms;
+allow swat_t smbd_var_run_t:file { lock unlink };
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
@@ -710,6 +726,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
+read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
@@ -754,6 +771,8 @@ logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
+userdom_dontaudit_search_admin_dir(swat_t)
+
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
@@ -806,15 +825,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
-manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
-manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
-manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
-files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
+userdom_manage_user_tmp_dirs(winbind_t)
+userdom_manage_user_tmp_files(winbind_t)
+userdom_tmp_filetrans_user_tmp(winbind_t, { file dir })
+manage_dirs_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
-files_pid_filetrans(winbind_t, winbind_var_run_t, file)
+files_pid_filetrans(winbind_t, winbind_var_run_t, { file dir })
+kernel_read_network_state(winbind_t)
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
@@ -833,6 +853,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
+corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
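Review bot: The added `corenet_tcp_connect_smbd_port(winbind_t)` is identical to the existing line immediately above it, so the new rule is a duplicate and adds nothing; drop the added line. If a different port was intended, the interface name needs changing rather than the line being repeated.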
@@ -863,6 +884,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
userdom_manage_user_home_content_sockets(winbind_t)
userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ ctdbd_stream_connect(winbind_t)
+ ctdbd_manage_lib_files(winbind_t)
+')
+
optional_policy(`
kerberos_use(winbind_t)
')
@@ -904,7 +931,7 @@ logging_send_syslog_msg(winbind_helper_t)
miscfiles_read_localization(winbind_helper_t)
-userdom_use_user_terminals(winbind_helper_t)
+userdom_use_inherited_user_terminals(winbind_helper_t)
optional_policy(`
apache_append_log(winbind_helper_t)
@@ -922,6 +949,18 @@ optional_policy(`
#
optional_policy(`
+ type samba_unconfined_net_t;
+ domain_type(samba_unconfined_net_t)
+ domain_entry_file(samba_unconfined_net_t, samba_net_exec_t)
+ role system_r types samba_unconfined_net_t;
+
+ unconfined_domain(samba_unconfined_net_t)
+
+ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
+ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
+ userdom_use_inherited_user_terminals(samba_unconfined_net_t)
+')
+
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
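Review bot: `samba_unconfined_net_t` is made an `unconfined_domain`, so the `manage_files_pattern` on samba_etc_t/samba_secrets_t that follows appears redundant with the unconfined grant; the `filetrans_pattern` is not, since it supplies the type_transition to samba_secrets_t that unconfined access does not provide. `domain_entry_file(samba_unconfined_net_t, samba_net_exec_t)` also makes the same executable an entrypoint for both samba_net_t and this unconfined domain, so which one a caller lands in depends solely on the interface it uses; a comment above the block, e.g. `# unconfined variant of samba_net_t; only reached via samba_domtrans_unconfined_net()`, would record that. The enclosing optional_policy opens outside the hunk.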
@@ -932,9 +971,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+optional_policy(`
unconfined_domain(samba_unconfined_script_t)
+')
tunable_policy(`samba_run_unconfined',`
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
- ')
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
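Review bot: The new else branch of `samba_run_unconfined` changes what a disabled tunable means: smbd_t now executes files labeled samba_unconfined_script_exec_t in its own domain via `can_exec`, whereas before, with the tunable off, no execution was allowed at all. That is far narrower than the unconfined transition but is still new access, so add `# tunable off: helper scripts run confined as smbd_t instead of being denied` above the tunable. Note also that with `unconfined_domain(samba_unconfined_script_t)` now inside `optional_policy`, on a build without the unconfined module the tunable's transition target is a domain with almost no rules of its own, which is presumably intended but worth a comment on the optional block.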
diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te
index 150c85d..71e9315 100644
--- a/policy/modules/services/samhain.te
+++ b/policy/modules/services/samhain.te
@@ -55,7 +55,7 @@ domain_use_interactive_fds(samhain_t)
seutil_sigchld_newrole(samhain_t)
-userdom_use_user_terminals(samhain_t)
+userdom_use_inherited_user_terminals(samhain_t)
########################################
#
diff --git a/policy/modules/services/sanlock.fc b/policy/modules/services/sanlock.fc
new file mode 100644
index 0000000..630960e
--- /dev/null
+++ b/policy/modules/services/sanlock.fc
@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
+
+/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
+
+/var/log/sanlock\.log gen_context(system_u:object_r:sanlock_log_t,s0)
+
+/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
diff --git a/policy/modules/services/sanlock.if b/policy/modules/services/sanlock.if
new file mode 100644
index 0000000..486d53d
--- /dev/null
+++ b/policy/modules/services/sanlock.if
@@ -0,0 +1,110 @@
+
+## <summary>policy for sanlock</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run sanlock.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sanlock_domtrans',`
+ gen_require(`
+ type sanlock_t, sanlock_exec_t;
+ ')
+
+ domtrans_pattern($1, sanlock_exec_t, sanlock_t)
+')
+
+
+########################################
+## <summary>
+## Execute sanlock server in the sanlock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`sanlock_initrc_domtrans',`
+ gen_require(`
+ type sanlock_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, sanlock_initrc_exec_t)
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete sanlock PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sanlock_manage_pid_files',`
+ gen_require(`
+ type sanlock_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, sanlock_var_run_t, sanlock_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to sanlock over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sanlock_stream_connect',`
+ gen_require(`
+ type sanlock_t, sanlock_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an sanlock environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sanlock_admin',`
+ gen_require(`
+ type sanlock_t;
+ type sanlock_initrc_exec_t;
+ ')
+
+ allow $1 sanlock_t:process { ptrace signal_perms };
+ ps_process_pattern($1, sanlock_t)
+
+ sanlock_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 sanlock_initrc_exec_t system_r;
+ allow $2 system_r;
+
+')
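Review bot: `sanlock_admin` grants ptrace/signal, the initrc transition and the role transition, but unlike `sasl_admin` in this same patch (`admin_pattern($1, saslauthd_var_run_t)`) it gives no access to sanlock_var_run_t or sanlock_log_t, so an admin role still cannot inspect or clean the daemon's pid directory and log file. Add the two types to gen_require and the list/admin pairs shown below; the stray blank line before the closing `')` can go at the same time. Separately, the parameter summary of `sanlock_domtrans` says "Domain allowed access" where the other domtrans interfaces in this patch use `## Domain allowed to transition.`.
```m4
interface(`sanlock_admin',`
	gen_require(`
		type sanlock_t, sanlock_var_run_t, sanlock_log_t;
		type sanlock_initrc_exec_t;
	')

	# … unchanged: ptrace/signal, ps_process_pattern, initrc and role transition …

	files_list_pids($1)
	admin_pattern($1, sanlock_var_run_t)

	logging_list_logs($1)
	admin_pattern($1, sanlock_log_t)
')
```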
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
new file mode 100644
index 0000000..0c1e385
--- /dev/null
+++ b/policy/modules/services/sanlock.te
@@ -0,0 +1,72 @@
+policy_module(sanlock,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sanlock_t;
+type sanlock_exec_t;
+init_daemon_domain(sanlock_t, sanlock_exec_t)
+
+type sanlock_var_run_t;
+files_pid_file(sanlock_var_run_t)
+
+type sanlock_log_t;
+logging_log_file(sanlock_log_t)
+
+type sanlock_initrc_exec_t;
+init_script_file(sanlock_initrc_exec_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mls_systemhigh)
+')
+
+########################################
+#
+# sanlock local policy
+#
+allow sanlock_t self:capability { kill sys_nice ipc_lock };
+allow sanlock_t self:process { setsched signull };
+
+allow sanlock_t self:fifo_file rw_fifo_file_perms;
+allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
+logging_log_filetrans(sanlock_t, sanlock_log_t, file)
+
+manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+manage_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+
+kernel_read_system_state(sanlock_t)
+
+domain_use_interactive_fds(sanlock_t)
+
+files_read_etc_files(sanlock_t)
+
+storage_raw_rw_fixed_disk(sanlock_t)
+
+dev_read_urand(sanlock_t)
+
+logging_send_syslog_msg(sanlock_t)
+
+init_read_utmp(sanlock_t)
+init_dontaudit_write_utmp(sanlock_t)
+
+miscfiles_read_localization(sanlock_t)
+
+optional_policy(`
+ wdmd_stream_connect(sanlock_t)
+')
+
+optional_policy(`
+ virt_kill_svirt(sanlock_t)
+ virt_manage_lib_files(sanlock_t)
+ virt_signal_svirt(sanlock_t)
+')
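Review bot: `storage_raw_rw_fixed_disk(sanlock_t)` gives the daemon raw read/write on fixed-disk block devices, which bypasses filesystem labeling entirely and is the most consequential rule in this new module, yet it carries no comment. Add one above it, e.g. `# sanlock keeps its leases directly on shared block devices, hence raw disk access`, so the reason is recorded next to the grant. Also `policy_module(sanlock,1.0.0)` lacks the space after the comma used by the other policy_module lines in this patch (`policy_module(sanlock, 1.0.0)`).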
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
index f1aea88..a5a75a8 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@@ -38,11 +38,11 @@ interface(`sasl_connect',`
#
interface(`sasl_admin',`
gen_require(`
- type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
+ type saslauthd_t, saslauthd_var_run_t;
type saslauthd_initrc_exec_t;
')
- allow $1 saslauthd_t:process { ptrace signal_perms getattr };
+ allow $1 saslauthd_t:process { ptrace signal_perms };
ps_process_pattern($1, saslauthd_t)
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
@@ -50,9 +50,6 @@ interface(`sasl_admin',`
role_transition $2 saslauthd_initrc_exec_t system_r;
allow $2 system_r;
- files_list_tmp($1)
- admin_pattern($1, saslauthd_tmp_t)
-
files_list_pids($1)
admin_pattern($1, saslauthd_var_run_t)
')
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index cfc60dd..791c5b3 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
type saslauthd_initrc_exec_t;
init_script_file(saslauthd_initrc_exec_t)
-type saslauthd_tmp_t;
-files_tmp_file(saslauthd_tmp_t)
-
type saslauthd_var_run_t;
files_pid_file(saslauthd_var_run_t)
@@ -38,16 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
allow saslauthd_t self:tcp_socket create_socket_perms;
-allow saslauthd_t saslauthd_tmp_t:dir setattr;
-manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
-files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
+kerberos_tmp_filetrans_host_rcache(saslauthd_t)
+manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
-files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, file)
+files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, { file dir })
kernel_read_kernel_sysctls(saslauthd_t)
kernel_read_system_state(saslauthd_t)
+kernel_rw_afs_state(saslauthd_t)
+
+#577519
+corecmd_exec_bin(saslauthd_t)
corenet_all_recvfrom_unlabeled(saslauthd_t)
corenet_all_recvfrom_netlabel(saslauthd_t)
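Review bot: `kerberos_tmp_filetrans_host_rcache(saslauthd_t)` is called unconditionally, while its companion `kerberos_manage_host_rcache(saslauthd_t)` in the next hunk (`@@ -94,6 +94,7 @@`) sits inside the `optional_policy` block with the keytab template; an unconditional call to a kerberos interface makes the sasl module fail to build whenever the kerberos module is absent, so move it into that optional block next to the manage call. The `#577519` line above `corecmd_exec_bin` is a bare bug number; say what the rule is for, e.g. `# bug 577519: saslauthd executes <helper — fill in> from bin directories`.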
@@ -94,6 +94,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
optional_policy(`
kerberos_keytab_template(saslauthd, saslauthd_t)
+ kerberos_manage_host_rcache(saslauthd_t)
')
optional_policy(`
diff --git a/policy/modules/services/sblim.fc b/policy/modules/services/sblim.fc
new file mode 100644
index 0000000..d5c3c3f
--- /dev/null
+++ b/policy/modules/services/sblim.fc
@@ -0,0 +1,6 @@
+
+/usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
+
+/usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
+
+/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0)
diff --git a/policy/modules/services/sblim.if b/policy/modules/services/sblim.if
new file mode 100644
index 0000000..b077a62
--- /dev/null
+++ b/policy/modules/services/sblim.if
@@ -0,0 +1,78 @@
+
+## <summary> policy for SBLIM Gatherer </summary>
+
+########################################
+## <summary>
+## Transition to gatherd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sblim_gatherd_domtrans',`
+ gen_require(`
+ type sblim_gatherd_t, sblim_gatherd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, sblim_gatherd_exec_t, sblim_gatherd_t)
+')
+
+
+########################################
+## <summary>
+## Read gatherd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sblim_read_pid_files',`
+ gen_require(`
+ type sblim_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 sblim_var_run_t:file read_file_perms;
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gatherd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sblim_admin',`
+ gen_require(`
+ type sblim_gatherd_t;
+ type sblim_reposd_t;
+ type sblim_var_run_t;
+ ')
+
+ allow $1 sblim_gatherd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, sblim_gatherd_t)
+
+ allow $1 sblim_reposd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, sblim_reposd_t)
+
+ files_search_pids($1)
+ admin_pattern($1, sblim_var_run_t)
+
+')
+
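Review bot: `sblim_admin` documents a `role` parameter and carries `<rolecap/>`, but its body never uses `$2`; there is no initrc type for either daemon, so there is no `role_transition` to add. Either drop the `<param name="role">` block and `<rolecap/>`, or, if an init script type is introduced, use it the way `sasl_admin` does with `init_labeled_script_domtrans($1, ...)`, `role_transition $2 ... system_r;` and `allow $2 system_r;`. Minor: the summary `an gatherd environment` should read `a gatherd environment`, and the blank line before the closing `')` of `sblim_admin` can go.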
diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te
new file mode 100644
index 0000000..067c552
--- /dev/null
+++ b/policy/modules/services/sblim.te
@@ -0,0 +1,108 @@
+policy_module(sblim, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute sblim_domain;
+
+type sblim_gatherd_t, sblim_domain;
+type sblim_gatherd_exec_t;
+init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t)
+
+type sblim_reposd_t, sblim_domain;
+type sblim_reposd_exec_t;
+init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
+
+type sblim_var_run_t;
+files_pid_file(sblim_var_run_t)
+
+########################################
+#
+# sblim_gatherd local policy
+#
+
+#needed by ps
+allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override };
+allow sblim_gatherd_t self:process signal;
+
+allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
+allow sblim_gatherd_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_fs_sysctls(sblim_gatherd_t)
+kernel_read_kernel_sysctls(sblim_gatherd_t)
+
+corecmd_exec_bin(sblim_gatherd_t)
+corecmd_exec_shell(sblim_gatherd_t)
+
+corenet_tcp_connect_repository_port(sblim_gatherd_t)
+
+dev_read_rand(sblim_gatherd_t)
+dev_read_urand(sblim_gatherd_t)
+
+domain_read_all_domains_state(sblim_gatherd_t)
+
+fs_getattr_all_fs(sblim_gatherd_t)
+
+term_getattr_pty_fs(sblim_gatherd_t)
+
+init_read_utmp(sblim_gatherd_t)
+
+userdom_signull_unpriv_users(sblim_gatherd_t)
+
+optional_policy(`
+ locallogin_signull(sblim_gatherd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(sblim_gatherd_t)
+')
+
+optional_policy(`
+ ssh_signull(sblim_gatherd_t)
+ sysnet_dns_name_resolve(sblim_gatherd_t)
+')
+
+optional_policy(`
+ virt_stream_connect(sblim_gatherd_t)
+ virt_getattr_exec(sblim_gatherd_t)
+')
+
+optional_policy(`
+ xen_stream_connect(sblim_gatherd_t)
+ xen_stream_connect_xenstore(sblim_gatherd_t)
+')
+
+#######################################
+#
+# sblim_reposd local policy
+#
+
+domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t)
+
+corenet_tcp_bind_all_nodes(sblim_reposd_t)
+corenet_tcp_bind_repository_port(sblim_reposd_t)
+
+######################################
+#
+# sblim_domain local policy
+#
+
+allow sblim_domain self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+
+kernel_read_network_state(sblim_domain)
+kernel_read_system_state(sblim_domain)
+
+dev_read_sysfs(sblim_domain)
+
+logging_send_syslog_msg(sblim_domain)
+
+files_read_etc_files(sblim_domain)
+
+miscfiles_read_localization(sblim_domain)
+
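Review bot: `sysnet_dns_name_resolve(sblim_gatherd_t)` is placed inside the `optional_policy` block that wraps `ssh_signull`, so DNS resolution for gatherd silently disappears whenever the ssh module is not loaded; sysnetwork is a base module and that call should sit at top level next to the other unconditional rules, or in its own block. The `#needed by ps` comment does not cover what is granted: `sys_ptrace`, `dac_override` and `domain_read_all_domains_state` together let gatherd read the state of every domain on the host, so the comment should say which metric collection needs that, and `kill` appears to pair with the `*_signull` calls further down rather than with ps. `corecmd_exec_shell(sblim_gatherd_t)` on a monitoring daemon also deserves a one-line why-comment.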
diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc
index a86ec50..ef4199b 100644
--- a/policy/modules/services/sendmail.fc
+++ b/policy/modules/services/sendmail.fc
@@ -1,4 +1,6 @@
+/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
+
/var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0)
/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if
index 7e94c7c..5700fb8 100644
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
@@ -51,10 +51,24 @@ interface(`sendmail_domtrans',`
')
mta_sendmail_domtrans($1, sendmail_t)
+')
- allow sendmail_t $1:fd use;
- allow sendmail_t $1:fifo_file rw_file_perms;
- allow sendmail_t $1:process sigchld;
+#######################################
+## <summary>
+## Execute sendmail in the sendmail domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_initrc_domtrans',`
+ gen_require(`
+ type sendmail_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
')
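Review bot: The summary of the new `sendmail_initrc_domtrans` interface says `Execute sendmail in the sendmail domain.`, which describes `sendmail_domtrans` above it rather than this interface; given the body is `init_labeled_script_domtrans($1, sendmail_initrc_exec_t)` it should read `Execute the sendmail init script in the init script domain.`. The hunk also drops the `fd use`, `fifo_file rw_file_perms` and `process sigchld` rules from `sendmail_domtrans`; that is only safe if `mta_sendmail_domtrans` already grants them via a `domtrans_pattern`, which cannot be confirmed from this file. `sendmail_domtrans` begins above the hunk.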
########################################
@@ -152,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
type sendmail_t;
')
- allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+ allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
')
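Review bot: Replacing `{ getattr read write ioctl }` with `rw_socket_perms` here, and in the `sendmail_dontaudit_rw_unix_stream_sockets` hunk that follows, widens the grant: as defined in refpolicy's obj_perm_sets.spt, `rw_socket_perms` also carries `setattr append bind connect getopt setopt shutdown`. For an interface whose summary promises read/write on sendmail's stream sockets, the explicit set was the tighter choice; if the extra permissions are intended, the interface summary should say so. For the dontaudit variant the widening only suppresses more denials, so the concern is mainly this allow rule.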
########################################
@@ -171,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
type sendmail_t;
')
- dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+ dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
')
########################################
@@ -295,3 +309,50 @@ interface(`sendmail_run_unconfined',`
sendmail_domtrans_unconfined($1)
role $2 types unconfined_sendmail_t;
')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an sendmail environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_admin',`
+ gen_require(`
+ type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
+ type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
+ type mail_spool_t;
+ ')
+
+ allow $1 sendmail_t:process { ptrace signal_perms };
+ ps_process_pattern($1, sendmail_t)
+
+ allow $1 unconfined_sendmail_t:process { ptrace signal_perms };
+ ps_process_pattern($1, unconfined_sendmail_t)
+
+ sendmail_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 sendmail_initrc_exec_t system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, sendmail_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, sendmail_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, sendmail_var_run_t)
+
+ files_list_spool($1)
+ admin_pattern($1, mail_spool_t)
+')
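Review bot: `sendmail_admin` issues `role_transition $2 sendmail_initrc_exec_t system_r;` but never adds `allow $2 system_r;`, so the transition cannot take effect for a role that is not already permitted system_r; the other admin interfaces in this patch (`sasl_admin`, `spamassassin_spamd_admin`) pair the two lines. The `gen_require` also asks for `unconfined_sendmail_t`, while the sendmail.te hunk `@@ -19,9 +19,8 @@` below removes the declaration of that type and the `sendmail_run_unconfined` context just above still references it — unless the type is now declared elsewhere, both interfaces will fail to resolve. Minor: `an sendmail environment` should be `a sendmail environment`.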
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index 22dac1f..1c27bd6 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
-type unconfined_sendmail_t;
-application_domain(unconfined_sendmail_t, sendmail_exec_t)
-role system_r types unconfined_sendmail_t;
+type sendmail_initrc_exec_t;
+init_script_file(sendmail_initrc_exec_t)
########################################
#
@@ -84,12 +83,14 @@ files_read_usr_files(sendmail_t)
files_search_spool(sendmail_t)
# for piping mail to a command
files_read_etc_runtime_files(sendmail_t)
+files_read_all_tmp_files(sendmail_t)
init_use_fds(sendmail_t)
init_use_script_ptys(sendmail_t)
# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
init_read_utmp(sendmail_t)
init_dontaudit_write_utmp(sendmail_t)
+init_rw_script_tmp_files(sendmail_t)
auth_use_nsswitch(sendmail_t)
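Review bot: `files_read_all_tmp_files(sendmail_t)` lands directly under the existing `# for piping mail to a command` comment, which makes it look justified by that comment although it grants read on every tmp file type on the system, including user tmp files; it needs its own why-comment naming the file sendmail reads, or a narrower interface for that single type. The same applies to `userdom_read_user_home_content_files(sendmail_t)` in the next hunk (`@@ -103,7 +104,7 @@`), which turns a `dontaudit search` into read access to all user home content — presumably for ~/.forward, in which case a comment saying so would let a later reviewer narrow it.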
@@ -103,7 +104,7 @@ miscfiles_read_generic_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
-userdom_dontaudit_search_user_home_dirs(sendmail_t)
+userdom_read_user_home_content_files(sendmail_t)
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
@@ -129,6 +130,9 @@ optional_policy(`
optional_policy(`
exim_domtrans(sendmail_t)
+ exim_manage_spool_files(sendmail_t)
+ exim_manage_spool_dirs(sendmail_t)
+ exim_read_log(sendmail_t)
')
optional_policy(`
@@ -149,7 +153,9 @@ optional_policy(`
')
optional_policy(`
+ postfix_domtrans_postdrop(sendmail_t)
postfix_domtrans_master(sendmail_t)
+ postfix_domtrans_postqueue(sendmail_t)
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
')
@@ -168,20 +174,13 @@ optional_policy(`
')
optional_policy(`
- udev_read_db(sendmail_t)
+ spamd_stream_connect(sendmail_t)
')
optional_policy(`
- uucp_domtrans_uux(sendmail_t)
+ udev_read_db(sendmail_t)
')
-########################################
-#
-# Unconfined sendmail local policy
-# Allow unconfined domain to run newalias and have transitions work
-#
-
optional_policy(`
- mta_etc_filetrans_aliases(unconfined_sendmail_t)
- unconfined_domain(unconfined_sendmail_t)
+ uucp_domtrans_uux(sendmail_t)
')
diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if
index bcdd16c..7c379a8 100644
--- a/policy/modules/services/setroubleshoot.if
+++ b/policy/modules/services/setroubleshoot.if
@@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',`
########################################
## <summary>
+## Dontaudit read/write to a setroubleshoot leaked sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_fixit_dontaudit_leaks',`
+ gen_require(`
+ type setroubleshoot_fixit_t;
+ ')
+
+ dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write };
+ dontaudit $1 setroubleshoot_fixit_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an setroubleshoot environment
## </summary>
@@ -117,15 +136,15 @@ interface(`setroubleshoot_dbus_chat_fixit',`
#
interface(`setroubleshoot_admin',`
gen_require(`
- type setroubleshootd_t, setroubleshoot_log_t;
- type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
+ type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t;
+ type setroubleshoot_var_lib_t;
')
allow $1 setroubleshootd_t:process { ptrace signal_perms };
ps_process_pattern($1, setroubleshootd_t)
logging_list_logs($1)
- admin_pattern($1, setroubleshoot_log_t)
+ admin_pattern($1, setroubleshoot_var_log_t)
files_list_var_lib($1)
admin_pattern($1, setroubleshoot_var_lib_t)
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index 086cd5f..79347e7 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t)
allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
+# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
+allow setroubleshootd_t self:process { execmem execstack };
allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
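Review bot: `allow setroubleshootd_t self:process { execmem execstack };` removes the W^X guarantee for a root daemon that parses audit records, and the comment itself says it is only a fallback for a misbehaving library; wrapping the rule in a `tunable_policy` block keyed on a new `gen_tunable` boolean (default off) would keep the default policy tight while still offering the escape hatch. If the offending library is known, naming it in the comment would let the rule be removed once it is fixed.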
@@ -49,17 +51,21 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
# pid file
+manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
-files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file })
+files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir })
kernel_read_kernel_sysctls(setroubleshootd_t)
kernel_read_system_state(setroubleshootd_t)
kernel_read_net_sysctls(setroubleshootd_t)
kernel_read_network_state(setroubleshootd_t)
+kernel_dontaudit_list_all_proc(setroubleshootd_t)
+kernel_read_unlabeled_state(setroubleshootd_t)
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
+corecmd_read_all_executables(setroubleshootd_t)
corenet_all_recvfrom_unlabeled(setroubleshootd_t)
corenet_all_recvfrom_netlabel(setroubleshootd_t)
@@ -85,6 +91,7 @@ files_getattr_all_files(setroubleshootd_t)
files_getattr_all_pipes(setroubleshootd_t)
files_getattr_all_sockets(setroubleshootd_t)
files_read_all_symlinks(setroubleshootd_t)
+files_read_mnt_files(setroubleshootd_t)
fs_getattr_all_dirs(setroubleshootd_t)
fs_getattr_all_files(setroubleshootd_t)
@@ -104,6 +111,8 @@ auth_use_nsswitch(setroubleshootd_t)
init_read_utmp(setroubleshootd_t)
init_dontaudit_write_utmp(setroubleshootd_t)
+libs_exec_ld_so(setroubleshootd_t)
+
miscfiles_read_localization(setroubleshootd_t)
locallogin_dontaudit_use_fds(setroubleshootd_t)
@@ -112,8 +121,6 @@ logging_send_audit_msgs(setroubleshootd_t)
logging_send_syslog_msg(setroubleshootd_t)
logging_stream_connect_dispatcher(setroubleshootd_t)
-modutils_read_module_config(setroubleshootd_t)
-
seutil_read_config(setroubleshootd_t)
seutil_read_file_contexts(setroubleshootd_t)
seutil_read_bin_policy(setroubleshootd_t)
@@ -121,6 +128,18 @@ seutil_read_bin_policy(setroubleshootd_t)
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
optional_policy(`
+ locate_read_lib_files(setroubleshootd_t)
+')
+
+optional_policy(`
+ mock_getattr_lib(setroubleshootd_t)
+')
+
+optional_policy(`
+ modutils_read_module_config(setroubleshootd_t)
+')
+
+optional_policy(`
dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
')
@@ -152,6 +171,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
seutil_domtrans_setfiles(setroubleshoot_fixit_t)
+seutil_domtrans_setsebool(setroubleshoot_fixit_t)
files_read_usr_files(setroubleshoot_fixit_t)
files_read_etc_files(setroubleshoot_fixit_t)
@@ -164,6 +184,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
miscfiles_read_localization(setroubleshoot_fixit_t)
+userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t)
+userdom_signull_unpriv_users(setroubleshoot_fixit_t)
+
+optional_policy(`
+ gnome_dontaudit_search_config(setroubleshoot_fixit_t)
+')
+
optional_policy(`
rpm_signull(setroubleshoot_fixit_t)
rpm_read_db(setroubleshoot_fixit_t)
diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te
index e5e72fd..92eecec 100644
--- a/policy/modules/services/slrnpull.te
+++ b/policy/modules/services/slrnpull.te
@@ -13,7 +13,7 @@ type slrnpull_var_run_t;
files_pid_file(slrnpull_var_run_t)
type slrnpull_spool_t;
-files_type(slrnpull_spool_t)
+files_spool_file(slrnpull_spool_t)
type slrnpull_log_t;
logging_log_file(slrnpull_log_t)
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
index adea9f9..d5b2d93 100644
--- a/policy/modules/services/smartmon.if
+++ b/policy/modules/services/smartmon.if
@@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',`
type fsdaemon_tmp_t;
')
+ files_search_tmp($1)
allow $1 fsdaemon_tmp_t:file read_file_perms;
')
@@ -41,7 +42,7 @@ interface(`smartmon_admin',`
type fsdaemon_initrc_exec_t;
')
- allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
+ allow $1 fsdaemon_t:process { ptrace signal_perms };
ps_process_pattern($1, fsdaemon_t)
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 606a098..5e4d100 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -35,7 +35,7 @@ ifdef(`enable_mls',`
# Local policy
#
-allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin };
+allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin };
dontaudit fsdaemon_t self:capability sys_tty_config;
allow fsdaemon_t self:process { getcap setcap signal_perms };
allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
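Review bot: `dac_override` and `kill` are added to fsdaemon_t's capability set with no comment; `kill` presumably goes with the `application_signull(fsdaemon_t)` added in the next hunk, while `dac_override` lets the daemon bypass DAC on any file and usually points at a file that should instead get a labeled type. A one-line why-comment, e.g. `# kill for signull, dac_override for <path, fill in>`, would document the need and make the grant reviewable later.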
@@ -73,19 +73,28 @@ files_read_etc_runtime_files(fsdaemon_t)
files_read_usr_files(fsdaemon_t)
# for config
files_read_etc_files(fsdaemon_t)
+files_read_usr_files(fsdaemon_t)
fs_getattr_all_fs(fsdaemon_t)
fs_search_auto_mountpoints(fsdaemon_t)
+fs_read_removable_files(fsdaemon_t)
mls_file_read_all_levels(fsdaemon_t)
#mls_rangetrans_target(fsdaemon_t)
+storage_create_fixed_disk_dev(fsdaemon_t)
storage_raw_read_fixed_disk(fsdaemon_t)
storage_raw_write_fixed_disk(fsdaemon_t)
storage_raw_read_removable_device(fsdaemon_t)
+storage_read_scsi_generic(fsdaemon_t)
+storage_write_scsi_generic(fsdaemon_t)
term_dontaudit_search_ptys(fsdaemon_t)
+application_signull(fsdaemon_t)
+
+init_read_utmp(fsdaemon_t)
+
libs_exec_ld_so(fsdaemon_t)
libs_exec_lib_files(fsdaemon_t)
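Review bot: The added `files_read_usr_files(fsdaemon_t)` duplicates the identical call three lines above it in the context (directly under `files_read_etc_runtime_files(fsdaemon_t)`), so the new line should be dropped. `storage_create_fixed_disk_dev(fsdaemon_t)` and `storage_write_scsi_generic(fsdaemon_t)` are a notable step up from the existing raw read/write on fixed disks — creating fixed-disk device nodes and writing SCSI generic devices — and deserve a comment naming the smartctl operation that needs them.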
diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te
index 740994a..a92ba26 100644
--- a/policy/modules/services/smokeping.te
+++ b/policy/modules/services/smokeping.te
@@ -23,7 +23,7 @@ files_type(smokeping_var_lib_t)
# smokeping local policy
#
-dontaudit smokeping_t self:capability { dac_read_search dac_override };
+dontaudit smokeping_t self:capability { dac_read_search dac_override };
allow smokeping_t self:fifo_file rw_fifo_file_perms;
allow smokeping_t self:udp_socket create_socket_perms;
allow smokeping_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc
index 623c8fa..0a802f7 100644
--- a/policy/modules/services/snmp.fc
+++ b/policy/modules/services/snmp.fc
@@ -18,7 +18,8 @@
/var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0)
-/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
index 275f9fb..4f4a192 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -11,12 +11,12 @@
## </param>
#
interface(`snmp_stream_connect',`
- gen_require(`
+ gen_require(`
type snmpd_t, snmpd_var_lib_t;
- ')
+ ')
- files_search_var_lib($1)
- stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
+ files_search_var_lib($1)
+ stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
')
########################################
@@ -62,6 +62,7 @@ interface(`snmp_read_snmp_var_lib_files',`
type snmpd_var_lib_t;
')
+ files_search_var_lib($1)
allow $1 snmpd_var_lib_t:dir list_dir_perms;
read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
@@ -69,6 +70,45 @@ interface(`snmp_read_snmp_var_lib_files',`
########################################
## <summary>
+## Manage snmpd libraries directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_manage_var_lib_dirs',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+ allow $1 snmpd_var_lib_t:dir manage_dir_perms;
+ files_var_lib_filetrans($1, snmpd_var_lib_t, dir)
+')
+
+########################################
+## <summary>
+## Manage snmpd libraries.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_manage_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
+ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+')
+
+########################################
+## <summary>
## dontaudit Read snmpd libraries.
## </summary>
## <param name="domain">
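Review bot: `snmp_manage_var_lib_dirs` calls `files_var_lib_filetrans($1, snmpd_var_lib_t, dir)` with no name filter, so every directory the caller creates directly in /var/lib is labeled `snmpd_var_lib_t`, not only the net-snmp one; for a caller that is a generic domain this mislabels unrelated directories. If this tree's filetrans interfaces accept a filename argument, restricting the transition to the `net-snmp` name used in snmp.fc would avoid that; otherwise the interface summary should warn about the blanket transition. Minor: `Manage snmpd libraries directories` should read `Manage snmpd /var/lib directories`.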
@@ -81,9 +121,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
gen_require(`
type snmpd_var_lib_t;
')
+
dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
dontaudit $1 snmpd_var_lib_t:file read_file_perms;
- dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
+ dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -123,12 +164,11 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
#
interface(`snmp_admin',`
gen_require(`
- type snmpd_t, snmpd_log_t;
+ type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t;
type snmpd_var_lib_t, snmpd_var_run_t;
- type snmpd_initrc_exec_t;
')
- allow $1 snmpd_t:process { ptrace signal_perms getattr };
+ allow $1 snmpd_t:process { ptrace signal_perms };
ps_process_pattern($1, snmpd_t)
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index 3d8d1b3..9509742 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
#
# Declarations
#
+
type snmpd_t;
type snmpd_exec_t;
init_daemon_domain(snmpd_t, snmpd_exec_t)
@@ -24,12 +25,13 @@ files_type(snmpd_var_lib_t)
#
# Local policy
#
-allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
+
+allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config };
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
allow snmpd_t self:unix_dgram_socket create_socket_perms;
-allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
+allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow snmpd_t self:tcp_socket create_stream_socket_perms;
allow snmpd_t self:udp_socket connected_stream_socket_perms;
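Review bot: `setgid` and `setuid` are added to snmpd_t's capability set without a comment; if this is for snmpd dropping privileges at startup (presumably the `-u`/`-g` options), say so, e.g. `# setuid/setgid: snmpd drops privileges via -u/-g`, since the same capabilities also allow the daemon to regain root and a reader cannot tell the intent from the rule. The `connectto` addition on `unix_stream_socket` would benefit from the same treatment.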
@@ -41,10 +43,11 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
-files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file)
+files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, { dir file })
+manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
-files_pid_filetrans(snmpd_t, snmpd_var_run_t, file)
+files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir })
kernel_read_device_sysctls(snmpd_t)
kernel_read_kernel_sysctls(snmpd_t)
@@ -94,15 +97,19 @@ files_search_home(snmpd_t)
fs_getattr_all_dirs(snmpd_t)
fs_getattr_all_fs(snmpd_t)
fs_search_auto_mountpoints(snmpd_t)
+files_search_all_mountpoints(snmpd_t)
storage_dontaudit_read_fixed_disk(snmpd_t)
storage_dontaudit_read_removable_device(snmpd_t)
+storage_dontaudit_write_removable_device(snmpd_t)
auth_use_nsswitch(snmpd_t)
-auth_read_all_dirs_except_shadow(snmpd_t)
+files_list_all(snmpd_t)
init_read_utmp(snmpd_t)
init_dontaudit_write_utmp(snmpd_t)
+# need write to /var/run/systemd/notify
+init_write_pid_socket(snmpd_t)
logging_send_syslog_msg(snmpd_t)
@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t)
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
userdom_dontaudit_search_user_home_dirs(snmpd_t)
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(snmpd_t)
rpm_dontaudit_manage_db(snmpd_t)
diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if
index c117e8b..88ebedb 100644
--- a/policy/modules/services/snort.if
+++ b/policy/modules/services/snort.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run snort.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`snort_domtrans',`
@@ -50,11 +50,11 @@ interface(`snort_admin',`
allow $2 system_r;
admin_pattern($1, snort_etc_t)
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, snort_log_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, snort_var_run_t)
- files_search_pids($1)
+ files_list_pids($1)
')
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index 179bc1b..735c400 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -32,17 +32,17 @@ files_pid_file(snort_var_run_t)
allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
dontaudit snort_t self:capability sys_tty_config;
allow snort_t self:process signal_perms;
-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow snort_t self:netlink_route_socket create_netlink_socket_perms;
allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
allow snort_t self:packet_socket create_socket_perms;
allow snort_t self:socket create_socket_perms;
# Snort IPS node. unverified.
-allow snort_t self:netlink_firewall_socket { bind create getattr };
+allow snort_t self:netlink_firewall_socket create_socket_perms;
allow snort_t snort_etc_t:dir list_dir_perms;
allow snort_t snort_etc_t:file read_file_perms;
-allow snort_t snort_etc_t:lnk_file { getattr read };
+allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
manage_files_pattern(snort_t, snort_log_t, snort_log_t)
create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
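Review bot: `create_netlink_socket_perms` on `netlink_route_socket` adds `nlmsg_write` to what was an explicitly read-only set (`nlmsg_read`), which permits routing-table changes; if snort only reads routes, `r_netlink_socket_perms` keeps the previous scope. Likewise `netlink_firewall_socket create_socket_perms` widens `{ bind create getattr }` on a rule whose own comment says `unverified`; widening an unverified rule should at least update that comment to say what was observed.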
diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if
index 93fe7bf..4a15633 100644
--- a/policy/modules/services/soundserver.if
+++ b/policy/modules/services/soundserver.if
@@ -33,9 +33,8 @@ interface(`soundserver_tcp_connect',`
#
interface(`soundserver_admin',`
gen_require(`
- type soundd_t, soundd_etc_t;
+ type soundd_t, soundd_etc_t, soundd_initrc_exec_t;
type soundd_tmp_t, soundd_var_run_t;
- type soundd_initrc_exec_t;
')
allow $1 soundd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
index 6b3abf9..a785741 100644
--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
@@ -1,15 +1,28 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+
+/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
+/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0)
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
+/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
+
+/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0)
+/var/log/mimedefang -- gen_context(system_u:object_r:spamd_log_t,s0)
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
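Review bot: `/var/spool/MD-Quarantine(/.*)?` and `/var/spool/MIMEDefang(/.*)?` are labeled `spamd_var_run_t`, while the adjacent `/var/spool/spamd(/.*)?` and `/var/spool/spamassassin(/.*)?` use `spamd_spool_t`; a quarantine directory under /var/spool is spool content, and giving it the pid/run type makes it manageable by every domain granted `spamd_var_run_t` access and leaves it outside the spool admin rules. Unless MIMEDefang genuinely requires the run type, these two lines should use `gen_context(system_u:object_r:spamd_spool_t,s0)`.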
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index c954f31..c7cadcb 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -14,6 +14,7 @@
## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`spamassassin_role',`
gen_require(`
@@ -25,9 +26,13 @@ interface(`spamassassin_role',`
role $1 types { spamc_t spamassassin_t };
domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
+
+ allow $2 spamassassin_t:process { ptrace signal_perms };
ps_process_pattern($2, spamassassin_t)
domtrans_pattern($2, spamc_exec_t, spamc_t)
+
+ allow $2 spamc_t:process { ptrace signal_perms };
ps_process_pattern($2, spamc_t)
manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
@@ -55,7 +60,6 @@ interface(`spamassassin_exec',`
')
can_exec($1, spamassassin_exec_t)
-
')
########################################
@@ -111,6 +115,67 @@ interface(`spamassassin_domtrans_client',`
')
domtrans_pattern($1, spamc_exec_t, spamc_t)
+ allow $1 spamc_exec_t:file ioctl;
+')
+
+########################################
+## <summary>
+## Send kill signal to spamassassin client
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_kill_client',`
+ gen_require(`
+ type spamc_t;
+ ')
+
+ allow $1 spamc_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Manage spamc home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_manage_home_client',`
+ gen_require(`
+ type spamc_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
+ manage_files_pattern($1, spamc_home_t, spamc_home_t)
+ manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
+')
+
+########################################
+## <summary>
+## Read spamc home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_read_home_client',`
+ gen_require(`
+ type spamc_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ list_dirs_pattern($1, spamc_home_t, spamc_home_t)
+ read_files_pattern($1, spamc_home_t, spamc_home_t)
+ read_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
')
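Review bot: `spamassassin_manage_home_client` and `spamassassin_read_home_client` grant only `userdom_search_user_home_dirs($1)`, but spamassassin.fc in this patch also labels `/root/\.spamassassin(/.*)?` as `spamc_home_t`; a caller without search on the root home directory therefore cannot reach that instance, which looks like a gap if the interfaces are meant to cover both paths (`userdom_search_admin_dir` would close it, if that interface exists in this tree). The added `allow $1 spamc_exec_t:file ioctl;` in `spamassassin_domtrans_client` also deserves a why-comment, since `domtrans_pattern` already covers execute. `spamassassin_domtrans_client` begins above the hunk.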
########################################
@@ -166,7 +231,9 @@ interface(`spamassassin_read_lib_files',`
')
files_search_var_lib($1)
+ list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
+ read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
')
########################################
@@ -204,6 +271,7 @@ interface(`spamassassin_read_spamd_tmp_files',`
type spamd_tmp_t;
')
+ files_search_tmp($1)
allow $1 spamd_tmp_t:file read_file_perms;
')
@@ -223,5 +291,72 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
type spamd_tmp_t;
')
- dontaudit $1 spamd_tmp_t:sock_file getattr;
+ dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to run spamd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to connect.
+## </summary>
+## </param>
+#
+interface(`spamd_stream_connect',`
+ gen_require(`
+ type spamd_t, spamd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an spamassassin environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the spamassassin domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`spamassassin_spamd_admin',`
+ gen_require(`
+ type spamd_t, spamd_tmp_t, spamd_log_t;
+ type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
+ type spamd_initrc_exec_t;
+ ')
+
+ allow $1 spamd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, spamd_t)
+
+ init_labeled_script_domtrans($1, spamd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 spamd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, spamd_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, spamd_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, spamd_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, spamd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, spamd_var_run_t)
')
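Review bot: The new interface at the top of this hunk is named `spamd_stream_connect`, while every other interface in spamassassin.if, including the new `spamassassin_spamd_admin` in the same hunk, uses the module's `spamassassin_` prefix; a consumer grepping by module prefix will not find it. If the name is kept for compatibility with existing callers, a comment above it saying so would help; otherwise `interface(`spamassassin_stream_connect_spamd',`` matches the convention, and the one caller added in spamassassin.te in this same diff would need the same rename. Its summary `Connect to run spamd.` also reads as a typo; `Connect to spamd over its unix stream socket.` describes what the body does.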
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index ec1eb1e..f056f5f 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0)
#
## <desc>
-## <p>
-## Allow user spamassassin clients to use the network.
-## </p>
+## <p>
+## Allow user spamassassin clients to use the network.
+## </p>
## </desc>
gen_tunable(spamassassin_can_network, false)
## <desc>
-## <p>
-## Allow spamd to read/write user home directories.
-## </p>
+## <p>
+## Allow spamd to read/write user home directories.
+## </p>
## </desc>
gen_tunable(spamd_enable_home_dirs, true)
-type spamassassin_t;
-type spamassassin_exec_t;
-typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
-typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
-application_domain(spamassassin_t, spamassassin_exec_t)
-ubac_constrained(spamassassin_t)
-
-type spamassassin_home_t;
-typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
-typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
-userdom_user_home_content(spamassassin_home_t)
-
-type spamassassin_tmp_t;
-typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
-typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
-files_tmp_file(spamassassin_tmp_t)
-ubac_constrained(spamassassin_tmp_t)
-
-type spamc_t;
-type spamc_exec_t;
-typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
-typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
-application_domain(spamc_t, spamc_exec_t)
-ubac_constrained(spamc_t)
-
-type spamc_tmp_t;
-typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
-typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
-files_tmp_file(spamc_tmp_t)
-ubac_constrained(spamc_tmp_t)
+ifdef(`distro_redhat',`
+ # spamassassin client executable
+ type spamc_t;
+ type spamc_exec_t;
+ application_domain(spamc_t, spamc_exec_t)
+ role system_r types spamc_t;
+
+ type spamd_etc_t;
+ files_config_file(spamd_etc_t)
+
+ typealias spamc_exec_t alias spamassassin_exec_t;
+ typealias spamc_t alias spamassassin_t;
+
+ type spamc_home_t;
+ userdom_user_home_content(spamc_home_t)
+ typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+ typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+ typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
+ typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
+
+ type spamc_tmp_t;
+ files_tmp_file(spamc_tmp_t)
+ typealias spamc_tmp_t alias spamassassin_tmp_t;
+ typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+
+ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+',`
+ type spamassassin_t;
+ type spamassassin_exec_t;
+ typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
+ typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
+ application_domain(spamassassin_t, spamassassin_exec_t)
+ ubac_constrained(spamassassin_t)
+
+ type spamassassin_home_t;
+ typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+ typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+ userdom_user_home_content(spamassassin_home_t)
+
+ type spamassassin_tmp_t;
+ typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+ typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+ files_tmp_file(spamassassin_tmp_t)
+ ubac_constrained(spamassassin_tmp_t)
+
+ type spamc_t;
+ type spamc_exec_t;
+ typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
+ typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
+ application_domain(spamc_t, spamc_exec_t)
+ ubac_constrained(spamc_t)
+
+ type spamc_tmp_t;
+ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+ files_tmp_file(spamc_tmp_t)
+ ubac_constrained(spamc_tmp_t)
+')
+
+type spamd_update_t;
+type spamd_update_exec_t;
+application_domain(spamd_update_t, spamd_update_exec_t)
+cron_system_entry(spamd_update_t, spamd_update_exec_t)
+role system_r types spamd_update_t;
type spamd_t;
type spamd_exec_t;
init_daemon_domain(spamd_t, spamd_exec_t)
+type spamd_compiled_t;
+files_type(spamd_compiled_t)
+
+type spamd_initrc_exec_t;
+init_script_file(spamd_initrc_exec_t)
+
+type spamd_log_t;
+logging_log_file(spamd_log_t)
+
type spamd_spool_t;
-files_type(spamd_spool_t)
+files_spool_file(spamd_spool_t)
type spamd_tmp_t;
files_tmp_file(spamd_tmp_t)
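Review bot: The two branches of the new `ifdef(`distro_redhat',` block differ in more than aliasing: the non-Red Hat branch applies `ubac_constrained()` to spamassassin_t, spamassassin_tmp_t, spamc_t and spamc_tmp_t, while the distro_redhat branch applies it to none of them, so under distro_redhat the client domain and its tmp files are no longer subject to the UBAC constraint. If that is intentional it deserves a comment; if not, `ubac_constrained(spamc_t)` and `ubac_constrained(spamc_tmp_t)` belong in the distro_redhat branch. Note also that with `typealias spamc_t alias spamassassin_t;` every rule written for spamassassin_t further down (including the `spamassassin_can_network` tunable block) now applies to spamc_t, which already has unconditional network access elsewhere in this file, so the tunable presumably has no effect on Red Hat builds; worth confirming.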
@@ -108,6 +153,7 @@ kernel_read_kernel_sysctls(spamassassin_t)
dev_read_urand(spamassassin_t)
fs_search_auto_mountpoints(spamassassin_t)
+fs_getattr_all_fs(spamassassin_t)
# this should probably be removed
corecmd_list_bin(spamassassin_t)
@@ -148,6 +194,9 @@ tunable_policy(`spamassassin_can_network',`
corenet_udp_sendrecv_all_ports(spamassassin_t)
corenet_tcp_connect_all_ports(spamassassin_t)
corenet_sendrecv_all_client_packets(spamassassin_t)
+ corenet_udp_bind_generic_node(spamassassin_t)
+ corenet_udp_bind_generic_port(spamassassin_t)
+ corenet_dontaudit_udp_bind_all_ports(spamassassin_t)
sysnet_read_config(spamassassin_t)
')
@@ -184,6 +233,8 @@ optional_policy(`
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
+ sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t)
+ sendmail_dontaudit_rw_tcp_sockets(spamassassin_t)
')
########################################
@@ -206,15 +257,32 @@ allow spamc_t self:unix_stream_socket connectto;
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
+can_exec(spamc_t, spamc_exec_t)
+
manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
+manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
+userdom_append_user_home_content_files(spamc_t)
+
+list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+
# Allow connecting to a local spamd
allow spamc_t spamd_t:unix_stream_socket connectto;
allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
+spamd_stream_connect(spamc_t)
kernel_read_kernel_sysctls(spamc_t)
+kernel_read_system_state(spamc_t)
+
+corecmd_exec_bin(spamc_t)
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
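Review bot: `corecmd_exec_bin(spamc_t)`, `can_exec(spamc_t, spamc_exec_t)` and `userdom_append_user_home_content_files(spamc_t)` widen spamc_t beyond its own labelled types (any bin_t executable, any user home content file for append), and none of them carries a comment, unlike the older rules in this section. Since the rest of this block deliberately confines the client's home access to spamc_home_t, a reader will not know whether the append-to-all-home-content rule is needed or a stopgap; a why-comment such as `# spamc appends to user home files it does not own, e.g. mail folders (confirm)` above that line, and a matching one above the exec rules, would make the intent auditable.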
@@ -226,6 +294,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
corenet_udp_sendrecv_all_ports(spamc_t)
corenet_tcp_connect_all_ports(spamc_t)
corenet_sendrecv_all_client_packets(spamc_t)
+corenet_tcp_connect_spamd_port(spamc_t)
fs_search_auto_mountpoints(spamc_t)
@@ -244,9 +313,14 @@ files_read_usr_files(spamc_t)
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
+files_list_var_lib(spamc_t)
+
+fs_search_auto_mountpoints(spamc_t)
logging_send_syslog_msg(spamc_t)
+auth_use_nsswitch(spamc_t)
+
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
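Review bot: The `fs_search_auto_mountpoints(spamc_t)` added at the top of this hunk duplicates the existing call that is visible as context in the preceding hunk (the line following `corenet_tcp_connect_spamd_port(spamc_t)`). The added line and its preceding blank line can be dropped; the remaining additions (`files_list_var_lib`, `auth_use_nsswitch`) are fine.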
@@ -254,27 +328,46 @@ seutil_read_config(spamc_t)
sysnet_read_config(spamc_t)
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(spamc_t)
+ fs_manage_nfs_files(spamc_t)
+ fs_manage_nfs_symlinks(spamc_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(spamc_t)
+ fs_manage_cifs_files(spamc_t)
+ fs_manage_cifs_symlinks(spamc_t)
+')
+
+
optional_policy(`
- # Allow connection to spamd socket above
- evolution_stream_connect(spamc_t)
+ abrt_stream_connect(spamc_t)
')
optional_policy(`
- # Needed for pyzor/razor called from spamd
- milter_manage_spamass_state(spamc_t)
+ # Allow connection to spamd socket above
+ evolution_stream_connect(spamc_t)
')
optional_policy(`
- nis_use_ypbind(spamc_t)
+ milter_manage_spamass_state(spamc_t)
')
optional_policy(`
- nscd_socket_use(spamc_t)
+ postfix_domtrans_postdrop(spamc_t)
+ postfix_search_spool(spamc_t)
+ postfix_rw_local_pipes(spamc_t)
+ postfix_rw_master_pipes(spamc_t)
')
optional_policy(`
+ mta_send_mail(spamc_t)
mta_read_config(spamc_t)
+ mta_read_queue(spamc_t)
sendmail_stub(spamc_t)
+ sendmail_rw_pipes(spamc_t)
+ sendmail_dontaudit_rw_tcp_sockets(spamc_t)
')
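Review bot: Two consecutive blank lines are left before the first `optional_policy(` in this hunk, which the rest of the file avoids. The new postfix block (`postfix_domtrans_postdrop`, `postfix_search_spool`, `postfix_rw_local_pipes`, `postfix_rw_master_pipes`) is also the only optional block here without a comment, while the neighbouring evolution block keeps its `# Allow connection to spamd socket above`; a line such as `# hand processed mail back to postfix via postdrop` (confirm that is the purpose) would match the surrounding style.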
########################################
@@ -286,7 +379,7 @@ optional_policy(`
# setuids to the user running spamc. Comment this if you are not
# using this ability.
-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
+allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
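Review bot: `kill` is added to spamd_t's capability set, but the comment directly above the rule still only justifies `setuid setgid` ("setuids to the user running spamc. Comment this if you are not using this ability."), so a reader will assume CAP_KILL is covered by the same note. Extending that comment with the reason for CAP_KILL would keep the justification accurate, e.g. `# kill: signal child processes that have already switched to the user's uid (confirm)`.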
@@ -302,10 +395,17 @@ allow spamd_t self:unix_dgram_socket sendto;
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
-allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
+
+can_exec(spamd_t, spamd_compiled_t)
+manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
+manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
+
+manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
+logging_log_filetrans(spamd_t, spamd_log_t, file)
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
+manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
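Review bot: spamd_t is granted both `manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)` and `can_exec(spamd_t, spamd_compiled_t)` in this hunk, i.e. write and execute on the same type, which is the combination that lets a compromised spamd create and then load its own code and so weakens the separation that labelled executables normally give. If spamd_compiled_t is the output of compiled rule sets that spamd must load (presumably), that should be stated next to the rules, e.g. `# compiled rule sets: spamd both (re)writes and loads them, so write+exec on one type is intentional`, and it is worth checking whether the writer could instead be spamd_update_t, which this diff gives manage rights on spamd_var_lib_t. The dropped `netlink_route_socket` rule appears to be covered by the `auth_use_nsswitch(spamd_t)` added in a later hunk; confirm.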
@@ -314,11 +414,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
-read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
-files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
+
+can_exec(spamd_t, spamd_exec_t)
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
@@ -367,22 +471,27 @@ files_read_var_lib_files(spamd_t)
init_dontaudit_rw_utmp(spamd_t)
+auth_use_nsswitch(spamd_t)
+
logging_send_syslog_msg(spamd_t)
miscfiles_read_localization(spamd_t)
-sysnet_read_config(spamd_t)
-sysnet_use_ldap(spamd_t)
-sysnet_dns_name_resolve(spamd_t)
-
userdom_use_unpriv_users_fds(spamd_t)
userdom_search_user_home_dirs(spamd_t)
+optional_policy(`
+ exim_manage_spool_dirs(spamd_t)
+ exim_manage_spool_files(spamd_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(spamd_t)
fs_manage_nfs_files(spamd_t)
')
tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(spamd_t)
fs_manage_cifs_files(spamd_t)
')
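Review bot: The new `exim_manage_spool_dirs(spamd_t)` / `exim_manage_spool_files(spamd_t)` block is unconditional inside its `optional_policy(`, whereas the comparable home-directory access in this file is gated by the `spamd_enable_home_dirs` tunable; spamd thereby gets full write access to the exim spool on every system where the exim module is loaded. If that is required whenever exim is present a comment saying so is enough; otherwise a tunable or a narrower interface would keep the default footprint smaller. The removed `sysnet_*` calls look to be replaced by the `auth_use_nsswitch(spamd_t)` added above; that is fine.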
@@ -399,7 +508,9 @@ optional_policy(`
')
optional_policy(`
+ dcc_domtrans_cdcc(spamd_t)
dcc_domtrans_client(spamd_t)
+ dcc_signal_client(spamd_t)
dcc_stream_connect_dccifd(spamd_t)
')
@@ -408,25 +519,17 @@ optional_policy(`
')
optional_policy(`
- corenet_tcp_connect_mysqld_port(spamd_t)
- corenet_sendrecv_mysqld_client_packets(spamd_t)
-
+ mysql_tcp_connect(spamd_t)
mysql_search_db(spamd_t)
mysql_stream_connect(spamd_t)
')
optional_policy(`
- nis_use_ypbind(spamd_t)
-')
-
-optional_policy(`
postfix_read_config(spamd_t)
')
optional_policy(`
- corenet_tcp_connect_postgresql_port(spamd_t)
- corenet_sendrecv_postgresql_client_packets(spamd_t)
-
+ postgresql_tcp_connect(spamd_t)
postgresql_stream_connect(spamd_t)
')
@@ -437,6 +540,10 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
+ razor_read_lib_files(spamd_t)
+ tunable_policy(`spamd_enable_home_dirs',`
+ razor_manage_user_home_files(spamd_t)
+ ')
')
optional_policy(`
@@ -451,3 +558,44 @@ optional_policy(`
optional_policy(`
udev_read_db(spamd_t)
')
+
+########################################
+#
+# spamd_update local policy
+#
+
+allow spamd_update_t self:fifo_file manage_fifo_file_perms;
+allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit spamd_update_t self:capability dac_override;
+
+manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
+manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
+files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
+
+allow spamd_update_t spamd_var_lib_t:dir list_dir_perms;
+manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
+manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
+
+corecmd_exec_bin(spamd_update_t)
+corecmd_exec_shell(spamd_update_t)
+
+dev_read_urand(spamd_update_t)
+
+domain_use_interactive_fds(spamd_update_t)
+
+files_read_etc_files(spamd_update_t)
+files_read_usr_files(spamd_update_t)
+
+auth_use_nsswitch(spamd_update_t)
+auth_dontaudit_read_shadow(spamd_update_t)
+
+miscfiles_read_localization(spamd_update_t)
+
+mta_read_config(spamd_update_t)
+
+userdom_use_inherited_user_ptys(spamd_update_t)
+
+optional_policy(`
+ gpg_domtrans(spamd_update_t)
+')
+
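Review bot: The new spamd_update section ends with an added empty line after the closing `')`, which leaves the file with a trailing blank line at EOF. The section header `# spamd_update local policy` also does not say which program runs in this domain or where it is labelled; since the type is created with `cron_system_entry` and is given `gpg_domtrans`, a header line such as `# spamd_update_t: rule-update helper run from system cron (executable labelled spamd_update_exec_t in the .fc)` would let a reader place it without searching the rest of the diff.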
diff --git a/policy/modules/services/squid.fc b/policy/modules/services/squid.fc
index 6cc4a90..2015152 100644
--- a/policy/modules/services/squid.fc
+++ b/policy/modules/services/squid.fc
@@ -2,7 +2,6 @@
/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
-/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index d2496bd..1d0c078 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',`
type squid_t;
')
- allow $1 squid_t:unix_stream_socket { getattr read write };
+ allow $1 squid_t:unix_stream_socket rw_socket_perms;
')
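Review bot: Replacing `{ getattr read write }` with `rw_socket_perms` in squid_rw_stream_sockets is not a pure cleanup: that permission set also includes ioctl, append, setattr, bind, connect, getopt, setopt and shutdown on squid_t's socket, which the old rule did not grant to callers. If the wider set is wanted, a short comment naming the caller that needs it would document the change; otherwise the explicit `{ getattr read write }` (or an inherited-socket set, if the policy defines one) keeps the interface at its previous scope.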
########################################
@@ -83,7 +83,6 @@ interface(`squid_rw_stream_sockets',`
## Domain to not audit.
## </summary>
## </param>
-## <rolecap/>
#
interface(`squid_dontaudit_search_cache',`
gen_require(`
@@ -207,8 +206,7 @@ interface(`squid_use',`
interface(`squid_admin',`
gen_require(`
type squid_t, squid_cache_t, squid_conf_t;
- type squid_log_t, squid_var_run_t;
- type squid_initrc_exec_t;
+ type squid_log_t, squid_var_run_t, squid_initrc_exec_t;
')
allow $1 squid_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index 4b2230e..950e65a 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
#
## <desc>
-## <p>
-## Allow squid to connect to all ports, not just
-## HTTP, FTP, and Gopher ports.
-## </p>
+## <p>
+## Allow squid to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+## </p>
## </desc>
gen_tunable(squid_connect_any, false)
## <desc>
-## <p>
-## Allow squid to run as a transparent proxy (TPROXY)
-## </p>
+## <p>
+## Allow squid to run as a transparent proxy (TPROXY)
+## </p>
## </desc>
gen_tunable(squid_use_tproxy, false)
@@ -29,7 +29,7 @@ type squid_cache_t;
files_type(squid_cache_t)
type squid_conf_t;
-files_type(squid_conf_t)
+files_config_file(squid_conf_t)
type squid_initrc_exec_t;
init_script_file(squid_initrc_exec_t)
@@ -169,7 +169,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t)
corenet_tcp_bind_all_ports(squid_t)
- corenet_sendrecv_all_packets(squid_t)
+ corenet_sendrecv_all_client_packets(squid_t)
+ corenet_sendrecv_all_server_packets(squid_t)
')
tunable_policy(`squid_use_tproxy',`
@@ -185,6 +186,7 @@ optional_policy(`
corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
+ corenet_tcp_connect_squid_port(httpd_squid_script_t)
sysnet_dns_name_resolve(httpd_squid_script_t)
@@ -206,3 +208,7 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
+
+optional_policy(`
+ kerberos_manage_host_rcache(squid_t)
+')
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 078bcd7..2d60774 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,4 +1,10 @@
HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
+
+/var/lib/amanda/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+
+/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
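Review bot: `HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)` is written without the `--` regular-file specifier that the other single-file entries in this section carry (`/etc/ssh/primes --`, `/etc/ssh/ssh_host_key --`), so a directory or symlink named `.shosts` would also be labelled ssh_home_t. `HOME_DIR/\.shosts -- gen_context(system_u:object_r:ssh_home_t,s0)` matches the file's convention; the `/root/\.shosts` entry in the next hunk has the same omission.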
@@ -14,3 +20,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 22adaca..8e3e9de 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
## </param>
#
template(`ssh_basic_client_template',`
-
gen_require(`
attribute ssh_server;
type ssh_exec_t, sshd_key_t, sshd_tmp_t;
+ type ssh_home_t;
')
##############################
@@ -47,10 +47,6 @@ template(`ssh_basic_client_template',`
application_domain($1_ssh_t, ssh_exec_t)
role $3 types $1_ssh_t;
- type $1_ssh_home_t;
- files_type($1_ssh_home_t)
- typealias $1_ssh_home_t alias $1_home_ssh_t;
-
##############################
#
# Client local policy
@@ -93,18 +89,18 @@ template(`ssh_basic_client_template',`
ps_process_pattern($2, $1_ssh_t)
# user can manage the keys and config
- manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
- manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
- manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
+ manage_files_pattern($2, ssh_home_t, ssh_home_t)
+ manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t)
+ manage_sock_files_pattern($2, ssh_home_t, ssh_home_t)
# ssh client can manage the keys and config
- manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
- read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
+ manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
+ read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
# ssh servers can read the user keys and config
- allow ssh_server $1_ssh_home_t:dir list_dir_perms;
- read_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
- read_lnk_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
+ allow ssh_server ssh_home_t:dir list_dir_perms;
+ read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+ read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
kernel_read_kernel_sysctls($1_ssh_t)
kernel_read_system_state($1_ssh_t)
@@ -116,6 +112,8 @@ template(`ssh_basic_client_template',`
corenet_tcp_sendrecv_all_ports($1_ssh_t)
corenet_tcp_connect_ssh_port($1_ssh_t)
corenet_sendrecv_ssh_client_packets($1_ssh_t)
+ corenet_tcp_bind_generic_node($1_ssh_t)
+ corenet_tcp_bind_all_unreserved_ports($1_ssh_t)
dev_read_urand($1_ssh_t)
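Review bot: `corenet_tcp_bind_all_unreserved_ports($1_ssh_t)` lets the user ssh client listen on any unreserved port, which is a noticeably wider grant than the connect-to-ssh-port rules around it, and it is added without a comment. Presumably this is for `-L`/`-D` forwarding listeners; stating that, e.g. `# local port forwarding listeners (-L/-D)`, would tell a reviewer why a client needs bind at all.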
@@ -148,6 +146,29 @@ template(`ssh_basic_client_template',`
')
')
+######################################
+## <summary>
+## The template to define a domain to which sshd dyntransition.
+## </summary>
+## <param name="domain">
+## <summary>
+## The prefix of the dyntransition domain
+## </summary>
+## </param>
+#
+template(`ssh_dyntransition_domain_template',`
+ gen_require(`
+ attribute ssh_dyntransition_domain;
+ ')
+
+ type $1, ssh_dyntransition_domain;
+ domain_type($1)
+ role system_r types $1;
+
+ optional_policy(`
+ ssh_dyntransition_to($1)
+ ')
+')
#######################################
## <summary>
## The template to define a ssh server.
@@ -168,7 +189,7 @@ template(`ssh_basic_client_template',`
## </summary>
## </param>
#
-template(`ssh_server_template', `
+template(`ssh_server_template',`
type $1_t, ssh_server;
auth_login_pgm_domain($1_t)
@@ -181,16 +202,18 @@ template(`ssh_server_template', `
type $1_var_run_t;
files_pid_file($1_var_run_t)
- allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+ allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
+ allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
+ allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
+ allow $1_t self:tun_socket create_socket_perms;
# ssh agent connections:
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:shm create_shm_perms;
- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
term_create_pty($1_t, $1_devpts_t)
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
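Review bot: The two added lines `allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };` and `allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };` grant the identical permission set and one of them should be dropped. At the same time `setkeycreate`, present in the replaced rule, is silently removed from the server's process permissions; if that is deliberate it should be noted, as the role template in this diff now has the server manage user keyrings. The new `net_admin` capability is only explained by a comment in a later hunk (`# tunnel feature and -w (net_admin capability also)`); a short note next to the capability rule itself would help.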
@@ -206,6 +229,7 @@ template(`ssh_server_template', `
kernel_read_kernel_sysctls($1_t)
kernel_read_network_state($1_t)
+ kernel_request_load_module($1_t)
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
@@ -220,8 +244,11 @@ template(`ssh_server_template', `
corenet_tcp_bind_generic_node($1_t)
corenet_udp_bind_generic_node($1_t)
corenet_tcp_bind_ssh_port($1_t)
- corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_ssh_server_packets($1_t)
+ # -R qualifier
+ corenet_sendrecv_ssh_server_packets($1_t)
+ # tunnel feature and -w (net_admin capability also)
+ corenet_rw_tun_tap_dev($1_t)
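Review bot: `corenet_sendrecv_ssh_server_packets($1_t)` now appears twice in this hunk, once as existing context and once added under the comment `# -R qualifier`; the duplicate is harmless to the compiler but the comment suggests a different rule was intended, since a remote-forward (`-R`) listener needs a bind permission on the forwarded port rather than a second sendrecv on the ssh port. Either remove the added duplicate or replace it with the bind rule that `-R` actually needs, and keep the comment with it. The `corenet_rw_tun_tap_dev($1_t)` addition is documented by its comment and reads fine.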
fs_dontaudit_getattr_all_fs($1_t)
@@ -234,6 +261,7 @@ template(`ssh_server_template', `
corecmd_getattr_bin_files($1_t)
domain_interactive_fd($1_t)
+ domain_dyntrans_type($1_t)
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
@@ -243,13 +271,17 @@ template(`ssh_server_template', `
miscfiles_read_localization($1_t)
- userdom_create_all_users_keys($1_t)
userdom_dontaudit_relabelfrom_user_ptys($1_t)
- userdom_search_user_home_dirs($1_t)
+ userdom_read_user_home_content_files($1_t)
# Allow checking users mail at login
mta_getattr_spool($1_t)
+ tunable_policy(`use_fusefs_home_dirs',`
+ fs_manage_fusefs_dirs($1_t)
+ fs_manage_fusefs_files($1_t)
+ ')
+
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files($1_t)
fs_read_nfs_symlinks($1_t)
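Review bot: Replacing `userdom_search_user_home_dirs($1_t)` with `userdom_read_user_home_content_files($1_t)` moves the ssh server from being able to traverse home directories to being able to read every file labelled as user home content, although the read access to keys and config it actually needs is already granted on ssh_home_t via the ssh_server attribute earlier in this file. If the wider read is needed for an `AuthorizedKeysFile` outside `~/.ssh` (presumably), a comment saying so should sit on that line, e.g. `# authorized keys may live outside ~/.ssh; needs generic home content read`; otherwise the narrower search rule plus the existing ssh_home_t rules keep a compromised sshd away from users' other files.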
@@ -268,6 +300,14 @@ template(`ssh_server_template', `
files_read_var_lib_symlinks($1_t)
nx_spec_domtrans_server($1_t)
')
+
+ optional_policy(`
+ rlogin_read_home_content($1_t)
+ ')
+
+ optional_policy(`
+ shutdown_getattr_exec_files($1_t)
+ ')
')
########################################
@@ -290,11 +330,11 @@ template(`ssh_server_template', `
## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
template(`ssh_role_template',`
gen_require(`
attribute ssh_server, ssh_agent_type;
-
type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
type ssh_agent_tmp_t;
@@ -327,17 +367,20 @@ template(`ssh_role_template',`
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
- allow $3 ssh_t:process signal;
+ allow $3 ssh_t:process { ptrace signal_perms };
# for rsync
allow ssh_t $3:unix_stream_socket rw_socket_perms;
allow ssh_t $3:unix_stream_socket connectto;
+ allow ssh_t $3:key manage_key_perms;
+ allow $3 ssh_t:key read;
# user can manage the keys and config
manage_files_pattern($3, ssh_home_t, ssh_home_t)
manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
userdom_search_user_home_dirs($1_t)
+ userdom_manage_tmp_role($2, ssh_t)
##############################
#
@@ -359,7 +402,7 @@ template(`ssh_role_template',`
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
# Allow the user shell to signal the ssh program.
- allow $3 $1_ssh_agent_t:process signal;
+ allow $3 $1_ssh_agent_t:process { ptrace signal_perms };
# allow ps to show ssh
ps_process_pattern($3, $1_ssh_agent_t)
@@ -381,7 +424,6 @@ template(`ssh_role_template',`
files_read_etc_files($1_ssh_agent_t)
files_read_etc_runtime_files($1_ssh_agent_t)
- files_search_home($1_ssh_agent_t)
libs_read_lib_files($1_ssh_agent_t)
@@ -393,14 +435,13 @@ template(`ssh_role_template',`
seutil_dontaudit_read_config($1_ssh_agent_t)
# Write to the user domain tty.
- userdom_use_user_terminals($1_ssh_agent_t)
+ userdom_use_inherited_user_terminals($1_ssh_agent_t)
# for the transition back to normal privs upon exec
userdom_search_user_home_content($1_ssh_agent_t)
userdom_user_home_domtrans($1_ssh_agent_t, $3)
- allow $3 $1_ssh_agent_t:fd use;
- allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
- allow $3 $1_ssh_agent_t:process sigchld;
+
+ ssh_run_keygen($3,$2)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
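Review bot: `ssh_run_keygen($3,$2)` is the only call in this template written without a space after the comma; `ssh_run_keygen($3, $2)` matches the rest of the file. The interface itself is introduced later in this same diff, so the call is resolvable, but a one-line comment above it noting that it also replaces the removed fd/fifo/sigchld rules for the agent-to-shell transition would help readers who only see this hunk.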
@@ -477,8 +518,27 @@ interface(`ssh_read_pipes',`
type sshd_t;
')
- allow $1 sshd_t:fifo_file { getattr read };
+ allow $1 sshd_t:fifo_file read_fifo_file_perms;
+')
+
+######################################
+## <summary>
+## Read and write ssh server unix dgram sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_rw_dgram_sockets',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
')
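Review bot: The new ssh_rw_dgram_sockets interface uses `rw_stream_socket_perms` on the `unix_dgram_socket` class; that set includes `listen` and `accept`, which are stream-only operations and meaningless on a datagram socket, so the rule grants more than its summary ("Read and write") states. `allow $1 sshd_t:unix_dgram_socket rw_socket_perms;` is the set that matches the class and the documented intent.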
+
########################################
## <summary>
## Read and write a ssh server unnamed pipe.
@@ -494,7 +554,7 @@ interface(`ssh_rw_pipes',`
type sshd_t;
')
- allow $1 sshd_t:fifo_file { write read getattr ioctl };
+ allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@@ -586,6 +646,24 @@ interface(`ssh_domtrans',`
########################################
## <summary>
+## Execute sshd server in the sshd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_initrc_domtrans',`
+ gen_require(`
+ type sshd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, sshd_initrc_exec_t)
+')
+
+########################################
+## <summary>
## Execute the ssh client in the caller domain.
## </summary>
## <param name="domain">
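Review bot: The summary of the new ssh_initrc_domtrans interface says `Execute sshd server in the sshd domain.`, but its body calls `init_labeled_script_domtrans($1, sshd_initrc_exec_t)`, which runs the init script in the init script domain, not the daemon in sshd_t. `## Execute the sshd init script in the init script domain.` describes what the interface grants and matches the wording used for other `*_initrc_domtrans` interfaces.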
@@ -618,7 +696,7 @@ interface(`ssh_setattr_key_files',`
type sshd_key_t;
')
- allow $1 sshd_key_t:file setattr;
+ allow $1 sshd_key_t:file setattr_file_perms;
files_search_pids($1)
')
@@ -680,6 +758,32 @@ interface(`ssh_domtrans_keygen',`
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')
+#######################################
+## <summary>
+## Execute ssh-keygen in the iptables domain, and
+## allow the specified role the ssh-keygen domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ssh_run_keygen',`
+ gen_require(`
+ type ssh_keygen_t;
+ ')
+
+ role $2 types ssh_keygen_t;
+ ssh_domtrans_keygen($1)
+')
+
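Review bot: The documentation block for ssh_run_keygen says `Execute ssh-keygen in the iptables domain`, which looks copied from another module; the body transitions to ssh_keygen_t. `## Execute ssh-keygen in the ssh_keygen domain, and` followed by `## allow the specified role the ssh_keygen domain.` matches what `role $2 types ssh_keygen_t;` and `ssh_domtrans_keygen($1)` do.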
########################################
## <summary>
## Read ssh server keys
@@ -695,7 +799,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
- dontaudit $1 sshd_key_t:file { getattr read };
+ dontaudit $1 sshd_key_t:file read_file_perms;
')
######################################
@@ -735,3 +839,81 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
+
+########################################
+## <summary>
+## Send a null signal to sshd processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_signull',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:process signull;
+')
+
+#####################################
+## <summary>
+## Allow domain dyntransition to chroot_user_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_dyntransition_to',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow sshd_t $1:process dyntransition;
+ allow $1 sshd_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Create .ssh directory in the /root directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_filetrans_admin_home_content',`
+ gen_require(`
+ type ssh_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
+ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+')
+
+########################################
+## <summary>
+## Create .ssh directory in the user home directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_filetrans_home_content',`
+
+ gen_require(`
+ type ssh_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+')
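Review bot: Both new filetrans interfaces label `.shosts` with the `dir` object class, but `.shosts` is a regular file (the per-user host-based authentication list), so `userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")` and its user-home counterpart never fire and a created `.shosts` keeps the home-directory default label; `file` is the class that matches. The summary of ssh_dyntransition_to says it allows dyntransition "to chroot_user_t domain", yet the body allows `sshd_t` to dyntransition to whatever `$1` is passed, so the documentation should say `## Allow sshd to dyntransition to the specified domain.`, and a reader should be warned that callers hand sshd a new context without an exec. The two "with an correct label" summaries should read "with the correct label".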
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..d81a09f 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
#
## <desc>
-## <p>
-## allow host key based authentication
-## </p>
+## <p>
+## allow host key based authentication
+## </p>
## </desc>
gen_tunable(allow_ssh_keysign, false)
## <desc>
+## <p>
+## Allow ssh logins as sysadm_r:sysadm_t
+## </p>
+## </desc>
+gen_tunable(ssh_sysadm_login, false)
+
+## <desc>
+## <p>
+## allow sshd to forward port connections
+## </p>
+## </desc>
+gen_tunable(sshd_forward_ports, false)
+
+## <desc>
## <p>
-## Allow ssh logins as sysadm_r:sysadm_t
+## Allow ssh with chroot env to read and write files
+## in the user home directories
## </p>
## </desc>
-gen_tunable(ssh_sysadm_login, false)
+gen_tunable(ssh_chroot_rw_homedirs, false)
+attribute ssh_dyntransition_domain;
attribute ssh_server;
attribute ssh_agent_type;
+ssh_dyntransition_domain_template(chroot_user_t)
+ssh_dyntransition_domain_template(sshd_sandbox_t)
+
type ssh_keygen_t;
type ssh_keygen_exec_t;
init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
-role system_r types ssh_keygen_t;
type sshd_exec_t;
corecmd_executable_file(sshd_exec_t)
@@ -33,17 +51,12 @@ corecmd_executable_file(sshd_exec_t)
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
+type sshd_initrc_exec_t;
+init_script_file(sshd_initrc_exec_t)
+
type sshd_key_t;
files_type(sshd_key_t)
-type sshd_tmp_t;
-files_tmp_file(sshd_tmp_t)
-files_poly_parent(sshd_tmp_t)
-
-ifdef(`enable_mcs',`
- init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
-')
-
type ssh_t;
type ssh_exec_t;
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
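Review bot: Removing the `type sshd_tmp_t;` declaration here leaves the ssh_delete_tmp interface, still visible as context in ssh.if (`delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)`), referring to a type that this file no longer defines, so every caller of that interface would fail at its gen_require. Unless ssh_server_template (defined outside this hunk) now declares `$1_tmp_t` for sshd, the declaration should stay or ssh_delete_tmp should be removed in the same commit. A one-line comment next to `ssh_server_template(sshd)` saying where sshd_tmp_t now comes from would settle this for the next reader.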
@@ -76,8 +89,12 @@ ubac_constrained(ssh_tmpfs_t)
type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
-files_type(ssh_home_t)
userdom_user_home_content(ssh_home_t)
+files_poly_parent(ssh_home_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
+')
##############################
#
@@ -88,6 +105,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
+allow ssh_t self:key read;
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
@@ -95,15 +113,11 @@ allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
+can_exec(ssh_t, ssh_exec_t)
# Read the ssh key file.
allow ssh_t sshd_key_t:file read_file_perms;
-# Access the ssh temporary files.
-allow ssh_t sshd_tmp_t:dir manage_dir_perms;
-allow ssh_t sshd_tmp_t:file manage_file_perms;
-files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir })
-
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
@@ -113,20 +127,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
+userdom_read_all_users_keys(ssh_t)
+userdom_stream_connect(ssh_t)
+userdom_search_admin_dir(sshd_t)
+userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
allow ssh_t sshd_t:unix_stream_socket connectto;
+allow ssh_t sshd_t:peer recv;
# ssh client can manage the keys and config
manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
# ssh servers can read the user keys and config
-allow ssh_server ssh_home_t:dir list_dir_perms;
-read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
-read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)
+manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir)
+userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir)
kernel_read_kernel_sysctls(ssh_t)
kernel_read_system_state(ssh_t)
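Review bot: The new `userdom_search_admin_dir(sshd_t)` sits in the middle of the ssh_t client rules, while the later hunk adds `userdom_search_admin_dir(ssh_t)` in the proper place; the sshd_t line belongs in the "sshd local policy" section so the per-domain sections stay readable. The ssh_server rules on ssh_home_t are widened from list/read to `manage_dirs_pattern`/`manage_files_pattern` plus home-directory filetrans for every type carrying the ssh_server attribute, not just sshd_t, with no comment on which write the server actually performs. Please state the reason in a comment above the rules (or narrow them to sshd_t if only sshd needs it), because a server domain that can rewrite `~/.ssh/authorized_keys` is a much stronger grant than the read access it replaces.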
@@ -138,7 +158,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)
+corenet_tcp_bind_generic_node(ssh_t)
+corenet_tcp_bind_all_unreserved_ports(ssh_t)
+corenet_rw_tun_tap_dev(ssh_t)
+dev_read_rand(ssh_t)
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
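Review bot: `corenet_tcp_bind_all_unreserved_ports(ssh_t)` and `corenet_rw_tun_tap_dev(ssh_t)` are granted unconditionally to the client, while the equivalent server-side forwarding rules in this same file are gated behind the new `sshd_forward_ports` tunable. The lines carry no comment; presumably they cover local port forwarding and tun-mode tunnels, so add `# local port forwarding and tun tunnels need to bind listeners and open tap devices` above them, or gate them behind a tunable as the server side is. Either way the asymmetry should be deliberate rather than accidental.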
@@ -162,21 +186,28 @@ logging_read_generic_logs(ssh_t)
auth_use_nsswitch(ssh_t)
miscfiles_read_localization(ssh_t)
+miscfiles_read_generic_certs(ssh_t)
seutil_read_config(ssh_t)
userdom_dontaudit_list_user_home_dirs(ssh_t)
userdom_search_user_home_dirs(ssh_t)
+userdom_search_admin_dir(ssh_t)
# Write to the user domain tty.
-userdom_use_user_terminals(ssh_t)
-# needs to read krb tgt
+userdom_use_inherited_user_terminals(ssh_t)
+# needs to read krb/write tgt
userdom_read_user_tmp_files(ssh_t)
+userdom_write_user_tmp_files(ssh_t)
+userdom_read_user_home_content_symlinks(ssh_t)
+userdom_read_home_certs(ssh_t)
tunable_policy(`allow_ssh_keysign',`
- domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
- allow ssh_keysign_t ssh_t:fd use;
- allow ssh_keysign_t ssh_t:process sigchld;
- allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
+ domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_manage_fusefs_dirs(ssh_t)
+ fs_manage_fusefs_files(ssh_t)
')
tunable_policy(`use_nfs_home_dirs',`
@@ -196,10 +227,15 @@ tunable_policy(`user_tcp_server',`
')
optional_policy(`
+ gnome_stream_connect_all_gkeyringd(ssh_t)
+')
+
+optional_policy(`
xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
xserver_domtrans_xauth(ssh_t)
')
+
##############################
#
# ssh_keysign_t local policy
@@ -209,19 +245,14 @@ tunable_policy(`allow_ssh_keysign',`
allow ssh_keysign_t self:capability { setgid setuid };
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
- allow ssh_keysign_t sshd_key_t:file { getattr read };
+ allow ssh_keysign_t sshd_key_t:file read_file_perms;
+ dev_read_rand(ssh_keysign_t)
dev_read_urand(ssh_keysign_t)
files_read_etc_files(ssh_keysign_t)
')
-optional_policy(`
- tunable_policy(`allow_ssh_keysign',`
- nscd_socket_use(ssh_keysign_t)
- ')
-')
-
#################################
#
# sshd local policy
@@ -232,33 +263,44 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
-
-manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
+allow sshd_t self:process setcurrent;
kernel_search_key(sshd_t)
kernel_link_key(sshd_t)
term_use_all_ptys(sshd_t)
term_setattr_all_ptys(sshd_t)
+term_setattr_all_ttys(sshd_t)
term_relabelto_all_ptys(sshd_t)
+term_use_ptmx(sshd_t)
# for X forwarding
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
+userdom_read_user_home_content_files(sshd_t)
+userdom_read_user_home_content_symlinks(sshd_t)
+userdom_manage_tmp_role(system_r, sshd_t)
+userdom_spec_domtrans_unpriv_users(sshd_t)
+userdom_signal_unpriv_users(sshd_t)
+userdom_dyntransition_unpriv_users(sshd_t)
+
+tunable_policy(`sshd_forward_ports',`
+ corenet_tcp_bind_all_unreserved_ports(sshd_t)
+ corenet_tcp_connect_all_ports(sshd_t)
+')
+
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
# display the tty.
# some versions of sshd on the new SE Linux require setattr
- userdom_spec_domtrans_all_users(sshd_t)
userdom_signal_all_users(sshd_t)
-',`
- userdom_spec_domtrans_unpriv_users(sshd_t)
- userdom_signal_unpriv_users(sshd_t)
+ userdom_spec_domtrans_all_users(sshd_t)
+')
+
+optional_policy(`
+ amanda_search_var_lib(sshd_t)
')
optional_policy(`
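Review bot: `allow sshd_t self:process setcurrent;` together with `userdom_dyntransition_unpriv_users(sshd_t)` lets sshd change its own security context without executing a new program, and nothing in the hunk says which sshd feature needs it; the ssh_dyntransition_domain types declared earlier in the file are the likely consumers, but that is an inference. Add a comment such as `# sshd switches context in place (setcon) for its privilege-separation sandbox and chroot sessions` so the grant is not later mistaken for leftover permissiveness. The `ssh_sysadm_login` block now only adds `userdom_spec_domtrans_all_users` on top of the unconditional unprivileged rules, which is a clearer shape than the old if/else and deserves a short comment saying so.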
@@ -266,11 +308,24 @@ optional_policy(`
')
optional_policy(`
+ kerberos_keytab_template(sshd, sshd_t)
+')
+
+optional_policy(`
+ ftp_dyntrans_sftpd(sshd_t)
+ ftp_dyntrans_anon_sftpd(sshd_t)
+')
+
+optional_policy(`
+ gitosis_manage_lib_files(sshd_t)
+')
+
+optional_policy(`
inetd_tcp_service_domain(sshd_t, sshd_exec_t)
')
optional_policy(`
- kerberos_keytab_template(sshd, sshd_t)
+ nx_read_home_files(sshd_t)
')
optional_policy(`
@@ -284,6 +339,15 @@ optional_policy(`
')
optional_policy(`
+ systemd_exec_systemctl(sshd_t)
+')
+
+optional_policy(`
+ usermanage_domtrans_passwd(sshd_t)
+ usermanage_read_crack_db(sshd_t)
+')
+
+optional_policy(`
unconfined_shell_domtrans(sshd_t)
')
@@ -292,26 +356,26 @@ optional_policy(`
')
ifdef(`TODO',`
-tunable_policy(`ssh_sysadm_login',`
- # Relabel and access ptys created by sshd
- # ioctl is necessary for logout() processing for utmp entry and for w to
- # display the tty.
- # some versions of sshd on the new SE Linux require setattr
- allow sshd_t ptyfile:chr_file relabelto;
-
- optional_policy(`
- domain_trans(sshd_t, xauth_exec_t, userdomain)
- ')
-',`
- optional_policy(`
- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
+ tunable_policy(`ssh_sysadm_login',`
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
+ # display the tty.
+ # some versions of sshd on the new SE Linux require setattr
+ allow sshd_t ptyfile:chr_file relabelto;
+
+ optional_policy(`
+ domain_trans(sshd_t, xauth_exec_t, userdomain)
+ ')
+ ',`
+ optional_policy(`
+ domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
+ ')
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
+ # display the tty.
+ # some versions of sshd on the new SE Linux require setattr
+ allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
')
- # Relabel and access ptys created by sshd
- # ioctl is necessary for logout() processing for utmp entry and for w to
- # display the tty.
- # some versions of sshd on the new SE Linux require setattr
- allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
-')
') dnl endif TODO
########################################
@@ -322,19 +386,26 @@ tunable_policy(`ssh_sysadm_login',`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
+allow ssh_keygen_t self:capability dac_override;
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
+manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
+manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
+userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
+userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
+
+kernel_read_system_state(ssh_keygen_t)
kernel_read_kernel_sysctls(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
dev_read_sysfs(ssh_keygen_t)
+dev_read_rand(ssh_keygen_t)
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
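Review bot: `allow ssh_keygen_t self:capability dac_override;` is added without a comment, and in the same hunk ssh_keygen_t gains manage rights on ssh_home_t under both admin and user home directories, so the capability lets it bypass mode bits on any user's key directory it can reach by type. If the only trigger is audit noise from a root-run ssh-keygen probing a directory, `dontaudit` is the safer choice; if a real write requires it, a one-line comment naming that case should accompany the rule.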
@@ -351,15 +422,83 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+userdom_use_user_terminals(ssh_keygen_t)
optional_policy(`
- nscd_socket_use(ssh_keygen_t)
+ seutil_sigchld_newrole(ssh_keygen_t)
')
optional_policy(`
- seutil_sigchld_newrole(ssh_keygen_t)
+ udev_read_db(ssh_keygen_t)
')
+####################################
+#
+# ssh_dyntransition domain local policy
+#
+
+allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };
+
+allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
+
optional_policy(`
- udev_read_db(ssh_keygen_t)
+ ssh_rw_stream_sockets(ssh_dyntransition_domain)
+ ssh_rw_tcp_sockets(ssh_dyntransition_domain)
+')
+
+#####################################
+#
+# ssh_sandbox local policy
+#
+
+allow sshd_t sshd_sandbox_t:process signal;
+
+init_ioctl_stream_sockets(sshd_sandbox_t)
+
+logging_send_audit_msgs(sshd_sandbox_t)
+
+######################################
+#
+# chroot_user_t local policy
+#
+
+
+userdom_read_user_home_content_files(chroot_user_t)
+userdom_read_inherited_user_home_content_files(chroot_user_t)
+userdom_read_user_home_content_symlinks(chroot_user_t)
+userdom_exec_user_home_content_files(chroot_user_t)
+
+tunable_policy(`ssh_chroot_rw_homedirs',`
+ files_list_home(chroot_user_t)
+ userdom_read_user_home_content_files(chroot_user_t)
+ userdom_manage_user_home_content(chroot_user_t)
+', `
+
+ userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file })
+')
+
+tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(chroot_user_t)
+ fs_manage_nfs_files(chroot_user_t)
+ fs_manage_nfs_symlinks(chroot_user_t)
+')
+
+tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',`
+ fs_manage_cifs_dirs(chroot_user_t)
+ fs_manage_cifs_files(chroot_user_t)
+ fs_manage_cifs_symlinks(chroot_user_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(chroot_user_t)
+ fs_read_cifs_symlinks(chroot_user_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(chroot_user_t)
+ fs_read_nfs_symlinks(chroot_user_t)
+')
+
+optional_policy(`
+ ssh_rw_dgram_sockets(chroot_user_t)
')
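Review bot: In the `ssh_chroot_rw_homedirs` tunable block the else branch grants `userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file })`, a file-creation transition, in the branch that is meant to keep home directories read-only and that carries no create permission; it either belongs in the read-write branch or is dead and should be dropped. The `userdom_read_user_home_content_files(chroot_user_t)` inside the true branch duplicates the unconditional rule a few lines above and can go. `allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };` hands the post-transition sandbox and chroot domains the capabilities used to set up the sandbox; if sshd has already chrooted and dropped privileges when it dyntransitions, these are unnecessary in the target domain, so please confirm and comment which step still needs them. The `', `` separator with a trailing space and the empty line after it are stylistic noise.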
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index 941380a..6dbfc01 100644
--- a/policy/modules/services/sssd.if
+++ b/policy/modules/services/sssd.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run sssd.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`sssd_domtrans',`
@@ -89,6 +89,7 @@ interface(`sssd_manage_pids',`
type sssd_var_run_t;
')
+ files_search_pids($1)
manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
')
@@ -128,7 +129,6 @@ interface(`sssd_dontaudit_search_lib',`
')
dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
- files_search_var_lib($1)
')
########################################
@@ -225,21 +225,15 @@ interface(`sssd_stream_connect',`
## The role to be allowed to manage the sssd domain.
## </summary>
## </param>
-## <param name="terminal">
-## <summary>
-## The type of the user terminal.
-## </summary>
-## </param>
## <rolecap/>
#
interface(`sssd_admin',`
gen_require(`
- type sssd_t, sssd_public_t;
- type sssd_initrc_exec_t;
+ type sssd_t, sssd_public_t, sssd_initrc_exec_t;
')
- allow $1 sssd_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, sssd_t, sssd_t)
+ allow $1 sssd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, sssd_t)
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
index 8ffa257..7d5a298 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
#
# sssd local policy
#
-allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+
+allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid };
allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
-allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:fifo_file rw_fifo_file_perms;
+allow sssd_t self:key manage_key_perms;
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
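Review bot: The capability set for sssd_t grows by `chown` and `net_admin` with no comment, and `net_admin` in particular is one of the broadest capabilities a daemon can hold. The next hunk's `kernel_read_network_state` and UDP bind additions suggest network-state monitoring, but that is a guess; a comment such as `# net_admin: <reason> — TODO confirm whether a narrower rule suffices` would keep the grant reviewable. `allow sssd_t self:key manage_key_perms;` likewise deserves a word on which keyring sssd manages.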
@@ -39,7 +41,7 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
-files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
@@ -48,11 +50,16 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+kernel_read_network_state(sssd_t)
kernel_read_system_state(sssd_t)
+corenet_udp_bind_generic_port(sssd_t)
+corenet_dontaudit_udp_bind_all_ports(sssd_t)
+
corecmd_exec_bin(sssd_t)
dev_read_urand(sssd_t)
+dev_read_sysfs(sssd_t)
domain_read_all_domains_state(sssd_t)
domain_obj_id_change_exemption(sssd_t)
@@ -60,6 +67,7 @@ domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
+files_list_var_lib(sssd_t)
fs_list_inotifyfs(sssd_t)
@@ -69,7 +77,7 @@ seutil_read_file_contexts(sssd_t)
mls_file_read_to_clearance(sssd_t)
-auth_use_nsswitch(sssd_t)
+# auth_use_nsswitch(sssd_t)
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
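Review bot: `# auth_use_nsswitch(sssd_t)` is commented-out code, which will be reinstated or deleted by the next person without knowing why it was disabled. Delete the line and record the reason instead, e.g. `# auth_use_nsswitch() deliberately not used: it would presumably pull sssd's own client interfaces into sssd_t; DNS and LDAP access are granted explicitly below`, which also ties it to the `sysnet_dns_name_resolve`/`sysnet_use_ldap` rules added later in this file.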
@@ -79,6 +87,12 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_localization(sssd_t)
+miscfiles_read_generic_certs(sssd_t)
+
+sysnet_dns_name_resolve(sssd_t)
+sysnet_use_ldap(sssd_t)
+
+userdom_manage_tmp_role(system_r, sssd_t)
optional_policy(`
dbus_system_bus_client(sssd_t)
@@ -87,4 +101,28 @@ optional_policy(`
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
+ kerberos_read_home_content(sssd_t)
+')
+
+optional_policy(`
+ dirsrv_stream_connect(sssd_t)
+')
+
+optional_policy(`
+ ldap_stream_connect(sssd_t)
')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(sssd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(sssd_t)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_read_fusefs_files(sssd_t)
+')
+
+
+
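Review bot: Three empty lines are appended at the end of sssd.te; the file should end with a single newline after the last `')`. The new optional_policy and tunable_policy blocks themselves look consistent with the rest of the file.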
diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if
index 6073656..eaf49b2 100644
--- a/policy/modules/services/stunnel.if
+++ b/policy/modules/services/stunnel.if
@@ -20,6 +20,6 @@ interface(`stunnel_service_domain',`
type stunnel_t;
')
- domtrans_pattern(stunnel_t,$2,$1)
+ domtrans_pattern(stunnel_t, $2, $1)
allow $1 stunnel_t:tcp_socket rw_socket_perms;
')
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index f646c66..5370bb8 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -6,17 +6,9 @@ policy_module(stunnel, 1.10.0)
#
type stunnel_t;
-domain_type(stunnel_t)
-role system_r types stunnel_t;
-
type stunnel_exec_t;
-domain_entry_file(stunnel_t, stunnel_exec_t)
-
-ifdef(`distro_gentoo',`
- init_daemon_domain(stunnel_t, stunnel_exec_t)
-',`
- inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
-')
+init_daemon_domain(stunnel_t, stunnel_exec_t)
+inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
type stunnel_etc_t;
files_config_file(stunnel_etc_t)
@@ -40,7 +32,7 @@ allow stunnel_t self:udp_socket create_socket_perms;
allow stunnel_t stunnel_etc_t:dir list_dir_perms;
allow stunnel_t stunnel_etc_t:file read_file_perms;
-allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
+allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
@@ -77,7 +69,7 @@ miscfiles_read_localization(stunnel_t)
sysnet_read_config(stunnel_t)
-ifdef(`distro_gentoo', `
+ifdef(`distro_gentoo',`
dontaudit stunnel_t self:capability sys_tty_config;
allow stunnel_t self:udp_socket create_socket_perms;
@@ -120,4 +112,5 @@ ifdef(`distro_gentoo', `
gen_require(`
type stunnel_port_t;
')
+
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
diff --git a/policy/modules/services/sysstat.fc b/policy/modules/services/sysstat.fc
index 08d999c..bca4388 100644
--- a/policy/modules/services/sysstat.fc
+++ b/policy/modules/services/sysstat.fc
@@ -1,7 +1,7 @@
-/usr/lib(64)?/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
-/usr/lib(64)?/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
-/usr/lib(64)?/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+/usr/lib/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+/usr/lib/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+/usr/lib/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
/var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
/var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
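Review bot: Dropping the `(64)?` from the three `/usr/lib` entries only keeps 64-bit sa/atsa binaries labeled sysstat_exec_t if a `/usr/lib64` to `/usr/lib` path substitution is configured elsewhere (file_contexts.subs), which this hunk cannot show. If that substitution is not in place on every target, the binaries silently lose their entry-point label and sysstat runs unconfined in the caller's domain, so a comment pointing at the substitution file would make the dependency explicit.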
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index 52f0d6c..1473d95 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -8,7 +8,6 @@ policy_module(sysstat, 1.6.0)
type sysstat_t;
type sysstat_exec_t;
init_system_domain(sysstat_t, sysstat_exec_t)
-role system_r types sysstat_t;
type sysstat_log_t;
logging_log_file(sysstat_log_t)
@@ -18,8 +17,7 @@ logging_log_file(sysstat_log_t)
# Local policy
#
-allow sysstat_t self:capability { dac_override sys_resource sys_tty_config };
-dontaudit sysstat_t self:capability sys_admin;
+allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config };
allow sysstat_t self:fifo_file rw_fifo_file_perms;
can_exec(sysstat_t, sysstat_exec_t)
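Review bot: `sys_admin` moves from `dontaudit` to `allow` for sysstat_t with no comment, which turns a silenced probe into a real grant of the broadest capability in the set. Please add a comment naming the sysstat operation that needs it (or revert to `dontaudit` if it is only audit noise), e.g. `# sys_admin: <operation> — TODO confirm`, so the escalation is reviewable later.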
@@ -36,6 +34,7 @@ kernel_read_kernel_sysctls(sysstat_t)
kernel_read_fs_sysctls(sysstat_t)
kernel_read_rpc_sysctls(sysstat_t)
+corecmd_exec_shell(sysstat_t)
corecmd_exec_bin(sysstat_t)
dev_read_urand(sysstat_t)
@@ -51,12 +50,16 @@ fs_getattr_xattr_fs(sysstat_t)
fs_list_inotifyfs(sysstat_t)
term_use_console(sysstat_t)
-term_use_all_terms(sysstat_t)
+term_use_all_inherited_terms(sysstat_t)
init_use_fds(sysstat_t)
locallogin_use_fds(sysstat_t)
+auth_use_nsswitch(sysstat_t)
+
+logging_send_syslog_msg(sysstat_t)
+
miscfiles_read_localization(sysstat_t)
userdom_dontaudit_list_user_home_dirs(sysstat_t)
@@ -64,7 +67,3 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
')
-
-optional_policy(`
- logging_send_syslog_msg(sysstat_t)
-')
diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te
index 7038b55..4e84f23 100644
--- a/policy/modules/services/tcpd.te
+++ b/policy/modules/services/tcpd.te
@@ -7,7 +7,6 @@ policy_module(tcpd, 1.4.0)
type tcpd_t;
type tcpd_exec_t;
inetd_tcp_service_domain(tcpd_t, tcpd_exec_t)
-role system_r types tcpd_t;
type tcpd_tmp_t;
files_tmp_file(tcpd_tmp_t)
diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if
index 595f5a7..459d773 100644
--- a/policy/modules/services/tcsd.if
+++ b/policy/modules/services/tcsd.if
@@ -147,4 +147,5 @@ interface(`tcsd_admin',`
files_search_var_lib($1)
admin_pattern($1, tcsd_var_lib_t)
+
')
diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te
index ee9f3c6..30d2c75 100644
--- a/policy/modules/services/tcsd.te
+++ b/policy/modules/services/tcsd.te
@@ -29,13 +29,11 @@ manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir })
-# Accept connections on the TCS port over loopback.
corenet_all_recvfrom_unlabeled(tcsd_t)
corenet_tcp_bind_generic_node(tcsd_t)
corenet_tcp_bind_tcs_port(tcsd_t)
dev_read_urand(tcsd_t)
-# Access /dev/tpm0.
dev_rw_tpm(tcsd_t)
files_read_etc_files(tcsd_t)
diff --git a/policy/modules/services/telnet.if b/policy/modules/services/telnet.if
index 58e7ec0..e4119f7 100644
--- a/policy/modules/services/telnet.if
+++ b/policy/modules/services/telnet.if
@@ -1 +1,19 @@
## <summary>Telnet daemon</summary>
+
+########################################
+## <summary>
+## Read and write a telnetd domain pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telnet_use_ptys',`
+ gen_require(`
+ type telnetd_devpts_t;
+ ')
+
+ allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms;
+')
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index f40e67b..8d1e658 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -8,7 +8,6 @@ policy_module(telnet, 1.10.0)
type telnetd_t;
type telnetd_exec_t;
inetd_service_domain(telnetd_t, telnetd_exec_t)
-role system_r types telnetd_t;
type telnetd_devpts_t; #, userpty_type;
term_login_pty(telnetd_devpts_t)
@@ -24,21 +23,19 @@ files_pid_file(telnetd_var_run_t)
# Local policy
#
-allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
+allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
allow telnetd_t self:process signal_perms;
allow telnetd_t self:fifo_file rw_fifo_file_perms;
allow telnetd_t self:tcp_socket connected_stream_socket_perms;
allow telnetd_t self:udp_socket create_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow telnetd_t self:capability { setuid setgid };
-allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(telnetd_t, telnetd_devpts_t)
manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
-files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
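Review bot: Removing `files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })` leaves no rule that creates telnetd_tmp_t objects, yet the `manage_dirs_pattern`/`manage_files_pattern` rules on telnetd_tmp_t (and its declaration, outside this hunk) remain. The later hunk adds `userdom_tmp_filetrans_user_tmp(telnetd_t, file)`, so temporary files now become user tmp files instead; either drop telnetd_tmp_t and its manage rules, or keep the filetrans, but not this half-way state. A comment above the user-tmp rules explaining the switch would help.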
@@ -70,8 +67,6 @@ corecmd_search_bin(telnetd_t)
files_read_usr_files(telnetd_t)
files_read_etc_files(telnetd_t)
files_read_etc_runtime_files(telnetd_t)
-# for identd; cjp: this should probably only be inetd_child rules?
-files_search_home(telnetd_t)
init_rw_utmp(telnetd_t)
@@ -81,15 +76,10 @@ miscfiles_read_localization(telnetd_t)
seutil_read_config(telnetd_t)
-remotelogin_domtrans(telnetd_t)
-
userdom_search_user_home_dirs(telnetd_t)
userdom_setattr_user_ptys(telnetd_t)
-
-optional_policy(`
- kerberos_keytab_template(telnetd, telnetd_t)
- kerberos_manage_host_rcache(telnetd_t)
-')
+userdom_manage_user_tmp_files(telnetd_t)
+userdom_tmp_filetrans_user_tmp(telnetd_t, file)
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(telnetd_t)
@@ -98,3 +88,12 @@ tunable_policy(`use_nfs_home_dirs',`
tunable_policy(`use_samba_home_dirs',`
fs_search_cifs(telnetd_t)
')
+
+optional_policy(`
+ kerberos_keytab_template(telnetd, telnetd_t)
+ kerberos_manage_host_rcache(telnetd_t)
+')
+
+optional_policy(`
+ remotelogin_domtrans(telnetd_t)
+')
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
index 38bb312..414e03f 100644
--- a/policy/modules/services/tftp.if
+++ b/policy/modules/services/tftp.if
@@ -13,9 +13,33 @@
interface(`tftp_read_content',`
gen_require(`
type tftpdir_t;
+ type tftpdir_rw_t;
')
read_files_pattern($1, tftpdir_t, tftpdir_t)
+ read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)
+
+ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
+
+########################################
+## <summary>
+## Search tftp /var/lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tftp_search_rw_content',`
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ files_search_var_lib($1)
')
########################################
@@ -40,6 +64,36 @@ interface(`tftp_manage_rw_content',`
########################################
## <summary>
+## Create objects in tftpdir directories
+## with specified types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+#
+interface(`tftp_filetrans_tftpdir',`
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ filetrans_pattern($1, tftpdir_rw_t, $2, $3)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an tftp environment
## </summary>
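Review bot: The new interface is named `tftp_filetrans_tftpdir` and its summary says "in tftpdir directories", but the body only transitions inside `tftpdir_rw_t`; the sibling interfaces in this file use the `_rw_content` suffix for that type (`tftp_search_rw_content`, `tftp_manage_rw_content`). Either name it `tftp_filetrans_rw_content` or make the summary read `## Create objects in tftpdir_rw_t directories` so callers do not expect the read-only tftpdir_t to be covered.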
@@ -55,9 +109,10 @@ interface(`tftp_admin',`
type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
')
- allow $1 tftpd_t:process { ptrace signal_perms getattr };
+ allow $1 tftpd_t:process { ptrace signal_perms };
ps_process_pattern($1, tftpd_t)
+ files_list_var_lib($1)
admin_pattern($1, tftpdir_rw_t)
admin_pattern($1, tftpdir_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index d50c10d..97ce79e 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -6,10 +6,10 @@ policy_module(tftp, 1.12.0)
#
## <desc>
-## <p>
-## Allow tftp to modify public files
-## used for public file transfer services.
-## </p>
+## <p>
+## Allow tftp to modify public files
+## used for public file transfer services.
+## </p>
## </desc>
gen_tunable(tftp_anon_write, false)
@@ -32,15 +32,15 @@ files_type(tftpdir_rw_t)
#
allow tftpd_t self:capability { setgid setuid sys_chroot };
+dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t self:tcp_socket create_stream_socket_perms;
allow tftpd_t self:udp_socket create_socket_perms;
allow tftpd_t self:unix_dgram_socket create_socket_perms;
allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t tftpdir_t:dir list_dir_perms;
allow tftpd_t tftpdir_t:file read_file_perms;
-allow tftpd_t tftpdir_t:lnk_file { getattr read };
+allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
@@ -94,6 +94,10 @@ tunable_policy(`tftp_anon_write',`
')
optional_policy(`
+ cobbler_read_lib_files(tftpd_t)
+')
+
+optional_policy(`
inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
')
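Review bot: The new `cobbler_read_lib_files(tftpd_t)` block has no comment saying what tftpd needs from cobbler's private lib tree, and since tftp serves files to unauthenticated clients the reason for exposing another module's files to the daemon deserves a line. Presumably it is the PXE boot content cobbler generates; add something like `# cobbler-generated PXE boot content is served by tftpd` above the optional_policy block, adjusted to the real use case.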
diff --git a/policy/modules/services/tgtd.fc b/policy/modules/services/tgtd.fc
index 8294f6f..4847b43 100644
--- a/policy/modules/services/tgtd.fc
+++ b/policy/modules/services/tgtd.fc
@@ -1,3 +1,4 @@
/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
+/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
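Review bot: The new pattern `/var/run/tgtd.*` has an unescaped `.`, so it matches any name beginning with `tgtd` (e.g. `tgtdfoo`), and its `-s` qualifier covers only socket files even though the tgtd.te hunk adding `files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })` transitions regular files too. On a relabel a pid file created by the daemon would fall back to the generic pid label, so the two sides disagree. Tighten the regex and cover the file class as well, e.g. `/var/run/tgtd\..* gen_context(system_u:object_r:tgtd_var_run_t,s0)` without `-s`, or keep `-s` and add a matching `--` entry, whichever matches what tgtd actually writes.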
diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
index 665bf7c..d100080 100644
--- a/policy/modules/services/tgtd.te
+++ b/policy/modules/services/tgtd.te
@@ -21,6 +21,9 @@ files_tmpfs_file(tgtd_tmpfs_t)
type tgtd_var_lib_t;
files_type(tgtd_var_lib_t)
+type tgtd_var_run_t;
+files_pid_file(tgtd_var_run_t)
+
########################################
#
# TGTD personal policy.
@@ -29,7 +32,7 @@ files_type(tgtd_var_lib_t)
allow tgtd_t self:capability sys_resource;
allow tgtd_t self:process { setrlimit signal };
allow tgtd_t self:fifo_file rw_fifo_file_perms;
-allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow tgtd_t self:netlink_route_socket create_netlink_socket_perms;
allow tgtd_t self:shm create_shm_perms;
allow tgtd_t self:sem create_sem_perms;
allow tgtd_t self:tcp_socket create_stream_socket_perms;
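Review bot: Replacing `{ create_socket_perms nlmsg_read }` with `create_netlink_socket_perms` on the route socket also grants `nlmsg_write`, i.e. the ability to change routes and interface configuration, which the previous rule withheld. The read-only form is what the rest of this patch uses for the same purpose (`allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;`, and tor.te's context line). Unless tgtd really modifies routing, `allow tgtd_t self:netlink_route_socket r_netlink_socket_perms;` keeps the previous privilege level while still using a named permission set.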
@@ -46,6 +49,11 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
+manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
+manage_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
+manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
+files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
+
kernel_read_fs_sysctls(tgtd_t)
corenet_all_recvfrom_netlabel(tgtd_t)
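Review bot: The four new var_run rules are written as `tgtd_var_run_t,tgtd_var_run_t` and `files_pid_filetrans(tgtd_t,tgtd_var_run_t, ...)` with no space after the comma, unlike every other pattern call in this file (`manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)` just above). Match the file's spacing, e.g. `manage_dirs_pattern(tgtd_t, tgtd_var_run_t, tgtd_var_run_t)`.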
@@ -57,10 +65,18 @@ corenet_tcp_bind_generic_node(tgtd_t)
corenet_tcp_bind_iscsi_port(tgtd_t)
corenet_sendrecv_iscsi_server_packets(tgtd_t)
+dev_search_sysfs(tgtd_t)
+
files_read_etc_files(tgtd_t)
+fs_read_anon_inodefs_files(tgtd_t)
+
storage_manage_fixed_disk(tgtd_t)
logging_send_syslog_msg(tgtd_t)
miscfiles_read_localization(tgtd_t)
+
+optional_policy(`
+ iscsi_manage_semaphores(tgtd_t)
+')
diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
index 904f13e..464347f 100644
--- a/policy/modules/services/tor.if
+++ b/policy/modules/services/tor.if
@@ -42,7 +42,7 @@ interface(`tor_admin',`
type tor_initrc_exec_t;
')
- allow $1 tor_t:process { ptrace signal_perms getattr };
+ allow $1 tor_t:process { ptrace signal_perms };
ps_process_pattern($1, tor_t)
init_labeled_script_domtrans($1, tor_initrc_exec_t)
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index c842cad..fe5deee 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -42,6 +42,7 @@ files_pid_file(tor_var_run_t)
#
allow tor_t self:capability { setgid setuid sys_tty_config };
+allow tor_t self:process signal;
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket create_stream_socket_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
@@ -95,6 +96,7 @@ corenet_tcp_connect_all_ports(tor_t)
corenet_sendrecv_all_client_packets(tor_t)
# ... especially including port 80 and other privileged ports
corenet_tcp_connect_all_reserved_ports(tor_t)
+corenet_udp_bind_dns_port(tor_t)
# tor uses crypto and needs random
dev_read_urand(tor_t)
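Review bot: `corenet_udp_bind_dns_port(tor_t)` is added without a comment, while the neighbouring rules each explain their purpose (`# ... especially including port 80 and other privileged ports`). A default tor does not bind the DNS port, so record the configuration that needs it, e.g. `# DNSPort may be configured on the privileged dns port`. Binding a reserved port also needs the `net_bind_service` capability, which is not in the set visible in the earlier hunk (`{ setgid setuid sys_tty_config }`); confirm it is granted elsewhere, otherwise the new rule cannot be exercised.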
diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if
index 54b8605..752697f 100644
--- a/policy/modules/services/tuned.if
+++ b/policy/modules/services/tuned.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run tuned.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`tuned_domtrans',`
@@ -112,8 +112,7 @@ interface(`tuned_initrc_domtrans',`
#
interface(`tuned_admin',`
gen_require(`
- type tuned_t, tuned_var_run_t;
- type tuned_initrc_exec_t;
+ type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
')
allow $1 tuned_t:process { ptrace signal_perms };
@@ -124,6 +123,6 @@ interface(`tuned_admin',`
role_transition $2 tuned_initrc_exec_t system_r;
allow $2 system_r;
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, tuned_var_run_t)
')
diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
index db9d2a5..1aebd23 100644
--- a/policy/modules/services/tuned.te
+++ b/policy/modules/services/tuned.te
@@ -24,6 +24,7 @@ files_pid_file(tuned_var_run_t)
#
dontaudit tuned_t self:capability { dac_override sys_tty_config };
+allow tuned_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
@@ -39,7 +40,7 @@ kernel_read_system_state(tuned_t)
kernel_read_network_state(tuned_t)
dev_read_urand(tuned_t)
-dev_read_sysfs(tuned_t)
+dev_rw_sysfs(tuned_t)
# to allow cpu tuning
dev_rw_netcontrol(tuned_t)
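Review bot: Widening `dev_read_sysfs` to `dev_rw_sysfs` gives tuned write access to the entire sysfs tree, not only the cpu/power knobs it tunes, and the hunk adds no comment for it although the adjacent `dev_rw_netcontrol(tuned_t)` carries `# to allow cpu tuning`. Add a line such as `# tuned writes cpu, disk and power settings under /sys` so the widening is deliberate on the record, and prefer a narrower interface if one exists for the files tuned actually touches.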
@@ -58,6 +59,10 @@ optional_policy(`
fstools_domtrans(tuned_t)
')
+optional_policy(`
+ gnome_dontaudit_search_config(tuned_t)
+')
+
# to allow network interface tuning
optional_policy(`
sysnet_domtrans_ifconfig(tuned_t)
diff --git a/policy/modules/services/ucspitcp.if b/policy/modules/services/ucspitcp.if
index c1feba4..1f6f55b 100644
--- a/policy/modules/services/ucspitcp.if
+++ b/policy/modules/services/ucspitcp.if
@@ -20,7 +20,7 @@
## </summary>
## </param>
#
-interface(`ucspitcp_service_domain', `
+interface(`ucspitcp_service_domain',`
gen_require(`
type ucspitcp_t;
role system_r;
@@ -31,8 +31,5 @@ interface(`ucspitcp_service_domain', `
role system_r types $1;
- domain_auto_trans(ucspitcp_t, $2, $1)
- allow $1 ucspitcp_t:fd use;
- allow $1 ucspitcp_t:process sigchld;
- allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
+ domtrans_pattern(ucspitcp_t, $2, $1)
')
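Review bot: `domtrans_pattern(ucspitcp_t, $2, $1)` covers the removed `fd use` and `process sigchld` rules (and adds fifo access), but not the removed `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;`, so the service domain loses the right to use the client connection it inherits from tcpserver unless that is granted elsewhere. Keep the socket rule next to the pattern: `domtrans_pattern(ucspitcp_t, $2, $1)` followed by `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;`.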
diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te
index a0794bf..37c056b 100644
--- a/policy/modules/services/ucspitcp.te
+++ b/policy/modules/services/ucspitcp.te
@@ -8,12 +8,10 @@ policy_module(ucspitcp, 1.3.0)
type rblsmtpd_t;
type rblsmtpd_exec_t;
init_system_domain(rblsmtpd_t, rblsmtpd_exec_t)
-role system_r types rblsmtpd_t;
type ucspitcp_t;
type ucspitcp_exec_t;
init_system_domain(ucspitcp_t, ucspitcp_exec_t)
-role system_r types ucspitcp_t;
########################################
#
@@ -89,5 +87,7 @@ sysnet_read_config(ucspitcp_t)
optional_policy(`
daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
+ daemontools_sigchld_run(ucspitcp_t)
daemontools_read_svc(ucspitcp_t)
')
+
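Review bot: The hunk appends an empty line after the closing `')`, leaving the file with a trailing blank line; the `daemontools_sigchld_run(ucspitcp_t)` addition itself is fine. Drop the added blank line so the file ends at the `')`.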
diff --git a/policy/modules/services/ulogd.fc b/policy/modules/services/ulogd.fc
index 831b4a3..8590730 100644
--- a/policy/modules/services/ulogd.fc
+++ b/policy/modules/services/ulogd.fc
@@ -1,7 +1,7 @@
/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
/etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0)
-/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0)
+/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0)
/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0)
diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te
index 3b953f5..70f687a 100644
--- a/policy/modules/services/ulogd.te
+++ b/policy/modules/services/ulogd.te
@@ -11,7 +11,7 @@ init_daemon_domain(ulogd_t, ulogd_exec_t)
# config files
type ulogd_etc_t;
-files_type(ulogd_etc_t)
+files_config_file(ulogd_etc_t)
type ulogd_initrc_exec_t;
init_script_file(ulogd_initrc_exec_t)
@@ -29,8 +29,13 @@ logging_log_file(ulogd_var_log_t)
# ulogd local policy
#
-allow ulogd_t self:capability net_admin;
+allow ulogd_t self:capability { net_admin sys_nice };
+allow ulogd_t self:process { setsched };
allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
+allow ulogd_t self:netlink_socket create_socket_perms;
+allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };
+allow ulogd_t self:udp_socket create_socket_perms;
# config files
read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
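Review bot: In `allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };` the explicit `connect` is redundant, since `create_stream_socket_perms` already contains `rw_socket_perms`, which includes `connect`; `allow ulogd_t self:process { setsched };` likewise braces a single permission where the file otherwise writes bare ones. The new route, generic-netlink, tcp and udp socket rules and the `sys_nice` capability also come without a comment saying which ulogd plugins need them. Suggest `allow ulogd_t self:tcp_socket create_stream_socket_perms;`, `allow ulogd_t self:process setsched;`, and a why-comment such as `# network sockets for remote output plugins` adjusted to the actual need.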
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index c2cf97e..1f8f768 100644
--- a/policy/modules/services/uptime.te
+++ b/policy/modules/services/uptime.te
@@ -13,7 +13,7 @@ type uptimed_etc_t alias etc_uptimed_t;
files_config_file(uptimed_etc_t)
type uptimed_spool_t;
-files_type(uptimed_spool_t)
+files_spool_file(uptimed_spool_t)
type uptimed_var_run_t;
files_pid_file(uptimed_var_run_t)
@@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t)
dontaudit uptimed_t self:capability sys_tty_config;
allow uptimed_t self:process signal_perms;
-allow uptimed_t self:fifo_file write_file_perms;
+allow uptimed_t self:fifo_file write_fifo_file_perms;
allow uptimed_t uptimed_etc_t:file read_file_perms;
files_search_etc(uptimed_t)
diff --git a/policy/modules/services/usbmuxd.te b/policy/modules/services/usbmuxd.te
index 4440aa6..34ffbfd 100644
--- a/policy/modules/services/usbmuxd.te
+++ b/policy/modules/services/usbmuxd.te
@@ -40,3 +40,7 @@ miscfiles_read_localization(usbmuxd_t)
auth_use_nsswitch(usbmuxd_t)
logging_send_syslog_msg(usbmuxd_t)
+
+optional_policy(`
+ virt_dontaudit_read_chr_dev(usbmuxd_t)
+')
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index d4349e9..f14d337 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -24,7 +24,7 @@ type uucpd_ro_t;
files_type(uucpd_ro_t)
type uucpd_spool_t;
-files_type(uucpd_spool_t)
+files_spool_file(uucpd_spool_t)
type uucpd_log_t;
logging_log_file(uucpd_log_t)
@@ -125,6 +125,8 @@ optional_policy(`
allow uux_t self:capability { setuid setgid };
allow uux_t self:fifo_file write_fifo_file_perms;
+domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)
+
uucp_append_log(uux_t)
uucp_manage_spool(uux_t)
@@ -145,5 +147,5 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(uux_t)
+ postfix_rw_master_pipes(uux_t)
')
diff --git a/policy/modules/services/uuidd.fc b/policy/modules/services/uuidd.fc
new file mode 100644
index 0000000..c184667
--- /dev/null
+++ b/policy/modules/services/uuidd.fc
@@ -0,0 +1,9 @@
+
+/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
+
+
+/usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
+
+/var/lib/libuuid(/.*)? gen_context(system_u:object_r:uuidd_var_lib_t,s0)
+
+/var/run/uuidd(/.*)? gen_context(system_u:object_r:uuidd_var_run_t,s0)
diff --git a/policy/modules/services/uuidd.if b/policy/modules/services/uuidd.if
new file mode 100644
index 0000000..5a2fd4c
--- /dev/null
+++ b/policy/modules/services/uuidd.if
@@ -0,0 +1,193 @@
+## <summary>policy for uuidd</summary>
+
+########################################
+## <summary>
+## Transition to uuidd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`uuidd_domtrans',`
+ gen_require(`
+ type uuidd_t, uuidd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, uuidd_exec_t, uuidd_t)
+')
+
+########################################
+## <summary>
+## Execute uuidd server in the uuidd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_initrc_domtrans',`
+ gen_require(`
+ type uuidd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, uuidd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Search uuidd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_search_lib',`
+ gen_require(`
+ type uuidd_var_lib_t;
+ ')
+
+ allow $1 uuidd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read uuidd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_read_lib_files',`
+ gen_require(`
+ type uuidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage uuidd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_manage_lib_files',`
+ gen_require(`
+ type uuidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage uuidd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_manage_lib_dirs',`
+ gen_require(`
+ type uuidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## Read uuidd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_read_pid_files',`
+ gen_require(`
+ type uuidd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 uuidd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to uuidd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_stream_connect_manager',`
+ gen_require(`
+ type uuidd_t, uuidd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an uuidd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`uuidd_admin',`
+ gen_require(`
+ type uuidd_t;
+ type uuidd_initrc_exec_t;
+ type uuidd_var_lib_t;
+ type uuidd_var_run_t;
+ ')
+
+ allow $1 uuidd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, uuidd_t)
+
+ uuidd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 uuidd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, uuidd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, uuidd_var_run_t)
+')
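Review bot: `uuidd_stream_connect_manager` does not follow the naming of the sibling interface added in this patch, `vdagent_stream_connect`, or the existing `virt_stream_connect`; the `_manager` suffix describes nothing in the body, which connects to the uuidd socket, so rename it `uuidd_stream_connect` before callers depend on it. The interface assumes the socket is labeled `uuidd_var_run_t`, but the uuidd.te hunk declares no `files_pid_filetrans` for that type, so the labeling relies on the directory being pre-labeled — confirm that is the case. Two blank lines separate `uuidd_manage_lib_dirs` from `uuidd_read_pid_files` where the rest of the file uses one.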
diff --git a/policy/modules/services/uuidd.te b/policy/modules/services/uuidd.te
new file mode 100644
index 0000000..ac053f3
--- /dev/null
+++ b/policy/modules/services/uuidd.te
@@ -0,0 +1,46 @@
+policy_module(uuidd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type uuidd_t;
+type uuidd_exec_t;
+init_daemon_domain(uuidd_t, uuidd_exec_t)
+
+type uuidd_initrc_exec_t;
+init_script_file(uuidd_initrc_exec_t)
+
+type uuidd_var_lib_t;
+files_type(uuidd_var_lib_t)
+
+type uuidd_var_run_t;
+files_pid_file(uuidd_var_run_t)
+
+########################################
+#
+# uuidd local policy
+#
+allow uuidd_t self:capability { setuid };
+allow uuidd_t self:process { signal };
+
+allow uuidd_t self:fifo_file rw_fifo_file_perms;
+allow uuidd_t self:unix_stream_socket create_stream_socket_perms;
+allow uuidd_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t)
+manage_files_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t)
+
+manage_dirs_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
+manage_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
+manage_sock_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
+
+dev_read_urand(uuidd_t)
+
+domain_use_interactive_fds(uuidd_t)
+
+files_read_etc_files(uuidd_t)
+
+miscfiles_read_localization(uuidd_t)
+
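Review bot: The new domain manages `uuidd_var_lib_t` and `uuidd_var_run_t` contents but declares no type transition for either, unlike the sibling modules in this patch (`files_var_lib_filetrans(tgtd_t, ...)`, `files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file })`), so anything uuidd itself creates under /var/lib or /var/run keeps the generic label unless the parent directories are pre-labeled. Add `files_pid_filetrans(uuidd_t, uuidd_var_run_t, { dir file sock_file })` and `files_var_lib_filetrans(uuidd_t, uuidd_var_lib_t, { dir file })`. `{ setuid }` and `{ signal }` brace single permissions, and the `setuid` capability has no comment saying why a uuid daemon needs it — presumably to drop privileges after start; state the reason.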
diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
index f9310f3..064171e 100644
--- a/policy/modules/services/varnishd.te
+++ b/policy/modules/services/varnishd.te
@@ -6,10 +6,10 @@ policy_module(varnishd, 1.2.0)
#
## <desc>
-## <p>
-## Allow varnishd to connect to all ports,
-## not just HTTP.
-## </p>
+## <p>
+## Allow varnishd to connect to all ports,
+## not just HTTP.
+## </p>
## </desc>
gen_tunable(varnishd_connect_any, false)
@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
init_script_file(varnishd_initrc_exec_t)
type varnishd_etc_t;
-files_type(varnishd_etc_t)
+files_config_file(varnishd_etc_t)
type varnishd_tmp_t;
files_tmp_file(varnishd_tmp_t)
diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc
new file mode 100644
index 0000000..71d9784
--- /dev/null
+++ b/policy/modules/services/vdagent.fc
@@ -0,0 +1,11 @@
+
+/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
+
+/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0)
+/var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
+
+/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
+/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0)
+
+
+
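Review bot: The pattern `/var/run/spice-vdagentd.\pid` has the escape on the wrong character: the `.` stays a wildcard and `\p` is at best a literal `p` in the regex dialect, and a compile error in PCRE-based builds, so the entry never matches the intended pid file. The log entry a few lines down has it right (`\.log`); change it to `/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)`. The three trailing blank lines at the end of the new file can also go.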
diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if
new file mode 100644
index 0000000..7647279
--- /dev/null
+++ b/policy/modules/services/vdagent.if
@@ -0,0 +1,128 @@
+
+## <summary>policy for vdagent</summary>
+
+#####################################
+## <summary>
+## Getattr on vdagent executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vdagent_getattr_exec',`
+ gen_require(`
+ type vdagent_exec_t;
+ ')
+
+ allow $1 vdagent_exec_t:file getattr;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run vdagent.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_domtrans',`
+ gen_require(`
+ type vdagent_t, vdagent_exec_t;
+ ')
+
+ domtrans_pattern($1, vdagent_exec_t, vdagent_t)
+')
+
+#######################################
+## <summary>
+## Get the attributes of vdagent logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_getattr_log',`
+ gen_require(`
+ type vdagent_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 vdagent_log_t:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+## Read vdagent PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_read_pid_files',`
+ gen_require(`
+ type vdagent_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 vdagent_var_run_t:file read_file_perms;
+')
+
+#####################################
+## <summary>
+## Connect to vdagent over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_stream_connect',`
+ gen_require(`
+ type vdagent_var_run_t, vdagent_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an vdagent environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vdagent_admin',`
+ gen_require(`
+ type vdagent_t;
+ type vdagent_var_run_t;
+ ')
+
+ allow $1 vdagent_t:process { ptrace signal_perms };
+ ps_process_pattern($1, vdagent_t)
+
+ files_search_pids($1)
+ admin_pattern($1, vdagent_var_run_t)
+
+')
+
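Review bot: `vdagent_getattr_exec` grants only `getattr` on the executable, but its parameter summary reads `Domain allowed to transition.`, copied from a domtrans interface; `virt_getattr_exec` in the virt.if hunk of this patch has the same mismatch. Use `Domain allowed access.` in both. `vdagent_admin` also omits `vdagent_log_t` although the module declares and labels it — add the type to the gen_require and `logging_search_logs($1)` plus `admin_pattern($1, vdagent_log_t)` so an admin can manage the logs, and drop the stray blank line before the closing `')`.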
diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te
new file mode 100644
index 0000000..4fd2377
--- /dev/null
+++ b/policy/modules/services/vdagent.te
@@ -0,0 +1,54 @@
+policy_module(vdagent,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vdagent_t;
+type vdagent_exec_t;
+init_daemon_domain(vdagent_t, vdagent_exec_t)
+
+type vdagent_var_run_t;
+files_pid_file(vdagent_var_run_t)
+
+type vdagent_log_t;
+logging_log_file(vdagent_log_t)
+
+########################################
+#
+# vdagent local policy
+#
+
+dontaudit vdagent_t self:capability sys_admin;
+
+allow vdagent_t self:fifo_file rw_fifo_file_perms;
+allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
+manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
+manage_sock_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
+files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+manage_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+logging_log_filetrans(vdagent_t, vdagent_log_t, { file })
+
+dev_rw_input_dev(vdagent_t)
+dev_read_sysfs(vdagent_t)
+dev_dontaudit_write_mtrr(vdagent_t)
+
+files_read_etc_files(vdagent_t)
+
+term_use_virtio_console(vdagent_t)
+
+miscfiles_read_localization(vdagent_t)
+
+optional_policy(`
+ consolekit_dbus_chat(vdagent_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(vdagent_t)
+')
+
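Review bot: `policy_module(vdagent,1.0.0)` lacks the space after the comma used by every other module (`policy_module(uuidd, 1.0.0)`, `policy_module(tftp, 1.12.0)`). `dontaudit vdagent_t self:capability sys_admin;` and `dev_rw_input_dev(vdagent_t)` have no comment saying what triggers them; a dontaudit in particular should record the harmless operation being silenced, e.g. `# sys_admin: <operation being silenced — fill in>`. The fc labels `/var/log/spice-vdagentd(/.*)?` as a directory tree but `logging_log_filetrans(vdagent_t, vdagent_log_t, { file })` transitions only files; if the daemon creates that directory itself, add `dir` to the class set.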
diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if
index 1f872b5..da605ba 100644
--- a/policy/modules/services/vhostmd.if
+++ b/policy/modules/services/vhostmd.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run vhostmd.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`vhostmd_domtrans',`
@@ -52,7 +52,7 @@ interface(`vhostmd_read_tmpfs_files',`
')
allow $1 vhostmd_tmpfs_t:file read_file_perms;
- files_search_tmp($1)
+ fs_search_tmpfs($1)
')
########################################
@@ -90,7 +90,7 @@ interface(`vhostmd_rw_tmpfs_files',`
')
rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
- files_search_tmp($1)
+ fs_search_tmpfs($1)
')
########################################
@@ -109,7 +109,7 @@ interface(`vhostmd_manage_tmpfs_files',`
')
manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
- files_search_tmp($1)
+ fs_search_tmpfs($1)
')
########################################
@@ -146,7 +146,8 @@ interface(`vhostmd_manage_pid_files',`
type vhostmd_var_run_t;
')
- manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
+ files_search_pids($1)
+ manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
')
########################################
@@ -209,7 +210,7 @@ interface(`vhostmd_admin',`
type vhostmd_t, vhostmd_initrc_exec_t;
')
- allow $1 vhostmd_t:process { ptrace signal_perms getattr };
+ allow $1 vhostmd_t:process { ptrace signal_perms };
ps_process_pattern($1, vhostmd_t)
vhostmd_initrc_domtrans($1)
@@ -220,5 +221,4 @@ interface(`vhostmd_admin',`
vhostmd_manage_tmpfs_files($1)
vhostmd_manage_pid_files($1)
-
')
diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te
index 32a3c13..7baeb6f 100644
--- a/policy/modules/services/vhostmd.te
+++ b/policy/modules/services/vhostmd.te
@@ -25,7 +25,7 @@ files_pid_file(vhostmd_var_run_t)
allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
allow vhostmd_t self:process { setsched getsched };
-allow vhostmd_t self:fifo_file rw_file_perms;
+allow vhostmd_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
@@ -44,6 +44,8 @@ corecmd_exec_shell(vhostmd_t)
corenet_tcp_connect_soundd_port(vhostmd_t)
+# 579803
+files_list_tmp(vhostmd_t)
files_read_etc_files(vhostmd_t)
files_read_usr_files(vhostmd_t)
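Review bot: The comment `# 579803` above `files_list_tmp(vhostmd_t)` is only a bug number; without the tracker name or a word on the symptom a reader cannot tell why vhostmd needs to list /tmp. Expand it, e.g. `# bz 579803: vhostmd lists /tmp (<reason from the bug>)`, filling in the reason.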
@@ -66,6 +68,7 @@ optional_policy(`
optional_policy(`
virt_stream_connect(vhostmd_t)
+ virt_write_content(vhostmd_t)
')
optional_policy(`
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
index 2124b6a..c60a0e7 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -1,5 +1,6 @@
-HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
-HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
@@ -12,18 +13,34 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+
+/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
-/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
-/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
+/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+
+# support for AEOLUS project
+/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0)
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
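Review bot: `/var/log/log(/.*)?` labeled `virt_log_t` looks like a typo or leftover — nothing else in the hunk refers to such a directory, `/var/log/libvirt(/.*)?` is already on the next line and `/var/log/vdsm(/.*)?` is added below it, so the entry should probably be dropped. Separately, `/usr/sbin/condor_vm-gahp` and `/usr/bin/imgfac\.py` are labeled `virtd_exec_t`, so they run with the full `virtd_t` privilege set of libvirtd; a short comment saying why they share the domain (as `# support for AEOLUS project` does for the oz entries) would help, and a dedicated domain would be tighter if they need only a subset.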
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 7c5d8d8..d711fd5 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -13,39 +13,44 @@
#
template(`virt_domain_template',`
gen_require(`
- type virtd_t;
- attribute virt_image_type;
- attribute virt_domain;
+ attribute virt_image_type, virt_domain;
+ attribute virt_tmpfs_type;
+ attribute virt_ptynode;
')
type $1_t, virt_domain;
domain_type($1_t)
domain_user_exemption_target($1_t)
+ mls_rangetrans_target($1_t)
+ mcs_untrusted_proc($1_t)
role system_r types $1_t;
- type $1_devpts_t;
+ type $1_devpts_t, virt_ptynode;
term_pty($1_devpts_t)
type $1_tmp_t;
files_tmp_file($1_tmp_t)
- type $1_tmpfs_t;
+ type $1_tmpfs_t, virt_tmpfs_type;
files_tmpfs_file($1_tmpfs_t)
type $1_image_t, virt_image_type;
files_type($1_image_t)
dev_node($1_image_t)
+ dev_associate_sysfs($1_image_t)
- type $1_var_run_t;
- files_pid_file($1_var_run_t)
+ auth_use_nsswitch($1_t)
- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty($1_t, $1_devpts_t)
manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
manage_files_pattern($1_t, $1_image_t, $1_image_t)
+ manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t)
read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
+ rw_chr_files_pattern($1_t, $1_image_t, $1_image_t)
rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
+ fs_hugetlbfs_filetrans($1_t, $1_image_t, file)
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
@@ -57,18 +62,6 @@ template(`virt_domain_template',`
manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
- stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain)
- manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
- manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
- manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
-
- manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
- manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- files_pid_filetrans($1_t, $1_var_run_t, { dir file })
- stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)
-
optional_policy(`
xserver_rw_shm($1_t)
')
@@ -96,14 +89,32 @@ interface(`virt_image',`
dev_node($1)
')
+#######################################
+## <summary>
+## Getattr on virt executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_getattr_exec',`
+ gen_require(`
+ type virtd_exec_t;
+ ')
+
+ allow $1 virtd_exec_t:file getattr;
+')
+
########################################
## <summary>
## Execute a domain transition to run virt.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`virt_domtrans',`
@@ -114,6 +125,25 @@ interface(`virt_domtrans',`
domtrans_pattern($1, virtd_exec_t, virtd_t)
')
+########################################
+## <summary>
+## Transition to virt_qmf.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_domtrans_qmf',`
+ gen_require(`
+ type virt_qmf_t, virt_qmf_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
+')
+
#######################################
## <summary>
## Connect to virt over an unix domain stream socket.
@@ -164,13 +194,13 @@ interface(`virt_attach_tun_iface',`
#
interface(`virt_read_config',`
gen_require(`
- type virt_etc_t;
- type virt_etc_rw_t;
+ type virt_etc_t, virt_etc_rw_t;
')
files_search_etc($1)
read_files_pattern($1, virt_etc_t, virt_etc_t)
read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+ read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
')
########################################
@@ -185,13 +215,13 @@ interface(`virt_read_config',`
#
interface(`virt_manage_config',`
gen_require(`
- type virt_etc_t;
- type virt_etc_rw_t;
+ type virt_etc_t, virt_etc_rw_t;
')
files_search_etc($1)
manage_files_pattern($1, virt_etc_t, virt_etc_t)
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+ manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
')
########################################
@@ -231,6 +261,24 @@ interface(`virt_read_content',`
########################################
## <summary>
+## Allow domain to write virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_write_content',`
+ gen_require(`
+ type virt_content_t;
+ ')
+
+ allow $1 virt_content_t:file write_file_perms;
+')
+
+########################################
+## <summary>
## Read virt PID files.
## </summary>
## <param name="domain">
@@ -269,6 +317,36 @@ interface(`virt_manage_pid_files',`
########################################
## <summary>
+## Create objects in the pid directory
+## with a private type with a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file">
+## <summary>
+## Type to which the created node will be transitioned.
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Object class(es) (single or set including {}) for which this
+## the transition will occur.
+## </summary>
+## </param>
+#
+interface(`virt_pid_filetrans',`
+ gen_require(`
+ type virt_var_run_t;
+ ')
+
+ filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
+')
+
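Review bot: `virt_pid_filetrans` passes `$4` through to `filetrans_pattern`, but its doc block describes only `domain`, `file` and `class`, so the filename argument that makes this a named transition is undocumented. Add a fourth `<param name="name" optional="true">` block between the `class` param and the `#` line, with the summary "The name of the object being created.", matching how other refpolicy filetrans interfaces document it.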
+########################################
+## <summary>
## Search virt lib directories.
## </summary>
## <param name="domain">
@@ -308,6 +386,24 @@ interface(`virt_read_lib_files',`
########################################
## <summary>
+## Dontaudit inherited read virt lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`virt_dontaudit_read_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## virt lib files.
## </summary>
@@ -352,9 +448,9 @@ interface(`virt_read_log',`
## virt log files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`virt_append_log',`
@@ -424,6 +520,24 @@ interface(`virt_read_images',`
########################################
## <summary>
+## Allow domain to read virt blk image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_blk_images',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## svirt cache files.
## </summary>
@@ -433,15 +547,15 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
-interface(`virt_manage_svirt_cache',`
+interface(`virt_manage_cache',`
gen_require(`
- type svirt_cache_t;
+ type virt_cache_t;
')
files_search_var($1)
- manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t)
- manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
- manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
+ manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+ manage_files_pattern($1, virt_cache_t, virt_cache_t)
+ manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
')
########################################
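Review bot: Renaming `virt_manage_svirt_cache` to `virt_manage_cache` drops the old interface name entirely, while the matching type rename in virt.te keeps `svirt_cache_t` as an alias of `virt_cache_t`; any module that still calls `virt_manage_svirt_cache` will fail to build with this patch. Unless every caller is updated in the same commit, keep a deprecated `virt_manage_svirt_cache` wrapper that emits a `refpolicywarn` notice and calls `virt_manage_cache($1)`.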
@@ -500,11 +614,16 @@ interface(`virt_manage_images',`
interface(`virt_admin',`
gen_require(`
type virtd_t, virtd_initrc_exec_t;
+ attribute virt_domain;
+ type virt_lxc_t;
')
allow $1 virtd_t:process { ptrace signal_perms };
ps_process_pattern($1, virtd_t)
+ allow $1 virt_lxc_t:process { ptrace signal_perms };
+ ps_process_pattern($1, virt_lxc_t)
+
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 virtd_initrc_exec_t system_r;
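Review bot: `virt_admin` now requires `type virt_lxc_t;` and grants `ptrace` on it, but the virt.te hunks in this patch declare `virtd_lxc_t` (via `init_system_domain`) and an `svirt_lxc_domain` attribute, not `virt_lxc_t`; unless that type is created elsewhere (for instance through `virt_lxc_domain_template(virt_lxc)`), the interface will fail to resolve when the module is linked. Confirm which domain the admin is meant to control; if it is the libvirt lxc helper, the require should read `type virtd_lxc_t;` and the two `allow`/`ps_process_pattern` lines updated to match. The `virt_admin` body continues past the end of the hunk.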
@@ -515,4 +634,213 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
+
+ virt_manage_images($1)
+
+ allow $1 virt_domain:process { ptrace signal_perms };
+')
+
+########################################
+## <summary>
+## Execute qemu in the svirt domain, and
+## allow the specified role the svirt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the sandbox domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_transition_svirt',`
+ gen_require(`
+ type svirt_t;
+ ')
+
+ allow $1 svirt_t:process transition;
+ role $2 types svirt_t;
+
+ optional_policy(`
+ ptchown_run(svirt_t, $2)
+ ')
')
+
+########################################
+## <summary>
+## Do not audit attempts to write virt daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`virt_dontaudit_write_pipes',`
+ gen_require(`
+ type virtd_t;
+ ')
+
+ dontaudit $1 virtd_t:fd use;
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send a sigkill to virtual machines
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_kill_svirt',`
+ gen_require(`
+ attribute virt_domain;
+ ')
+
+ allow $1 virt_domain:process sigkill;
+')
+
+########################################
+## <summary>
+## Send a signal to virtual machines
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_signal_svirt',`
+ gen_require(`
+ attribute virt_domain;
+ ')
+
+ allow $1 virt_domain:process signal;
+')
+
+########################################
+## <summary>
+## Manage virt home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_home_files',`
+ gen_require(`
+ type virt_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, virt_home_t, virt_home_t)
+')
+
+########################################
+## <summary>
+## allow domain to read
+## virt tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`virt_read_tmpfs_files',`
+ gen_require(`
+ attribute virt_tmpfs_type;
+ ')
+
+ allow $1 virt_tmpfs_type:file read_file_perms;
+')
+
+########################################
+## <summary>
+## allow domain to manage
+## virt tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`virt_manage_tmpfs_files',`
+ gen_require(`
+ attribute virt_tmpfs_type;
+ ')
+
+ allow $1 virt_tmpfs_type:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create .virt directory in the user home directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_filetrans_home_content',`
+ gen_require(`
+ type virt_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to Read virt_image_type devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_dontaudit_read_chr_dev',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## virt_lxc process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`virt_lxc_domain_template',`
+ gen_require(`
+ attribute svirt_lxc_domain;
+ ')
+
+ type $1_t, svirt_lxc_domain;
+ domain_type($1_t)
+ domain_user_exemption_target($1_t)
+ mls_rangetrans_target($1_t)
+ mcs_untrusted_proc($1_t)
+ role system_r types $1_t;
+')
+
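Review bot: `virt_kill_svirt` and `virt_signal_svirt` are named after the `svirt_t` domain, but their `gen_require` pulls in the `virt_domain` attribute, so a caller receives sigkill/signal over every virtual-machine domain rather than just `svirt_t`. Either rename them (`virt_kill_virt_domains` / `virt_signal_virt_domains`) or state the scope in the summaries, e.g. `## Send a sigkill to all virt domains.`, so the breadth of the grant is visible from the docs. `virt_transition_svirt` would likewise benefit from a one-line comment above `allow $1 svirt_t:process transition;` noting that the entry point appears to be supplied elsewhere (the `qemu_entry_type(virt_domain)` call in the virt.te hunks), since the rule alone looks incomplete.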
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 3eca020..52df08a 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,74 @@ policy_module(virt, 1.4.0)
# Declarations
#
+attribute virsh_transition_domain;
+attribute virt_ptynode;
+
## <desc>
-## <p>
-## Allow virt to use serial/parallell communication ports
-## </p>
+## <p>
+## Allow confined virtual guests to use serial/parallel communication ports
+## </p>
## </desc>
gen_tunable(virt_use_comm, false)
## <desc>
-## <p>
-## Allow virt to read fuse files
-## </p>
+## <p>
+## Allow confined virtual guests to read fuse files
+## </p>
## </desc>
gen_tunable(virt_use_fusefs, false)
## <desc>
-## <p>
-## Allow virt to manage nfs files
-## </p>
+## <p>
+## Allow confined virtual guests to manage nfs files
+## </p>
## </desc>
gen_tunable(virt_use_nfs, false)
## <desc>
-## <p>
-## Allow virt to manage cifs files
-## </p>
+## <p>
+## Allow confined virtual guests to manage cifs files
+## </p>
## </desc>
gen_tunable(virt_use_samba, false)
## <desc>
-## <p>
-## Allow virt to manage device configuration, (pci)
-## </p>
+## <p>
+## Allow confined virtual guests to manage device configuration, (pci)
+## </p>
## </desc>
gen_tunable(virt_use_sysfs, false)
## <desc>
-## <p>
-## Allow virt to use usb devices
-## </p>
+## <p>
+## Allow confined virtual guests to interact with the sanlock
+## </p>
+## </desc>
+gen_tunable(virt_use_sanlock, false)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to interact with the xserver
+## </p>
+## </desc>
+gen_tunable(virt_use_xserver, false)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to use usb devices
+## </p>
## </desc>
gen_tunable(virt_use_usb, true)
virt_domain_template(svirt)
role system_r types svirt_t;
-type svirt_cache_t;
-files_type(svirt_cache_t)
-
attribute virt_domain;
attribute virt_image_type;
+attribute virt_tmpfs_type;
+
+type virt_cache_t alias svirt_cache_t;
+files_type(virt_cache_t)
type virt_etc_t;
files_config_file(virt_etc_t)
@@ -62,23 +80,31 @@ files_config_file(virt_etc_t)
type virt_etc_rw_t;
files_type(virt_etc_rw_t)
+type virt_home_t;
+userdom_user_home_content(virt_home_t)
+
# virt Image files
type virt_image_t; # customizable
virt_image(virt_image_t)
+files_mountpoint(virt_image_t)
# virt Image files
type virt_content_t; # customizable
virt_image(virt_content_t)
userdom_user_home_content(virt_content_t)
+type virt_tmp_t;
+files_tmp_file(virt_tmp_t)
+
type virt_log_t;
logging_log_file(virt_log_t)
+mls_trusted_object(virt_log_t)
type virt_var_run_t;
files_pid_file(virt_var_run_t)
type virt_var_lib_t;
-files_type(virt_var_lib_t)
+files_mountpoint(virt_var_lib_t)
type virtd_t;
type virtd_exec_t;
@@ -89,6 +115,11 @@ domain_subj_id_change_exemption(virtd_t)
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
+type qemu_var_run_t;
+typealias qemu_var_run_t alias svirt_var_run_t;
+files_pid_file(qemu_var_run_t)
+mls_trusted_object(qemu_var_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
@@ -97,6 +128,27 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
+type virt_qmf_t;
+type virt_qmf_exec_t;
+init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
+
+########################################
+#
+# Declarations
+#
+attribute svirt_lxc_domain;
+
+type virtd_lxc_t;
+type virtd_lxc_exec_t;
+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
+
+type virtd_lxc_var_run_t;
+files_pid_file(virtd_lxc_var_run_t)
+
+# virt lxc container files
+type svirt_lxc_file_t;
+files_mountpoint(svirt_lxc_file_t)
+
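Review bot: The added `########################################` / `# Declarations` banner duplicates the one the file already opens with (see the `@@ -5,56 +5,74 @@` hunk), so virt.te now has two "Declarations" sections, the second in the middle of the type declarations. Retitle it to what it actually introduces, e.g. `# virt lxc declarations`, or move the `svirt_lxc_domain`, `virtd_lxc_t` and `svirt_lxc_file_t` declarations up into the existing section.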
########################################
#
# svirt local policy
@@ -104,15 +156,12 @@ ifdef(`enable_mls',`
allow svirt_t self:udp_socket create_socket_perms;
-manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
-manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
-files_var_filetrans(svirt_t, svirt_cache_t, { file dir })
-
read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
allow svirt_t svirt_image_t:dir search_dir_perms;
manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
+manage_fifo_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
@@ -130,9 +179,13 @@ corenet_tcp_connect_all_ports(svirt_t)
dev_list_sysfs(svirt_t)
+fs_getattr_xattr_fs(svirt_t)
+
userdom_search_user_home_content(svirt_t)
userdom_read_user_home_content_symlinks(svirt_t)
userdom_read_all_users_state(svirt_t)
+append_files_pattern(svirt_t, virt_home_t, virt_home_t)
+stream_connect_pattern(svirt_t, virt_home_t, virt_home_t, virtd_t)
tunable_policy(`virt_use_comm',`
term_use_unallocated_ttys(svirt_t)
@@ -147,11 +200,15 @@ tunable_policy(`virt_use_fusefs',`
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
+ fs_manage_nfs_named_sockets(svirt_t)
+ fs_read_nfs_symlinks(svirt_t)
')
tunable_policy(`virt_use_samba',`
fs_manage_cifs_dirs(svirt_t)
fs_manage_cifs_files(svirt_t)
+ fs_manage_cifs_named_sockets(svirt_t)
+ fs_read_cifs_symlinks(virtd_t)
')
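Review bot: `fs_read_cifs_symlinks(virtd_t)` inside the `virt_use_samba` tunable block is out of place: every other rule in these two blocks targets `svirt_t`, and the parallel `virt_use_nfs` block uses `fs_read_nfs_symlinks(svirt_t)`. This looks like a copy-paste slip that leaves the guest domain unable to follow CIFS symlinks while handing the daemon a permission it does not need at this point; change it to `fs_read_cifs_symlinks(svirt_t)`, and if virtd genuinely needs it add the `virtd_t` call next to `fs_manage_cifs_files(virtd_t)` in the daemon's own tunable block.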
tunable_policy(`virt_use_sysfs',`
@@ -160,11 +217,28 @@ tunable_policy(`virt_use_sysfs',`
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
+ dev_read_sysfs(svirt_t)
fs_manage_dos_dirs(svirt_t)
fs_manage_dos_files(svirt_t)
')
optional_policy(`
+ tunable_policy(`virt_use_sanlock',`
+ sanlock_stream_connect(svirt_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`virt_use_xserver',`
+ xserver_stream_connect(svirt_t)
+ ')
+')
+
+optional_policy(`
+ xen_rw_image_files(svirt_t)
+')
+
+optional_policy(`
xen_rw_image_files(svirt_t)
')
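Review bot: The `optional_policy` block calling `xen_rw_image_files(svirt_t)` now appears twice back-to-back, the added copy immediately above the pre-existing one. Duplicate rules do not change the compiled policy, but the second block is noise that will confuse later diffs; drop the added copy.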
@@ -174,21 +248,36 @@ optional_policy(`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit virtd_t self:capability sys_module;
+')
-allow virtd_t self:fifo_file rw_fifo_file_perms;
-allow virtd_t self:unix_stream_socket create_stream_socket_perms;
+allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
+allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow virtd_t self:tcp_socket create_stream_socket_perms;
-allow virtd_t self:tun_socket create_socket_perms;
+allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow virtd_t self:rawip_socket create_socket_perms;
+allow virtd_t self:packet_socket create_socket_perms;
allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
-manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
-manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
+manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
+manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow virt_domain virtd_t:fd use;
+dontaudit virt_domain virtd_t:unix_stream_socket { read write };
+
+allow virtd_t qemu_var_run_t:file relabel_file_perms;
+manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain)
+filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu")
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
@@ -200,8 +289,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
-allow virtd_t virt_image_type:file { relabelfrom relabelto };
-allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
+manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
+allow virtd_t virt_ptynode:chr_file rw_term_perms;
+
+manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+can_exec(virtd_t, virt_tmp_t)
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
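Review bot: `can_exec(virtd_t, virt_tmp_t)` lets the daemon execute files it has itself created in its private tmp type, with no comment saying why — exactly the rule a later reviewer will want to remove. Add a why-comment above it naming what libvirt runs from there, using a placeholder such as `# libvirt executes <HELPER> from a temp file; see <BUG-ID>` until the reason is confirmed. The new `allow virtd_t virt_ptynode:chr_file rw_term_perms;` references the `virt_ptynode` attribute, but nothing in the virt.te hunks assigns a type to it, so it grants nothing until another module populates it; a comment saying where that happens would help.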
@@ -217,9 +313,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
+kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
@@ -239,22 +341,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
+dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
dev_rw_kvm(virtd_t)
dev_getattr_all_chr_files(virtd_t)
dev_rw_mtrr(virtd_t)
+dev_rw_vhost(virtd_t)
# Init script handling
domain_use_interactive_fds(virtd_t)
domain_read_all_domains_state(virtd_t)
+domain_read_all_domains_state(virtd_t)
files_read_usr_files(virtd_t)
files_read_etc_files(virtd_t)
+files_read_usr_files(virtd_t)
files_read_etc_runtime_files(virtd_t)
files_search_all(virtd_t)
files_read_kernel_modules(virtd_t)
files_read_usr_src_files(virtd_t)
-files_manage_etc_files(virtd_t)
+files_relabelto_system_conf_files(virtd_t)
+files_relabelfrom_system_conf_files(virtd_t)
+
+# Manages /etc/sysconfig/system-config-firewall
+files_manage_system_conf_files(virtd_t)
+files_etc_filetrans_system_conf(virtd_t)
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
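Review bot: `domain_read_all_domains_state(virtd_t)` and `files_read_usr_files(virtd_t)` are each added directly below an identical existing call, so both now appear twice in this hunk. Remove the two added duplicates; replacing `files_manage_etc_files` with the narrower `files_manage_system_conf_files` / `files_etc_filetrans_system_conf` pair is the substantive change here and stands on its own.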
@@ -262,6 +373,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
+fs_manage_hugetlbfs_dirs(virtd_t)
+fs_rw_hugetlbfs_files(virtd_t)
+
+mls_fd_share_all_levels(virtd_t)
+mls_file_read_to_clearance(virtd_t)
+mls_file_write_to_clearance(virtd_t)
+mls_process_read_to_clearance(virtd_t)
+mls_process_write_to_clearance(virtd_t)
+mls_net_write_within_range(virtd_t)
+mls_socket_write_to_clearance(virtd_t)
+mls_socket_read_to_clearance(virtd_t)
+mls_rangetrans_source(virtd_t)
mcs_process_set_categories(virtd_t)
@@ -285,16 +408,29 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
+selinux_validate_context(virtd_t)
+
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
sysnet_read_config(virtd_t)
+userdom_list_admin_dir(virtd_t)
userdom_getattr_all_users(virtd_t)
userdom_list_user_home_content(virtd_t)
userdom_read_all_users_state(virtd_t)
userdom_read_user_home_content_files(virtd_t)
+userdom_relabel_user_home_files(virtd_t)
+userdom_setattr_user_home_content_files(virtd_t)
+manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
+userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
@@ -313,6 +449,10 @@ optional_policy(`
')
optional_policy(`
+ consoletype_exec(virtd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(virtd_t)
optional_policy(`
@@ -329,16 +469,23 @@ optional_policy(`
')
optional_policy(`
+ dmidecode_domtrans(virtd_t)
+')
+
+optional_policy(`
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
dnsmasq_read_pid_files(virtd_t)
dnsmasq_signull(virtd_t)
+ dnsmasq_create_pid_dirs(virtd_t)
+ dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
')
optional_policy(`
iptables_domtrans(virtd_t)
iptables_initrc_domtrans(virtd_t)
+ iptables_systemctl(virtd_t)
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
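Review bot: `dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);` ends with a semicolon, unlike every other interface call in the file; interface calls are m4 macros that already expand to complete rules, so the stray `;` survives as a bare token in the generated policy. Drop it: `dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t)`. The `optional_policy` block for iptables continues past the end of the hunk.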
@@ -365,6 +512,12 @@ optional_policy(`
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
+ qemu_entry_type(virt_domain)
+ qemu_exec(virt_domain)
+')
+
+optional_policy(`
+ sanlock_stream_connect(virtd_t)
')
optional_policy(`
@@ -394,20 +547,36 @@ optional_policy(`
# virtual domains common policy
#
-allow virt_domain self:capability { dac_read_search dac_override kill };
allow virt_domain self:process { execmem execstack signal getsched signull };
-allow virt_domain self:fifo_file rw_file_perms;
+allow virt_domain self:fifo_file rw_fifo_file_perms;
allow virt_domain self:shm create_shm_perms;
allow virt_domain self:unix_stream_socket create_stream_socket_perms;
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
allow virt_domain self:tcp_socket create_stream_socket_perms;
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
+
+manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file })
+stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
+
+dontaudit virt_domain virt_tmpfs_type:file { read write };
+
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
kernel_read_system_state(virt_domain)
+fs_getattr_xattr_fs(virt_domain)
+
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)
@@ -418,10 +587,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
-corenet_rw_tun_tap_dev(virt_domain)
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
+corenet_rw_inherited_tun_tap_dev(virt_domain)
+dev_read_generic_symlinks(virt_domain)
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
@@ -429,10 +599,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
+dev_rw_inherited_vhost(virt_domain)
domain_use_interactive_fds(virt_domain)
files_read_etc_files(virt_domain)
+files_read_mnt_symlinks(virt_domain)
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
@@ -440,14 +612,20 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
+fs_getattr_hugetlbfs(virt_domain)
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
+
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-term_use_all_terms(virt_domain)
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
term_use_ptmx(virt_domain)
-auth_use_nsswitch(virt_domain)
-
logging_send_syslog_msg(virt_domain)
miscfiles_read_localization(virt_domain)
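Review bot: The comment `# I think we need these for now.` above `miscfiles_read_public_files(virt_domain)` and `storage_raw_read_removable_device(virt_domain)` does not say what needs them, and the second rule gives every VM domain raw read access to the host's removable block device nodes — too broad a grant to carry a tentative note. Replace the comment with the concrete reason (a placeholder such as `# guests with a passed-through removable drive read the device node directly; see <BUG-ID>` until it is confirmed), or gate the removable-device rule behind a tunable alongside `virt_use_usb`.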
@@ -457,8 +635,319 @@ optional_policy(`
')
optional_policy(`
+ pulseaudio_dontaudit_exec(virt_domain)
+')
+
+optional_policy(`
virt_read_config(virt_domain)
virt_read_lib_files(virt_domain)
virt_read_content(virt_domain)
virt_stream_connect(virt_domain)
')
+
+########################################
+#
+# xm local policy
+#
+type virsh_t;
+type virsh_exec_t;
+init_system_domain(virsh_t, virsh_exec_t)
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
+
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap signal };
+allow virsh_t self:fifo_file rw_fifo_file_perms;
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+
+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
+
+kernel_read_system_state(virsh_t)
+kernel_read_network_state(virsh_t)
+kernel_read_kernel_sysctls(virsh_t)
+kernel_read_sysctl(virsh_t)
+kernel_read_xen_state(virsh_t)
+kernel_write_xen_state(virsh_t)
+
+corecmd_exec_bin(virsh_t)
+corecmd_exec_shell(virsh_t)
+
+corenet_tcp_sendrecv_generic_if(virsh_t)
+corenet_tcp_sendrecv_generic_node(virsh_t)
+corenet_tcp_connect_soundd_port(virsh_t)
+
+dev_read_rand(virsh_t)
+dev_read_urand(virsh_t)
+dev_read_sysfs(virsh_t)
+
+files_read_etc_runtime_files(virsh_t)
+files_read_usr_files(virsh_t)
+files_list_mnt(virsh_t)
+# Some common macros (you might be able to remove some)
+files_read_etc_files(virsh_t)
+
+fs_getattr_all_fs(virsh_t)
+fs_manage_xenfs_dirs(virsh_t)
+fs_manage_xenfs_files(virsh_t)
+fs_search_auto_mountpoints(virsh_t)
+
+storage_raw_read_fixed_disk(virsh_t)
+
+term_use_all_inherited_terms(virsh_t)
+
+init_stream_connect_script(virsh_t)
+init_rw_script_stream_sockets(virsh_t)
+init_use_fds(virsh_t)
+
+miscfiles_read_localization(virsh_t)
+
+sysnet_dns_name_resolve(virsh_t)
+
+optional_policy(`
+ xen_manage_image_dirs(virsh_t)
+ xen_append_log(virsh_t)
+ xen_domtrans(virsh_t)
+ xen_stream_connect(virsh_t)
+ xen_stream_connect_xenstore(virsh_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(virsh_t)
+
+ optional_policy(`
+ hal_dbus_chat(virsh_t)
+ ')
+')
+
+optional_policy(`
+ vhostmd_rw_tmpfs_files(virsh_t)
+ vhostmd_stream_connect(virsh_t)
+ vhostmd_dontaudit_rw_stream_connect(virsh_t)
+')
+
+optional_policy(`
+ virt_domtrans(virsh_t)
+ virt_manage_images(virsh_t)
+ virt_manage_config(virsh_t)
+ virt_stream_connect(virsh_t)
+')
+
+optional_policy(`
+ ssh_basic_client_template(virsh, virsh_t, system_r)
+
+ kernel_read_xen_state(virsh_ssh_t)
+ kernel_write_xen_state(virsh_ssh_t)
+
+ dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+ files_search_tmp(virsh_ssh_t)
+
+ fs_manage_xenfs_dirs(virsh_ssh_t)
+ fs_manage_xenfs_files(virsh_ssh_t)
+
+ userdom_search_admin_dir(virsh_ssh_t)
+')
+
+########################################
+#
+# virt_lxc local policy
+#
+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin };
+allow virtd_lxc_t self:process { setsched getcap setcap signal_perms };
+allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
+allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow virtd_lxc_t self:unix_stream_socket create_stream_socket_perms;
+allow virtd_lxc_t self:packet_socket create_socket_perms;
+
+allow virtd_lxc_t virt_image_type:dir mounton;
+
+allow virtd_lxc_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+
+domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
+allow virtd_t virtd_lxc_t:process { signal signull sigkill };
+
+manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
+
+manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+
+kernel_read_network_state(virtd_lxc_t)
+kernel_search_network_sysctl(virtd_lxc_t)
+kernel_read_sysctl(virtd_lxc_t)
+kernel_read_system_state(virtd_lxc_t)
+
+corecmd_exec_bin(virtd_lxc_t)
+corecmd_exec_shell(virtd_lxc_t)
+
+dev_read_sysfs(virtd_lxc_t)
+
+domain_use_interactive_fds(virtd_lxc_t)
+
+files_read_etc_files(virtd_lxc_t)
+files_read_usr_files(virtd_lxc_t)
+files_mounton_non_security(virtd_lxc_t)
+files_mount_all_file_type_fs(virtd_lxc_t)
+files_unmount_all_file_type_fs(virtd_lxc_t)
+files_list_isid_type_dirs(virtd_lxc_t)
+
+fs_manage_tmpfs_dirs(virtd_lxc_t)
+fs_manage_tmpfs_chr_files(virtd_lxc_t)
+fs_manage_tmpfs_symlinks(virtd_lxc_t)
+fs_manage_cgroup_dirs(virtd_lxc_t)
+fs_rw_cgroup_files(virtd_lxc_t)
+fs_remount_all_fs(virtd_lxc_t)
+fs_unmount_xattr_fs(virtd_lxc_t)
+
+selinux_mount_fs(virtd_lxc_t)
+selinux_unmount_fs(virtd_lxc_t)
+
+term_use_generic_ptys(virtd_lxc_t)
+term_use_ptmx(virtd_lxc_t)
+
+auth_use_nsswitch(virtd_lxc_t)
+
+logging_send_syslog_msg(virtd_lxc_t)
+
+miscfiles_read_localization(virtd_lxc_t)
+
+sysnet_domtrans_ifconfig(virtd_lxc_t)
+
+#optional_policy(`
+# unconfined_shell_domtrans(virtd_lxc_t)
+# unconfined_signal(virtd_t)
+#')
+
+########################################
+#
+# virt_lxc_domain local policy
+#
+allow svirt_lxc_domain self:capability { setuid setgid dac_override };
+dontaudit svirt_lxc_domain self:capability sys_ptrace;
+
+allow virtd_t svirt_lxc_domain:process { signal_perms };
+allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow svirt_lxc_domain virtd_lxc_t:fd use;
+allow svirt_lxc_domain virtd_lxc_var_run_t:dir search_dir_perms;
+dontaudit svirt_lxc_domain virtd_lxc_t:unix_stream_socket { read write };
+
+allow svirt_lxc_domain self:process { getattr signal_perms getsched setsched setcap setpgid execstack execmem };
+allow svirt_lxc_domain self:fifo_file manage_file_perms;
+allow svirt_lxc_domain self:sem create_sem_perms;
+allow svirt_lxc_domain self:shm create_shm_perms;
+allow svirt_lxc_domain self:msgq create_msgq_perms;
+allow svirt_lxc_domain self:unix_stream_socket create_stream_socket_perms;
+allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+dontaudit svirt_lxc_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+rw_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+rw_blk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+
+kernel_getattr_proc(svirt_lxc_domain)
+kernel_read_kernel_sysctls(svirt_lxc_domain)
+kernel_read_system_state(svirt_lxc_domain)
+kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+
+corecmd_exec_all_executables(svirt_lxc_domain)
+
+dev_read_urand(svirt_lxc_domain)
+dev_dontaudit_read_rand(svirt_lxc_domain)
+dev_read_sysfs(svirt_lxc_domain)
+
+files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
+files_entrypoint_all_files(svirt_lxc_domain)
+files_search_all(svirt_lxc_domain)
+files_read_config_files(svirt_lxc_domain)
+files_read_usr_files(svirt_lxc_domain)
+files_read_usr_symlinks(svirt_lxc_domain)
+
+fs_getattr_tmpfs(svirt_lxc_domain)
+fs_getattr_xattr_fs(svirt_lxc_domain)
+fs_list_inotifyfs(svirt_lxc_domain)
+fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain)
+
+auth_dontaudit_read_login_records(svirt_lxc_domain)
+auth_dontaudit_write_login_records(svirt_lxc_domain)
+auth_search_pam_console_data(svirt_lxc_domain)
+
+init_read_utmp(svirt_lxc_domain)
+init_dontaudit_write_utmp(svirt_lxc_domain)
+
+libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+
+miscfiles_read_localization(svirt_lxc_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
+
+mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+
+selinux_get_fs_mount(svirt_lxc_domain)
+selinux_validate_context(svirt_lxc_domain)
+selinux_compute_access_vector(svirt_lxc_domain)
+selinux_compute_create_context(svirt_lxc_domain)
+selinux_compute_relabel_context(svirt_lxc_domain)
+selinux_compute_user_contexts(svirt_lxc_domain)
+seutil_read_default_contexts(svirt_lxc_domain)
+
+miscfiles_read_fonts(svirt_lxc_domain)
+
+virt_lxc_domain_template(svirt_lxc_net)
+
+allow svirt_lxc_net_t self:udp_socket create_socket_perms;
+allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms;
+allow svirt_lxc_net_t self:netlink_route_socket create_netlink_socket_perms;
+allow svirt_lxc_net_t self:packet_socket create_socket_perms;
+allow svirt_lxc_net_t self:udp_socket create_socket_perms;
+
+corenet_tcp_bind_generic_node(svirt_lxc_net_t)
+corenet_udp_bind_generic_node(svirt_lxc_net_t)
+
+allow svirt_lxc_net_t self:capability { net_raw net_admin net_bind_service };
+corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t)
+corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
+corenet_udp_bind_all_ports(svirt_lxc_net_t)
+corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+kernel_read_network_state(svirt_lxc_net_t)
+
+domain_entry_file(svirt_lxc_net_t, svirt_lxc_file_t)
+domtrans_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_net_t)
+
+########################################
+#
+# virt_qmf local policy
+#
+allow virt_qmf_t self:process signal;
+allow virt_qmf_t self:fifo_file rw_fifo_file_perms;
+allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms;
+allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
+
+kernel_read_network_state(virt_qmf_t)
+
+dev_list_sysfs(virt_qmf_t)
+dev_read_sysfs(virt_qmf_t)
+
+corenet_tcp_connect_matahari_port(virt_qmf_t)
+
+domain_use_interactive_fds(virt_qmf_t)
+
+files_read_etc_files(virt_qmf_t)
+
+logging_send_syslog_msg(virt_qmf_t)
+
+miscfiles_read_localization(virt_qmf_t)
diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc
index 11533cc..4d81b99 100644
--- a/policy/modules/services/vnstatd.fc
+++ b/policy/modules/services/vnstatd.fc
@@ -1,3 +1,4 @@
+
/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if
index 727fe95..21af852 100644
--- a/policy/modules/services/vnstatd.if
+++ b/policy/modules/services/vnstatd.if
@@ -113,6 +113,7 @@ interface(`vnstatd_manage_lib_files',`
manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
')
+
########################################
## <summary>
## All of the rules required to administrate
diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
index 8121937..5a462fb 100644
--- a/policy/modules/services/vnstatd.te
+++ b/policy/modules/services/vnstatd.te
@@ -28,9 +28,12 @@ allow vnstatd_t self:process signal;
allow vnstatd_t self:fifo_file rw_fifo_file_perms;
allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
+manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
+manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
+files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })
+
manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
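Review bot: The first two added rules, `manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)` and `manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)`, are byte-for-byte duplicates of the two context lines at the bottom of this hunk; only `files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })` is new and the other two should be dropped. Removing `files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })` also means a /var/lib/vnstat directory created by the daemon itself at runtime would now inherit var_lib_t rather than vnstatd_var_lib_t; that is only safe if the directory is always shipped by the package and labeled from the fc, which the commit message does not say.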
@@ -64,7 +67,6 @@ allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
kernel_read_network_state(vnstat_t)
kernel_read_system_state(vnstat_t)
diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te
index 1174ad8..f4c4c1b 100644
--- a/policy/modules/services/w3c.te
+++ b/policy/modules/services/w3c.te
@@ -7,11 +7,18 @@ policy_module(w3c, 1.0.0)
apache_content_template(w3c_validator)
+type httpd_w3c_validator_tmp_t;
+files_tmp_file(httpd_w3c_validator_tmp_t)
+
########################################
#
# Local policy
#
+manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
+manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
+files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir })
+
corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
@@ -22,3 +29,5 @@ corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
+
+apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t)
diff --git a/policy/modules/services/wdmd.fc b/policy/modules/services/wdmd.fc
new file mode 100644
index 0000000..2f21759
--- /dev/null
+++ b/policy/modules/services/wdmd.fc
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0)
+
+/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
+
+/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
diff --git a/policy/modules/services/wdmd.if b/policy/modules/services/wdmd.if
new file mode 100644
index 0000000..a554011
--- /dev/null
+++ b/policy/modules/services/wdmd.if
@@ -0,0 +1,111 @@
+
+## <summary>policy for wdmd</summary>
+
+
+########################################
+## <summary>
+## Execute a domain transition to run wdmd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wdmd_domtrans',`
+ gen_require(`
+ type wdmd_t, wdmd_exec_t;
+ ')
+
+ domtrans_pattern($1, wdmd_exec_t, wdmd_t)
+')
+
+
+########################################
+## <summary>
+## Execute wdmd server in the wdmd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`wdmd_initrc_domtrans',`
+ gen_require(`
+ type wdmd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an wdmd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`wdmd_admin',`
+ gen_require(`
+ type wdmd_t;
+ type wdmd_initrc_exec_t;
+ ')
+
+ allow $1 wdmd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, wdmd_t)
+
+ wdmd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 wdmd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete wdmd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wdmd_manage_pid_files',`
+ gen_require(`
+ type wdmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, wdmd_var_run_t, wdmd_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to wdmd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wdmd_stream_connect',`
+ gen_require(`
+ type wdmd_t, wdmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t)
+')
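Review bot: `wdmd_admin` does not deliver what its summary promises: an administrator role gets `ptrace`/`signal_perms` and the initrc transition but no access to the daemon's /var/run/wdmd content, so add `files_list_pids($1)` and `wdmd_manage_pid_files($1)` inside the interface, as is conventional for refpolicy admin interfaces that also define a manage_pid_files interface. The unconditional `ptrace` grant is broader than start/stop/status needs; if this tree carries a ptrace boolean it should be gated on it like the other admin interfaces, otherwise consider dropping it. Nit: the doubled blank lines before the first two interface headers do not match the one-blank-line layout used by the other `.if` files in this patch.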
diff --git a/policy/modules/services/wdmd.te b/policy/modules/services/wdmd.te
new file mode 100644
index 0000000..307c99e
--- /dev/null
+++ b/policy/modules/services/wdmd.te
@@ -0,0 +1,51 @@
+policy_module(wdmd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wdmd_t;
+type wdmd_exec_t;
+init_daemon_domain(wdmd_t, wdmd_exec_t)
+
+type wdmd_var_run_t;
+files_pid_file(wdmd_var_run_t)
+
+type wdmd_initrc_exec_t;
+init_script_file(wdmd_initrc_exec_t)
+
+########################################
+#
+# wdmd local policy
+#
+allow wdmd_t self:capability { sys_nice ipc_lock };
+allow wdmd_t self:process { setsched signal };
+
+allow wdmd_t self:fifo_file rw_fifo_file_perms;
+allow wdmd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
+manage_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
+manage_sock_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
+files_pid_filetrans(wdmd_t, wdmd_var_run_t, { file dir sock_file })
+
+dev_write_watchdog(wdmd_t)
+
+domain_use_interactive_fds(wdmd_t)
+
+files_read_etc_files(wdmd_t)
+
+logging_send_syslog_msg(wdmd_t)
+
+miscfiles_read_localization(wdmd_t)
+
+fs_read_anon_inodefs_files(wdmd_t)
+
+gen_require(`
+ type watchdog_device_t;
+')
+
+#dev_read_watchdog(wdmd_t)
+#============= wdmd_t ==============
+allow wdmd_t watchdog_device_t:chr_file read;
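Review bot: The trailing `gen_require(` block pulling `watchdog_device_t` directly into the .te, followed by a raw `allow wdmd_t watchdog_device_t:chr_file read;`, bypasses the devices module's interface layer, and the `#============= wdmd_t ==============` line is audit2allow residue; the commented `#dev_read_watchdog(wdmd_t)` suggests the author wanted an interface that this tree does not provide. Replace the tail (together with `dev_write_watchdog(wdmd_t)` above it) with one read/write watchdog interface call, e.g. `dev_rw_watchdog(wdmd_t)`, adding that interface to devices.if if it is missing, so the module never names another module's types. Nit: `policy_module(wdmd,1.0.0)` lacks the space after the comma that every other `policy_module(` line in this patch uses.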
diff --git a/policy/modules/services/xfs.if b/policy/modules/services/xfs.if
index aa6e5a8..42a0efb 100644
--- a/policy/modules/services/xfs.if
+++ b/policy/modules/services/xfs.if
@@ -1,4 +1,4 @@
-## <summary>X Windows Font Server </summary>
+## <summary>X Windows Font Server</summary>
########################################
## <summary>
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 4966c94..cb2e1a3 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,34 @@
# HOME_DIR
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
+HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+
+/root/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
+/root/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
+/root/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
+/root/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
+/root/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
+/root/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
+/root/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
+/root/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
+/root/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
#
# /dev
@@ -21,6 +42,8 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/etc/gdm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0)
+
/etc/kde3?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde3?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde3?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -33,11 +56,6 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-ifdef(`distro_redhat',`
-/etc/gdm/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/gdm/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-')
-
#
# /opt
#
@@ -48,28 +66,30 @@ ifdef(`distro_redhat',`
# /tmp
#
-/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
-/tmp/\.ICE-unix/.* -s <<none>>
-/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
-/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
-/tmp/\.X11-unix/.* -s <<none>>
+/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_tmp_t,s0)
+/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
+/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
#
# /usr
#
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
ifdef(`distro_debian', `
/usr/sbin/gdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
')
-/usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
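Review bot: `/tmp/\.X0-lock` is moved from xserver_tmp_t to xdm_tmp_t here, yet the xserver.if hunks in this same patch still carry `# Read /tmp/.X0-lock` above `allow $2 xserver_tmp_t:file read_inherited_file_perms;` and `allow $1 xserver_tmp_t:file read_file_perms;` — after a restorecon of /tmp one of the two is wrong, so either keep the fc entry on xserver_tmp_t or give client domains the matching xdm_tmp_t read rule. Replacing `/tmp/\.X11-unix/.* -s <<none>>` with `/tmp/\.X11-unix(/.*)?` likewise means a relabel now rewrites live X sockets instead of leaving them at their creation label; if that is intended a one-line comment saying so would save the next reader the question. Changing `/usr/lib(64)?/qt-.*` to `/usr/lib/qt-.*` only keeps lib64 coverage if this distro's file_contexts.subs_dist maps /usr/lib64 onto /usr/lib — worth confirming, since that file is not part of the visible patch.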
@@ -90,17 +110,44 @@ ifdef(`distro_debian', `
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
+
+/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/(l)?xdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
+
+/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/kdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
')
+
+/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
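Review bot: `/var/lib/pqsql/\.xauth.*` and `/var/lib/pqsql/\.Xauthority.*` look like a typo for `/var/lib/pgsql/...` (the PostgreSQL home directory); as written the patterns can never match, so postgres-owned X authority files keep whatever label the directory gives them. `/var/run/video.rom` should be `/var/run/video\.rom` — the bare dot is a regex wildcard in fc files and the other new entries here escape theirs. `/var/run/slim.* --` also overlaps `/var/run/slim(/.*)?` two lines above with the same type; one of the two patterns is redundant.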
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 130ced9..b6fb17a 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
interface(`xserver_restricted_role',`
gen_require(`
type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
- type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+ type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t;
type iceauth_t, iceauth_exec_t, iceauth_home_t;
type xauth_t, xauth_exec_t, xauth_home_t;
+ class dbus send_msg;
')
role $1 types { xserver_t xauth_t iceauth_t };
@@ -30,12 +31,13 @@ interface(`xserver_restricted_role',`
allow xserver_t $2:fd use;
allow xserver_t $2:shm rw_shm_perms;
- allow xserver_t $2:process signal;
+ allow xserver_t $2:process { getpgid signal };
allow xserver_t $2:shm rw_shm_perms;
allow $2 user_fonts_t:dir list_dir_perms;
allow $2 user_fonts_t:file read_file_perms;
+ allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
allow $2 user_fonts_config_t:dir list_dir_perms;
allow $2 user_fonts_config_t:file read_file_perms;
@@ -44,6 +46,8 @@ interface(`xserver_restricted_role',`
manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ allow $2 xserver_tmp_t:sock_file delete_sock_file_perms;
+ dontaudit $2 xdm_tmp_t:sock_file setattr_sock_file_perms;
files_search_tmp($2)
# Communicate via System V shared memory.
@@ -69,17 +73,21 @@ interface(`xserver_restricted_role',`
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
- allow $2 xdm_t:fifo_file { getattr read write ioctl };
- allow $2 xdm_tmp_t:dir search;
- allow $2 xdm_tmp_t:sock_file { read write };
+ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+ allow $2 xdm_tmp_t:dir search_dir_perms;
+ allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
dontaudit $2 xdm_t:tcp_socket { read write };
+ dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;
+
+ allow $2 xdm_t:dbus send_msg;
+ allow xdm_t $2:dbus send_msg;
# Client read xserver shm
allow $2 xserver_t:fd use;
allow $2 xserver_tmpfs_t:file read_file_perms;
# Read /tmp/.X0-lock
- allow $2 xserver_tmp_t:file { getattr read };
+ allow $2 xserver_tmp_t:file read_inherited_file_perms;
dev_rw_xserver_misc($2)
dev_rw_power_management($2)
@@ -88,15 +96,17 @@ interface(`xserver_restricted_role',`
dev_write_misc($2)
# open office is looking for the following
dev_getattr_agp_dev($2)
- dev_dontaudit_rw_dri($2)
+
# GNOME checks for usb and other devices:
dev_rw_usbfs($2)
miscfiles_read_fonts($2)
+ miscfiles_setattr_fonts_cache_dirs($2)
+ miscfiles_read_hwdata($2)
xserver_common_x_domain_template(user, $2)
xserver_domtrans($2)
- xserver_unconfined($2)
+ #xserver_unconfined($2)
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
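Review bot: `#xserver_unconfined($2)` is commented-out code rather than a removal; delete the line, or if the call is expected to come back, leave a comment saying under what condition. Dropping `dev_dontaudit_rw_dri($2)` here means that unless the `user_direct_dri` tunable added further down this interface carries an else branch, every DRI open attempt by a user domain now logs an AVC denial when the boolean is off, which is a behaviour change the commit message does not mention. The enclosing xserver_restricted_role starts and ends outside this hunk.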
@@ -106,12 +116,24 @@ interface(`xserver_restricted_role',`
xserver_create_xdm_tmp_sockets($2)
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
+ xserver_read_xdm_etc_files($2)
+ xserver_xdm_append_log($2)
+
+ modutils_run_insmod(xserver_t, $1)
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
+
+ tunable_policy(`user_direct_dri',`
+ dev_rw_dri($2)
+ ')
+
+ optional_policy(`
+ gnome_read_gconf_config($2)
+ ')
')
########################################
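Review bot: `modutils_run_insmod(xserver_t, $1)` adds insmod_t to every role that instantiates xserver_restricted_role and lets the X server, a process that parses untrusted client traffic, transition into the kernel-module-loading domain; that is a property of xserver_t, not of a user role, so it belongs in xserver.te (ideally behind a boolean) rather than being re-granted per role here. The new `tunable_policy(\`user_direct_dri\`, ...)` has no else branch, so the `dev_dontaudit_rw_dri($2)` removed earlier in this interface is gone when the boolean is off; `tunable_policy(\`user_direct_dri\`,\` dev_rw_dri($2) \`,\` dev_dontaudit_rw_dri($2) \`)` keeps the previous quiet failure. The rest of xserver_restricted_role lies outside this hunk.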
@@ -143,13 +165,15 @@ interface(`xserver_role',`
allow $2 xserver_tmpfs_t:file rw_file_perms;
allow $2 iceauth_home_t:file manage_file_perms;
- allow $2 iceauth_home_t:file { relabelfrom relabelto };
+ allow $2 iceauth_home_t:file relabel_file_perms;
allow $2 xauth_home_t:file manage_file_perms;
- allow $2 xauth_home_t:file { relabelfrom relabelto };
+ allow $2 xauth_home_t:file relabel_file_perms;
+ mls_xwin_read_to_clearance($2)
manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
manage_files_pattern($2, user_fonts_t, user_fonts_t)
+ allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
@@ -162,7 +186,6 @@ interface(`xserver_role',`
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
-
')
#######################################
@@ -197,7 +220,7 @@ interface(`xserver_ro_session',`
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
- allow $1 xserver_tmp_t:file { getattr read };
+ allow $1 xserver_tmp_t:file read_file_perms;
# Client read xserver shm
allow $1 xserver_t:fd use;
@@ -227,7 +250,7 @@ interface(`xserver_rw_session',`
type xserver_t, xserver_tmpfs_t;
')
- xserver_ro_session($1,$2)
+ xserver_ro_session($1, $2)
allow $1 xserver_t:shm rw_shm_perms;
allow $1 xserver_tmpfs_t:file rw_file_perms;
')
@@ -255,7 +278,7 @@ interface(`xserver_non_drawing_client',`
allow $1 self:x_gc { create setattr };
- allow $1 xdm_var_run_t:dir search;
+ allow $1 xdm_var_run_t:dir search_dir_perms;
allow $1 xserver_t:unix_stream_socket connectto;
allow $1 xextension_t:x_extension { query use };
@@ -291,13 +314,13 @@ interface(`xserver_user_client',`
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
- allow $1 xauth_home_t:file { getattr read };
- allow $1 iceauth_home_t:file { getattr read };
+ allow $1 xauth_home_t:file read_file_perms;
+ allow $1 iceauth_home_t:file read_file_perms;
# for when /tmp/.X11-unix is created by the system
allow $1 xdm_t:fd use;
- allow $1 xdm_t:fifo_file { getattr read write ioctl };
- allow $1 xdm_tmp_t:dir search;
+ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 xdm_tmp_t:dir search_dir_perms;
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
@@ -342,19 +365,23 @@ interface(`xserver_user_client',`
#
template(`xserver_common_x_domain_template',`
gen_require(`
- type root_xdrawable_t;
+ type root_xdrawable_t, xdm_t, xserver_t;
type xproperty_t, $1_xproperty_t;
type xevent_t, client_xevent_t;
type input_xevent_t, $1_input_xevent_t;
- attribute x_domain;
+ attribute x_domain, input_xevent_type;
attribute xdrawable_type, xcolormap_type;
- attribute input_xevent_type;
class x_drawable all_x_drawable_perms;
class x_property all_x_property_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
+ class x_client destroy;
+ class x_server manage;
+ class x_screen { saver_setattr saver_hide saver_show };
+ class x_pointer { get_property set_property manage };
+ class x_keyboard { read manage };
')
##############################
@@ -386,6 +413,15 @@ template(`xserver_common_x_domain_template',`
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
+
+ allow $2 xdm_t:x_drawable { hide read add_child manage };
+ allow $2 xdm_t:x_client destroy;
+
+ allow $2 root_xdrawable_t:x_drawable write;
+ allow $2 xserver_t:x_server manage;
+ allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show };
+ allow $2 xserver_t:x_pointer { get_property set_property manage };
+ allow $2 xserver_t:x_keyboard { read manage };
')
#######################################
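Review bot: The rules appended to xserver_common_x_domain_template grant every X client domain `xserver_t:x_keyboard { read manage }`, `xserver_t:x_server manage`, `root_xdrawable_t:x_drawable write` and `xdm_t:x_client destroy` unconditionally; `x_keyboard read` in particular lets any confined client observe keyboard input and `x_server manage` / `x_client destroy` let it tear down the display manager's connection, which is exactly the separation the XACE object classes exist to enforce. If these are needed to silence real denials in desktop sessions, gate them behind a new tunable or grant them only to the session domains that need them, and add a comment above the group naming the application that required each one. The template's opening lines and the `gen_require` that declares these classes are in the previous hunk.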
@@ -444,8 +480,9 @@ template(`xserver_object_types_template',`
#
template(`xserver_user_x_domain_template',`
gen_require(`
- type xdm_t, xdm_tmp_t;
- type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
+ type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
+ type xdm_home_t;
+ type xauth_home_t, iceauth_home_t, xserver_t;
')
allow $2 self:shm create_shm_perms;
@@ -456,11 +493,18 @@ template(`xserver_user_x_domain_template',`
allow $2 xauth_home_t:file read_file_perms;
allow $2 iceauth_home_t:file read_file_perms;
+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".DCOP")
+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority")
+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority")
+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth")
+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors")
+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".dmrc")
+
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
- allow $2 xdm_t:fifo_file { getattr read write ioctl };
+ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
allow $2 xdm_tmp_t:dir search_dir_perms;
- allow $2 xdm_tmp_t:sock_file { read write };
+ allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
@@ -472,20 +516,26 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
- xserver_ro_session($2,$3)
+ xserver_ro_session($2, $3)
xserver_use_user_fonts($2)
xserver_read_xdm_tmp_files($2)
+ xserver_read_xdm_pid($2)
+ xserver_xdm_append_log($2)
# X object manager
xserver_object_types_template($1)
- xserver_common_x_domain_template($1,$2)
+ xserver_common_x_domain_template($1, $2)
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
+
+ tunable_policy(`user_direct_dri',`
+ dev_rw_dri($2)
+ ')
')
########################################
@@ -517,6 +567,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
+ allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
@@ -549,6 +600,24 @@ interface(`xserver_domtrans_xauth',`
########################################
## <summary>
+## Dontaudit exec of Xauthority program.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`xserver_dontaudit_exec_xauth',`
+ gen_require(`
+ type xauth_exec_t;
+ ')
+
+ dontaudit $1 xauth_exec_t:file execute;
+')
+
+########################################
+## <summary>
## Create a Xauthority file in the user home directory.
## </summary>
## <param name="domain">
@@ -598,6 +667,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
+ xserver_read_xdm_pid($1)
')
########################################
@@ -615,7 +685,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
- allow $1 xconsole_device_t:fifo_file setattr;
+ allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
')
########################################
@@ -638,6 +708,25 @@ interface(`xserver_rw_console',`
########################################
## <summary>
+## Read XDM state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_state_xdm',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, xdm_t)
+')
+
+########################################
+## <summary>
## Use file descriptors for xdm.
## </summary>
## <param name="domain">
@@ -651,7 +740,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
- allow $1 xdm_t:fd use;
+ allow $1 xdm_t:fd use;
')
########################################
@@ -670,7 +759,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
- dontaudit $1 xdm_t:fd use;
+ dontaudit $1 xdm_t:fd use;
')
########################################
@@ -688,7 +777,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
- allow $1 xdm_t:fifo_file { getattr read write };
+ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@@ -703,12 +792,11 @@ interface(`xserver_rw_xdm_pipes',`
## </param>
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
-
gen_require(`
type xdm_t;
')
- dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
')
########################################
@@ -724,11 +812,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
- type xdm_t, xdm_tmp_t;
+ type xdm_t, xdm_tmp_t, xdm_var_run_t;
')
files_search_tmp($1)
- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
+ files_search_pids($1)
+ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
+')
+
+########################################
+## <summary>
+## Read XDM files in user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_xdm_home_files',`
+ gen_require(`
+ type xdm_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 xdm_home_t:file read_file_perms;
')
########################################
@@ -752,6 +860,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
## <summary>
+## Search XDM temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_search_xdm_tmp_dirs',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 xdm_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## Set the attributes of XDM temporary directories.
## </summary>
## <param name="domain">
@@ -765,7 +892,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
- allow $1 xdm_tmp_t:dir setattr;
+ allow $1 xdm_tmp_t:dir setattr_dir_perms;
')
########################################
@@ -805,7 +932,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
- allow $1 xdm_var_run_t:file read_file_perms;
+ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
+')
+
+######################################
+## <summary>
+## Dontaudit Read XDM pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`xserver_dontaudit_read_xdm_pid',`
+ gen_require(`
+ type xdm_var_run_t;
+ ')
+
+ dontaudit $1 xdm_var_run_t:dir search_dir_perms;
+ dontaudit $1 xdm_var_run_t:file read_file_perms;
')
########################################
@@ -828,6 +974,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
## <summary>
+## Read inherited XDM var lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_inherited_xdm_lib_files',`
+ gen_require(`
+ type xdm_var_lib_t;
+ ')
+
+ allow $1 xdm_var_lib_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
@@ -897,7 +1061,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
- allow $1 xserver_log_t:file getattr;
+ allow $1 xserver_log_t:file getattr_file_perms;
')
########################################
@@ -916,7 +1080,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
- dontaudit $1 xserver_log_t:file { append write };
+ dontaudit $1 xserver_log_t:file rw_inherited_file_perms;
')
########################################
@@ -963,6 +1127,45 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
+## Read xdm config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`xserver_read_xdm_etc_files',`
+ gen_require(`
+ type xdm_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, xdm_etc_t, xdm_etc_t)
+ read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
+')
+
+########################################
+## <summary>
+## Manage xdm config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`xserver_manage_xdm_etc_files',`
+ gen_require(`
+ type xdm_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
+')
+
+########################################
+## <summary>
## Read xdm temporary files.
## </summary>
## <param name="domain">
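Review bot: The `<param>` summaries of both `xserver_read_xdm_etc_files` and `xserver_manage_xdm_etc_files` read `Domain to not audit`, but both interfaces emit `allow` rules; the doc should say `## Domain allowed access.` as in the neighbouring interfaces. `xserver_manage_xdm_etc_files` hands out create/write/delete on display-manager configuration under /etc, which is a sensitive grant, and the read variant covers `lnk_file` while the manage variant does not. That asymmetry may be deliberate, but a comment stating that symlinks under the config directory stay read-only would keep the next maintainer from "fixing" it.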
@@ -976,7 +1179,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
- files_search_tmp($1)
+ files_search_tmp($1)
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
@@ -1038,6 +1241,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
## <summary>
+## Create, read, write, and delete xdm temporary dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_relabel_xdm_tmp_dirs',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ allow $1 xdm_tmp_t:dir relabel_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete xdm temporary dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_xdm_tmp_dirs',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary>
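Review bot: The summary of `xserver_relabel_xdm_tmp_dirs` is a copy of the manage interface's ("Create, read, write, and delete xdm temporary dirs.") and misdescribes what it grants: `relabel_dir_perms` is both `relabelfrom` and `relabelto`, so the caller can strip `xdm_tmp_t` off directories and also label other directories it may relabel as `xdm_tmp_t`. Change it to `## Relabel directories to and from the xdm temporary directory type.` Neither new interface calls `files_search_tmp($1)`, unlike `xserver_search_xdm_tmp_dirs` earlier in this patch, so a caller with no other /tmp access cannot reach the directories; presumably callers already have it, but the inconsistency is worth a comment.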
@@ -1052,7 +1291,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
- dontaudit $1 xdm_tmp_t:sock_file getattr;
+ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
')
########################################
@@ -1070,8 +1309,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
- allow $1 xserver_t:process siginh;
+ allow $1 xserver_t:process siginh;
domtrans_pattern($1, xserver_exec_t, xserver_t)
+
+ allow xserver_t $1:process getpgid;
')
########################################
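Review bot: The new `allow xserver_t $1:process getpgid;` is a reverse rule — `xserver_domtrans` now grants the X server a permission on every caller domain rather than only granting the caller a transition — and nothing in the hunk says why. Add a comment above it such as `# the X server looks up the process group of the domain that launched it` (this is the plausible reason; confirm against the denial that motivated it). The interface's summary block is outside the hunk and should mention the extra grant too, since callers of `xserver_domtrans` will not expect rules against themselves.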
@@ -1185,6 +1426,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ allow xserver_t $1:shm rw_shm_perms;
+')
+
+######################################
+## <summary>
+## Dontaudit attempts to connect to xserver
+## over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`xserver_dontaudit_stream_connect',`
+ gen_require(`
+ type xserver_t, xserver_tmp_t;
+ ')
+
+ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
')
########################################
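Review bot: `xserver_dontaudit_stream_connect` does not dontaudit anything: `stream_connect_pattern` expands to `allow` rules, so this interface silently grants the same access as `xserver_stream_connect`, and any caller that was meant to have its denials hidden gets real socket access instead. Replace the pattern call with explicit rules: `dontaudit $1 xserver_tmp_t:dir search_dir_perms;`, `dontaudit $1 xserver_tmp_t:sock_file write;`, `dontaudit $1 xserver_t:unix_stream_socket connectto;`. Separately, the `allow xserver_t $1:shm rw_shm_perms;` added to `xserver_stream_connect` is unconditional; it is the opposite direction from the `allow_write_xshm` tunable so it is presumably intended, but a comment noting that here the server, not the client, is the writer would make that explicit.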
@@ -1210,7 +1471,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
-## virtual core keyboard and virtual core pointer devices.
+## virtual core keyboard and virtual core pointer devices.
## </summary>
## <param name="domain">
## <summary>
@@ -1220,13 +1481,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
- type xserver_t;
+ type xserver_t, root_xdrawable_t;
class x_device all_x_device_perms;
class x_pointer all_x_pointer_perms;
class x_keyboard all_x_keyboard_perms;
+ class x_screen all_x_screen_perms;
+ class x_drawable { manage };
+ attribute x_domain;
+ class x_drawable { read manage setattr show };
+ class x_resource { write read };
')
allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
+ allow $1 xserver_t:{ x_screen } setattr;
+
+ allow $1 x_domain:x_drawable { read manage setattr show };
+ allow $1 x_domain:x_resource { write read };
+ allow $1 root_xdrawable_t:x_drawable { manage read };
')
########################################
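Review bot: `gen_require` declares `class x_drawable { manage };` and then `class x_drawable { read manage setattr show };` two lines later; the first declaration is redundant and should be dropped. More importantly, the body now grants `read manage setattr show` on the drawables and `read write` on the resources of every `x_domain`, plus `manage read` on `root_xdrawable_t`, which is far more than the "virtual core keyboard and virtual core pointer devices" the summary in the preceding hunk describes — the caller can read and alter any client's windows. Either narrow the rules or update the summary, e.g. `## keyboard and pointer devices, and to read and manage the drawables and resources of all X clients.` The set braces in `allow $1 xserver_t:{ x_screen } setattr;` are unnecessary for a single class.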
@@ -1243,10 +1514,458 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
- attribute x_domain;
- attribute xserver_unconfined_type;
+ attribute x_domain, xserver_unconfined_type;
')
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+########################################
+## <summary>
+## Dontaudit append to .xsession-errors file
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`xserver_dontaudit_append_xdm_home_files',`
+ gen_require(`
+ type xdm_home_t;
+ ')
+
+ dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_rw_cifs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## append to .xsession-errors file
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`xserver_append_xdm_home_files',`
+ gen_require(`
+ type xdm_home_t, xserver_tmp_t;
+ ')
+
+ allow $1 xdm_home_t:file append_file_perms;
+ allow $1 xserver_tmp_t:file append_file_perms;
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_append_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_append_cifs_files($1)
+ ')
+')
+
+#######################################
+## <summary>
+## Allow search the xdm_spool files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_xdm_search_spool',`
+ gen_require(`
+ type xdm_spool_t;
+ ')
+
+ files_search_spool($1)
+ search_dirs_pattern($1, xdm_spool_t, xdm_spool_t)
+')
+
+######################################
+## <summary>
+## Allow read the xdm_spool files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_xdm_read_spool',`
+ gen_require(`
+ type xdm_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, xdm_spool_t, xdm_spool_t)
+')
+
+########################################
+## <summary>
+## Manage the xdm_spool files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_xdm_manage_spool',`
+ gen_require(`
+ type xdm_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## xdm over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_dbus_chat_xdm',`
+ gen_require(`
+ type xdm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 xdm_t:dbus send_msg;
+ allow xdm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read xserver files created in /var/run
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_pid',`
+ gen_require(`
+ type xserver_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute xserver files created in /var/run
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_exec_pid',`
+ gen_require(`
+ type xserver_var_run_t;
+ ')
+
+ files_search_pids($1)
+ exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+')
+
+########################################
+## <summary>
+## Write xserver files created in /var/run
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_write_pid',`
+ gen_require(`
+ type xserver_var_run_t;
+ ')
+
+ files_search_pids($1)
+ write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+')
+
+########################################
+## <summary>
+## Allow append the xdm
+## log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`xserver_xdm_append_log',`
+ gen_require(`
+ type xdm_log_t;
+ attribute xdmhomewriter;
+ ')
+
+ typeattribute $1 xdmhomewriter;
+ allow $1 xdm_log_t:file append_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Read a user Iceauthority domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_user_iceauth',`
+ gen_require(`
+ type iceauth_home_t;
+ ')
+
+ # Read .Iceauthority file
+ allow $1 iceauth_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read/write inherited user homedir fonts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_inherited_user_fonts',`
+ gen_require(`
+ type user_fonts_t, user_fonts_config_t;
+ ')
+
+ allow $1 user_fonts_t:file rw_inherited_file_perms;
+ allow $1 user_fonts_t:file read_lnk_file_perms;
+
+ allow $1 user_fonts_config_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Search XDM var lib dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_search_xdm_lib',`
+ gen_require(`
+ type xdm_var_lib_t;
+ ')
+
+ allow $1 xdm_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Make an X executable an entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which the shell is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`xserver_entry_type',`
+ gen_require(`
+ type xserver_exec_t;
+ ')
+
+ domain_entry_file($1, xserver_exec_t)
+')
+
+########################################
+## <summary>
+## Execute xsever in the xserver domain, and
+## allow the specified role the xserver domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the xserver domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_run',`
+ gen_require(`
+ type xserver_t;
+ ')
+
+ xserver_domtrans($1)
+ role $2 types xserver_t;
+')
+
+########################################
+## <summary>
+## Execute xsever in the xserver domain, and
+## allow the specified role the xserver domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the xserver domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_run_xauth',`
+ gen_require(`
+ type xauth_t;
+ ')
+
+ xserver_domtrans_xauth($1)
+ role $2 types xauth_t;
+')
+
+########################################
+## <summary>
+## Read user homedir fonts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_read_home_fonts',`
+ gen_require(`
+ type user_fonts_t, user_fonts_config_t;
+ ')
+
+ list_dirs_pattern($1, user_fonts_t, user_fonts_t)
+ read_files_pattern($1, user_fonts_t, user_fonts_t)
+ read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
+
+ read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
+
+########################################
+## <summary>
+## Manage user homedir fonts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_manage_home_fonts',`
+ gen_require(`
+ type user_fonts_t, user_fonts_config_t, user_fonts_cache_t;
+ ')
+
+ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
+ manage_files_pattern($1, user_fonts_t, user_fonts_t)
+ manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
+
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+
+# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts.d")
+# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
+# userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
+')
+
+########################################
+## <summary>
+## Transition to xserver named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_filetrans_home_content',`
+ gen_require(`
+ type xdm_home_t, xauth_home_t, iceauth_home_t;
+ type user_home_t, user_fonts_t, user_fonts_cache_t;
+ type user_fonts_config_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
+ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
+ userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
+ filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto")
+')
+
+########################################
+## <summary>
+## Create xserver content in admin home
+## directory with a named file transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_filetrans_admin_home_content',`
+ gen_require(`
+ type xdm_home_t, xauth_home_t, iceauth_home_t;
+ type user_home_t, user_fonts_t, user_fonts_cache_t;
+ type user_fonts_config_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
+ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
+ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
+ userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 143c893..60e0e2d 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
#
## <desc>
-## <p>
-## Allows clients to write to the X server shared
-## memory segments.
-## </p>
+## <p>
+## Allows clients to write to the X server shared
+## memory segments.
+## </p>
## </desc>
gen_tunable(allow_write_xshm, false)
## <desc>
+## <p>
+## Allows XServer to execute writable memory
+## </p>
+## </desc>
+gen_tunable(allow_xserver_execmem, false)
+
+## <desc>
## <p>
-## Allow xdm logins as sysadm
+## Allow the graphical login program to execute bootloader
## </p>
## </desc>
+gen_tunable(xdm_exec_bootloader, false)
+
+## <desc>
+## <p>
+## Allow the graphical login program to login directly as sysadm_r:sysadm_t
+## </p>
+## </desc>
gen_tunable(xdm_sysadm_login, false)
## <desc>
-## <p>
-## Support X userspace object manager
-## </p>
+## <p>
+## Support X userspace object manager
+## </p>
## </desc>
gen_tunable(xserver_object_manager, false)
+## <desc>
+## <p>
+## Allow regular users direct dri device access
+## </p>
+## </desc>
+gen_tunable(user_direct_dri, false)
+
+attribute xdmhomewriter;
+attribute x_userdomain;
attribute x_domain;
# X Events
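Review bot: The new attributes `xdmhomewriter` and `x_userdomain` are declared with no comment, while every tunable above them carries a `<desc>` block; a reader cannot tell what membership in either attribute means. Add a one-line comment above each, e.g. `# domains allowed to write the display manager's files in user home directories` for `xdmhomewriter` (inferred from the name — confirm against the rules that use it). The `xdm_exec_bootloader` description would also help administrators more if it named which bootloader tools the display manager is being allowed to run, since that is what enabling the boolean exposes.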
@@ -109,21 +132,25 @@ xserver_common_x_domain_template(remote, remote_t)
type user_fonts_t;
typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
+typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
userdom_user_home_content(user_fonts_t)
type user_fonts_cache_t;
typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
+typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t };
userdom_user_home_content(user_fonts_cache_t)
type user_fonts_config_t;
typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t };
typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t };
+typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t };
userdom_user_home_content(user_fonts_config_t)
type iceauth_t;
type iceauth_exec_t;
typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t };
+typealias iceauth_t alias { xguest_iceauth_t };
typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
application_domain(iceauth_t, iceauth_exec_t)
ubac_constrained(iceauth_t)
@@ -131,22 +158,26 @@ ubac_constrained(iceauth_t)
type iceauth_home_t;
typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
+typealias iceauth_home_t alias { xguest_iceauth_home_t };
userdom_user_home_content(iceauth_home_t)
type xauth_t;
type xauth_exec_t;
typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
+typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t };
application_domain(xauth_t, xauth_exec_t)
ubac_constrained(xauth_t)
type xauth_home_t;
typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
+typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t };
userdom_user_home_content(xauth_home_t)
type xauth_tmp_t;
typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
+typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t };
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
files_tmp_file(xauth_tmp_t)
ubac_constrained(xauth_tmp_t)
@@ -161,15 +192,21 @@ type xdm_t;
type xdm_exec_t;
auth_login_pgm_domain(xdm_t)
init_domain(xdm_t, xdm_exec_t)
-init_daemon_domain(xdm_t, xdm_exec_t)
+init_system_domain(xdm_t, xdm_exec_t)
xserver_object_types_template(xdm)
xserver_common_x_domain_template(xdm, xdm_t)
type xdm_lock_t;
files_lock_file(xdm_lock_t)
+type xdm_etc_t;
+files_config_file(xdm_etc_t)
+
type xdm_rw_etc_t;
-files_type(xdm_rw_etc_t)
+files_config_file(xdm_rw_etc_t)
+
+type xdm_spool_t;
+files_spool_file(xdm_spool_t)
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
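Review bot: `xdm_etc_t` is introduced next to the existing `xdm_rw_etc_t` without a comment explaining the split, and at the same time `xdm_rw_etc_t` is retagged from `files_type` to `files_config_file`, which puts daemon-writable content under the config-file attribute that generic config-reading interfaces key on. Add comments such as `# read-only display manager configuration under /etc` above `xdm_etc_t` and `# configuration the display manager itself rewrites (e.g. wdm under /etc/X11/wdm)` above `xdm_rw_etc_t`, and state why the writable type now counts as a config file. The switch of `xdm_t` from `init_daemon_domain` to `init_system_domain` is likewise undocumented; presumably it reflects how init now starts the display manager, and a short comment would confirm that.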
@@ -177,13 +214,27 @@ files_type(xdm_var_lib_t)
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
+type xserver_var_lib_t;
+files_type(xserver_var_lib_t)
+
+type xserver_var_run_t;
+files_pid_file(xserver_var_run_t)
+
type xdm_tmp_t;
files_tmp_file(xdm_tmp_t)
-typealias xdm_tmp_t alias ice_tmp_t;
+typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
+typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
+ubac_constrained(xdm_tmp_t)
type xdm_tmpfs_t;
files_tmpfs_file(xdm_tmpfs_t)
+type xdm_home_t;
+userdom_user_home_content(xdm_home_t)
+
+type xdm_log_t;
+logging_log_file(xdm_log_t)
+
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
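Review bot: Folding `xserver_tmp_t` into `xdm_tmp_t` by typealias merges the X server's /tmp content (its listening sockets) with the display manager's, so every interface that grants access to `xdm_tmp_t` — including the relabel and manage-dirs interfaces added earlier in this patch — now also reaches the X server's socket directory, and the new `ubac_constrained(xdm_tmp_t)` applies to both. That is a real widening and deserves a comment above the alias, e.g. `# xserver_tmp_t is an alias: the X server and the display manager share one /tmp type`. `xserver_var_lib_t` and `xserver_var_run_t` are declared here without any note on what content they label.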
@@ -196,15 +247,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
init_system_domain(xserver_t, xserver_exec_t)
ubac_constrained(xserver_t)
-type xserver_tmp_t;
-typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
-typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
-files_tmp_file(xserver_tmp_t)
-ubac_constrained(xserver_tmp_t)
-
type xserver_tmpfs_t;
-typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
-typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
+typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t };
+typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)
@@ -234,10 +279,17 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
allow xdm_t iceauth_home_t:file read_file_perms;
+dev_read_rand(iceauth_t)
+
fs_search_auto_mountpoints(iceauth_t)
-userdom_use_user_terminals(iceauth_t)
+userdom_use_inherited_user_terminals(iceauth_t)
userdom_read_user_tmp_files(iceauth_t)
+userdom_read_all_users_state(iceauth_t)
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_manage_fusefs_files(iceauth_t)
+')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
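Review bot: `userdom_read_all_users_state(iceauth_t)` lets the ICE cookie helper read the /proc state of every user domain, which is broad for a program whose only write target in this file is `iceauth_home_t`; if a single denial drove it, a comment naming the trigger would justify it, and if it is a leak the dontaudit form is the safer choice. The rest of the hunk (`dev_read_rand`, inherited terminals, fusefs homes) looks proportionate to what iceauth does.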
@@ -247,52 +299,113 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(iceauth_t)
')
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_read_urand(iceauth_t)
+ dev_dontaudit_rw_dri(iceauth_t)
+ dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
+ fs_dontaudit_list_inotifyfs(iceauth_t)
+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
+ term_dontaudit_use_unallocated_ttys(iceauth_t)
+
+ userdom_dontaudit_read_user_home_content_files(iceauth_t)
+ userdom_dontaudit_write_user_home_content_files(iceauth_t)
+ userdom_dontaudit_write_user_tmp_files(iceauth_t)
+
+ optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(iceauth_t)
+ ')
+')
+
########################################
#
# Xauth local policy
#
+allow xauth_t self:capability dac_override;
allow xauth_t self:process signal;
+allow xauth_t self:shm create_shm_perms;
allow xauth_t self:unix_stream_socket create_stream_socket_perms;
+allow xauth_t self:unix_dgram_socket create_socket_perms;
+
+allow xauth_t xdm_t:process sigchld;
+allow xauth_t xserver_t:unix_stream_socket connectto;
+
+corenet_tcp_connect_xserver_port(xauth_t)
allow xauth_t xauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
+userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file)
+
+manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
+manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
-allow xdm_t xauth_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+kernel_read_network_state(xauth_t)
+kernel_read_system_state(xauth_t)
kernel_request_load_module(xauth_t)
domain_use_interactive_fds(xauth_t)
+domain_dontaudit_leaks(xauth_t)
files_read_etc_files(xauth_t)
+files_read_usr_files(xauth_t)
files_search_pids(xauth_t)
+files_dontaudit_getattr_all_dirs(xauth_t)
+files_dontaudit_leaks(xauth_t)
+files_var_lib_filetrans(xauth_t, xauth_home_t, file)
-fs_getattr_xattr_fs(xauth_t)
+fs_dontaudit_leaks(xauth_t)
+fs_getattr_all_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)
-# cjp: why?
-term_use_ptmx(xauth_t)
+# Probably a leak
+term_dontaudit_use_ptmx(xauth_t)
+term_dontaudit_use_console(xauth_t)
auth_use_nsswitch(xauth_t)
-userdom_use_user_terminals(xauth_t)
+userdom_use_inherited_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
+userdom_read_all_users_state(xauth_t)
xserver_rw_xdm_tmp_files(xauth_t)
+ifdef(`hide_broken_symptoms',`
+ fs_dontaudit_rw_anon_inodefs_files(xauth_t)
+ fs_dontaudit_list_inotifyfs(xauth_t)
+ userdom_manage_user_home_content_files(xauth_t)
+ userdom_manage_user_tmp_files(xauth_t)
+ dev_dontaudit_rw_generic_dev_nodes(xauth_t)
+ miscfiles_read_fonts(xauth_t)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_manage_fusefs_files(xauth_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(xauth_t)
+ fs_read_nfs_symlinks(xauth_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(xauth_t)
')
+ifdef(`hide_broken_symptoms',`
+ term_dontaudit_use_unallocated_ttys(xauth_t)
+ dev_dontaudit_rw_dri(xauth_t)
+')
+
+optional_policy(`
+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
+')
+
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
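Review bot: The hide_broken_symptoms block for `xauth_t` mixes real grants into what is by convention a dontaudit-only section: `userdom_manage_user_home_content_files(xauth_t)`, `userdom_manage_user_tmp_files(xauth_t)` and `miscfiles_read_fonts(xauth_t)` all expand to `allow` rules, so building with that flag hands xauth create/write/delete over every user's home content instead of merely silencing noise. Move those three out of the block and decide on each explicitly, or switch them to their dontaudit forms. The new `allow xauth_t self:capability dac_override;` is also unexplained; a comment on which file xauth cannot otherwise reach would justify it, since DAC override should not be needed for a cookie file the user owns. `files_var_lib_filetrans(xauth_t, xauth_home_t, file)` labels content under /var/lib with a home-directory type, which is surprising enough to deserve a note as well.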
@@ -304,20 +417,36 @@ optional_policy(`
# XDM Local policy
#
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate ptrace };
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow xdm_t self:unix_dgram_socket create_socket_perms;
+allow xdm_t self:unix_dgram_socket { create_socket_perms sendto };
allow xdm_t self:tcp_socket create_stream_socket_perms;
allow xdm_t self:udp_socket create_socket_perms;
+allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms;
allow xdm_t self:socket create_socket_perms;
allow xdm_t self:appletalk_socket create_socket_perms;
allow xdm_t self:key { search link write };
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t xauth_home_t:file manage_file_perms;
+
+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+
+manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
+userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
+userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, file)
+xserver_filetrans_home_content(xdm_t)
+xserver_filetrans_admin_home_content(xdm_t)
+
+#Handle mislabeled files in homedir
+userdom_delete_user_home_content_files(xdm_t)
+userdom_signull_unpriv_users(xdm_t)
+userdom_dontaudit_read_admin_home_lnk_files(xdm_t)
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
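Review bot: `xdm_t` now gets the `sys_ptrace` capability and `process ptrace`, and `userdom_delete_user_home_content_files(xdm_t)` lets the display manager delete any file in any user's home, with only `#Handle mislabeled files in homedir` as justification. Deleting user data to work around labeling is a large grant for a login program; if the target is specific files (`.dmrc` and `.xsession-errors` are the ones this patch transitions), a narrower rule on those types plus a relabel would be safer, and the comment should at least name the files. Add a comment above the capability line stating what xdm needs to ptrace, since `self:process ptrace` only covers xdm_t tracing xdm_t and the capability alone reaches further.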
@@ -325,43 +454,63 @@ can_exec(xdm_t, xdm_exec_t)
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
+read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
+read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
# wdm has its own config dir /etc/X11/wdm
# this is ugly, daemons should not create files under /etc!
manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
+files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })
+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+can_exec(xdm_t, xdm_tmp_t)
manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
-fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
+
+files_search_spool(xdm_t)
+manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
+manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
+files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
+manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir })
+# Read machine-id
+files_read_var_lib_files(xdm_t)
manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
-files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
+manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
+files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
-allow xdm_t xserver_t:process signal;
+allow xdm_t xserver_t:process { signal signull };
allow xdm_t xserver_t:unix_stream_socket connectto;
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
+allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms };
# transition to the xdm xserver
domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
+
+ps_process_pattern(xserver_t, xdm_t)
allow xserver_t xdm_t:process signal;
allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xserver_t:shm rw_shm_perms;
+read_files_pattern(xdm_t, xserver_t, xserver_t)
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
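Review bot: `can_exec(xdm_t, xdm_tmp_t)` lets the display manager execute files out of /tmp, and since this patch makes `xserver_tmp_t` an alias of `xdm_tmp_t` and exposes interfaces for other domains to create `xdm_tmp_t` files, that is an execution path from a shared scratch directory; a comment naming the script or binary that needs it, or a dedicated type for that file, would make the trade-off explicit. The hunk also drops `fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, ...)` while keeping every `xdm_tmpfs_t` manage rule, so files xdm creates on tmpfs will no longer get `xdm_tmpfs_t` unless a transition exists elsewhere; if that is intentional, say so. `read_files_pattern(xdm_t, xserver_t, xserver_t)` reads the X server's /proc entries and would read better placed beside the existing `ps_process_pattern(xserver_t, xdm_t)` with a comment.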
@@ -370,18 +519,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
+manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)
+manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
+manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
+logging_log_filetrans(xdm_t, xdm_log_t, { dir file })
+
manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
-logging_log_filetrans(xdm_t, xserver_log_t, file)
kernel_read_system_state(xdm_t)
+kernel_read_device_sysctls(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
kernel_read_net_sysctls(xdm_t)
kernel_read_network_state(xdm_t)
+kernel_request_load_module(xdm_t)
+kernel_stream_connect(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
+corecmd_dontaudit_access_check_bin(xdm_t)
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
@@ -393,38 +550,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
+corenet_udp_bind_ipp_port(xdm_t)
+corenet_udp_bind_xdmcp_port(xdm_t)
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
corenet_dontaudit_tcp_bind_all_ports(xdm_t)
+dev_rwx_zero(xdm_t)
dev_read_rand(xdm_t)
-dev_read_sysfs(xdm_t)
+dev_rw_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
dev_setattr_framebuffer_dev(xdm_t)
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
+dev_rw_input_dev(xdm_t)
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
dev_getattr_xserver_misc_dev(xdm_t)
dev_setattr_xserver_misc_dev(xdm_t)
+dev_rw_xserver_misc(xdm_t)
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
-dev_getattr_video_dev(xdm_t)
+dev_read_video_dev(xdm_t)
+dev_write_video_dev(xdm_t)
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
-dev_getattr_sound_dev(xdm_t)
-dev_setattr_sound_dev(xdm_t)
+dev_read_sound(xdm_t)
+dev_write_sound(xdm_t)
dev_getattr_power_mgmt_dev(xdm_t)
dev_setattr_power_mgmt_dev(xdm_t)
+dev_getattr_null_dev(xdm_t)
+dev_setattr_null_dev(xdm_t)
domain_use_interactive_fds(xdm_t)
# Do not audit denied probes of /proc.
domain_dontaudit_read_all_domains_state(xdm_t)
+domain_dontaudit_ptrace_all_domains(xdm_t)
+domain_dontaudit_signal_all_domains(xdm_t)
+domain_dontaudit_getattr_all_entry_files(xdm_t)
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
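Review bot: `dev_rw_input_dev(xdm_t)` and the widening of `dev_read_sysfs` to `dev_rw_sysfs` hand the display manager raw read/write on /dev/input event nodes (i.e. every keystroke and pointer event on the box) and write access to sysfs, with no comment saying which component or path triggered the denial. A display manager that only spawns X should not need to read input devices itself; if this is for a specific helper (presumably something gdm runs before X is up), name it so a later reviewer can re-check whether the grant is still needed: `# gdm helper reads /dev/input/* before X starts — TODO cite the denial`. The same applies to `kernel_request_load_module(xdm_t)` in the previous hunk, which lets xdm_t trigger module autoloading.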
@@ -435,9 +603,23 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
+files_dontaudit_getattr_boot_dirs(xdm_t)
+files_dontaudit_write_usr_files(xdm_t)
+files_dontaudit_getattr_all_dirs(xdm_t)
+files_dontaudit_getattr_all_symlinks(xdm_t)
+files_dontaudit_getattr_all_tmp_sockets(xdm_t)
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
+fs_rw_anon_inodefs_files(xdm_t)
+fs_mount_tmpfs(xdm_t)
+fs_list_inotifyfs(xdm_t)
+fs_dontaudit_list_noxattr_fs(xdm_t)
+fs_dontaudit_read_noxattr_fs_files(xdm_t)
+fs_manage_cgroup_dirs(xdm_t)
+fs_manage_cgroup_files(xdm_t)
+
+mls_socket_write_to_clearance(xdm_t)
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
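Review bot: `files_dontaudit_write_usr_files(xdm_t)` suppresses exactly the audit record an incident responder would want: nothing in a display manager's job legitimately writes under /usr, so a write attempt is either a misconfigured helper or a compromise, and this rule hides both. Prefer finding the writer and labelling its target, or at least record why it is here: `# gdm tries to write <which file> under /usr; denied but noisy — see bz#`. `fs_manage_cgroup_dirs`/`fs_manage_cgroup_files` and `mls_socket_write_to_clearance` in the same hunk are likewise uncommented grants that a reader cannot tie back to a program.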
@@ -446,28 +628,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
+storage_dontaudit_rw_fuse(xdm_t)
term_setattr_console(xdm_t)
+term_use_console(xdm_t)
+term_use_virtio_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
term_setattr_unallocated_ttys(xdm_t)
+term_relabel_all_ttys(xdm_t)
+term_relabel_unallocated_ttys(xdm_t)
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
+auth_signal_pam(xdm_t)
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
# Run telinit->init to shutdown.
init_telinit(xdm_t)
+init_dbus_chat(xdm_t)
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
+miscfiles_search_man_pages(xdm_t)
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
-
-sysnet_read_config(xdm_t)
+miscfiles_manage_fonts_cache(xdm_t)
+miscfiles_manage_localization(xdm_t)
+miscfiles_read_hwdata(xdm_t)
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
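Review bot: `miscfiles_manage_localization(xdm_t)` lets the display manager create, delete and rewrite locale_t content, which is shared system data consumed by every process on the host; if the real need is one file (my guess would be a single file like /etc/localtime, but that is not shown here) a narrower rule or a file-specific type would be safer than a manage interface. `term_relabel_all_ttys(xdm_t)` two lines earlier is similar: relabelling any tty on the system is a lot for a login manager that already gets `term_relabel_unallocated_ttys`. Both deserve a one-line why-comment, e.g. `# gdm rewrites <file> at session start — confirm; manage is wider than needed if so`.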
@@ -476,9 +667,30 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
+userdom_stream_connect(xdm_t)
+userdom_manage_user_tmp_dirs(xdm_t)
+userdom_manage_user_tmp_files(xdm_t)
+userdom_manage_user_tmp_sockets(xdm_t)
+userdom_manage_tmpfs_role(system_r, xdm_t)
+
+application_signal(xdm_t)
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
+xserver_domtrans_xauth(xdm_t)
+
+ifndef(`distro_redhat',`
+ allow xdm_t self:process { execheap execmem };
+')
+
+ifdef(`distro_rhel4',`
+ allow xdm_t self:process { execheap execmem };
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_manage_fusefs_dirs(xdm_t)
+ fs_manage_fusefs_files(xdm_t)
+')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
@@ -494,6 +706,14 @@ tunable_policy(`use_samba_home_dirs',`
fs_exec_cifs_files(xdm_t)
')
+optional_policy(`
+ tunable_policy(`xdm_exec_bootloader',`
+ bootloader_exec(xdm_t)
+ files_read_boot_files(xdm_t)
+ files_read_boot_symlinks(xdm_t)
+ ')
+')
+
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
@@ -507,11 +727,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
+ accountsd_read_lib_files(xdm_t)
+')
+
+optional_policy(`
+ acct_dontaudit_list_data(xdm_t)
+')
+
+optional_policy(`
alsa_domtrans(xdm_t)
+ alsa_read_rw_config(xdm_t)
')
optional_policy(`
consolekit_dbus_chat(xdm_t)
+ consolekit_read_log(xdm_t)
')
optional_policy(`
@@ -519,12 +749,63 @@ optional_policy(`
')
optional_policy(`
+ # Use dbus to start other processes as xdm_t
+ dbus_role_template(xdm, system_r, xdm_t)
+
+ #fixes for xfce4-notifyd
+ allow xdm_dbusd_t self:unix_stream_socket connectto;
+ allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;
+
+ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
+ xserver_xdm_append_log(xdm_dbusd_t)
+ xserver_read_xdm_pid(xdm_dbusd_t)
+
+ miscfiles_read_fonts(xdm_dbusd_t)
+
+ corecmd_bin_entry_type(xdm_t)
+
+ dbus_system_bus_client(xdm_t)
+
+ optional_policy(`
+ bluetooth_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
+ cpufreqselector_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
+ devicekit_dbus_chat_disk(xdm_t)
+ devicekit_dbus_chat_power(xdm_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(xdm_t)
+ ')
+')
+
+optional_policy(`
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
')
optional_policy(`
+ gnome_exec_keyringd(xdm_t)
+ gnome_manage_config(xdm_t)
+ gnome_manage_gconf_home_files(xdm_t)
+ gnome_filetrans_home_content(xdm_t)
+ gnome_read_config(xdm_t)
+ gnome_read_usr_config(xdm_t)
+ gnome_read_gconf_config(xdm_t)
+ gnome_transition_gkeyringd(xdm_t)
+')
+
+optional_policy(`
hostname_exec(xdm_t)
')
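Review bot: `corecmd_bin_entry_type(xdm_t)` is dropped into the middle of the dbus block with no explanation, yet it makes every bin_t executable a valid entry point into xdm_t; presumably it is there so xdm_dbusd_t can launch ordinary binaries that run as xdm_t (the hunk's opening comment hints at this), but the reader has to guess. Add a comment on that line, e.g. `# xdm_dbusd_t launches bin_t helpers that must run as xdm_t (dbus_role_template above)`, and consider whether a dedicated exec type for those helpers would avoid opening the domain to all of bin_t. The `allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;` line is also uncommented beyond the xfce4-notifyd note and would benefit from the same treatment.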
@@ -542,28 +823,69 @@ optional_policy(`
')
optional_policy(`
+ policykit_dbus_chat(xdm_t)
+ policykit_domtrans_auth(xdm_t)
+ policykit_read_lib(xdm_t)
+ policykit_read_reload(xdm_t)
+ policykit_signal_auth(xdm_t)
+')
+
+optional_policy(`
+ pcscd_stream_connect(xdm_t)
+')
+
+optional_policy(`
+ plymouthd_search_spool(xdm_t)
+ plymouthd_exec_plymouth(xdm_t)
+ plymouthd_stream_connect(xdm_t)
+ plymouthd_read_log(xdm_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(xdm_t)
+ pulseaudio_dbus_chat(xdm_t)
+ pulseaudio_stream_connect(xdm_t)
+')
+
+optional_policy(`
resmgr_stream_connect(xdm_t)
')
optional_policy(`
+ rhev_stream_connect_agentd(xdm_t)
+ rhev_read_pid_files_agentd(xdm_t)
+')
+
+# On crash gdm execs gdb to dump stack
+optional_policy(`
+ rpm_exec(xdm_t)
+ rpm_read_db(xdm_t)
+ rpm_dontaudit_manage_db(xdm_t)
+ rpm_dontaudit_dbus_chat(xdm_t)
+')
+
+optional_policy(`
+ rtkit_scheduled(xdm_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(xdm_t)
')
optional_policy(`
- udev_read_db(xdm_t)
+ ssh_signull(xdm_t)
')
optional_policy(`
- unconfined_domain(xdm_t)
- unconfined_domtrans(xdm_t)
+ shutdown_domtrans(xdm_t)
+')
- ifndef(`distro_redhat',`
- allow xdm_t self:process { execheap execmem };
- ')
+optional_policy(`
+ udev_read_db(xdm_t)
+')
- ifdef(`distro_rhel4',`
- allow xdm_t self:process { execheap execmem };
- ')
+optional_policy(`
+ unconfined_signal(xdm_t)
')
optional_policy(`
@@ -575,6 +897,14 @@ optional_policy(`
')
optional_policy(`
+ vdagent_stream_connect(xdm_t)
+')
+
+optional_policy(`
+ wm_exec(xdm_t)
+')
+
+optional_policy(`
xfs_stream_connect(xdm_t)
')
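Review bot: The comment `# On crash gdm execs gdb to dump stack` sits above a block that only grants rpm access (`rpm_exec`, `rpm_read_db`, `rpm_dontaudit_manage_db`, `rpm_dontaudit_dbus_chat`), so the connection between the sentence and the rules is missing; if the intent is that gdb (run inside xdm_t) consults the rpm database for debuginfo, say so: `# On crash gdm execs gdb, which queries the rpm db for debuginfo — hence the rpm rules below`. Note also that `rpm_exec` runs rpm without a domain transition, so the dontaudit on managing the db is silencing writes performed as xdm_t rather than as rpm_t; that is worth stating explicitly so nobody later "fixes" it into an allow.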
@@ -599,7 +929,7 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
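Review bot: `sys_ptrace` is added to an already heavy capability set (`dac_override sys_rawio sys_admin ...`) for the X server with no comment, while the very next rule still excludes `ptrace` from `self:process`; the two together suggest the capability is wanted for reading other users' /proc entries (the patch also adds `userdom_read_all_users_state(xserver_t)` further down) rather than for attaching to processes, but nothing here says so. Please record the reason next to the grant, e.g. `# sys_ptrace: reading /proc/<pid>/ of other sessions' processes, not process attach — confirm against denial`, and if the trigger was only a getattr/read probe consider a dontaudit instead of widening a domain that already has raw memory access.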
@@ -613,8 +943,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
+allow xserver_t self:netlink_selinux_socket create_socket_perms;
allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
+
+domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
+
+allow xserver_t xauth_home_t:file read_file_perms;
+
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
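Review bot: `allow xserver_t { input_xevent_t input_xevent_type }:x_event send;` overlaps the existing `allow xserver_t input_xevent_t:x_event send;` shown in the previous hunk's header context; if `input_xevent_t` carries the `input_xevent_type` attribute (as the naming suggests, though its declaration is not in this diff) the old line is fully subsumed and one of the two should go. Keeping both invites the next editor to change one and not the other. The new `netlink_selinux_socket create_socket_perms` line would also benefit from a short comment (presumably policy-reload notification for the XSELinux object manager).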
@@ -633,12 +970,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
-domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
-allow xserver_t xauth_home_t:file read_file_perms;
+manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
+manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
+files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir)
+
+manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
+manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
+manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
+files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })
# Create files in /var/log with the xserver_log_t type.
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
logging_log_filetrans(xserver_t, xserver_log_t, file)
+manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t)
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
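Review bot: `manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)` in the middle of the new xserver_var_run_t block looks like a copy-paste slip: it gives the X server create/unlink rights on the display manager's pid-directory sockets, while sockets the X server creates itself in /var/run get no type transition because `files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })` omits `sock_file`. I would expect `manage_sock_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)` and `files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir sock_file })`. If xserver_t genuinely must manage xdm_var_run_t sockets, move that rule to the xdm/xserver interaction section (next to the `read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)` change) with a comment saying which socket.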
@@ -646,6 +990,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
+kernel_request_load_module(xserver_t)
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
@@ -672,7 +1017,6 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
-dev_filetrans_dri(xserver_t)
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
@@ -682,11 +1026,17 @@ dev_wx_raw_memory(xserver_t)
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
+dev_read_raw_memory(xserver_t)
+dev_write_raw_memory(xserver_t)
dev_rwx_zero(xserver_t)
+domain_dontaudit_read_all_domains_state(xserver_t)
+domain_signal_all_domains(xserver_t)
+
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
files_read_usr_files(xserver_t)
+files_rw_tmpfs_files(xserver_t)
# brought on by rhgb
files_search_mnt(xserver_t)
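Review bot: `domain_signal_all_domains(xserver_t)` lets the X server deliver signals to every domain on the system, and it arrives without a comment; the only stated signalling need in this patch is the `# xserver signals unconfined user on startx` note further down, which is already covered there by `unconfined_signal(xserver_t)`. If the missing target is the session owner's domain, `userdom_signal_all_users(xserver_t)` would be a much smaller grant; if it really is arbitrary, say why: `# Xorg signals <what> — denial: ...`. The adjacent `dev_read_raw_memory`/`dev_write_raw_memory` additions on top of the existing `dev_wx_raw_memory` likewise extend /dev/mem access from write/exec to full read/write and deserve a note referencing the existing "raw memory access is needed if not using the frame buffer" comment.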
@@ -697,8 +1047,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
+fs_rw_tmpfs_files(xserver_t)
mls_xwin_read_to_clearance(xserver_t)
+mls_process_write_to_clearance(xserver_t)
+mls_file_read_to_clearance(xserver_t)
+mls_file_write_all_levels(xserver_t)
+mls_file_upgrade(xserver_t)
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
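Review bot: `mls_file_write_all_levels(xserver_t)` and `mls_file_upgrade(xserver_t)` exempt the X server from the MLS no-write-down and upgrade constraints on files, which is a trusted-subject decision, yet none of the four new MLS lines carries a justification. On an MLS box the X server already has `mls_xwin_read_to_clearance`; what file types need to be written at arbitrary levels or relabelled upward should be named so the exemption can be scoped: `# MLS: X writes per-session files at the session level and upgrades <type> — confirm with denial`. Without that, a future policy tightening has no way to tell whether the grant is still required.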
@@ -711,8 +1066,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
-getty_use_fds(xserver_t)
-
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
@@ -720,11 +1073,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
-
-modutils_domtrans_insmod(xserver_t)
+miscfiles_read_hwdata(xserver_t)
# read x_contexts
seutil_read_default_contexts(xserver_t)
+seutil_read_config(xserver_t)
+seutil_read_file_contexts(xserver_t)
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
@@ -778,16 +1132,40 @@ optional_policy(`
')
optional_policy(`
+ consolekit_read_state(xserver_t)
+')
+
+optional_policy(`
+ devicekit_signal_power(xserver_t)
+')
+
+optional_policy(`
+ getty_use_fds(xserver_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(xserver_t)
+')
+
+optional_policy(`
rhgb_getpgid(xserver_t)
rhgb_signal(xserver_t)
')
optional_policy(`
+ setrans_translate_context(xserver_t)
+')
+
+optional_policy(`
+ sandbox_rw_xserver_tmpfs_files(xserver_t)
+')
+
+optional_policy(`
udev_read_db(xserver_t)
')
optional_policy(`
- unconfined_domain_noaudit(xserver_t)
+ unconfined_domain(xserver_t)
unconfined_domtrans(xserver_t)
')
@@ -796,6 +1174,10 @@ optional_policy(`
')
optional_policy(`
+ wine_rw_shm(xserver_t)
+')
+
+optional_policy(`
xfs_stream_connect(xserver_t)
')
@@ -811,10 +1193,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
-allow xserver_t xdm_var_lib_t:file { getattr read };
-dontaudit xserver_t xdm_var_lib_t:dir search;
+allow xserver_t xdm_var_lib_t:file read_file_perms;
+dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
-allow xserver_t xdm_var_run_t:file read_file_perms;
+read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -822,7 +1204,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
-allow xserver_t xkb_var_lib_t:lnk_file read;
+allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
@@ -835,6 +1217,9 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
+userdom_read_all_users_state(xserver_t)
+
+xserver_use_user_fonts(xserver_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
@@ -842,6 +1227,11 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_symlinks(xserver_t)
')
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_manage_fusefs_dirs(xserver_t)
+ fs_manage_fusefs_files(xserver_t)
+')
+
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
@@ -850,11 +1240,14 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_system_bus_client(xserver_t)
- hal_dbus_chat(xserver_t)
+
+ optional_policy(`
+ hal_dbus_chat(xserver_t)
+ ')
')
optional_policy(`
- resmgr_stream_connect(xdm_t)
+ mono_rw_shm(xserver_t)
')
optional_policy(`
@@ -862,6 +1255,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
+optional_policy(`
+ userhelper_search_config(xserver_t)
+')
+
########################################
#
# Rules common to all X window domains
@@ -905,7 +1302,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
-allow x_domain self:x_drawable { blend };
+allow x_domain self:x_drawable blend;
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
@@ -959,11 +1356,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
+# Device rules
+allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
+allow x_domain xserver_t:x_screen getattr;
+
########################################
#
# Rules for unconfined access to this module
#
+allow xserver_unconfined_type xserver_t:x_server *;
+allow xserver_unconfined_type xdrawable_type:x_drawable *;
+allow xserver_unconfined_type xserver_t:x_screen *;
+allow xserver_unconfined_type x_domain:x_gc *;
+allow xserver_unconfined_type xcolormap_type:x_colormap *;
+allow xserver_unconfined_type xproperty_type:x_property *;
+allow xserver_unconfined_type xselection_type:x_selection *;
+allow xserver_unconfined_type x_domain:x_cursor *;
+allow xserver_unconfined_type x_domain:x_client *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+allow xserver_unconfined_type xextension_type:x_extension *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
+allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
+
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
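Review bot: The new `allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };` is placed in the unconditional "common to all X window domains" section, so it applies even when `xserver_object_manager` is on; `read` and `grab` on the server's input device mean any confined X client can observe or capture keyboard and pointer input, which is the very thing the object manager exists to restrict. If this was added to stop a specific denial, please say which client needed which permission (`# all X clients need use/getattr for XI2; read/grab added for <client>`) and consider leaving `read`/`grab`/`setfocus` to domains that demonstrably need them. The following `allow x_domain xserver_t:x_screen getattr;` is already covered by the `{ getattr saver_getattr }` rule two lines above and can be dropped.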
@@ -985,18 +1402,32 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
-allow xserver_unconfined_type xserver_t:x_server *;
-allow xserver_unconfined_type xdrawable_type:x_drawable *;
-allow xserver_unconfined_type xserver_t:x_screen *;
-allow xserver_unconfined_type x_domain:x_gc *;
-allow xserver_unconfined_type xcolormap_type:x_colormap *;
-allow xserver_unconfined_type xproperty_type:x_property *;
-allow xserver_unconfined_type xselection_type:x_selection *;
-allow xserver_unconfined_type x_domain:x_cursor *;
-allow xserver_unconfined_type x_domain:x_client *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
-allow xserver_unconfined_type xextension_type:x_extension *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
-allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
+tunable_policy(`allow_xserver_execmem',`
+ allow xserver_t self:process { execheap execmem execstack };
+')
+
+# Hack to handle the problem of using the nvidia blobs
+tunable_policy(`allow_execmem',`
+ allow xdm_t self:process execmem;
+')
+
+tunable_policy(`allow_execstack',`
+ allow xdm_t self:process { execstack execmem };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_append_nfs_files(xdmhomewriter)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_append_nfs_files(xdmhomewriter)
+')
+
+optional_policy(`
+ unconfined_rw_shm(xserver_t)
+ unconfined_execmem_rw_shm(xserver_t)
+
+ # xserver signals unconfined user on startx
+ unconfined_signal(xserver_t)
+ unconfined_getpgid(xserver_t)
+')
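Review bot: The `tunable_policy(\`use_nfs_home_dirs',` block granting `fs_append_nfs_files(xdmhomewriter)` is added twice, back to back, with identical bodies; delete the second copy. I also do not see `xdmhomewriter` declared as an attribute anywhere in this diff, so either it comes from an earlier hunk not shown or this will fail at build time — worth checking. The `allow_execmem`/`allow_execstack` blocks above give xdm_t execmem and execstack under tunables whose own comment calls them a hack for the nvidia blobs; a pointer to the tracking bug in that comment would make it easier to retire the exception later.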
diff --git a/policy/modules/services/zabbix.fc b/policy/modules/services/zabbix.fc
index 664cd7a..e3eaec5 100644
--- a/policy/modules/services/zabbix.fc
+++ b/policy/modules/services/zabbix.fc
@@ -1,8 +1,10 @@
/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zabbix-server -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
-/usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-/usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_t,s0)
+/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
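Review bot: This file loses every zabbix-agent entry (the `zabbix-agentd` init script and the `/usr/(s)?bin/zabbix_agentd` binary) without a replacement in the visible diff, so unless those labels were moved to another module in this patch the agent will now run as plain bin_t, i.e. unconfined by this policy; the old binary line was itself wrong (it labelled the executable with the domain type `zabbix_agent_t` instead of an exec type), so the fix should be `/usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)` rather than deletion. The change from `/usr/(s)?bin/` to `/usr/sbin/` for the server binaries also drops coverage of a /usr/bin install location; if that is intentional a short comment would stop someone re-adding it.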
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
index c9981d1..11013a6 100644
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run zabbix.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`zabbix_domtrans',`
@@ -65,9 +65,9 @@ interface(`zabbix_read_log',`
## zabbix log files.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
interface(`zabbix_append_log',`
@@ -110,7 +110,7 @@ interface(`zabbix_read_pid_files',`
#
interface(`zabbix_agent_tcp_connect',`
gen_require(`
- type zabbix_agent_t;
+ type zabbix_t, zabbix_agent_t;
')
corenet_sendrecv_zabbix_agent_client_packets($1)
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index 7f88f5f..bd6493d 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -36,16 +36,17 @@ files_pid_file(zabbix_var_run_t)
# zabbix local policy
#
-allow zabbix_t self:capability { setuid setgid };
-allow zabbix_t self:fifo_file rw_file_perms;
-allow zabbix_t self:process { setsched getsched signal };
+allow zabbix_t self:capability { dac_read_search dac_override setuid setgid };
+allow zabbix_t self:process setsched;
+allow zabbix_t self:sem create_sem_perms;
+allow zabbix_t self:fifo_file rw_fifo_file_perms;
allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
allow zabbix_t self:sem create_sem_perms;
allow zabbix_t self:shm create_shm_perms;
allow zabbix_t self:tcp_socket create_stream_socket_perms;
# log files
-allow zabbix_t zabbix_log_t:dir setattr;
+allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
logging_log_filetrans(zabbix_t, zabbix_log_t, file)
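Review bot: `allow zabbix_t self:sem create_sem_perms;` is now present twice in this block (the added line and the existing one three lines below); drop the new copy. In the capability line, `dac_override` already subsumes `dac_read_search`, so listing both adds nothing — and if the only need is to read/search files owned by another uid, keeping just `dac_read_search` is the smaller grant; a comment naming the path that triggered it (`# dac_read_search: reads <path> owned by <user>`) would let the next reviewer decide. The process permissions were also narrowed from `{ setsched getsched signal }` to `setsched`; if the server forks worker processes that need `signal`, that will resurface as a denial.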
@@ -58,11 +59,15 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
+kernel_read_kernel_sysctls(zabbix_t)
+
corenet_tcp_bind_generic_node(zabbix_t)
corenet_tcp_bind_zabbix_port(zabbix_t)
files_read_etc_files(zabbix_t)
+auth_use_nsswitch(zabbix_t)
+
miscfiles_read_localization(zabbix_t)
sysnet_dns_name_resolve(zabbix_t)
diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
index 3defaa1..2ad2488 100644
--- a/policy/modules/services/zarafa.fc
+++ b/policy/modules/services/zarafa.fc
@@ -8,7 +8,8 @@
/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
-/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
index 21ae664..3e448dd 100644
--- a/policy/modules/services/zarafa.if
+++ b/policy/modules/services/zarafa.if
@@ -42,6 +42,8 @@ template(`zarafa_domain_template',`
manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })
+
+ auth_use_nsswitch(zarafa_$1_t)
')
######################################
@@ -118,3 +120,24 @@ interface(`zarafa_stream_connect_server',`
files_search_var_lib($1)
stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
')
+
+####################################
+## <summary>
+## Allow the specified domain to manage
+## zarafa /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zarafa_manage_lib_files',`
+ gen_require(`
+ type zarafa_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
+')
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
index 9fb4747..6e2c42a 100644
--- a/policy/modules/services/zarafa.te
+++ b/policy/modules/services/zarafa.te
@@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
zarafa_domain_template(gateway)
zarafa_domain_template(ical)
zarafa_domain_template(indexer)
+
+type zarafa_indexer_tmp_t;
+files_tmp_file(zarafa_indexer_tmp_t)
+
zarafa_domain_template(monitor)
zarafa_domain_template(server)
@@ -41,6 +45,8 @@ manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t
manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
+dev_read_rand(zarafa_deliver_t)
+
########################################
#
# zarafa_gateway local policy
@@ -57,6 +63,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
corenet_tcp_bind_generic_node(zarafa_gateway_t)
corenet_tcp_bind_pop_port(zarafa_gateway_t)
+######################################
+#
+# zarafa-indexer local policy
+#
+
+allow zarafa_indexer_t self:capability chown;
+
+manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
+manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
+files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir })
+
+manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+
#######################################
#
# zarafa-ical local policy
@@ -107,7 +127,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
files_read_usr_files(zarafa_server_t)
-logging_send_syslog_msg(zarafa_server_t)
logging_send_audit_msgs(zarafa_server_t)
sysnet_dns_name_resolve(zarafa_server_t)
@@ -136,6 +155,36 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
corenet_tcp_sendrecv_all_ports(zarafa_spooler_t)
corenet_tcp_connect_smtp_port(zarafa_spooler_t)
+dev_read_rand(zarafa_spooler_t)
+
+########################################
+#
+# zarafa_gateway local policy
+#
+
+allow zarafa_gateway_t self:capability { chown kill };
+allow zarafa_gateway_t self:process setrlimit;
+
+dev_read_rand(zarafa_gateway_t)
+
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
+
+#######################################
+#
+# zarafa-ical local policy
+#
+
+allow zarafa_ical_t self:capability chown;
+
+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
+
+######################################
+#
+# zarafa-monitor local policy
+#
+
+allow zarafa_monitor_t self:capability chown;
+
########################################
#
# zarafa domains local policy
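Review bot: This hunk introduces a second `# zarafa_gateway local policy` section and a second `# zarafa-ical local policy` section, even though both already exist earlier in the file (the earlier gateway section is visible as context in the `@@ -57,6 +63,20 @@` hunk), and `corenet_tcp_bind_pop_port(zarafa_gateway_t)` is now granted in both places. Fold the new `chown`/`kill` capability, `setrlimit`, `dev_read_rand` and `corenet_tcp_bind_http_cache_port` rules into the existing sections and drop the duplicate header comments and the duplicated bind rule. While doing so, a one-line reason for `kill` on the gateway (`# kills stuck client children?`) would help, since `chown` is the only capability the sibling domains get.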
@@ -156,6 +205,6 @@ kernel_read_system_state(zarafa_domain)
files_read_etc_files(zarafa_domain)
-auth_use_nsswitch(zarafa_domain)
+logging_send_syslog_msg(zarafa_domain)
miscfiles_read_localization(zarafa_domain)
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
index 6b87605..347f754 100644
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@@ -38,8 +38,7 @@ interface(`zebra_stream_connect',`
')
files_search_pids($1)
- allow $1 zebra_var_run_t:sock_file write;
- allow $1 zebra_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
')
########################################
@@ -62,8 +61,7 @@ interface(`zebra_stream_connect',`
interface(`zebra_admin',`
gen_require(`
type zebra_t, zebra_tmp_t, zebra_log_t;
- type zebra_conf_t, zebra_var_run_t;
- type zebra_initrc_exec_t;
+ type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
')
allow $1 zebra_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index ade6c2c..2b78f0d 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -6,11 +6,10 @@ policy_module(zebra, 1.12.0)
#
## <desc>
-## <p>
-## Allow zebra daemon to write it configuration files
-## </p>
+## <p>
+## Allow zebra daemon to write it configuration files
+## </p>
## </desc>
-#
gen_tunable(allow_zebra_write_config, false)
type zebra_t;
@@ -18,7 +17,7 @@ type zebra_exec_t;
init_daemon_domain(zebra_t, zebra_exec_t)
type zebra_conf_t;
-files_type(zebra_conf_t)
+files_config_file(zebra_conf_t)
type zebra_initrc_exec_t;
init_script_file(zebra_initrc_exec_t)
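Review bot: Changing `zebra_conf_t` from `files_type` to `files_config_file` adds it to the generic configfile attribute, so every domain using the broad config-file interfaces can now read (or, for the manage variants, write) zebra's configuration; on typical Quagga installs zebra.conf carries the vty `password`/`enable password` lines, so this is a credential-exposure widening rather than a cosmetic relabel. If the goal was to let one specific domain read it, an explicit `zebra_read_config`-style interface would keep the exposure local; otherwise add a comment acknowledging the trade-off: `# configfile: readable by all config readers — zebra.conf may hold vty passwords`.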
@@ -52,7 +51,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms;
read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
-allow zebra_t zebra_log_t:dir setattr;
+allow zebra_t zebra_log_t:dir setattr_dir_perms;
manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if
index 702e768..13f0eef 100644
--- a/policy/modules/services/zosremote.if
+++ b/policy/modules/services/zosremote.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run audispd-zos-remote.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`zosremote_domtrans',`
@@ -34,6 +34,7 @@ interface(`zosremote_domtrans',`
## Role allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`zosremote_run',`
gen_require(`
diff --git a/policy/modules/services/zosremote.te b/policy/modules/services/zosremote.te
index f9a06d2..3d407c6 100644
--- a/policy/modules/services/zosremote.te
+++ b/policy/modules/services/zosremote.te
@@ -16,7 +16,7 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
#
allow zos_remote_t self:process signal;
-allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:fifo_file rw_fifo_file_perms;
allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
files_read_etc_files(zos_remote_t)
diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
index 1b6619e..c480ddd 100644
--- a/policy/modules/system/application.if
+++ b/policy/modules/system/application.if
@@ -205,3 +205,21 @@ interface(`application_dontaudit_sigkill',`
dontaudit $1 application_domain_type:process sigkill;
')
+
+#######################################
+## <summary>
+## Getattr all application sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`application_getattr_socket',`
+ gen_require(`
+ attribute application_domain_type;
+ ')
+
+ allow $1 application_domain_type:socket_class_set getattr;
+')
diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
index c6fdab7..41198a4 100644
--- a/policy/modules/system/application.te
+++ b/policy/modules/system/application.te
@@ -6,6 +6,24 @@ attribute application_domain_type;
# Executables to be run by user
attribute application_exec_type;
+domain_use_interactive_fds(application_domain_type)
+
+userdom_inherit_append_user_home_content_files(application_domain_type)
+userdom_inherit_append_admin_home_files(application_domain_type)
+userdom_inherit_append_user_tmp_files(application_domain_type)
+logging_inherit_append_all_logs(application_domain_type)
+
+files_dontaudit_search_all_dirs(application_domain_type)
+
+optional_policy(`
+ afs_rw_udp_sockets(application_domain_type)
+')
+
+optional_policy(`
+ cron_rw_inherited_user_spool_files(application_domain_type)
+ cron_sigchld(application_domain_type)
+')
+
optional_policy(`
cron_sigchld(application_domain_type)
')
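Review bot: `cron_sigchld(application_domain_type)` is now granted twice in application.te — once in the new optional_policy block that also adds `cron_rw_inherited_user_spool_files`, and again in the pre-existing optional_policy block directly below it. The duplicate does not change the compiled policy but makes the diff misleading; fold the new call into the existing block and drop the redundant one. The `userdom_inherit_append_*` and `logging_inherit_append_all_logs` grants apply to every domain carrying application_domain_type, which widens what a compromised application can append to; a one-line comment above them stating why all applications need inherited append on home, tmp and log files would help future reviewers.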
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 28ad538..59742f4 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -5,6 +5,7 @@
/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
@@ -30,6 +31,7 @@ ifdef(`distro_gentoo', `
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+/var/lib/pam_shield(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
@@ -45,5 +47,4 @@ ifdef(`distro_gentoo', `
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 73554ec..f05a80f 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
auth_exec_pam($1)
auth_use_nsswitch($1)
+ init_rw_stream_sockets($1)
+
logging_send_audit_msgs($1)
logging_send_syslog_msg($1)
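Review bot: `init_rw_stream_sockets($1)` is added to auth_use_pam unconditionally, so every domain that authenticates through PAM can now read and write init's stream sockets, not only those that talk to systemd-logind. The logind-specific calls in the next hunk are placed in an optional_policy block; if this socket access exists for the same reason, move it next to them or gate it on the `init_systemd` tunable this patch introduces in init.if, and add a comment naming which PAM module needs it.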
@@ -80,6 +82,12 @@ interface(`auth_use_pam',`
optional_policy(`
nis_authenticate($1)
')
+
+ optional_policy(`
+ systemd_dbus_chat_logind($1)
+ systemd_use_fds_logind($1)
+ systemd_write_inherited_logind_sessions_pipes($1)
+ ')
')
########################################
@@ -95,9 +103,12 @@ interface(`auth_use_pam',`
interface(`auth_login_pgm_domain',`
gen_require(`
type var_auth_t, auth_cache_t;
+ attribute polydomain;
')
domain_type($1)
+ typeattribute $1 polydomain;
+
domain_subj_id_change_exemption($1)
domain_role_change_exemption($1)
domain_obj_id_change_exemption($1)
@@ -105,14 +116,17 @@ interface(`auth_login_pgm_domain',`
# Needed for pam_selinux_permit to cleanup properly
domain_read_all_domains_state($1)
+ corecmd_getattr_all_executables($1)
domain_kill_all_domains($1)
# pam_keyring
allow $1 self:capability ipc_lock;
allow $1 self:process setkeycreate;
allow $1 self:key manage_key_perms;
+ userdom_manage_all_users_keys($1)
files_list_var_lib($1)
+ manage_dirs_pattern($1, var_auth_t, var_auth_t)
manage_files_pattern($1, var_auth_t, var_auth_t)
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
@@ -123,13 +137,19 @@ interface(`auth_login_pgm_domain',`
# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
kernel_rw_afs_state($1)
+ tunable_policy(`authlogin_radius',`
+ corenet_udp_bind_all_unreserved_ports($1)
+ ')
+
# for fingerprint readers
dev_rw_input_dev($1)
dev_rw_generic_usb_dev($1)
- files_read_etc_files($1)
+ files_read_config_files($1)
fs_list_auto_mountpoints($1)
+ fs_manage_cgroup_dirs($1)
+ fs_manage_cgroup_files($1)
selinux_get_fs_mount($1)
selinux_validate_context($1)
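Review bot: `fs_manage_cgroup_dirs($1)` and `fs_manage_cgroup_files($1)` give every login program domain unconditional create/write/delete access to cgroup directories and files, which are the kernel's resource-control knobs, while the rest of the systemd-related access in this interface sits behind optional_policy blocks. If this is only needed for session tracking under systemd, place it alongside the logind calls or gate it on `init_systemd`, and add a why-comment. The switch from `files_read_etc_files` to `files_read_config_files` also widens read access from /etc to all config-file types; a short comment on which configuration login programs now need would justify it.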
@@ -145,6 +165,8 @@ interface(`auth_login_pgm_domain',`
mls_process_set_level($1)
mls_fd_share_all_levels($1)
+ auth_manage_faillog($1)
+ auth_manage_pam_pid($1)
auth_use_pam($1)
init_rw_utmp($1)
@@ -155,9 +177,84 @@ interface(`auth_login_pgm_domain',`
seutil_read_config($1)
seutil_read_default_contexts($1)
- tunable_policy(`allow_polyinstantiation',`
- files_polyinstantiate_all($1)
+ userdom_set_rlimitnh($1)
+ userdom_read_user_home_content_symlinks($1)
+ userdom_delete_user_tmp_files($1)
+ userdom_search_admin_dir($1)
+ userdom_stream_connect($1)
+ userdom_manage_user_tmp_files($1)
+
+ optional_policy(`
+ afs_rw_udp_sockets($1)
+ ')
+
+ optional_policy(`
+ kerberos_read_config($1)
+ ')
+
+ optional_policy(`
+ oddjob_dbus_chat($1)
+ oddjob_domtrans_mkhomedir($1)
+ ')
+
+ optional_policy(`
+ openct_stream_connect($1)
+ openct_signull($1)
+ openct_read_pid_files($1)
+ ')
+
+ optional_policy(`
+ corecmd_exec_bin($1)
+ storage_getattr_fixed_disk_dev($1)
+ mount_domtrans($1)
+ ')
+
+ optional_policy(`
+ fprintd_dbus_chat($1)
+ ')
+
+ optional_policy(`
+ ssh_agent_exec($1)
+ ssh_read_user_home_files($1)
+ userdom_read_user_home_content_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read authlogin state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`authlogin_read_state',`
+ gen_require(`
+ attribute polydomain;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, polydomain)
+')
+
+########################################
+## <summary>
+## Read and write a authlogin unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`authlogin_rw_pipes',`
+ gen_require(`
+ attribute polydomain;
')
+
+ allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
')
########################################
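Review bot: `corecmd_exec_bin($1)` at the top of the optional_policy block that also calls `storage_getattr_fixed_disk_dev` and `mount_domtrans` will be dropped together with the whole block whenever the mount module is absent, because optional_policy discards its contents as a unit; move it outside the block since it has no optional dependency. The two new interfaces `authlogin_read_state` and `authlogin_rw_pipes` break the `auth_` prefix used by every other interface in this file (the same applies to `authlogin_filetrans_named_content` near the end of the file), so renaming them `auth_read_state` and `auth_rw_pipes` keeps the module namespace consistent. `authlogin_read_state` is documented as reading "state files" but grants `ps_process_pattern` over every polydomain process; the summary should read `## Read the process state of login program domains.`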
@@ -368,13 +465,15 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
- pcscd_read_pub_files($1)
+ pcscd_manage_pub_files($1)
+ pcscd_manage_pub_pipes($1)
pcscd_stream_connect($1)
')
optional_policy(`
samba_stream_connect_winbind($1)
')
+ auth_domtrans_upd_passwd($1)
')
########################################
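Review bot: `auth_domtrans_upd_passwd($1)` is added unconditionally at the end of auth_domtrans_chk_passwd, so every caller that only needed to verify a password now also gets a domain transition into updpwd_t, the password-update helper; `auth_run_upd_passwd($1, $2)` in the next hunk widens the run variant the same way. If the same PAM stack can legitimately change an expired password during login, record that with a comment such as `# password change at login (expired password) needs updpwd_t`; otherwise keep check and update separate so callers opt in explicitly. The move from `pcscd_read_pub_files` to `pcscd_manage_pub_files` plus `pcscd_manage_pub_pipes` likewise goes from read-only to full management and deserves the same justification.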
@@ -421,6 +520,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
+ auth_run_upd_passwd($1, $2)
+')
+
+########################################
+## <summary>
+## Send generic signals to chkpwd processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_signal_chk_passwd',`
+ gen_require(`
+ type chkpwd_t;
+ ')
+
+ allow $1 chkpwd_t:process signal;
')
########################################
@@ -736,7 +854,47 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
- allow $1 faillog_t:file rw_file_perms;
+ rw_files_pattern($1, faillog_t, faillog_t)
+')
+
+########################################
+## <summary>
+## Relabel the login failure log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_relabel_faillog',`
+ gen_require(`
+ type faillog_t;
+ ')
+
+ allow $1 faillog_t:dir relabel_dir_perms;
+ allow $1 faillog_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Manage the login failure log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_manage_faillog',`
+ gen_require(`
+ type faillog_t;
+ ')
+
+ logging_search_logs($1)
+ files_search_pids($1)
+ allow $1 faillog_t:dir manage_dir_perms;
+ allow $1 faillog_t:file manage_file_perms;
')
#######################################
@@ -932,9 +1090,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
- allow $1 var_auth_t:dir manage_dir_perms;
- allow $1 var_auth_t:file rw_file_perms;
- allow $1 var_auth_t:lnk_file rw_lnk_file_perms;
+
+ manage_dirs_pattern($1, var_auth_t, var_auth_t)
+ manage_files_pattern($1, var_auth_t, var_auth_t)
+ manage_lnk_files_pattern($1, var_auth_t, var_auth_t)
+')
+
+########################################
+## <summary>
+## Relabel all var auth files. Used by various other applications
+## and pam applets etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_relabel_var_auth_dirs',`
+ gen_require(`
+ type var_auth_t;
+ ')
+
+ files_search_var($1)
+ relabel_dirs_pattern($1, var_auth_t, var_auth_t)
')
########################################
@@ -1387,6 +1566,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
+## Relabel login record files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_relabel_login_records',`
+ gen_require(`
+ type wtmp_t;
+ ')
+
+ allow $1 wtmp_t:file relabel_file_perms;
+')
+
+
+########################################
+## <summary>
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
@@ -1541,24 +1739,6 @@ interface(`auth_manage_login_records',`
########################################
## <summary>
-## Relabel login record files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`auth_relabel_login_records',`
- gen_require(`
- type wtmp_t;
- ')
-
- allow $1 wtmp_t:file relabel_file_perms;
-')
-
-########################################
-## <summary>
## Use nsswitch to look up user, password, group, or
## host information.
## </summary>
@@ -1578,54 +1758,11 @@ interface(`auth_relabel_login_records',`
## <infoflow type="both" weight="10"/>
#
interface(`auth_use_nsswitch',`
-
- files_list_var_lib($1)
-
- # read /etc/nsswitch.conf
- files_read_etc_files($1)
-
- miscfiles_read_generic_certs($1)
-
- sysnet_dns_name_resolve($1)
- sysnet_use_ldap($1)
-
- optional_policy(`
- avahi_stream_connect($1)
- ')
-
- optional_policy(`
- ldap_stream_connect($1)
- ')
-
- optional_policy(`
- likewise_stream_connect_lsassd($1)
- ')
-
- optional_policy(`
- kerberos_use($1)
- ')
-
- optional_policy(`
- nis_use_ypbind($1)
- ')
-
- optional_policy(`
- nscd_socket_use($1)
- ')
-
- optional_policy(`
- nslcd_stream_connect($1)
- ')
-
- optional_policy(`
- sssd_stream_connect($1)
+ gen_require(`
+ attribute nsswitch_domain;
')
- optional_policy(`
- samba_stream_connect_winbind($1)
- samba_read_var_files($1)
- samba_dontaudit_write_var_files($1)
- ')
+ typeattribute $1 nsswitch_domain;
')
########################################
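Review bot: auth_use_nsswitch now consists solely of `typeattribute $1 nsswitch_domain;`, and typeattribute statements are not permitted inside conditional blocks, so any caller that invokes auth_use_nsswitch from within a tunable_policy block will fail to build; the callers are not visible here, so this needs a full-policy build to confirm. The interface's summary and `<infoflow>` still describe direct lookups; note in the summary that the rules now live in authlogin.te under the nsswitch_domain attribute. Callers also lose `sysnet_use_ldap` and `miscfiles_read_generic_certs` by default, since those are now behind `authlogin_nsswitch_use_ldap` which defaults to false — a behaviour change worth stating in the interface documentation.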
@@ -1659,3 +1796,33 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
+
+########################################
+## <summary>
+## Transition to authlogin named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`authlogin_filetrans_named_content',`
+ gen_require(`
+ type shadow_t;
+ type faillog_t;
+ type wtmp_t;
+ ')
+
+ files_etc_filetrans($1, shadow_t, file, "shadow")
+ files_etc_filetrans($1, shadow_t, file, "shadow-")
+ files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
+ files_etc_filetrans($1, shadow_t, file, "gshadow")
+ files_var_filetrans($1, shadow_t, file, "shadow")
+ files_var_filetrans($1, shadow_t, file, "shadow-")
+ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
+ logging_log_named_filetrans($1, faillog_t, file, "faillog")
+ logging_log_named_filetrans($1, faillog_t, file, "btmp")
+ files_pid_filetrans($1, faillog_t, file, "faillog")
+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index b7a5f00..a53db2b 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,9 +5,25 @@ policy_module(authlogin, 2.2.1)
# Declarations
#
+## <desc>
+## <p>
+## Allow users to login using a radius server
+## </p>
+## </desc>
+gen_tunable(authlogin_radius, false)
+
+## <desc>
+## <p>
+## Allow users to login using a sssd server
+## </p>
+## </desc>
+gen_tunable(authlogin_nsswitch_use_ldap, false)
+
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
+attribute polydomain;
+attribute nsswitch_domain;
type auth_cache_t;
logging_log_file(auth_cache_t)
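Review bot: The `<desc>` for `authlogin_nsswitch_use_ldap` reads "Allow users to login using a sssd server", but the tunable gates `sysnet_use_ldap`, `ldap_stream_connect` and `dirsrv_stream_connect` later in this file, while `sssd_stream_connect(nsswitch_domain)` is granted unconditionally. Change the description to match the boolean's actual effect, e.g. `## Allow nsswitch domains to look up users via an LDAP server`, so administrators toggling it know what it controls.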
@@ -100,6 +116,8 @@ dev_read_urand(chkpwd_t)
files_read_etc_files(chkpwd_t)
# for nscd
files_dontaudit_search_var(chkpwd_t)
+files_read_usr_symlinks(chkpwd_t)
+files_list_tmp(chkpwd_t)
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
@@ -118,7 +136,7 @@ miscfiles_read_localization(chkpwd_t)
seutil_read_config(chkpwd_t)
seutil_dontaudit_use_newrole_fds(chkpwd_t)
-userdom_use_user_terminals(chkpwd_t)
+userdom_use_inherited_user_terminals(chkpwd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -343,7 +361,7 @@ logging_send_syslog_msg(updpwd_t)
miscfiles_read_localization(updpwd_t)
-userdom_use_user_terminals(updpwd_t)
+userdom_use_inherited_user_terminals(updpwd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -371,13 +389,15 @@ term_dontaudit_use_all_ttys(utempter_t)
term_dontaudit_use_all_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)
+auth_use_nsswitch(utempter_t)
+
init_rw_utmp(utempter_t)
domain_use_interactive_fds(utempter_t)
logging_search_logs(utempter_t)
-userdom_use_user_terminals(utempter_t)
+userdom_use_inherited_user_terminals(utempter_t)
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
@@ -388,10 +408,71 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
- nscd_socket_use(utempter_t)
+ xserver_use_xdm_fds(utempter_t)
+ xserver_rw_xdm_pipes(utempter_t)
+')
+
+tunable_policy(`allow_polyinstantiation',`
+ files_polyinstantiate_all(polydomain)
')
optional_policy(`
- xserver_use_xdm_fds(utempter_t)
- xserver_rw_xdm_pipes(utempter_t)
+ tunable_policy(`allow_polyinstantiation',`
+ namespace_init_domtrans(polydomain)
+ ')
+')
+
+# read /etc/nsswitch.conf
+files_read_etc_files(nsswitch_domain)
+
+sysnet_dns_name_resolve(nsswitch_domain)
+
+tunable_policy(`authlogin_nsswitch_use_ldap',`
+ files_list_var_lib(nsswitch_domain)
+
+ miscfiles_read_generic_certs(nsswitch_domain)
+ sysnet_use_ldap(nsswitch_domain)
+')
+
+optional_policy(`
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ dirsrv_stream_connect(nsswitch_domain)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ ldap_stream_connect(nsswitch_domain)
+ ')
+')
+
+optional_policy(`
+ likewise_stream_connect_lsassd(nsswitch_domain)
+')
+
+# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
+optional_policy(`
+ kerberos_use(nsswitch_domain)
+')
+
+optional_policy(`
+ nis_use_ypbind(nsswitch_domain)
+')
+
+optional_policy(`
+ nscd_use(nsswitch_domain)
+')
+
+optional_policy(`
+ nslcd_stream_connect(nsswitch_domain)
+')
+
+optional_policy(`
+ sssd_stream_connect(nsswitch_domain)
+')
+
+optional_policy(`
+ samba_stream_connect_winbind(nsswitch_domain)
+ samba_read_var_files(nsswitch_domain)
+ samba_dontaudit_write_var_files(nsswitch_domain)
')
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index e2f6d93..c78ccc6 100644
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -82,6 +82,25 @@ interface(`clock_dontaudit_write_adjtime',`
########################################
## <summary>
+## Read clock drift adjustments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clock_read_adjtime',`
+ gen_require(`
+ type adjtime_t;
+ ')
+
+ allow $1 adjtime_t:file read_file_perms;
+ files_list_etc($1)
+')
+
+########################################
+## <summary>
## Read and write clock drift adjustments.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index b9ed25b..39e1dc1 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -46,11 +46,13 @@ fs_search_auto_mountpoints(hwclock_t)
term_dontaudit_use_console(hwclock_t)
term_use_unallocated_ttys(hwclock_t)
-term_use_all_ttys(hwclock_t)
-term_use_all_ptys(hwclock_t)
+term_use_all_inherited_ttys(hwclock_t)
+term_use_all_inherited_ptys(hwclock_t)
domain_use_interactive_fds(hwclock_t)
+auth_use_nsswitch(hwclock_t)
+
init_use_fds(hwclock_t)
init_use_script_ptys(hwclock_t)
@@ -65,10 +67,6 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(hwclock_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(hwclock_t)
')
diff --git a/policy/modules/system/daemontools.if b/policy/modules/system/daemontools.if
index ce3e676..0158314 100644
--- a/policy/modules/system/daemontools.if
+++ b/policy/modules/system/daemontools.if
@@ -210,3 +210,4 @@ interface(`daemontools_manage_svc',`
allow $1 svc_svc_t:file manage_file_perms;
allow $1 svc_svc_t:lnk_file { read create };
')
+
diff --git a/policy/modules/system/daemontools.te b/policy/modules/system/daemontools.te
index dcc5f1c..5610417 100644
--- a/policy/modules/system/daemontools.te
+++ b/policy/modules/system/daemontools.te
@@ -38,7 +38,10 @@ files_type(svc_svc_t)
# multilog creates /service/*/log/status
manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
+term_write_console(svc_multilog_t)
+
init_use_fds(svc_multilog_t)
+init_dontaudit_use_script_fds(svc_multilog_t)
# writes to /var/log/*/*
logging_manage_generic_logs(svc_multilog_t)
@@ -69,6 +72,8 @@ dev_read_urand(svc_run_t)
corecmd_exec_bin(svc_run_t)
corecmd_exec_shell(svc_run_t)
+term_write_console(svc_run_t)
+
files_read_etc_files(svc_run_t)
files_read_etc_runtime_files(svc_run_t)
files_search_pids(svc_run_t)
@@ -99,17 +104,28 @@ allow svc_start_t self:unix_stream_socket create_socket_perms;
can_exec(svc_start_t, svc_start_exec_t)
+mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
+
kernel_read_kernel_sysctls(svc_start_t)
kernel_read_system_state(svc_start_t)
corecmd_exec_bin(svc_start_t)
corecmd_exec_shell(svc_start_t)
+corenet_tcp_bind_generic_node(svc_start_t)
+corenet_tcp_bind_generic_port(svc_start_t)
+
+term_write_console(svc_start_t)
+
files_read_etc_files(svc_start_t)
files_read_etc_runtime_files(svc_start_t)
files_search_var(svc_start_t)
files_search_pids(svc_start_t)
+logging_send_syslog_msg(svc_start_t)
+
+miscfiles_read_localization(svc_start_t)
+
daemontools_domtrans_run(svc_start_t)
daemontools_manage_svc(svc_start_t)
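Review bot: `corenet_tcp_bind_generic_node(svc_start_t)` and `corenet_tcp_bind_generic_port(svc_start_t)` let the service start domain listen on any generic TCP port, but unlike the existing rules in this file, which carry comments such as `# multilog creates /service/*/log/status`, they say nothing about which supervised program needs to bind. Add a why-comment above the two lines, and if the listener is a specific service consider its named port type rather than the generic one.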
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index a97a096..ab1e16a 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -1,4 +1,3 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -23,7 +22,6 @@
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -36,6 +34,8 @@
/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/lib/systemd/systemd-fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
/usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index c28da1c..38390f5 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -44,6 +44,8 @@ can_exec(fsadm_t, fsadm_exec_t)
allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
allow fsadm_t fsadm_tmp_t:file manage_file_perms;
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
+files_create_boot_flag(fsadm_t)
+files_setattr_root_dirs(fsadm_t)
# log files
allow fsadm_t fsadm_log_t:dir setattr;
@@ -101,6 +103,8 @@ files_read_usr_files(fsadm_t)
files_read_etc_files(fsadm_t)
files_manage_lost_found(fsadm_t)
files_manage_isid_type_dirs(fsadm_t)
+# /etc/mtab is a link
+files_read_etc_runtime_files(fsadm_t)
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
files_etc_filetrans_etc_runtime(fsadm_t, file)
@@ -120,6 +124,9 @@ fs_list_auto_mountpoints(fsadm_t)
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
+fs_manage_nfs_files(fsadm_t)
+fs_manage_cifs_files(fsadm_t)
+fs_rw_hugetlbfs_files(fsadm_t)
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
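Review bot: `fs_manage_nfs_files(fsadm_t)` and `fs_manage_cifs_files(fsadm_t)` give the filesystem-administration domain unconditional create/write/delete access to files on NFS and CIFS mounts, which is remote user content rather than the block devices and local metadata fsadm tools normally operate on. Access to these filesystems is commonly placed behind a tunable elsewhere in the policy; gate these the same way or, if a specific tool needs them (for instance a filesystem image kept on a network share), add a comment naming it. `fs_rw_hugetlbfs_files` is less concerning but would also benefit from a why-comment.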
@@ -133,10 +140,12 @@ storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
+storage_rw_fuse(fsadm_t)
storage_swapon_fixed_disk(fsadm_t)
term_use_console(fsadm_t)
+init_read_state(fsadm_t)
init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
init_dontaudit_getattr_initctl(fsadm_t)
@@ -147,7 +156,7 @@ miscfiles_read_localization(fsadm_t)
seutil_read_config(fsadm_t)
-userdom_use_user_terminals(fsadm_t)
+term_use_all_inherited_terms(fsadm_t)
ifdef(`distro_redhat',`
optional_policy(`
@@ -166,6 +175,11 @@ optional_policy(`
')
optional_policy(`
+ devicekit_dontaudit_read_pid_files(fsadm_t)
+ devicekit_dontaudit_rw_log(fsadm_t)
+')
+
+optional_policy(`
hal_dontaudit_write_log(fsadm_t)
')
@@ -192,6 +206,10 @@ optional_policy(`
')
optional_policy(`
+ virt_read_blk_images(fsadm_t)
+')
+
+optional_policy(`
xen_append_log(fsadm_t)
xen_rw_image_files(fsadm_t)
')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index ede3231..c8c15bd 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -83,8 +83,10 @@ term_use_unallocated_ttys(getty_t)
term_setattr_all_ttys(getty_t)
term_setattr_unallocated_ttys(getty_t)
term_setattr_console(getty_t)
+term_use_console(getty_t)
auth_rw_login_records(getty_t)
+auth_use_nsswitch(getty_t)
init_rw_utmp(getty_t)
init_use_script_ptys(getty_t)
@@ -125,10 +127,6 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(getty_t)
-')
-
-optional_policy(`
ppp_domtrans(getty_t)
')
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index c310775..d172193 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -23,29 +23,34 @@ dontaudit hostname_t self:capability sys_tty_config;
kernel_list_proc(hostname_t)
kernel_read_proc_symlinks(hostname_t)
+kernel_read_network_state(hostname_t)
dev_read_sysfs(hostname_t)
# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(hostname_t)
+domain_dontaudit_leaks(hostname_t)
domain_use_interactive_fds(hostname_t)
files_read_etc_files(hostname_t)
+files_dontaudit_leaks(hostname_t)
files_dontaudit_search_var(hostname_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(hostname_t)
fs_getattr_xattr_fs(hostname_t)
fs_search_auto_mountpoints(hostname_t)
+fs_dontaudit_leaks(hostname_t)
fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
term_dontaudit_use_console(hostname_t)
-term_use_all_ttys(hostname_t)
-term_use_all_ptys(hostname_t)
+term_use_all_inherited_ttys(hostname_t)
+term_use_all_inherited_ptys(hostname_t)
init_use_fds(hostname_t)
init_use_script_fds(hostname_t)
init_use_script_ptys(hostname_t)
+init_rw_inherited_script_tmp_files(hostname_t)
logging_send_syslog_msg(hostname_t)
@@ -55,6 +60,10 @@ sysnet_read_config(hostname_t)
sysnet_dns_name_resolve(hostname_t)
optional_policy(`
+ mock_dontaudit_write_lib_chr_files(hostname_t)
+')
+
+optional_policy(`
nis_use_ypbind(hostname_t)
')
diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if
index 40eb10c..2a0a32c 100644
--- a/policy/modules/system/hotplug.if
+++ b/policy/modules/system/hotplug.if
@@ -34,7 +34,7 @@ interface(`hotplug_domtrans',`
#
interface(`hotplug_exec',`
gen_require(`
- type hotplug_t;
+ type hotplug_exec_t;
')
corecmd_search_bin($1)
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index 1a3d970..ba2f286 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -96,6 +96,8 @@ init_domtrans_script(hotplug_t)
# kernel threads inherit from shared descriptor table used by init
init_dontaudit_rw_initctl(hotplug_t)
+auth_use_nsswitch(hotplug_t)
+
logging_send_syslog_msg(hotplug_t)
logging_search_logs(hotplug_t)
@@ -164,14 +166,6 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(hotplug_t)
-')
-
-optional_policy(`
- nscd_socket_use(hotplug_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(hotplug_t)
')
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 354ce93..b8b14b9 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -33,9 +33,24 @@ ifdef(`distro_gentoo', `
#
# /sbin
#
+/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+
+
+#
+# systemd init scripts
+#
+/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
+/lib/systemd/fedora[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
+
+#
+# /sbin
+#
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
# because nowadays, /sbin/init is often a symlink to /sbin/upstart
/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+# for Fedora
+/lib/upstart/init -- gen_context(system_u:object_r:init_exec_t,s0)
ifdef(`distro_gentoo', `
/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
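Review bot: The catch-all `/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)` labels every helper under /lib/systemd as init_exec_t, so anything init executes from that directory runs in init_t with init's full privileges and no domain transition; it also overlaps the `/lib/systemd/systemd-fsck` entry that fstools.fc in this same patch labels fsadm_exec_t, leaving the outcome to file_contexts specificity ordering. Prefer listing the binaries that genuinely must run as init_t explicitly and keep `/lib/systemd/fedora[^/]*` and `system-generators/[^/]*` as the narrower patterns. The original `# /sbin` heading now sits directly above the new `/bin/systemd` entry; move that entry under the new "systemd init scripts" heading so the section labels match their contents.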
@@ -55,6 +70,9 @@ ifdef(`distro_gentoo', `
/usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0)
#
# /var
@@ -76,3 +94,4 @@ ifdef(`distro_suse', `
/var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 94fd8dd..b5e5c70 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,44 @@ interface(`init_script_domain',`
domtrans_pattern(init_run_all_scripts_domain, $2, $1)
')
+
+#######################################
+## <summary>
+## Create a domain which can be started by init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`init_systemd_domain',`
+ gen_require(`
+ type init_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1,$2)
+
+ role system_r types $1;
+
+ tunable_policy(`init_systemd',`
+ domtrans_pattern(init_t,$2,$1)
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow init_t $1:unix_dgram_socket create_socket_perms;
+ allow $1 init_t:unix_stream_socket ioctl;
+ allow $1 init_t:unix_dgram_socket sendto;
+ # need write to /var/run/systemd/notify
+ init_write_pid_socket($1)
+ ')
+')
+
########################################
## <summary>
## Create a domain which can be started by init.
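Review bot: The summary of the new `init_systemd_domain` interface, `Create a domain which can be started by init.`, is copied verbatim from `init_domain` directly below it, so the generated interface documentation cannot tell the two apart; change it to `## Create a domain which can be started by systemd (only when the init_systemd tunable is enabled).` `init_write_pid_socket($1)` is called inside the tunable_policy block but its definition is not in this diff; confirm it exists and contains no type or typeattribute declarations, since those are not allowed inside conditional blocks. The `domain_entry_file($1,$2)` and `domtrans_pattern(init_t,$2,$1)` spellings also drop the space after the comma that the rest of the file uses.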
@@ -105,7 +143,11 @@ interface(`init_domain',`
role system_r types $1;
- domtrans_pattern(init_t, $2, $1)
+ tunable_policy(`init_systemd',`', `
+ domtrans_pattern(init_t, $2, $1)
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
+ ')
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
@@ -193,8 +235,10 @@ interface(`init_daemon_domain',`
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
type initrc_t;
+ type init_t;
role system_r;
attribute daemon;
+ attribute initrc_transition_domain;
')
typeattribute $1 daemon;
@@ -202,39 +246,20 @@ interface(`init_daemon_domain',`
domain_type($1)
domain_entry_file($1, $2)
- role system_r types $1;
-
- domtrans_pattern(initrc_t, $2, $1)
-
- # daemons started from init will
- # inherit fds from init for the console
- init_dontaudit_use_fds($1)
- term_dontaudit_use_console($1)
-
- # init script ptys are the stdin/out/err
- # when using run_init
- init_use_script_ptys($1)
+ domtrans_pattern(initrc_t,$2,$1)
ifdef(`direct_sysadm_daemon',`
domtrans_pattern(direct_run_init, $2, $1)
- allow direct_run_init $1:process { noatsecure siginh rlimitinh };
typeattribute $1 direct_init;
typeattribute $2 direct_init_entry;
- userdom_dontaudit_use_user_terminals($1)
+# userdom_dontaudit_use_user_terminals($1)
')
- ifdef(`hide_broken_symptoms',`
- # RHEL4 systems seem to have a stray
- # fds open from the initrd
- ifdef(`distro_rhel4',`
- kernel_dontaudit_use_fds($1)
- ')
- ')
-
- optional_policy(`
- nscd_socket_use($1)
+ tunable_policy(`init_upstart || init_systemd',`
+ # Handle upstart direct transition to a executable
+ domtrans_pattern(init_t,$2,$1)
')
')
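Review bot: The commented-out `# userdom_dontaudit_use_user_terminals($1)` in the direct_sysadm_daemon block should be deleted rather than left as dead text; commented-out code appears again in the next hunk. `role system_r types $1;` together with the init fd, console and script-pty dontaudit rules is removed from init_daemon_domain here — presumably these are now granted through the `daemon` attribute in init.te, which is outside this diff, but without that daemons started from init would lose their role authorization, so it is worth confirming. `attribute initrc_transition_domain;` is added to the gen_require of this interface and of init_system_domain below but is not referenced in either visible body; remove it unless a part of the body outside the diff uses it.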
@@ -283,17 +308,20 @@ interface(`init_daemon_domain',`
interface(`init_ranged_daemon_domain',`
gen_require(`
type initrc_t;
+ type init_t;
')
- init_daemon_domain($1, $2)
+# init_daemon_domain($1, $2)
ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
+ range_transition init_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition initrc_t $2:process $3;
mls_rangetrans_target($1)
+ range_transition init_t $2:process $3;
')
')
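Review bot: With `init_daemon_domain($1, $2)` commented out, init_ranged_daemon_domain now emits only range_transition rules — no `domain_type`, no entry point, no domtrans from initrc_t or init_t — so a module that calls only this interface ends up with a type that nothing can enter. Unless every caller has been updated to call init_daemon_domain itself (not visible here), restore the call; if the split is intentional, delete the commented line and state in the interface's documentation that init_daemon_domain must be called separately.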
@@ -336,22 +364,23 @@ interface(`init_ranged_daemon_domain',`
#
interface(`init_system_domain',`
gen_require(`
+ type init_t;
type initrc_t;
role system_r;
+ attribute initrc_transition_domain;
+ attribute systemprocess;
')
+ typeattribute $1 systemprocess;
application_domain($1, $2)
role system_r types $1;
- domtrans_pattern(initrc_t, $2, $1)
+ domtrans_pattern(initrc_t,$2,$1)
- ifdef(`hide_broken_symptoms',`
- # RHEL4 systems seem to have a stray
- # fds open from the initrd
- ifdef(`distro_rhel4',`
- kernel_dontaudit_use_fds($1)
- ')
+ tunable_policy(`init_systemd',`
+ # Handle upstart/systemd direct transition to a executable
+ domtrans_pattern(init_t,$2,$1)
')
')
@@ -401,20 +430,41 @@ interface(`init_system_domain',`
interface(`init_ranged_system_domain',`
gen_require(`
type initrc_t;
+ type init_t;
')
init_system_domain($1, $2)
ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
+ range_transition init_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition initrc_t $2:process $3;
+ range_transition init_t $2:process $3;
mls_rangetrans_target($1)
')
')
+######################################
+## <summary>
+## Allow domain dyntransition to init_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`init_dyntrans',`
+ gen_require(`
+ type init_t;
+ ')
+
+ dyntrans_pattern($1, init_t)
+')
+
########################################
## <summary>
## Execute init (/sbin/init) with a domain transition.
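Review bot: `init_dyntrans` hands out `dyntrans_pattern($1, init_t)` with only "Allow domain dyntransition to init_t domain" as documentation, yet init_t is the most privileged domain in this policy (and is made fully unconfined by the `unconfined_domain(init_t)` optional block in init.te), so a caller can make itself equivalent to init with a single setcon(). The XML should say so, e.g. `## A dynamic transition into init_t grants the caller the full privilege of init; use only for trusted, init-owned helper domains.`, so that future callers and `sepolicy` readers see the implication.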
@@ -451,6 +501,10 @@ interface(`init_exec',`
corecmd_search_bin($1)
can_exec($1, init_exec_t)
+
+ tunable_policy(`init_systemd',`
+ systemd_exec_systemctl($1)
+ ')
')
########################################
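Review bot: `systemd_exec_systemctl($1)` inside `tunable_policy(`init_systemd',` in `init_exec` makes the init module depend on the systemd module's types at link time; `tunable_policy` does not make a foreign `gen_require` optional the way `optional_policy` does. If systemd is not guaranteed to be present in every build of this policy, wrap it: `optional_policy(` around the `tunable_policy(`init_systemd',` block. The same question applies to the `systemd_*` calls in the init.te systemd block later in this patch.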
@@ -509,6 +563,24 @@ interface(`init_sigchld',`
########################################
## <summary>
+## Send generic signals to init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_signal',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process signal;
+')
+
+########################################
+## <summary>
## Connect to init with a unix socket.
## </summary>
## <param name="domain">
@@ -519,10 +591,66 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
- type init_t;
+ type init_t, init_var_run_t;
')
- allow $1 init_t:unix_stream_socket connectto;
+ files_search_pids($1)
+ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
+ allow $1 init_t:unix_stream_socket getattr;
+')
+
+#######################################
+## <summary>
+## Dontaudit Connect to init with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_stream_connect',`
+ gen_require(`
+ type init_t;
+ ')
+
+ dontaudit $1 init_t:unix_stream_socket connectto;
+')
+
+######################################
+## <summary>
+## Dontaudit getattr to init with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_getattr_stream_socket',`
+ gen_require(`
+ type init_t;
+ ')
+
+ dontaudit $1 init_t:unix_stream_socket getattr;
+')
+
+######################################
+## <summary>
+## Dontaudit read and write to init with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_rw_stream_socket',`
+ gen_require(`
+ type init_t;
+ ')
+
+ dontaudit $1 init_t:unix_stream_socket { read write };
')
########################################
@@ -688,19 +816,25 @@ interface(`init_telinit',`
type initctl_t;
')
+ corecmd_exec_bin($1)
+
dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
init_exec($1)
- tunable_policy(`init_upstart',`
+ tunable_policy(`init_upstart || init_systemd',`
gen_require(`
type init_t;
')
+ ps_process_pattern($1, init_t)
+ allow $1 init_t:process signal;
# upstart uses a datagram socket instead of initctl pipe
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 init_t:unix_dgram_socket sendto;
+ #576913
+ allow $1 init_t:unix_stream_socket connectto;
')
')
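Review bot: `init_telinit` now grants `corecmd_exec_bin($1)` unconditionally, i.e. execution of every `bin_t` program, to any domain that merely needs to run telinit, and the line has no explanation; if it is needed because telinit/systemctl live in a bin_t directory under systemd, say so in a comment and consider moving it inside the `init_upstart || init_systemd` branch. `#576913` is a bare bug number and should be expanded to what the bug is about. Since this patch adds a proper `init_stream_connect` that goes through `init_var_run_t`, calling `init_stream_connect($1)` here instead of the raw `allow $1 init_t:unix_stream_socket connectto;` would keep the two paths consistent.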
@@ -730,7 +864,7 @@ interface(`init_rw_initctl',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -773,18 +907,19 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
- type initrc_t, initrc_exec_t;
+ type initrc_t;
+ attribute init_script_file_type;
')
files_list_etc($1)
- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
+ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
ifdef(`enable_mcs',`
- range_transition $1 initrc_exec_t:process s0;
+ range_transition $1 init_script_file_type:process s0;
')
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
')
')
@@ -800,19 +935,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
- type initrc_t, initrc_exec_t;
+ type initrc_t;
+ attribute init_script_file_type;
+ attribute initrc_transition_domain;
')
+ typeattribute $1 initrc_transition_domain;
files_list_etc($1)
- domtrans_pattern($1, initrc_exec_t, initrc_t)
+ domtrans_pattern($1, init_script_file_type, initrc_t)
ifdef(`enable_mcs',`
- range_transition $1 initrc_exec_t:process s0;
+ range_transition $1 init_script_file_type:process s0;
')
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+ ')
+')
+
+########################################
+## <summary>
+## Execute a file in a bin directory
+## in the initrc_t domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
')
+
+ corecmd_bin_domtrans($1, initrc_t)
')
########################################
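Review bot: `init_bin_domtrans_spec` is documented as "Execute a file in a bin directory in the initrc_t domain" but is implemented with `corecmd_bin_domtrans($1, initrc_t)`, which in refpolicy is the automatic-transition variant (a `domtrans_pattern` over the whole `bin_t` type); if that holds here, every `bin_t` executable the caller runs is type_transitioned into initrc_t, not just the one it intends, and initrc_t is a very privileged domain. The `_spec` suffix suggests the intent was `corecmd_bin_spec_domtrans($1, initrc_t)`, which only permits the transition and leaves the caller to setexeccon(). Please confirm which semantics the caller needs and align name, summary and implementation.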
@@ -868,9 +1025,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
+ attribute initrc_transition_domain;
')
+ typeattribute $1 initrc_transition_domain;
+ # service script searches all filesystems via mountpoint
+ fs_search_all($1)
domtrans_pattern($1, $2, initrc_t)
+ allow $1 $2:file ioctl;
files_search_etc($1)
')
@@ -1079,6 +1241,24 @@ interface(`init_read_all_script_files',`
#######################################
## <summary>
+## Dontaudit getattr all init script files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_getattr_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ dontaudit $1 init_script_file_type:file getattr;
+')
+
+#######################################
+## <summary>
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
@@ -1130,12 +1310,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
- read_files_pattern($1, initrc_t, initrc_t)
- read_lnk_files_pattern($1, initrc_t, initrc_t)
- list_dirs_pattern($1, initrc_t, initrc_t)
-
- # should move this to separate interface
- allow $1 initrc_t:process getattr;
+ ps_process_pattern($1, initrc_t)
')
########################################
@@ -1375,6 +1550,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
+## init over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_dbus_chat',`
+ gen_require(`
+ type init_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 init_t:dbus send_msg;
+ allow init_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
## init scripts over dbus.
## </summary>
## <param name="domain">
@@ -1461,6 +1657,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
+## Manage init script
+## status files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_manage_script_status_files',`
+ gen_require(`
+ type initrc_state_t;
+ ')
+
+ manage_files_pattern($1, initrc_state_t, initrc_state_t)
+')
+
+########################################
+## <summary>
## Do not audit attempts to read init script
## status files.
## </summary>
@@ -1519,6 +1734,24 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
+## Read and write init script inherited temporary data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_rw_inherited_script_tmp_files',`
+ gen_require(`
+ type initrc_tmp_t;
+ ')
+
+ allow $1 initrc_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Create files in a init script
## temporary data directory.
## </summary>
@@ -1586,6 +1819,24 @@ interface(`init_read_utmp',`
########################################
## <summary>
+## Do not audit attempts to read utmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_read_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ dontaudit $1 initrc_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to write utmp.
## </summary>
## <param name="domain">
@@ -1674,7 +1925,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
- dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
+ dontaudit $1 initrc_var_run_t:file rw_file_perms;
')
########################################
@@ -1715,6 +1966,128 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file)
')
+######################################
+## <summary>
+## Allow search directory in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_search_pid_dirs',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:dir search_dir_perms;
+')
+
+######################################
+## <summary>
+## Allow listing of the /run/systemd directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_list_pid_dirs',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:dir list_dir_perms;
+')
+
+#######################################
+## <summary>
+## Create a directory in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_create_pid_dirs',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:dir list_dir_perms;
+ create_dirs_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+#######################################
+## <summary>
+## Create objects in /run/systemd directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`init_pid_filetrans',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ files_search_pids($1)
+ filetrans_pattern($1, init_var_run_t, $2, $3)
+')
+
+#######################################
+## <summary>
+## Create objects in /run/systemd directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="object_name">
+## <summary>
+## The name of the object to be created.
+## </summary>
+## </param>
+#
+interface(`init_named_pid_filetrans',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ files_search_pids($1)
+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
+')
+
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
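Review bot: `init_create_pid_dirs` grants `allow $1 init_var_run_t:dir list_dir_perms;` on top of `create_dirs_pattern`, so a domain that only needs to mkdir under init's run directory also gets to enumerate it; `search_dir_perms` would suffice, and `init_list_pid_dirs` already exists for callers that really need listing. Separately, `init_pid_filetrans` and `init_named_pid_filetrans` carry identical XML and differ only in passing `$4`; if `filetrans_pattern` tolerates an empty trailing name (the named variant relies on the 5-argument form), a single `filetrans_pattern($1, init_var_run_t, $2, $3, $4)` in `init_pid_filetrans` with an optional `object_name` parameter would remove the duplicate.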
@@ -1749,3 +2122,194 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
+
+########################################
+## <summary>
+## Transition to system_r when execute an init script
+## </summary>
+## <desc>
+## <p>
+## Execute a init script in a specified role
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_role">
+## <summary>
+## Role to transition from.
+## </summary>
+## </param>
+#
+interface(`init_script_role_transition',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ role_transition $1 init_script_file_type system_r;
+')
+
+########################################
+## <summary>
+## dontaudit read and write an leaked init scrip file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_script_leaks',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ dontaudit $1 initrc_t:tcp_socket { read write };
+ dontaudit $1 initrc_t:udp_socket { read write };
+ dontaudit $1 initrc_t:unix_dgram_socket { read write };
+ dontaudit $1 initrc_t:unix_stream_socket { read write };
+ dontaudit $1 initrc_t:shm rw_shm_perms;
+ init_dontaudit_use_script_ptys($1)
+ init_dontaudit_use_script_fds($1)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to ioctl an
+## init with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_ioctl_stream_sockets',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_stream_socket ioctl;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write to
+## init with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_rw_stream_sockets',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to write to
+## init sock file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_write_pid_socket',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:sock_file write;
+')
+
+########################################
+## <summary>
+## Send a message to init over a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_dgram_send',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_dgram_socket sendto;
+')
+
+########################################
+## <summary>
+## Send a message to init over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_stream_send',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_stream_socket sendto;
+')
+
+########################################
+## <summary>
+## Create a file type used for init socket files.
+## </summary>
+## <desc>
+## <p>
+## This defines a type that init can create sock_file within for
+## impersonation purposes
+## </p>
+## </desc>
+## <param name="script_file">
+## <summary>
+## Type to be used for a sock file.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`init_sock_file',`
+ gen_require(`
+ attribute init_sock_file_type;
+ ')
+
+ typeattribute $1 init_sock_file_type;
+
+')
+
+########################################
+## <summary>
+## Read init unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_pipes',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
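Review bot: `init_read_pipes` is summarized as "Read init unnamed pipes" but its body `read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)` grants read on named pipes (fifo_file) labelled init_var_run_t; unnamed pipes are not files and would be expressed as `allow $1 init_t:fifo_file read_inherited_fifo_file_perms` instead. Fix either the summary (`## Read named pipes (FIFOs) in init's run directory.`) or the rule, whichever was intended. In `init_sock_file` the parameter is named `script_file` although it is the sock_file type being attributed; rename it to `sock_file_type` and replace "for impersonation purposes" with what actually happens (presumably init creating activation sockets on behalf of the owning service; confirm against the caller side, which is not in this hunk).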
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 29a9565..53f3bfe 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
## </desc>
gen_tunable(init_upstart, false)
+## <desc>
+## <p>
+## Enable support for systemd as the init program.
+## </p>
+## </desc>
+gen_tunable(init_systemd, false)
+
+## <desc>
+## <p>
+## Allow all daemons to use tcp wrappers.
+## </p>
+## </desc>
+gen_tunable(allow_daemons_use_tcp_wrapper, false)
+
+## <desc>
+## <p>
+## Allow all daemons the ability to read/write terminals
+## </p>
+## </desc>
+gen_tunable(allow_daemons_use_tty, false)
+
+## <desc>
+## <p>
+## Allow all daemons to write corefiles to /
+## </p>
+## </desc>
+gen_tunable(allow_daemons_dump_core, false)
+
# used for direct running of init scripts
# by admin domains
attribute direct_run_init;
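Review bot: The `<desc>` blocks for the three new `allow_daemons_*` tunables say what is granted but not the risk, which is what an administrator running `setsebool` needs. In particular `allow_daemons_use_tty` (if its body, outside this chunk, grants rw_term_perms on user or admin terminals) lets a compromised daemon read from and inject keystrokes (TIOCSTI) into an administrator's tty, and `allow_daemons_dump_core` lets any daemon write core files containing secrets into `/`. Suggest one warning sentence in each description, e.g. `## Security: a daemon with terminal access can read or inject keystrokes on an administrator's tty; leave disabled unless a specific daemon requires it.`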
@@ -25,14 +53,18 @@ attribute direct_init_entry;
attribute init_script_domain_type;
attribute init_script_file_type;
attribute init_run_all_scripts_domain;
+attribute initrc_transition_domain;
+# Attribute used for systemd so domains can allow systemd to create sock_files
+attribute init_sock_file_type;
# Mark process types as daemons
attribute daemon;
+attribute systemprocess;
#
# init_t is the domain of the init process.
#
-type init_t;
+type init_t, initrc_transition_domain;
type init_exec_t;
domain_type(init_t)
domain_entry_file(init_t, init_exec_t)
@@ -63,6 +95,8 @@ role system_r types initrc_t;
# of the below init_upstart tunable
# but this has a typeattribute in it
corecmd_shell_entry_type(initrc_t)
+corecmd_bin_entry_type(initrc_t)
+corecmd_bin_domtrans(init_t, initrc_t)
type initrc_devpts_t;
term_pty(initrc_devpts_t)
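Review bot: `corecmd_bin_entry_type(initrc_t)` and `corecmd_bin_domtrans(init_t, initrc_t)` carry no comment, yet they change the default for every service: any `bin_t` program executed by init_t that lacks a dedicated exec type now lands in initrc_t, a near-unconfined catch-all, instead of staying in init_t. The comment just above only explains the shell entry point. Add e.g. `# systemd execs service binaries directly; anything without its own exec type runs as initrc_t, like sysv scripts do` so the catch-all is a documented decision rather than an accident.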
@@ -87,7 +121,7 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
-allow init_t self:capability ~sys_module;
+allow init_t self:capability ~{ audit_control audit_write sys_module };
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
@@ -100,11 +134,16 @@ allow init_t self:fifo_file rw_fifo_file_perms;
# Re-exec itself
can_exec(init_t, init_exec_t)
-allow init_t initrc_t:unix_stream_socket connectto;
+allow init_t initrc_t:unix_stream_socket { connectto create_stream_socket_perms };
+allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto };
+allow initrc_t init_t:fifo_file rw_fifo_file_perms;
-# For /var/run/shutdown.pid.
-allow init_t init_var_run_t:file manage_file_perms;
-files_pid_filetrans(init_t, init_var_run_t, file)
+manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t)
+manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
+manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
+manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
+files_pid_filetrans(init_t, init_var_run_t, { dir file })
+allow init_t init_var_run_t:dir mounton;
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
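Review bot: `files_pid_filetrans(init_t, init_var_run_t, { dir file })` covers only dirs and files while the lines right above now grant `manage_lnk_files_pattern` and `manage_sock_files_pattern` on init_var_run_t; a socket or symlink init creates directly in /run (rather than inside an init_var_run_t directory) will therefore get the parent's generic label, and the broad `files_create_all_pid_sockets(init_t)` in the systemd block will quietly cover it. If those objects belong to init, list them: `files_pid_filetrans(init_t, init_var_run_t, { dir file lnk_file sock_file })`. `allow init_t init_var_run_t:dir mounton;` also deserves a one-line comment naming the mount it is for.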
@@ -114,25 +153,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
+kernel_stream_connect(init_t)
corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)
dev_read_sysfs(init_t)
+dev_read_urand(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
+dev_filetrans_all_named_dev(init_t)
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
+domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
+domain_read_all_domains_state(init_t)
files_read_etc_files(init_t)
+files_read_all_pids(init_t)
+files_read_system_conf_files(init_t)
files_rw_generic_pids(init_t)
files_dontaudit_search_isid_type_dirs(init_t)
+files_read_etc_runtime_files(init_t)
files_manage_etc_runtime_files(init_t)
+files_manage_etc_symlinks(init_t)
files_etc_filetrans_etc_runtime(init_t, file)
# Run /etc/X11/prefdm:
files_exec_etc_files(init_t)
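Review bot: `domain_sigstop_all_domains(init_t)` now appears twice in a row (the context line and the added line); drop the duplicate. The rest of the hunk widens init_t to read every domain's /proc state, every pid file and all system config, which is plausible for a service manager, but each is a silent change; a short why-comment such as `# systemd tracks service main PIDs via /proc and pid files` on `domain_read_all_domains_state`/`files_read_all_pids` would help the next reader.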
@@ -151,10 +199,19 @@ mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
mls_process_write_down(init_t)
mls_fd_use_all_levels(init_t)
+mls_socket_read_all_levels(init_t)
+mls_socket_write_all_levels(init_t)
+
+mls_rangetrans_source(initrc_t)
selinux_set_all_booleans(init_t)
+selinux_load_policy(init_t)
+selinux_mounton_fs(init_t)
+allow init_t security_t:security load_policy;
-term_use_all_terms(init_t)
+term_use_unallocated_ttys(init_t)
+term_use_console(init_t)
+term_use_all_inherited_terms(init_t)
# Run init scripts.
init_domtrans_script(init_t)
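Review bot: `mls_rangetrans_source(initrc_t)` is added here in the init_t section, but the initrc_t section later in this file already has the identical line (it shows as context in the `mls_socket_write_to_clearance` hunk), so this is a duplicate in the wrong section. `allow init_t security_t:security load_policy;` is likewise redundant with `selinux_load_policy(init_t)` two lines above and bypasses the interface by naming `security_t` directly from a .te file. Remove both lines.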
@@ -162,12 +219,16 @@ init_domtrans_script(init_t)
libs_rw_ld_so_cache(init_t)
logging_send_syslog_msg(init_t)
+logging_send_audit_msgs(init_t)
logging_rw_generic_logs(init_t)
seutil_read_config(init_t)
+seutil_read_module_store(init_t)
miscfiles_read_localization(init_t)
+allow init_t self:process setsched;
+
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
')
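Review bot: `logging_send_audit_msgs(init_t)` in refpolicy grants `self:capability audit_write` plus netlink_audit_socket access, which contradicts the change earlier in this patch that makes init's capability rule `~{ audit_control audit_write sys_module }`; if that interface is unchanged here, the exclusion is dead and init keeps audit_write anyway. Either drop `audit_write` from the exclusion list and keep this call, or do not send audit messages from init_t; a comment saying which is intended would stop the next person from "fixing" the other side.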
@@ -178,7 +239,7 @@ ifdef(`distro_redhat',`
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
')
-tunable_policy(`init_upstart',`
+tunable_policy(`init_upstart || init_systemd',`
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
@@ -186,16 +247,138 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
+storage_raw_rw_fixed_disk(init_t)
+
+optional_policy(`
+ modutils_domtrans_insmod(init_t)
+')
+
+tunable_policy(`init_systemd',`
+ allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow init_t self:process { setsockcreate setfscreate };
+ allow init_t self:process { getcap setcap };
+ allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+ # Until systemd is fixed
+ allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+ allow init_t self:udp_socket create_socket_perms;
+ allow init_t self:netlink_route_socket create_netlink_socket_perms;
+
+ allow init_t initrc_t:unix_dgram_socket create_socket_perms;
+
+ kernel_list_unlabeled(init_t)
+ kernel_read_network_state(init_t)
+ kernel_rw_kernel_sysctl(init_t)
+ kernel_rw_net_sysctls(init_t)
+ kernel_read_all_sysctls(init_t)
+ kernel_read_software_raid_state(init_t)
+ kernel_unmount_debugfs(init_t)
+ kernel_setsched(init_t)
+
+ dev_write_kmsg(init_t)
+ dev_write_urand(init_t)
+ dev_rw_lvm_control(init_t)
+ dev_rw_autofs(init_t)
+ dev_manage_generic_symlinks(init_t)
+ dev_manage_generic_dirs(init_t)
+ dev_manage_generic_files(init_t)
+ dev_read_generic_chr_files(init_t)
+ dev_relabel_generic_dev_dirs(init_t)
+ dev_relabel_all_dev_nodes(init_t)
+ dev_relabel_all_dev_files(init_t)
+ dev_manage_sysfs_dirs(init_t)
+ dev_relabel_sysfs_dirs(init_t)
+
+ files_search_all(init_t)
+ files_mounton_all_mountpoints(init_t)
+ files_unmount_all_file_type_fs(init_t)
+ files_manage_all_pid_dirs(init_t)
+ files_relabel_all_pid_dirs(init_t)
+ files_relabel_all_pid_files(init_t)
+ files_create_all_pid_sockets(init_t)
+ files_delete_all_pids(init_t)
+ files_exec_generic_pid_files(init_t)
+ files_create_all_pid_pipes(init_t)
+ files_create_all_spool_sockets(init_t)
+ files_delete_all_spool_sockets(init_t)
+ files_manage_urandom_seed(init_t)
+ files_list_locks(init_t)
+ files_list_spool(init_t)
+ files_list_var(init_t)
+ files_create_lock_dirs(init_t)
+ files_relabel_all_lock_dirs(init_t)
+
+ fs_getattr_all_fs(init_t)
+ fs_manage_cgroup_dirs(init_t)
+ fs_manage_cgroup_files(init_t)
+ fs_manage_hugetlbfs_dirs(init_t)
+ fs_manage_tmpfs_dirs(init_t)
+ fs_relabel_tmpfs_dirs(init_t)
+ fs_relabel_tmpfs_files(init_t)
+ fs_mount_all_fs(init_t)
+ fs_unmount_all_fs(init_t)
+ fs_remount_all_fs(init_t)
+ fs_list_auto_mountpoints(init_t)
+ fs_relabel_cgroup_dirs(init_t)
+ fs_search_cgroup_dirs(daemon)
+
+ selinux_compute_create_context(init_t)
+ selinux_validate_context(init_t)
+ selinux_unmount_fs(init_t)
+
+ storage_getattr_removable_dev(init_t)
+
+ term_relabel_ptys_dirs(init_t)
+
+ auth_relabel_login_records(init_t)
+ auth_relabel_pam_console_data_dirs(init_t)
+
+ clock_read_adjtime(init_t)
+
+ init_read_script_state(init_t)
+
+ seutil_read_file_contexts(init_t)
+
+ systemd_exec_systemctl(init_t)
+ systemd_manage_unit_dirs(init_t)
+ systemd_manage_all_unit_files(init_t)
+ systemd_logger_stream_connect(init_t)
+
+ # needs to remain
+ logging_create_devlog_dev(init_t)
+
+ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
+
+')
+
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
+
+optional_policy(`
+ lvm_rw_pipes(init_t)
+')
+
optional_policy(`
- auth_rw_login_records(init_t)
+ consolekit_manage_log(init_t)
')
optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
+')
+
+optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
')
optional_policy(`
- nscd_socket_use(init_t)
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
')
optional_policy(`
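Review bot: `storage_raw_rw_fixed_disk(init_t)` is added unconditionally (outside the `init_systemd` tunable) with no comment; raw read/write on fixed-disk block devices lets init bypass every filesystem label, a far bigger grant than anything else in the systemd block, and nothing here says which feature needs it. If a specific operation requires it, say so and move it under the tunable; if not, drop it. The workaround `allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };` (`# Until systemd is fixed`) also needs a tracking reference, because it gives every daemon full use of any init_t-labelled socket it inherits rather than only the activation socket meant for it; the `setsockcreate` granted a few lines above is the mechanism that would make this rule unnecessary once systemd labels activation sockets for the target service.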
@@ -203,6 +386,17 @@ optional_policy(`
')
optional_policy(`
+ udev_read_db(init_t)
+ udev_relabelto_db(init_t)
+ udev_create_kobject_uevent_socket(init_t)
+')
+
+optional_policy(`
+ xserver_relabel_xdm_tmp_dirs(init_t)
+ xserver_manage_xdm_tmp_dirs(init_t)
+')
+
+optional_policy(`
unconfined_domain(init_t)
')
@@ -212,7 +406,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
@@ -241,12 +435,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
+files_manage_generic_pids_symlinks(initrc_t)
+files_create_var_run_dirs(initrc_t)
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
+allow initrc_t initrc_tmp_t:dir relabelfrom;
init_write_initctl(initrc_t)
@@ -258,20 +455,32 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
+kernel_request_load_module(initrc_t)
kernel_rw_all_sysctls(initrc_t)
# for lsof which is used by alsa shutdown:
kernel_dontaudit_getattr_message_if(initrc_t)
+kernel_stream_connect(initrc_t)
+files_read_kernel_modules(initrc_t)
+files_read_config_files(initrc_t)
+files_read_var_lib_symlinks(initrc_t)
+files_setattr_pid_dirs(initrc_t)
files_read_kernel_symbol_table(initrc_t)
+files_exec_etc_files(initrc_t)
+files_manage_etc_symlinks(initrc_t)
+files_manage_system_conf_files(initrc_t)
+
+fs_manage_tmpfs_dirs(initrc_t)
+fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
corecmd_exec_all_executables(initrc_t)
corenet_all_recvfrom_unlabeled(initrc_t)
corenet_all_recvfrom_netlabel(initrc_t)
-corenet_tcp_sendrecv_all_if(initrc_t)
-corenet_udp_sendrecv_all_if(initrc_t)
-corenet_tcp_sendrecv_all_nodes(initrc_t)
-corenet_udp_sendrecv_all_nodes(initrc_t)
+corenet_tcp_sendrecv_generic_if(initrc_t)
+corenet_udp_sendrecv_generic_if(initrc_t)
+corenet_tcp_sendrecv_generic_node(initrc_t)
+corenet_udp_sendrecv_generic_node(initrc_t)
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
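Review bot: `fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)` makes every regular file initrc_t creates in a tmpfs_t-labelled directory (e.g. /dev/shm or an unlabelled tmpfs mount) come out as initrc_state_t, and no comment names the path this is for. Please add one (`# needed for /… created by … before /run is labelled`), since an unexpected initrc_state_t file in /dev/shm will confuse both restorecon and any daemon expecting tmpfs_t there. The switch from `corenet_*_all_if/all_nodes` to `*_generic_if/generic_node` is a tightening that can break init scripts on hosts that label interfaces or nodes with non-generic types; presumably intended, but worth a line in the commit message.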
@@ -279,6 +488,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
+dev_dontaudit_read_kmsg(initrc_t)
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
@@ -289,8 +499,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
+dev_setattr_generic_dirs(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
+dev_rw_generic_chr_files(initrc_t)
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -298,13 +510,14 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
-# Early devtmpfs
-dev_rw_generic_chr_files(initrc_t)
+dev_rw_xserver_misc(initrc_t)
+dev_filetrans_all_named_dev(initrc_t)
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
domain_signull_all_domains(initrc_t)
domain_sigstop_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
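Review bot: `domain_sigstop_all_domains(initrc_t)` is added directly below an identical context line, so the rule is duplicated (the same duplicate is introduced for init_t earlier in this patch); drop the added line. `dev_filetrans_all_named_dev(initrc_t)` has no comment; since it installs named type_transitions for device nodes created by init scripts, a note on which scripts still mknod would justify it.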
@@ -316,6 +529,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
+domain_obj_id_change_exemption(initrc_t)
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
@@ -323,8 +537,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
-files_delete_all_locks(initrc_t)
+files_manage_all_locks(initrc_t)
+files_manage_boot_files(initrc_t)
files_read_all_pids(initrc_t)
+files_delete_root_files(initrc_t)
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
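Review bot: `files_delete_root_files(initrc_t)` and `files_manage_boot_files(initrc_t)` are added without explanation; deleting arbitrary files in `/` and rewriting `/boot` (kernel, initramfs, bootloader config) from init scripts are integrity-relevant grants, and `files_manage_all_locks` replaces what used to be delete-only access. If these come from specific scripts (a flag file in `/`, a boot-time tool writing /boot), name them in a comment so the widening can be reverted when the script is gone.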
@@ -340,8 +556,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
+files_manage_mnt_dirs(initrc_t)
+files_manage_mnt_files(initrc_t)
-fs_write_cgroup_files(initrc_t)
+fs_delete_cgroup_dirs(initrc_t)
+fs_list_cgroup_dirs(initrc_t)
+fs_rw_cgroup_files(initrc_t)
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
@@ -351,6 +571,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
@@ -363,6 +585,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
+mls_socket_write_to_clearance(initrc_t)
selinux_get_enforce_mode(initrc_t)
@@ -374,6 +597,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
+auth_manage_faillog(initrc_t)
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
@@ -394,18 +618,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
-miscfiles_read_generic_certs(initrc_t)
+miscfiles_manage_generic_cert_files(initrc_t)
-modutils_read_module_config(initrc_t)
-modutils_domtrans_insmod(initrc_t)
seutil_read_config(initrc_t)
+userdom_read_admin_home_files(initrc_t)
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
-userdom_use_user_terminals(initrc_t)
+userdom_use_inherited_user_terminals(initrc_t)
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
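Review bot: `miscfiles_manage_generic_cert_files(initrc_t)` replaces read access on `cert_t` with create/write/delete, but the comment above it still says `# slapd needs to read cert files from its initscript`; the comment is now stale and the grant lets any init script modify the system trust store, so it should name the script that writes certificates (`# <service> initscript (re)generates certs under /etc/pki`). This hunk also drops `modutils_domtrans_insmod(initrc_t)` and `modutils_read_module_config(initrc_t)`; if they are not re-added elsewhere under `optional_policy`, init scripts that call modprobe will fail, and the `kernel_request_load_module` added earlier is not a substitute for executing modprobe.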
@@ -458,6 +681,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
+ abrt_manage_pid_files(initrc_t)
+ ')
+
+ optional_policy(`
alsa_read_lib(initrc_t)
')
@@ -478,7 +705,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
- kernel_dontaudit_use_fds(initrc_t)
+ kernel_use_fds(initrc_t)
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
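Review bot: Turning `kernel_dontaudit_use_fds(initrc_t)` into `kernel_use_fds(initrc_t)` grants initrc_t use of file descriptors inherited from the kernel domain, while the comment above it still describes a stray initrd fd whose denial was merely being hidden. If initrc_t genuinely must read or write a kernel_t descriptor, the comment should state that requirement; otherwise the dontaudit was the right rule and the leak belongs in the initrd. Suggested: `# initrd leaves an fd open that initrc_t keeps using; revert to dontaudit once the initrd leak is fixed`.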
@@ -493,6 +720,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
+
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
@@ -522,8 +750,33 @@ ifdef(`distro_redhat',`
')
optional_policy(`
+ abrt_manage_pid_files(initrc_t)
+ ')
+
+ optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
+ bind_setattr_zone_dirs(initrc_t)
+ ')
+
+ optional_policy(`
+ devicekit_append_inherited_log_files(initrc_t)
+ ')
+
+ optional_policy(`
+ dirsrvadmin_read_config(initrc_t)
+ ')
+
+ optional_policy(`
+ gnome_manage_gconf_config(initrc_t)
+ ')
+
+ optional_policy(`
+ ldap_read_db_files(initrc_t)
+ ')
+
+ optional_policy(`
+ pulseaudio_stream_connect(initrc_t)
')
optional_policy(`
@@ -531,10 +784,22 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
+ optional_policy(`
+ rpcbind_stream_connect(initrc_t)
+ ')
optional_policy(`
sysnet_rw_dhcp_config(initrc_t)
sysnet_manage_config(initrc_t)
+ sysnet_manage_dhcpc_state(initrc_t)
+ sysnet_relabelfrom_dhcpc_state(initrc_t)
+ sysnet_relabelfrom_net_conf(initrc_t)
+ sysnet_relabelto_net_conf(initrc_t)
+ sysnet_filetrans_named_content(initrc_t)
+ ')
+
+ optional_policy(`
+ wdmd_manage_pid_files(initrc_t)
')
optional_policy(`
@@ -549,6 +814,39 @@ ifdef(`distro_suse',`
')
')
+domain_dontaudit_use_interactive_fds(daemon)
+
+userdom_dontaudit_list_admin_dir(daemon)
+userdom_dontaudit_search_user_tmp(daemon)
+
+tunable_policy(`allow_daemons_use_tcp_wrapper',`
+ corenet_tcp_connect_auth_port(daemon)
+')
+
+tunable_policy(`allow_daemons_use_tty',`
+ term_use_unallocated_ttys(daemon)
+ term_use_generic_ptys(daemon)
+ term_use_all_ttys(daemon)
+ term_use_all_ptys(daemon)
+',`
+ term_dontaudit_use_unallocated_ttys(daemon)
+ term_dontaudit_use_generic_ptys(daemon)
+ term_dontaudit_use_all_ttys(daemon)
+ term_dontaudit_use_all_ptys(daemon)
+ ')
+
+# system-config-services causes avc messages that should be dontaudited
+tunable_policy(`allow_daemons_dump_core',`
+ files_manage_root_files(daemon)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(daemon)
+ unconfined_dontaudit_rw_stream(daemon)
+ userdom_dontaudit_read_user_tmp_files(daemon)
+ userdom_dontaudit_write_user_tmp_files(daemon)
+')
+
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
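Review bot: The comment `# system-config-services causes avc messages that should be dontaudited` above the `allow_daemons_dump_core` tunable does not describe the rule below it: `files_manage_root_files(daemon)` is an allow, not a dontaudit, and when the boolean is on it lets every domain carrying the `daemon` attribute create, write and delete files directly under the root directory, far more than writing a core file needs. Consider pointing the core pattern at a dedicated directory so the rule can be narrowed to creating core files there, and in any case replace the comment with one that matches, e.g. `# allow_daemons_dump_core: daemons started with cwd / may write core files into the root directory`. The `allow_daemons_use_tcp_wrapper` tunable above it likewise lets all daemons connect to the auth (identd) port and deserves a one-line comment.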
@@ -561,6 +859,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
+ # webmin seems to cause this.
+ apache_search_sys_content(daemon)
')
optional_policy(`
@@ -577,6 +877,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
+ domain_setpriority_all_domains(initrc_t)
')
optional_policy(`
@@ -589,6 +890,17 @@ optional_policy(`
')
optional_policy(`
+ chronyd_append_keys(initrc_t)
+ chronyd_read_keys(initrc_t)
+')
+
+optional_policy(`
+ cron_read_pipes(initrc_t)
+ # managing /etc/cron.d/mailman content
+ cron_manage_system_spool(initrc_t)
+')
+
+optional_policy(`
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
@@ -605,9 +917,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
+ dbus_manage_lib_files(initrc_t)
+
+ init_dbus_chat(initrc_t)
optional_policy(`
consolekit_dbus_chat(initrc_t)
+ consolekit_manage_log(initrc_t)
')
optional_policy(`
@@ -632,6 +948,10 @@ optional_policy(`
')
optional_policy(`
+ glance_manage_pid_files(initrc_t)
+')
+
+optional_policy(`
gpm_setattr_gpmctl(initrc_t)
')
@@ -649,6 +969,11 @@ optional_policy(`
')
optional_policy(`
+ modutils_read_module_config(initrc_t)
+ modutils_domtrans_insmod(initrc_t)
+')
+
+optional_policy(`
inn_exec_config(initrc_t)
')
@@ -689,6 +1014,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
+ lpd_manage_spool(init_t)
')
optional_policy(`
@@ -706,7 +1032,13 @@ optional_policy(`
')
optional_policy(`
+ milter_delete_dkim_pid_files(initrc_t)
+ milter_setattr_all_dirs(initrc_t)
+')
+
+optional_policy(`
mta_read_config(initrc_t)
+ mta_write_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -729,6 +1061,10 @@ optional_policy(`
')
optional_policy(`
+ plymouthd_stream_connect(initrc_t)
+')
+
+optional_policy(`
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
@@ -738,10 +1074,20 @@ optional_policy(`
')
optional_policy(`
+ psad_setattr_fifo_file(initrc_t)
+ psad_setattr_log(initrc_t)
+ psad_write_log(initrc_t)
+')
+
+optional_policy(`
puppet_rw_tmp(initrc_t)
')
optional_policy(`
+ qpidd_manage_var_run(initrc_t)
+')
+
+optional_policy(`
quota_manage_flags(initrc_t)
')
@@ -750,6 +1096,10 @@ optional_policy(`
')
optional_policy(`
+ ricci_manage_lib_files(initrc_t)
+')
+
+optional_policy(`
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
@@ -771,8 +1121,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
- # why is this needed:
- rpm_manage_db(initrc_t)
')
optional_policy(`
@@ -790,10 +1138,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
+ifdef(`enabled_mls',`
optional_policy(`
# allow init scripts to su
su_restricted_domain_template(initrc, initrc_t, system_r)
')
+')
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -805,7 +1155,6 @@ optional_policy(`
')
optional_policy(`
- udev_rw_db(initrc_t)
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
@@ -815,11 +1164,26 @@ optional_policy(`
')
optional_policy(`
- virt_manage_svirt_cache(initrc_t)
+ virt_manage_cache(initrc_t)
+ virt_manage_lib_files(initrc_t)
+')
+
+# Cron jobs used to start and stop services
+optional_policy(`
+ cron_rw_pipes(daemon)
+ cron_rw_inherited_user_spool_files(daemon)
')
optional_policy(`
unconfined_domain(initrc_t)
+ domain_role_change_exemption(initrc_t)
+ mcs_file_read_all(initrc_t)
+ mcs_file_write_all(initrc_t)
+ mcs_socket_write_all_levels(initrc_t)
+ mcs_killall(initrc_t)
+ mcs_ptrace_all(initrc_t)
+
+ files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set })
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
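Review bot: `mcs_ptrace_all(initrc_t)` added inside the `unconfined_domain(initrc_t)` optional block is redundant — the same call is already made unconditionally earlier in this file under `# initrc_t needs to do a pidof which requires ptrace`, so this line can be dropped. The remaining MCS overrides and `domain_role_change_exemption(initrc_t)` are only defensible because initrc_t is unconfined in this configuration; a short comment saying so would help the next reader, e.g. `# initrc_t is unconfined here, so the MCS constraints are lifted for it as well`. The optional_policy block closes outside this hunk.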
@@ -829,6 +1193,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
+
+ # Allow SELinux aware applications to request rpm_script_t execution
+ rpm_transition_script(initrc_t)
+
+ optional_policy(`
+ gen_require(`
+ type unconfined_execmem_t, execmem_exec_t;
+ ')
+ init_system_domain(unconfined_execmem_t, execmem_exec_t)
+ ')
+
+ optional_policy(`
+ rtkit_scheduled(initrc_t)
+ ')
+')
+
+optional_policy(`
+ rpm_read_db(initrc_t)
+ rpm_delete_db(initrc_t)
')
optional_policy(`
@@ -844,6 +1227,10 @@ optional_policy(`
')
optional_policy(`
+ sanlock_manage_pid_files(initrc_t)
+')
+
+optional_policy(`
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
@@ -854,3 +1241,160 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
+
+userdom_inherit_append_user_home_content_files(daemon)
+userdom_inherit_append_user_tmp_files(daemon)
+userdom_dontaudit_rw_stream(daemon)
+
+logging_inherit_append_all_logs(daemon)
+
+optional_policy(`
+ # sudo service restart causes this
+ unconfined_signull(daemon)
+')
+
+
+optional_policy(`
+ xserver_dontaudit_append_xdm_home_files(daemon)
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files(daemon)
+ ')
+ tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_rw_cifs_files(daemon)
+ ')
+')
+
+init_rw_script_stream_sockets(daemon)
+
+optional_policy(`
+ abrt_stream_connect(daemon)
+')
+
+optional_policy(`
+ fail2ban_read_lib_files(daemon)
+')
+
+optional_policy(`
+ firstboot_dontaudit_leaks(daemon)
+')
+
+init_rw_stream_sockets(daemon)
+
+allow init_t var_run_t:dir relabelto;
+
+init_stream_connect(initrc_t)
+
+allow initrc_t daemon:process siginh;
+allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+allow daemon initrc_transition_domain:fd use;
+
+tunable_policy(`init_systemd',`
+ allow init_t daemon:unix_stream_socket create_stream_socket_perms;
+ allow init_t daemon:unix_dgram_socket create_socket_perms;
+ allow init_t daemon:tcp_socket create_stream_socket_perms;
+ allow daemon init_t:unix_dgram_socket sendto;
+ # need write to /var/run/systemd/notify
+ init_write_pid_socket(daemon)
+ dontaudit daemon init_t:unix_stream_socket { read ioctl getattr };
+')
+
+# daemons started from init will
+# inherit fds from init for the console
+init_dontaudit_use_fds(daemon)
+term_dontaudit_use_console(daemon)
+# init script ptys are the stdin/out/err
+# when using run_init
+init_use_script_ptys(daemon)
+
+allow init_t daemon:process siginh;
+
+ifdef(`hide_broken_symptoms',`
+ # RHEL4 systems seem to have a stray
+ # fds open from the initrd
+ ifdef(`distro_rhel4',`
+ kernel_dontaudit_use_fds(daemon)
+ ')
+
+ dontaudit daemon init_t:dir search_dir_perms;
+')
+
+optional_policy(`
+ nscd_socket_use(daemon)
+')
+
+optional_policy(`
+ puppet_rw_tmp(daemon)
+')
+
+allow direct_run_init daemon:process { noatsecure siginh rlimitinh };
+
+allow initrc_t systemprocess:process siginh;
+allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+allow systemprocess initrc_transition_domain:fd use;
+
+dontaudit systemprocess init_t:unix_stream_socket getattr;
+
+
+tunable_policy(`init_systemd',`
+ # Handle upstart/systemd direct transition to a executable
+ allow init_t systemprocess:process { dyntransition siginh };
+ allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
+ allow init_t systemprocess:unix_dgram_socket create_socket_perms;
+ allow systemprocess init_t:unix_dgram_socket sendto;
+ dontaudit systemprocess init_t:unix_stream_socket { read getattr ioctl };
+')
+
+ifdef(`hide_broken_symptoms',`
+ # RHEL4 systems seem to have a stray
+ # fds open from the initrd
+ ifdef(`distro_rhel4',`
+ kernel_dontaudit_use_fds(systemprocess)
+ ')
+')
+
+userdom_dontaudit_search_user_home_dirs(systemprocess)
+userdom_dontaudit_rw_stream(systemprocess)
+userdom_dontaudit_write_user_tmp_files(systemprocess)
+
+tunable_policy(`allow_daemons_use_tty',`
+ term_use_all_ttys(systemprocess)
+ term_use_all_ptys(systemprocess)
+',`
+ term_dontaudit_use_all_ttys(systemprocess)
+ term_dontaudit_use_all_ptys(systemprocess)
+')
+
+# these apps are often redirect output to random log files
+logging_inherit_append_all_logs(systemprocess)
+
+optional_policy(`
+ abrt_stream_connect(systemprocess)
+')
+
+optional_policy(`
+ cron_rw_pipes(systemprocess)
+')
+
+optional_policy(`
+ puppet_rw_tmp(systemprocess)
+')
+
+optional_policy(`
+ xserver_dontaudit_append_xdm_home_files(systemprocess)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(systemprocess)
+ unconfined_dontaudit_rw_stream(systemprocess)
+ userdom_dontaudit_read_user_tmp_files(systemprocess)
+')
+
+init_rw_script_stream_sockets(systemprocess)
+
+role system_r types systemprocess;
+role system_r types daemon;
+
+#ifdef(`enable_mls',`
+# mls_rangetrans_target(systemprocess)
+#')
+
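Review bot: `allow direct_run_init daemon:process { noatsecure siginh rlimitinh };` turns off AT_SECURE for every daemon started by a direct_run_init domain, so the dynamic loader will honor LD_PRELOAD, LD_LIBRARY_PATH and similar variables from the caller's environment across the domain transition; that is a deliberate weakening and needs a comment stating why it is acceptable, e.g. `# direct_run_init callers are trusted admin domains; daemons keep their environment and rlimits instead of a secure exec`. Separately, the trailing commented-out `#ifdef(`enable_mls',` block uses a different macro name from the `ifdef(`enabled_mls',` used earlier in this file, so if it is ever re-enabled it will silently never match — fix the name or delete the dead block. The `tunable_policy(`init_systemd'` block also grants `init_t systemprocess:process dyntransition`, which systemd relies on but is the one place a dynamic transition into arbitrary system processes is permitted and is worth a comment.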
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index fb09b9e..e25c6b6 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -12,12 +12,12 @@
/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
-/usr/lib(64)?/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-/usr/lib(64)?/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-/usr/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/lib/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/lib/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -27,10 +27,10 @@
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/local/lib/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/local/lib/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/local/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/local/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 0d4c8d3..9d66bf7 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -120,7 +120,6 @@ interface(`ipsec_exec_mgmt',`
## </summary>
## </param>
#
-#
interface(`ipsec_signal_mgmt',`
gen_require(`
type ipsec_mgmt_t;
@@ -139,7 +138,6 @@ interface(`ipsec_signal_mgmt',`
## </summary>
## </param>
#
-#
interface(`ipsec_signull_mgmt',`
gen_require(`
type ipsec_mgmt_t;
@@ -158,7 +156,6 @@ interface(`ipsec_signull_mgmt',`
## </summary>
## </param>
#
-#
interface(`ipsec_kill_mgmt',`
gen_require(`
type ipsec_mgmt_t;
@@ -225,6 +222,7 @@ interface(`ipsec_match_default_spd',`
allow $1 ipsec_spd_t:association polmatch;
allow $1 self:association sendto;
+ allow $1 self:peer recv;
')
########################################
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 55a6cd8..fa17b89 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -80,6 +80,8 @@ allow ipsec_t self:udp_socket create_socket_perms;
allow ipsec_t self:key_socket create_socket_perms;
allow ipsec_t self:fifo_file read_fifo_file_perms;
allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
+allow ipsec_t self:netlink_selinux_socket create_socket_perms;
+allow ipsec_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
@@ -128,13 +130,13 @@ corecmd_exec_bin(ipsec_t)
# Pluto needs network access
corenet_all_recvfrom_unlabeled(ipsec_t)
-corenet_tcp_sendrecv_all_if(ipsec_t)
-corenet_raw_sendrecv_all_if(ipsec_t)
-corenet_tcp_sendrecv_all_nodes(ipsec_t)
-corenet_raw_sendrecv_all_nodes(ipsec_t)
+corenet_tcp_sendrecv_generic_if(ipsec_t)
+corenet_raw_sendrecv_generic_if(ipsec_t)
+corenet_tcp_sendrecv_generic_node(ipsec_t)
+corenet_raw_sendrecv_generic_node(ipsec_t)
corenet_tcp_sendrecv_all_ports(ipsec_t)
-corenet_tcp_bind_all_nodes(ipsec_t)
-corenet_udp_bind_all_nodes(ipsec_t)
+corenet_tcp_bind_generic_node(ipsec_t)
+corenet_udp_bind_generic_node(ipsec_t)
corenet_tcp_bind_reserved_port(ipsec_t)
corenet_tcp_bind_isakmp_port(ipsec_t)
corenet_udp_bind_isakmp_port(ipsec_t)
@@ -156,6 +158,8 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
+selinux_compute_access_vector(ipsec_t)
+
term_use_console(ipsec_t)
term_dontaudit_use_all_ttys(ipsec_t)
@@ -169,6 +173,8 @@ logging_send_syslog_msg(ipsec_t)
miscfiles_read_localization(ipsec_t)
sysnet_domtrans_ifconfig(ipsec_t)
+sysnet_manage_config(ipsec_t)
+sysnet_etc_filetrans_config(ipsec_t)
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
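Review bot: `sysnet_manage_config(ipsec_t)` and `sysnet_etc_filetrans_config(ipsec_t)` give the pluto daemon domain itself create/write/delete on the network configuration type in /etc (the type used for files such as resolv.conf), not just the management domain that already had it; a compromised IKE daemon could then redirect name resolution system-wide. If this is only for applying DNS settings pushed by the peer (I cannot confirm that from the hunk), document it and consider whether the write can stay in ipsec_mgmt_t, e.g. `# pluto rewrites resolv.conf from IKE-pushed DNS; prefer delegating this to ipsec_mgmt_t`.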
@@ -245,6 +251,17 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
+# don't audit using of lsof
+dontaudit ipsec_mgmt_t self:capability sys_ptrace;
+
+domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
+domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
+
+dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t)
+dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t)
+
+files_dontaudit_getattr_all_files(ipsec_mgmt_t)
+files_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -277,9 +294,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
-term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
+term_use_all_inherited_terms(ipsec_mgmt_t)
auth_dontaudit_read_login_records(ipsec_mgmt_t)
+auth_use_nsswitch(ipsec_mgmt_t)
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
@@ -297,7 +315,7 @@ sysnet_manage_config(ipsec_mgmt_t)
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
sysnet_etc_filetrans_config(ipsec_mgmt_t)
-userdom_use_user_terminals(ipsec_mgmt_t)
+userdom_use_inherited_user_terminals(ipsec_mgmt_t)
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
@@ -324,10 +342,6 @@ optional_policy(`
modutils_domtrans_insmod(ipsec_mgmt_t)
')
-optional_policy(`
- nscd_socket_use(ipsec_mgmt_t)
-')
-
ifdef(`TODO',`
# ideally it would not need this. It wants to write to /root/.rnd
file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
@@ -377,12 +391,12 @@ corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
corenet_all_recvfrom_unlabeled(racoon_t)
-corenet_tcp_sendrecv_all_if(racoon_t)
-corenet_udp_sendrecv_all_if(racoon_t)
-corenet_tcp_sendrecv_all_nodes(racoon_t)
-corenet_udp_sendrecv_all_nodes(racoon_t)
-corenet_tcp_bind_all_nodes(racoon_t)
-corenet_udp_bind_all_nodes(racoon_t)
+corenet_tcp_sendrecv_generic_if(racoon_t)
+corenet_udp_sendrecv_generic_if(racoon_t)
+corenet_tcp_sendrecv_generic_node(racoon_t)
+corenet_udp_sendrecv_generic_node(racoon_t)
+corenet_tcp_bind_generic_node(racoon_t)
+corenet_udp_bind_generic_node(racoon_t)
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
@@ -411,6 +425,8 @@ miscfiles_read_localization(racoon_t)
sysnet_exec_ifconfig(racoon_t)
+auth_use_pam(racoon_t)
+
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
@@ -448,5 +464,6 @@ miscfiles_read_localization(setkey_t)
seutil_read_config(setkey_t)
-userdom_use_user_terminals(setkey_t)
+userdom_use_inherited_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 05fb364..c054118 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -1,7 +1,7 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+
+/lib/systemd/system/iptables6?.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
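Review bot: The new pattern `/lib/systemd/system/iptables6?.service` matches `iptables.service` and `iptables6.service`, but the IPv6 unit is named `ip6tables.service` (the initscript entry directly above uses `ip6?tables`), so the ip6tables unit will not get iptables_unit_file_t and `iptables_systemctl` callers will be denied on it; the `.` before `service` is also unescaped. Suggested: `/lib/systemd/system/ip6?tables\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)`. Dropping the `/etc/sysconfig/ip6?tables.*` entries here is tied to the iptables_conf_t removal in iptables.te and should be mentioned together with it.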
@@ -12,8 +12,4 @@
/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
-
-/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 7ba53db..227887f 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, iptables_exec_t, iptables_t)
-
- ifdef(`hide_broken_symptoms', `
- dontaudit iptables_t $1:socket_class_set { read write };
- ')
')
########################################
@@ -92,6 +88,30 @@ interface(`iptables_initrc_domtrans',`
init_labeled_script_domtrans($1, iptables_initrc_exec_t)
')
+########################################
+## <summary>
+## Execute iptables server in the iptables domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`iptables_systemctl',`
+ gen_require(`
+ type iptables_unit_file_t;
+ type iptables_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 iptables_unit_file_t:file read_file_perms;
+ allow $1 iptables_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, iptables_t)
+')
+
#####################################
## <summary>
## Set the attributes of iptables config files.
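Review bot: The summary `## Execute iptables server in the iptables domain.` does not describe `iptables_systemctl`: nothing in the body performs a domain transition — it lets the caller run systemctl, search unit directories, read the iptables unit file, hold `all_service_perms` on it and inspect iptables_t processes. Rewrite the summary to match, e.g. `## Allow the caller to control the iptables service via systemctl and read the iptables process state.`, and consider whether `all_service_perms` is needed or a `{ start stop status reload }` set suffices, since this interface will be handed to admin and management domains.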
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index f3e1b57..d7fd7fb 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -13,15 +13,15 @@ role system_r types iptables_t;
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
-type iptables_conf_t;
-files_config_file(iptables_conf_t)
-
type iptables_tmp_t;
files_tmp_file(iptables_tmp_t)
type iptables_var_run_t;
files_pid_file(iptables_var_run_t)
+type iptables_unit_file_t;
+systemd_unit_file(iptables_unit_file_t)
+
########################################
#
# Iptables local policy
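Review bot: Removing `type iptables_conf_t;` without a typealias breaks any other module that still references the type (it will fail to link) and leaves existing `/etc/sysconfig/iptables*` files carrying a label that no longer exists until a relabel; unless an alias is added elsewhere in this patch, one is needed in the module that declares the system configuration type, along the lines of `typealias system_conf_t alias iptables_conf_t;`. The change also folds the firewall ruleset into that shared type, so iptables_t gains write access to every file of the type and every domain that can write it can now alter the firewall rules — a loss of separation that should be stated in the commit message or a comment.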
@@ -34,8 +34,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:netlink_socket create_socket_perms;
allow iptables_t self:rawip_socket create_socket_perms;
-manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
-files_etc_filetrans(iptables_t, iptables_conf_t, file)
+files_manage_system_conf_files(iptables_t)
+files_etc_filetrans_system_conf(iptables_t)
manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
files_pid_filetrans(iptables_t, iptables_var_run_t, file)
@@ -46,6 +46,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
allow iptables_t iptables_tmp_t:file manage_file_perms;
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
+kernel_getattr_proc(iptables_t)
kernel_request_load_module(iptables_t)
kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t)
@@ -61,6 +62,9 @@ corenet_relabelto_all_packets(iptables_t)
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
dev_read_sysfs(iptables_t)
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_write_mtrr(iptables_t)
+')
fs_getattr_xattr_fs(iptables_t)
fs_search_auto_mountpoints(iptables_t)
@@ -69,11 +73,13 @@ fs_list_inotifyfs(iptables_t)
mls_file_read_all_levels(iptables_t)
term_dontaudit_use_console(iptables_t)
+term_use_all_inherited_terms(iptables_t)
domain_use_interactive_fds(iptables_t)
files_read_etc_files(iptables_t)
-files_read_etc_runtime_files(iptables_t)
+files_rw_etc_runtime_files(iptables_t)
+files_read_usr_files(iptables_t)
auth_use_nsswitch(iptables_t)
@@ -82,6 +88,7 @@ init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
init_rw_script_tmp_files(iptables_t)
init_rw_script_stream_sockets(iptables_t)
+init_dontaudit_script_leaks(iptables_t)
logging_send_syslog_msg(iptables_t)
@@ -90,7 +97,7 @@ miscfiles_read_localization(iptables_t)
sysnet_domtrans_ifconfig(iptables_t)
sysnet_dns_name_resolve(iptables_t)
-userdom_use_user_terminals(iptables_t)
+userdom_use_inherited_user_terminals(iptables_t)
userdom_use_all_users_fds(iptables_t)
ifdef(`hide_broken_symptoms',`
@@ -99,6 +106,8 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
fail2ban_append_log(iptables_t)
+ fail2ban_dontaudit_leaks(iptables_t)
+ fail2ban_rw_inherited_tmp_files(iptables_t)
')
optional_policy(`
@@ -121,6 +130,7 @@ optional_policy(`
optional_policy(`
psad_rw_tmp_files(iptables_t)
+ psad_write_log(iptables_t)
')
optional_policy(`
@@ -134,6 +144,7 @@ optional_policy(`
optional_policy(`
shorewall_read_tmp_files(iptables_t)
shorewall_rw_lib_files(iptables_t)
+ shorewall_read_tmp_files(iptables_t)
shorewall_read_config(iptables_t)
')
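Review bot: `shorewall_read_tmp_files(iptables_t)` is added two lines below an identical existing call in the same optional_policy block, so the new line is a duplicate and should be dropped. Duplicate interface calls do not change the compiled policy but make later audits of iptables_t's access set harder to read.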
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index ddbd8be..ac8e814 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -66,6 +66,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
kernel_read_network_state(iscsid_t)
kernel_read_system_state(iscsid_t)
+kernel_setsched(iscsid_t)
corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t)
@@ -78,6 +79,8 @@ corenet_tcp_connect_isns_port(iscsid_t)
dev_rw_sysfs(iscsid_t)
dev_rw_userio_dev(iscsid_t)
+dev_read_raw_memory(iscsid_t)
+dev_write_raw_memory(iscsid_t)
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
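Review bot: `dev_write_raw_memory(iscsid_t)` allows the iscsid daemon to write /dev/mem and /dev/kmem, which is equivalent to unrestricted kernel access and defeats every other constraint on the domain; it needs a strong, documented justification before going into a confined daemon's policy. If the need is reading the iSCSI boot firmware table out of physical memory (I cannot confirm that from the hunk), `dev_read_raw_memory(iscsid_t)` alone should suffice and the write rule should be dropped, or at most demoted to a dontaudit until a real write requirement is shown. Either way, a comment naming the feature that needs raw memory access belongs above the pair, e.g. `# reads iBFT from /dev/mem; no write access should be required`.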
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 560dc48..6673319 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -37,17 +37,12 @@ ifdef(`distro_redhat',`
#
/lib -d gen_context(system_u:object_r:lib_t,s0)
/lib/.* gen_context(system_u:object_r:lib_t,s0)
-/lib64 -d gen_context(system_u:object_r:lib_t,s0)
-/lib64/.* gen_context(system_u:object_r:lib_t,s0)
/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-/lib64/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/lib64/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_debian',`
/lib32 -l gen_context(system_u:object_r:lib_t,s0)
-/lib64 -l gen_context(system_u:object_r:lib_t,s0)
')
ifdef(`distro_gentoo',`
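Review bot: Deleting every `/lib64` entry here, including the `ld-[^/]*\.so` → ld_so_t one, only stays correct if a file_contexts substitution maps `/lib64` onto `/lib` on 64-bit installs; nothing in this hunk establishes that, and without it the dynamic loader in /lib64 would lose ld_so_t and every confined domain would fail to exec. A one-line comment at the top of the lib block would stop the next reader from treating this as an oversight, e.g. `# /lib64 and /usr/lib64 are covered by the file_contexts substitution file; do not add lib64 patterns here` — naming whatever substitution file the build actually installs.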
@@ -62,7 +57,6 @@ ifdef(`distro_gentoo',`
#
/opt/.*\.so gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
@@ -119,64 +113,62 @@ ifdef(`distro_redhat',`
/usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0)
/usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+/usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/catalyst/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?lib(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libzita-convolver\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nero/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
-/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_debian',`
/usr/lib32 -l gen_context(system_u:object_r:lib_t,s0)
+/lib -l gen_context(system_u:object_r:lib_t,s0)
')
ifdef(`distro_gentoo',`
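Review bot: Replacing the four specific vlc codec entries with `/usr/lib/vlc/.*\.so` (and likewise `/usr/lib/catalyst/.*\.so` and `/usr/lib/nero/.*\.so`) labels every plugin under those trees textrel_shlib_t, which grants execmod and so exempts them from the text-relocation check; that protection is lost for libraries that were previously clean. If only a few plugins still carry text relocations, keep the narrow entries, or add a comment recording that the whole directory is known to need it, e.g. `# all vlc plugins on this release are built with textrels; revisit when fixed`. Note also that the vlc pattern lacks the `(\.[^/]*)*` version suffix used by neighbouring entries, so any versioned `.so.N` files under vlc would not be covered.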
@@ -195,7 +187,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
/usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -203,86 +194,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/VBoxVMM\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib64/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libgpac\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libgpac\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/valgrind/vg.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/libicudata\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/libsts645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/libwrp645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/libswd680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/librecentfile\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/valgrind/vg.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/.*/program/libicudata\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/.*/program/libsts645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/.*/program/libwrp645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/.*/program/libswd680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/.*/program/librecentfile\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/.*/program/libsoffice\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Fedora Extras packages: ladspa, imlib2, ocaml
-/usr/lib(64)?/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/bandpass_a_iir_1893\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/bandpass_iir_1892\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/butterworth_1902\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/fm_osc_1415\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/gsm_1215\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/gverb_1216\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/hermes_filter_1200\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/highpass_iir_1890\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/lowpass_iir_1891\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/notch_iir_1894\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/pitch_scale_1193\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/pitch_scale_1194\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/sc1_1425\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/sc2_1426\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/sane/libsane-epkowa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/bandpass_a_iir_1893\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/bandpass_iir_1892\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/butterworth_1902\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/fm_osc_1415\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/gsm_1215\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/gverb_1216\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/hermes_filter_1200\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/highpass_iir_1890\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/lowpass_iir_1891\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/notch_iir_1894\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/pitch_scale_1193\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/pitch_scale_1194\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/sc1_1425\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/sc2_1426\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/sane/libsane-epkowa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libffmpegsumo\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Jai, Sun Microsystems (Jpackage SPRM)
-/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libdvdcss\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libdvdcss\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# vmware
-/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/vmware/lib(/.*)?/libvmware-gksu.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vmware/lib(/.*)?/libvmware-gksu.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/virtualbox/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/virtualbox/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
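Review bot: Every `/usr/lib(64)?/` alternative in this hunk is collapsed to `/usr/lib/`, so on a 64-bit install these textrel_shlib_t entries keep matching only if the build maps /usr/lib64 onto /usr/lib through a file-context path substitution; without that, the libraries fall back to the generic lib_t rule and lose the execmod allowance that libs_use_shared_libs grants, which would surface as execmod denials rather than as a silent widening. Worth confirming the substitution is present for this branch and recording the dependency once above the block, e.g. `# lib64 paths rely on the /usr/lib64 -> /usr/lib path substitution — TODO confirm`. The same collapse is applied in the two following hunks of this file.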
@@ -303,8 +295,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0)
-/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0)
+/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0)
') dnl end distro_redhat
#
@@ -312,17 +303,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
-/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-
-/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
+/var/ftp/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
+/usr/lib/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
+/usr/lib/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
+/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
+/usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
+
ifdef(`distro_suse',`
/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
')
-/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/var/spool/postfix/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+/var/spool/postfix/lib/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+
+/usr/lib/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/altera9.1/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/googleearth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0)
+
+/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/oracle/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+
+/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/local/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libav.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ifdef(`fixed',`
+/usr/lib/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+# Flash plugin, Macromedia
+HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+')
+/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lampp/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/real/RealPlayer/plugins(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/real/RealPlayer/codecs(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
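Review bot: `/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0)` near the end labels an executable with the shared-library type; that gives it execmod through libs_use_shared_libs but presumably replaces whatever bin-type label confined domains need to execute it, so the entry likely wants a comment saying this is deliberate or a different approach. The `ifdef(`fixed',` block guards about twenty entries (libavcodec, the DRI modules, libflashplayer, libphp5) behind a macro nothing visible defines, so unless `fixed` is set by the build those lines are dead and deserve either a real condition or a comment explaining why they are parked. Two patterns leave the dot unescaped (`/usr/lib/libnnz11.so`, `/usr/lib/yafaray/libDarkSky.so`) unlike `libnnz10\.so` just above them. Since textrel_shlib_t is the type that carries execmod, the tree-wide entries added here (`/opt/google/.*\.so.*`, `/opt/lampp/lib/.*\.so.*`, `/opt/real/RealPlayer/plugins(/.*)?`) extend that allowance to everything that lands under those directories; a short comment per vendor tree naming the library that needs it would make later pruning possible.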
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index 808ba93..ed84884 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -207,6 +207,23 @@ interface(`libs_search_lib',`
allow $1 lib_t:dir search_dir_perms;
')
+########################################
+## <summary>
+## dontaudit attempts to setattr on library files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`libs_dontaudit_setattr_lib_files',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ dontaudit $1 lib_t:file setattr;
+')
########################################
## <summary>
@@ -253,24 +270,6 @@ interface(`libs_manage_lib_dirs',`
########################################
## <summary>
-## dontaudit attempts to setattr on library files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`libs_dontaudit_setattr_lib_files',`
- gen_require(`
- type lib_t;
- ')
-
- dontaudit $1 lib_t:file setattr;
-')
-
-########################################
-## <summary>
## Read files in the library directories, such
## as static libraries.
## </summary>
@@ -421,7 +420,7 @@ interface(`libs_manage_shared_libs',`
type lib_t, textrel_shlib_t;
')
- manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+ manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
')
########################################
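Review bot: The set is written `{ textrel_shlib_t lib_t }` for the container and `{ lib_t textrel_shlib_t }` for the object on the same line, here and in the libs_use_shared_libs and libs_relabel_shared_libs hunks; writing both as `{ lib_t textrel_shlib_t }` makes it obvious at a glance that the same pair is meant. The change also lets textrel_shlib_t act as a directory type, which libraries.fc appears to produce only for the handful of entries written without the `--` file class, so a one-line comment noting which path needs that would save the next reader a search.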
@@ -440,9 +439,9 @@ interface(`libs_use_shared_libs',`
')
files_search_usr($1)
- allow $1 lib_t:dir list_dir_perms;
- read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
- mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+ allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms;
+ read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+ mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
allow $1 textrel_shlib_t:file execmod;
')
@@ -483,7 +482,7 @@ interface(`libs_relabel_shared_libs',`
type lib_t, textrel_shlib_t;
')
- relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+ relabel_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
')
########################################
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index e5836d3..eae9427 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
-allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t)
files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
@@ -79,6 +79,7 @@ corecmd_search_bin(ldconfig_t)
domain_use_interactive_fds(ldconfig_t)
+files_search_home(ldconfig_t)
files_search_var_lib(ldconfig_t)
files_read_etc_files(ldconfig_t)
files_read_usr_files(ldconfig_t)
@@ -94,7 +95,8 @@ miscfiles_read_localization(ldconfig_t)
logging_send_syslog_msg(ldconfig_t)
-userdom_use_user_terminals(ldconfig_t)
+term_use_console(ldconfig_t)
+userdom_use_inherited_user_terminals(ldconfig_t)
userdom_use_all_users_fds(ldconfig_t)
ifdef(`distro_ubuntu',`
@@ -103,6 +105,12 @@ ifdef(`distro_ubuntu',`
')
')
+userdom_dontaudit_list_admin_dir(ldconfig_t)
+userdom_list_user_home_dirs(ldconfig_t)
+userdom_manage_user_home_content_files(ldconfig_t)
+userdom_manage_user_tmp_files(ldconfig_t)
+userdom_manage_user_tmp_symlinks(ldconfig_t)
+
ifdef(`hide_broken_symptoms',`
ifdef(`distro_gentoo',`
# leaked fds from portage
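Review bot: `userdom_manage_user_home_content_files(ldconfig_t)` together with the two user tmp rules gives a domain that already holds dac_override (visible in the first libraries.te hunk) unconditional create/write/unlink over every user's home content, which is far wider than a cache writer needs; if the motivating case is ldconfig invoked with a -r/-C target inside a user's build root, a tunable or a narrower type for that tree would confine it. The `files_search_home(ldconfig_t)` addition above and the removal of `unconfined_domain(ldconfig_t)` at the end of this file suggest these rules replace formerly unconfined behaviour, so a comment above the block naming the triggering use case, e.g. `# ldconfig -r <chroot> run from user build trees — TODO confirm`, would let a later reviewer re-evaluate the scope.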
@@ -114,6 +122,9 @@ ifdef(`hide_broken_symptoms',`
')
')
+ dev_dontaudit_rw_lvm_control(ldconfig_t)
+ term_dontaudit_use_unallocated_ttys(ldconfig_t)
+
optional_policy(`
unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
')
@@ -131,6 +142,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_append_generic_cache_files(ldconfig_t)
+')
+
+optional_policy(`
puppet_rw_tmp(ldconfig_t)
')
@@ -141,6 +156,3 @@ optional_policy(`
rpm_manage_script_tmp_files(ldconfig_t)
')
-optional_policy(`
- unconfined_domain(ldconfig_t)
-')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index a0b379d..b823395 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -32,9 +32,8 @@ role system_r types sulogin_t;
# Local login local policy
#
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow local_login_t self:process { setrlimit setexec };
+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_ptrace sys_resource sys_tty_config };
+allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
allow local_login_t self:sock_file read_sock_file_perms;
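Review bot: The self:capability set gains `sys_admin` and `sys_ptrace` with nothing in the hunk saying which operation needs them; sys_admin in particular is the catch-all capability, so a comment naming the trigger (`# sys_admin: needed for <operation — TODO confirm from the AVC>`) should accompany it, and if only a single probe trips it a dontaudit may be the better answer. The rewrite of the self:process rule is behaviour-preserving: dropping `setrlimit` and `setexec` from the complemented set is equivalent to the removed explicit allow line.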
@@ -73,6 +72,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
dev_setattr_power_mgmt_dev(local_login_t)
dev_getattr_sound_dev(local_login_t)
dev_setattr_sound_dev(local_login_t)
+dev_rw_generic_usb_dev(local_login_t)
+dev_read_video_dev(local_login_t)
dev_dontaudit_getattr_apm_bios_dev(local_login_t)
dev_dontaudit_setattr_apm_bios_dev(local_login_t)
dev_dontaudit_read_framebuffer(local_login_t)
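Review bot: `dev_rw_generic_usb_dev` and `dev_read_video_dev` give the login program read (and for USB, write) access to device nodes, whereas every neighbouring device rule in this block (`dev_setattr_power_mgmt_dev`, `dev_setattr_sound_dev`) only hands ownership off to the logging-in user. If the new lines exist for the same pam_console-style handoff, the matching getattr/setattr interfaces are the narrower fit; if an actual read is needed, a comment saying which component performs it would justify the wider grant.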
@@ -123,8 +124,10 @@ auth_rw_faillog(local_login_t)
auth_manage_pam_pid(local_login_t)
auth_manage_pam_console_data(local_login_t)
auth_domtrans_pam_console(local_login_t)
+auth_use_nsswitch(local_login_t)
init_dontaudit_use_fds(local_login_t)
+init_stream_connect(local_login_t)
miscfiles_read_localization(local_login_t)
@@ -156,6 +159,12 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_symlinks(local_login_t)
')
+tunable_policy(`allow_console_login',`
+ term_use_console(local_login_t)
+ term_relabel_console(local_login_t)
+ term_setattr_console(local_login_t)
+')
+
optional_policy(`
alsa_domtrans(local_login_t)
')
@@ -177,14 +186,6 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(local_login_t)
-')
-
-optional_policy(`
- nscd_socket_use(local_login_t)
-')
-
-optional_policy(`
unconfined_shell_domtrans(local_login_t)
')
@@ -215,6 +216,7 @@ allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };
+kernel_read_crypto_sysctls(sulogin_t)
kernel_read_system_state(sulogin_t)
fs_search_auto_mountpoints(sulogin_t)
@@ -223,13 +225,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
files_read_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dirs(sulogin_t)
+files_search_pids(sulogin_t)
auth_read_shadow(sulogin_t)
+auth_use_nsswitch(sulogin_t)
init_getpgid_script(sulogin_t)
logging_send_syslog_msg(sulogin_t)
+miscfiles_read_localization(sulogin_t)
+
seutil_read_config(sulogin_t)
seutil_read_default_contexts(sulogin_t)
@@ -238,14 +244,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
-sysadm_shell_domtrans(sulogin_t)
+term_use_console(sulogin_t)
+term_use_unallocated_ttys(sulogin_t)
+term_use_generic_ptys(sulogin_t)
+
+ifdef(`enable_mls',`
+ sysadm_shell_domtrans(sulogin_t)
+',`
+ optional_policy(`
+ unconfined_shell_domtrans(sulogin_t)
+ ')
+')
# suse and debian do not use pam with sulogin...
ifdef(`distro_suse', `define(`sulogin_no_pam')')
ifdef(`distro_debian', `define(`sulogin_no_pam')')
+allow sulogin_t self:capability sys_tty_config;
ifdef(`sulogin_no_pam', `
- allow sulogin_t self:capability sys_tty_config;
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
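Review bot: In the non-MLS branch the shell transition now lives only inside `optional_policy(` with `unconfined_shell_domtrans(sulogin_t)`, and the former unconditional `sysadm_shell_domtrans(sulogin_t)` is gone; on a build without the unconfined module the rescue shell would therefore remain in sulogin_t. Keeping `sysadm_shell_domtrans(sulogin_t)` as the default and letting the unconfined transition take precedence, or at least recording the assumption with `# assumes the unconfined module is present on non-MLS builds`, would avoid that. Moving `allow sulogin_t self:capability sys_tty_config;` out of the sulogin_no_pam block is fine, but it now sits between the `define` lines and the ifdef where it reads as part of the distro conditional; a blank line or placing it with the other self rules would help.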
@@ -256,11 +272,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
-
-optional_policy(`
- nis_use_ypbind(sulogin_t)
-')
-
-optional_policy(`
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 02f4c97..cd16709 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,6 +17,13 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
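Review bot: `/opt/Symantec/scspagent/IDS/system(/.*)?` here, and `/var/webmin(/.*)?` and `/var/stockmaniac/templates_cache(/.*)?` in the last hunk of this file, label whole trees as var_log_t although none of the path names says log; var_log_t is the type every log-managing domain may write and rotate, so if those directories also hold configuration, cache or session state the label exposes it to that class of domain. A comment above each entry naming the log files that live there (`# <product> writes its logs here — TODO confirm nothing else is stored`) would record the reasoning, and narrowing to the specific log subdirectory would be safer where one exists.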
@@ -38,7 +45,7 @@ ifdef(`distro_suse', `
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
-/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
@@ -73,4 +80,8 @@ ifdef(`distro_redhat',`
/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
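Review bot: `/var/stockmaniac/templates_cache` and `/var/webmin` are labelled `var_log_t`, but a template cache is not a log, and `/var/webmin` presumably holds more than Webmin's log files (session data and pid files, to be confirmed), so the generic log type exposes that content to every log-managing domain and to every `logging_read_generic_logs` caller. If only the log files inside these trees need the type, narrow the pattern to them, e.g. `/var/webmin/.*\.log -- gen_context(system_u:object_r:var_log_t,s0)`; otherwise give the trees a type that matches their use rather than reusing `var_log_t` as a catch-all.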
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 831b909..efe1038 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -491,6 +491,63 @@ interface(`logging_log_filetrans',`
filetrans_pattern($1, var_log_t, $2, $3)
')
+#######################################
+## <summary>
+## Create an object in the log directory, with a private type.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to create an object
+## in the general system log directories (e.g., /var/log)
+## with a private type. Typically this is used for creating
+## private log files in /var/log with the private type instead
+## of the general system log type. To accomplish this goal,
+## either the program must be SELinux-aware, or use this interface.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>logging_log_file()</li>
+## </ul>
+## <p>
+## Example usage with a domain that can create
+## and append to a private log file stored in the
+## general directories (e.g., /var/log):
+## </p>
+## <p>
+## type mylogfile_t;
+## logging_log_file(mylogfile_t)
+## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
+## logging_log_filetrans(mydomain_t, mylogfile_t, file)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`logging_log_named_filetrans',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ filetrans_pattern($1, var_log_t, $2, $3, $4)
+')
+
########################################
## <summary>
## Send system log messages.
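Review bot: `logging_log_named_filetrans` takes a fourth argument — the object name passed to `filetrans_pattern` as `$4` — but the XML documentation lists only `domain`, `private type` and `object`, so the generated interface docs will omit it. Add a `<param name="name">` block with a summary such as `The name of the object being created.`, and make the example exercise this interface instead of its three-argument sibling: `logging_log_named_filetrans(mydomain_t, mylogfile_t, file, "mylog.log")`. The description copied from `logging_log_filetrans` should also say that the transition applies only to objects created with that exact name.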
@@ -545,6 +602,44 @@ interface(`logging_send_syslog_msg',`
########################################
## <summary>
+## Connect to the syslog control unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_create_devlog_dev',`
+ gen_require(`
+ type devlog_t;
+ ')
+
+ allow $1 devlog_t:sock_file manage_sock_file_perms;
+ dev_filetrans($1, devlog_t, sock_file)
+')
+
+########################################
+## <summary>
+## Connect to the syslog control unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_stream_connect_syslog',`
+ gen_require(`
+ type syslogd_t, syslogd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
+')
+
+########################################
+## <summary>
## Read the auditd configuration files.
## </summary>
## <param name="domain">
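Review bot: The summary on `logging_create_devlog_dev` is copied from the interface below it — it says `Connect to the syslog control unix stream socket`, but the body grants `devlog_t:sock_file manage_sock_file_perms` plus a `dev_filetrans`, i.e. the domain may create, rename and delete the `/dev/log` socket itself. Replace it with something like `## Create the syslog socket (/dev/log) in /dev with the devlog_t type.` Because `manage_sock_file_perms` is wider than the name `create` suggests (it includes unlink and rename), either narrow the rule to `create_sock_file_perms` if callers only create the socket, or state in the summary that full management is granted.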
@@ -734,7 +829,25 @@ interface(`logging_append_all_logs',`
')
files_search_var($1)
- append_files_pattern($1, var_log_t, logfile)
+ append_files_pattern($1, logfile, logfile)
+')
+
+########################################
+## <summary>
+## Append to all log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_inherit_append_all_logs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ allow $1 logfile:file { getattr append ioctl lock };
')
########################################
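Review bot: `logging_inherit_append_all_logs` carries the same summary as `logging_append_all_logs` (`Append to all log files.`), yet its rule deliberately omits `open` and grants no directory search, so it only works on descriptors the domain inherited from a log writer. Say so: `## Append to log files already opened and inherited from another domain (no open or directory search is granted).` The rewritten `append_files_pattern($1, logfile, logfile)` also changes `logging_append_all_logs` to search every `logfile`-typed directory rather than only `var_log_t`; a one-line comment recording that this widening is intentional would help the next reader.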
@@ -817,7 +930,7 @@ interface(`logging_manage_all_logs',`
files_search_var($1)
manage_files_pattern($1, logfile, logfile)
- read_lnk_files_pattern($1, logfile, logfile)
+ manage_lnk_files_pattern($1, logfile, logfile)
')
########################################
@@ -843,6 +956,44 @@ interface(`logging_read_generic_logs',`
########################################
## <summary>
+## Link generic log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_link_generic_logs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ allow $1 var_log_t:file link;
+')
+
+########################################
+## <summary>
+## Delete generic log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_delete_generic_logs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ allow $1 var_log_t:file unlink;
+')
+
+########################################
+## <summary>
## Write generic log files.
## </summary>
## <param name="domain">
@@ -990,6 +1141,7 @@ interface(`logging_admin_syslog',`
type syslogd_initrc_exec_t;
')
+ allow $1 self:capability2 syslog;
allow $1 syslogd_t:process { ptrace signal_perms };
allow $1 klogd_t:process { ptrace signal_perms };
ps_process_pattern($1, syslogd_t)
@@ -1015,6 +1167,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
+ allow $1 logfile:dir relabel_dir_perms;
+ allow $1 logfile:file relabel_file_perms;
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
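Review bot: The two new relabel rules reference the `logfile` attribute, but the interface's `gen_require` — whose visible tail at the top of the previous hunk ends with `type syslogd_initrc_exec_t;` — shows no `attribute logfile;` entry; unless it is declared higher up, outside this view, the module fails to build with an undeclared identifier. Add `attribute logfile;` to the `gen_require` block. `relabel_file_perms` also includes `relabelfrom`, so an admin using this interface can move files out of every logfile type as well as into them; that is acceptable for an admin interface, but worth a short comment, e.g. `# admins may relabel any logfile-typed file or directory in either direction`.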
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index b6ec597..5684c8a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -5,6 +5,13 @@ policy_module(logging, 1.17.2)
# Declarations
#
+## <desc>
+## <p>
+## Allow syslogd daemon to send mail
+## </p>
+## </desc>
+gen_tunable(logging_syslogd_can_sendmail, false)
+
attribute logfile;
type auditctl_t;
@@ -20,6 +27,7 @@ files_security_file(auditd_log_t)
files_security_mountpoint(auditd_log_t)
type audit_spool_t;
+files_spool_file(audit_spool_t)
files_security_file(audit_spool_t)
files_security_mountpoint(audit_spool_t)
@@ -64,6 +72,7 @@ files_config_file(syslog_conf_t)
type syslogd_t;
type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t)
+mls_trusted_object(syslogd_t)
type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)
@@ -111,7 +120,7 @@ domain_use_interactive_fds(auditctl_t)
mls_file_read_all_levels(auditctl_t)
-term_use_all_terms(auditctl_t)
+term_use_all_inherited_terms(auditctl_t)
init_dontaudit_use_fds(auditctl_t)
@@ -183,16 +192,19 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
+auth_use_nsswitch(auditd_t)
+
miscfiles_read_localization(auditd_t)
mls_file_read_all_levels(auditd_t)
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
+mls_socket_write_all_levels(auditd_t)
seutil_dontaudit_read_config(auditd_t)
sysnet_dns_name_resolve(auditd_t)
-userdom_use_user_terminals(auditd_t)
+userdom_use_inherited_user_terminals(auditd_t)
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)
@@ -237,10 +249,17 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
+fs_getattr_all_fs(audisp_t)
+
files_read_etc_files(audisp_t)
files_read_etc_runtime_files(audisp_t)
+mls_file_read_all_levels(audisp_t)
mls_file_write_all_levels(audisp_t)
+mls_socket_write_all_levels(audisp_t)
+mls_dbus_send_all_levels(audisp_t)
+
+auth_use_nsswitch(audisp_t)
logging_send_syslog_msg(audisp_t)
@@ -250,6 +269,10 @@ sysnet_dns_name_resolve(audisp_t)
optional_policy(`
dbus_system_bus_client(audisp_t)
+
+ optional_policy(`
+ setroubleshoot_dbus_chat(audisp_t)
+ ')
')
########################################
@@ -280,11 +303,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
+mls_socket_write_all_levels(audisp_remote_t)
+
logging_send_syslog_msg(audisp_remote_t)
logging_send_audit_msgs(audisp_remote_t)
+auth_use_nsswitch(audisp_remote_t)
+auth_append_login_records(audisp_remote_t)
+
miscfiles_read_localization(audisp_remote_t)
+init_telinit(audisp_remote_t)
+init_read_utmp(audisp_remote_t)
+init_dontaudit_write_utmp(audisp_remote_t)
+
sysnet_dns_name_resolve(audisp_remote_t)
########################################
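Review bot: `init_telinit(audisp_remote_t)` lets the remote audit dispatcher execute telinit and change the system runlevel, which is a far stronger right than the surrounding log and utmp rules, and nothing records why. Presumably it backs audisp-remote's configurable failure actions (halting or dropping to single-user when the remote server is unreachable) — confirm against the dispatcher's configuration — and that should be written above the line, e.g. `# audisp-remote may halt or change runlevel on network/disk failure (network_failure_action)`. If only a subset of those actions is required, check whether a narrower interface than full telinit access exists.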
@@ -354,11 +386,12 @@ optional_policy(`
# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid };
dontaudit syslogd_t self:capability sys_tty_config;
+allow syslogd_t self:capability2 syslog;
# setpgid for metalog
# setrlimit for syslog-ng
-allow syslogd_t self:process { signal_perms setpgid setrlimit };
+allow syslogd_t self:process { signal_perms getcap setcap setpgid setsched setrlimit };
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
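Review bot: The comment block above this rule explains each capability (`chown fsetid for syslog-ng`, `sys_admin for the integrated klog`), but the newly added `ipc_lock`, `sys_nice`, `capability2 syslog`, `getcap`/`setcap` and `setsched` are left unexplained, so a reader cannot tell which daemon needs them. Add lines in the same style, e.g. `# ipc_lock/sys_nice/setsched for rsyslog queue locking and thread priorities — confirm` and `# capability2 syslog: read the kernel ring buffer — presumably imklog`. The pre-existing `dontaudit syslogd_t self:capability sys_tty_config;` immediately below an `allow` of the same permission is plainly redundant and could be dropped in the same edit.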
@@ -376,6 +409,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+files_search_spool(syslogd_t)
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
@@ -385,9 +419,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
+manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
files_search_var_lib(syslogd_t)
+manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
+
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
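Review bot: The new block restates the two rules that follow it under `# manage pid file` — `manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)` and a `files_pid_filetrans` for `file` — so the same permissions now appear twice. Drop the old two-line block (moving its comment onto the new one) so there is a single `files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })` and one manage_files pattern. A comment naming why rsyslog now needs directories and sockets under `/var/run` (e.g. `# rsyslog creates /var/run/syslogd/ and a control socket — confirm`) would make the new dir and sock_file rules easier to justify later.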
@@ -426,10 +466,20 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
+tunable_policy(`logging_syslogd_can_sendmail',`
+ # support for ommail module to send logs via mail
+ corenet_tcp_connect_smtp_port(syslogd_t)
+')
+
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
+dev_read_rand(syslogd_t)
+# relating to systemd-kmsg-syslogd
+dev_write_kmsg(syslogd_t)
+domain_read_all_domains_state(syslogd_t)
domain_use_interactive_fds(syslogd_t)
+domain_read_all_domains_state(syslogd_t)
files_read_etc_files(syslogd_t)
files_read_usr_files(syslogd_t)
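Review bot: `domain_read_all_domains_state(syslogd_t)` is added twice in this hunk (once before `domain_use_interactive_fds` and once after), so one copy is dead; remove the duplicate. Reading every domain's `/proc` state is a broad grant for a daemon that ingests untrusted remote messages, and the `# relating to systemd-kmsg-syslogd` comment only covers `dev_write_kmsg`, so a comment saying which feature needs the state access is warranted. `dev_read_rand` rather than `dev_read_urand` can block syslogd on a low-entropy system; if rsyslog only needs randomness for non-key purposes, `urand` is the safer choice — confirm what the code actually opens.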
@@ -448,6 +498,7 @@ term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
+init_stream_connect(syslogd_t)
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
@@ -459,6 +510,7 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
+logging_manage_all_logs(syslogd_t)
miscfiles_read_localization(syslogd_t)
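Review bot: `logging_manage_all_logs(syslogd_t)` extends syslogd from its own `var_log_t` files to every type carrying the `logfile` attribute, and with this patch's change to that interface it now manages symlinks in those directories too. If `auditd_log_t` carries `logfile` as it does in the reference policy (its declaration is outside this view — confirm), a daemon that parses input from the network can truncate or delete the audit trail, which undoes the separation the audit log types exist for. Prefer granting only the specific log types rsyslog writes into, or at least document the widening: `# rsyslog writes into other daemons' log directories; this covers every type with the logfile attribute`.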
@@ -496,11 +548,20 @@ optional_policy(`
')
optional_policy(`
+ plymouthd_manage_log(syslogd_t)
+')
+
+optional_policy(`
postgresql_stream_connect(syslogd_t)
')
optional_policy(`
seutil_sigchld_newrole(syslogd_t)
+ snmp_read_snmp_var_lib_files(syslogd_t)
+')
+
+optional_policy(`
+ daemontools_search_svc_dir(syslogd_t)
')
optional_policy(`
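Review bot: `snmp_read_snmp_var_lib_files(syslogd_t)` is inserted into the `optional_policy` block that holds `seutil_sigchld_newrole(syslogd_t)`; the convention is one module per block, because the whole block is discarded when any interface inside it is unresolved, so a build without the snmp module would also silently lose the seutil rule. Move it into its own `optional_policy` block, the same way `plymouthd_manage_log` and `daemontools_search_svc_dir` are wrapped in this hunk.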
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 879bb1e..7b22111 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -28,20 +28,24 @@ ifdef(`distro_gentoo',`
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
#
# /sbin
#
+/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -97,5 +101,7 @@ ifdef(`distro_gentoo',`
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+/var/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
/var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 58bc27f..51e9872 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -123,3 +123,94 @@ interface(`lvm_domtrans_clvmd',`
corecmd_search_bin($1)
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
')
+
+########################################
+## <summary>
+## Read and write to lvm temporary file system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_rw_clvmd_tmpfs_files',`
+ gen_require(`
+ type clvmd_tmpfs_t;
+ ')
+
+ allow $1 clvmd_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Delete lvm temporary file system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_delete_clvmd_tmpfs_files',`
+ gen_require(`
+ type clvmd_tmpfs_t;
+ ')
+
+ allow $1 clvmd_tmpfs_t:file unlink;
+')
+
+########################################
+## <summary>
+## Send lvm a null signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_signull',`
+ gen_require(`
+ type lvm_t;
+ ')
+
+ allow $1 lvm_t:process signull;
+')
+
+########################################
+## <summary>
+## Send a message to lvm over the
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_dgram_send',`
+ gen_require(`
+ type lvm_t;
+ ')
+
+ allow $1 lvm_t:unix_dgram_socket sendto;
+')
+
+########################################
+## <summary>
+## Read and write a lvm unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_rw_pipes',`
+ gen_require(`
+ type lvm_var_run_t;
+ ')
+
+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
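Review bot: `lvm_rw_pipes` is documented as read/write of an lvm unnamed pipe, but it grants `lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms`, which is a named FIFO under `/var/run/lvm` (lvm.te in this patch creates them with `manage_fifo_files_pattern` and a `fifo_file` pid filetrans); an unnamed pipe would be `lvm_t:fifo_file`. Fix the summary to `## Read and write an inherited lvm named pipe in /var/run/lvm.` or switch the type if unnamed pipes were meant. `lvm_delete_clvmd_tmpfs_files` also grants `file unlink` without `remove_name` on the containing directory (whichever of `clvmd_tmpfs_t` or the tmpfs root holds the file — confirm), so `delete_files_pattern($1, clvmd_tmpfs_t, clvmd_tmpfs_t)` plus the appropriate tmpfs search is the working form.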
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index a0a0ebf..e55e967 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
type clvmd_initrc_exec_t;
init_script_file(clvmd_initrc_exec_t)
+type clvmd_tmpfs_t alias clmvd_tmpfs_t;
+files_tmpfs_file(clvmd_tmpfs_t)
+
type clvmd_var_run_t;
files_pid_file(clvmd_var_run_t)
@@ -24,7 +27,7 @@ domain_obj_id_change_exemption(lvm_t)
role system_r types lvm_t;
type lvm_etc_t;
-files_type(lvm_etc_t)
+files_config_file(lvm_etc_t)
type lvm_lock_t;
files_lock_file(lvm_lock_t)
@@ -56,6 +59,10 @@ allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow clvmd_t self:tcp_socket create_stream_socket_perms;
allow clvmd_t self:udp_socket create_socket_perms;
+manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t)
+manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t)
+fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file })
+
manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
@@ -141,6 +148,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
+ aisexec_stream_connect(clvmd_t)
+ corosync_stream_connect(clvmd_t)
+')
+
+optional_policy(`
ccs_stream_connect(clvmd_t)
')
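Review bot: `aisexec_stream_connect(clvmd_t)` and `corosync_stream_connect(clvmd_t)` share one `optional_policy` block; if aisexec and corosync are shipped as separate policy modules, as their prefixes suggest — confirm in the build — the block is dropped whenever either is absent, so a corosync-only system silently loses the corosync rule. Split them into two blocks. The same pairing is repeated for `lvm_t` later in this file and should be split the same way.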
@@ -167,9 +179,10 @@ optional_policy(`
# net_admin for multipath
allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
dontaudit lvm_t self:capability sys_tty_config;
-allow lvm_t self:process { sigchld sigkill sigstop signull signal };
+allow lvm_t self:process { setfscreate sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
+allow lvm_t self:sem create_sem_perms;
allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file manage_fifo_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
@@ -191,8 +204,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
can_exec(lvm_t, lvm_exec_t)
# Creating lock files
+manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
-files_lock_filetrans(lvm_t, lvm_lock_t, file)
+files_lock_filetrans(lvm_t, lvm_lock_t, { file dir })
manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
@@ -200,8 +214,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
-files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
+files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
@@ -213,11 +228,13 @@ files_search_mnt(lvm_t)
kernel_get_sysvipc_info(lvm_t)
kernel_read_system_state(lvm_t)
+kernel_read_kernel_sysctls(lvm_t)
# Read system variables in /proc/sys
kernel_read_kernel_sysctls(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t)
kernel_use_fds(lvm_t)
+kernel_request_load_module(lvm_t)
kernel_search_debugfs(lvm_t)
corecmd_exec_bin(lvm_t)
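Review bot: `kernel_read_kernel_sysctls(lvm_t)` is inserted directly above an existing `kernel_read_kernel_sysctls(lvm_t)` (the one under the `# Read system variables in /proc/sys` comment), so the hunk adds a duplicate rule; drop the new line. `kernel_request_load_module(lvm_t)` is a genuinely new right — lvm triggering module autoload for device-mapper targets is plausible — and a comment such as `# autoload dm-* target modules via request_module — confirm` would tie it to its reason.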
@@ -228,6 +245,7 @@ dev_delete_generic_dirs(lvm_t)
dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
+dev_write_kmsg(lvm_t)
dev_manage_generic_symlinks(lvm_t)
dev_relabel_generic_dev_dirs(lvm_t)
dev_manage_generic_blk_files(lvm_t)
@@ -244,6 +262,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
+dev_rw_generic_files(lvm_t)
domain_use_interactive_fds(lvm_t)
domain_read_all_domains_state(lvm_t)
@@ -253,17 +272,21 @@ files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(lvm_t)
+files_dontaudit_getattr_tmpfs_files(lvm_t)
-fs_getattr_xattr_fs(lvm_t)
+fs_getattr_all_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
fs_list_tmpfs(lvm_t)
fs_read_tmpfs_symlinks(lvm_t)
fs_dontaudit_read_removable_files(lvm_t)
fs_dontaudit_getattr_tmpfs_files(lvm_t)
fs_rw_anon_inodefs_files(lvm_t)
+fs_list_auto_mountpoints(lvm_t)
+fs_list_hugetlbfs(lvm_t)
mls_file_read_all_levels(lvm_t)
mls_file_write_to_clearance(lvm_t)
+mls_file_upgrade(lvm_t)
selinux_get_fs_mount(lvm_t)
selinux_validate_context(lvm_t)
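Review bot: `mls_file_upgrade(lvm_t)` is an MLS-significant grant — it lets lvm raise the sensitivity level of files — and it lands among unrelated fs rules with no explanation, next to `fs_getattr_all_fs` replacing the narrower `fs_getattr_xattr_fs`. State the reason above it, e.g. `# MLS: relabel device nodes to the mount-point level when activating volumes — confirm`, or note whether a narrower mls interface suffices for the objects lvm actually touches. Without a comment a later reviewer cannot tell whether the upgrade right is needed at all on non-MLS installs.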
@@ -283,7 +306,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
-term_use_all_terms(lvm_t)
+term_use_all_inherited_terms(lvm_t)
init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
@@ -292,6 +315,8 @@ init_read_script_state(lvm_t)
logging_send_syslog_msg(lvm_t)
+authlogin_rw_pipes(lvm_t)
+
miscfiles_read_localization(lvm_t)
seutil_read_config(lvm_t)
@@ -299,7 +324,10 @@ seutil_read_file_contexts(lvm_t)
seutil_search_default_contexts(lvm_t)
seutil_sigchld_newrole(lvm_t)
+userdom_use_inherited_user_terminals(lvm_t)
userdom_use_user_terminals(lvm_t)
+userdom_rw_semaphores(lvm_t)
+userdom_search_user_home_dirs(lvm_t)
ifdef(`distro_redhat',`
# this is from the initrd:
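Review bot: `userdom_use_inherited_user_terminals(lvm_t)` is added directly above the existing `userdom_use_user_terminals(lvm_t)`, which already covers the inherited case, so the new line is redundant; elsewhere in this patch (auditd_t, depmod_t, update_modules_t, and `term_use_all_inherited_terms(lvm_t)` a few hunks up) the non-inherited interface is *replaced* by the inherited one. Make lvm consistent by keeping only `userdom_use_inherited_user_terminals(lvm_t)` unless lvm really opens user ttys by name. `userdom_search_user_home_dirs(lvm_t)` also deserves a why-comment, since searching home directories is unusual for a storage tool — presumably key files for cryptsetup under `$HOME`, to be confirmed.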
@@ -311,6 +339,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
+ aisexec_stream_connect(lvm_t)
+ corosync_stream_connect(lvm_t)
+')
+
+optional_policy(`
bootloader_rw_tmp_files(lvm_t)
')
@@ -331,14 +364,26 @@ optional_policy(`
')
optional_policy(`
+ livecd_rw_semaphores(lvm_t)
+')
+
+optional_policy(`
modutils_domtrans_insmod(lvm_t)
')
optional_policy(`
+ raid_read_mdadm_pid(lvm_t)
+')
+
+optional_policy(`
rpm_manage_script_tmp_files(lvm_t)
')
optional_policy(`
+ systemd_passwd_agent_dev_template(lvm)
+')
+
+optional_policy(`
udev_read_db(lvm_t)
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 172287e..ec1f0e8 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -9,7 +9,7 @@ ifdef(`distro_gentoo',`
# /etc
#
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
-/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
+/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
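Review bot: Widening `/etc/httpd/alias` from the `*.db` files to the whole directory labels every file there `cert_t`, which is readable by every domain granted the cert-reading interfaces. An NSS database directory commonly also holds the key-database password or pin file next to `key3.db`/`key4.db` — confirm for this layout — and if so that secret is now readable by all those domains, whereas previously only the `.db` files were exposed. Keep the regex narrow and extend it only to the additional file names that genuinely need `cert_t`, or document why everything in the directory is safe to expose as certificate data.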
@@ -34,7 +34,7 @@ ifdef(`distro_redhat',`
#
/usr/lib/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
-/usr/lib(64)?/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+/usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
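Review bot: Dropping the `(64)?` alternative means `/usr/lib64/perl5/man` no longer matches this rule, so on 64-bit installs those man pages fall back to the generic library type unless the build's path substitution (`file_contexts.subs_dist` mapping `/usr/lib64` to `/usr/lib`) is in place — confirm that it is, since the `lib64` lines are removed from modutils.fc in this patch as well. If the substitution is what justifies the change, a one-line comment at the top of the `/usr` section, e.g. `# /usr/lib64 paths are mapped to /usr/lib by file_contexts.subs_dist`, would stop future readers from re-adding the `(64)?`.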
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 926ba65..13762b6 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -582,6 +582,26 @@ interface(`miscfiles_manage_man_pages',`
########################################
## <summary>
+## Allow process to relabel man_pages info
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_relabel_man_pages',`
+ gen_require(`
+ type man_t;
+ ')
+
+ files_search_usr($1)
+ relabel_dirs_pattern($1, man_t, man_t)
+ relabel_files_pattern($1, man_t, man_t)
+')
+
+########################################
+## <summary>
## Read public files used for file
## transfer services.
## </summary>
@@ -745,7 +765,24 @@ interface(`miscfiles_etc_filetrans_localization',`
')
files_etc_filetrans($1, locale_t, file)
+')
+
+########################################
+## <summary>
+## Execute test files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_filetrans_named_content',`
+ gen_require(`
+ type man_t;
+ ')
+ files_var_filetrans($1, man_t, dir, "man")
')
########################################
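Review bot: `miscfiles_filetrans_named_content` is summarised as `Execute test files.`, which has nothing to do with its body: `files_var_filetrans($1, man_t, dir, "man")` makes a directory named `man` that the domain creates under `/var` receive the `man_t` type. Replace the summary with `## Label a directory named "man" created in /var as man_t.` The interface name promises a generic collection of named transitions while only one is present; that is fine if more are expected, but the description should say so, and it should also mention that callers need their own `files_search_var`/directory write rights, which this interface does not grant.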
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 703944c..1d3a6a9 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.9.0)
#
# Declarations
#
-
attribute cert_type;
#
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index 532181a..2410551 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -10,10 +10,8 @@ ifdef(`distro_gentoo',`
')
/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
-/lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
-/lib64/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0)
/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 9c0faab..5d93844 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -12,7 +12,7 @@
#
interface(`modutils_getattr_module_deps',`
gen_require(`
- type modules_dep_t;
+ type modules_dep_t, modules_object_t;
')
getattr_files_pattern($1, modules_object_t, modules_dep_t)
@@ -39,6 +39,26 @@ interface(`modutils_read_module_deps',`
########################################
## <summary>
+## list the configuration options used when
+## loading modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`modutils_list_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+########################################
+## <summary>
## Read the configuration options used when
## loading modules.
## </summary>
@@ -152,13 +172,7 @@ interface(`modutils_domtrans_insmod_uncond',`
## </param>
#
interface(`modutils_domtrans_insmod',`
- gen_require(`
- bool secure_mode_insmod;
- ')
-
- if (!secure_mode_insmod) {
- modutils_domtrans_insmod_uncond($1)
- }
+ modutils_domtrans_insmod_uncond($1)
')
########################################
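Review bot: `modutils_domtrans_insmod` no longer consults `secure_mode_insmod`, so every caller can transition into `insmod_t` unconditionally; if the boolean is still declared elsewhere (in the reference policy it lives in kernel.te with the description "Disable transitions to insmod" — confirm whether this patch removes it there as well), `setsebool secure_mode_insmod on` becomes a no-op that gives administrators false assurance. Either remove the boolean and its description in the same change, or keep the conditional in this interface. At minimum add a comment here, e.g. `# secure_mode_insmod is no longer honoured; transitions to insmod_t are unconditional`, so the behaviour change is discoverable.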
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index a0eef20..406f160 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,9 +1,5 @@
policy_module(modutils, 1.10.1)
-gen_require(`
- bool secure_mode_insmod;
-')
-
########################################
#
# Declarations
@@ -18,11 +14,12 @@ type insmod_t;
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
mls_file_write_all_levels(insmod_t)
+mls_process_write_down(insmod_t)
role system_r types insmod_t;
# module loading config
type modules_conf_t;
-files_type(modules_conf_t)
+files_config_file(modules_conf_t)
# module dependencies
type modules_dep_t;
@@ -36,6 +33,9 @@ role system_r types update_modules_t;
type update_modules_tmp_t;
files_tmp_file(update_modules_tmp_t)
+type insmod_tmpfs_t;
+files_tmpfs_file(insmod_tmpfs_t)
+
########################################
#
# depmod local policy
@@ -55,12 +55,15 @@ corecmd_search_bin(depmod_t)
domain_use_interactive_fds(depmod_t)
+files_delete_kernel_modules(depmod_t)
files_read_kernel_symbol_table(depmod_t)
files_read_kernel_modules(depmod_t)
files_read_etc_runtime_files(depmod_t)
files_read_etc_files(depmod_t)
files_read_usr_src_files(depmod_t)
files_list_usr(depmod_t)
+files_append_var_files(depmod_t)
+files_read_boot_files(depmod_t)
fs_getattr_xattr_fs(depmod_t)
@@ -70,10 +73,11 @@ init_use_fds(depmod_t)
init_use_script_fds(depmod_t)
init_use_script_ptys(depmod_t)
-userdom_use_user_terminals(depmod_t)
+userdom_use_inherited_user_terminals(depmod_t)
# Read System.map from home directories.
files_list_home(depmod_t)
userdom_read_user_home_content_files(depmod_t)
+userdom_manage_user_tmp_files(depmod_t)
ifdef(`distro_ubuntu',`
optional_policy(`
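Review bot: `userdom_manage_user_tmp_files(depmod_t)` gives depmod create/write/delete access to users' `/tmp` files, which is considerably more than the read-only access the neighbouring rule grants for System.map (`userdom_read_user_home_content_files`). If depmod only writes its own temporary output when run by a user, a private tmp type with `files_tmp_filetrans`, or failing that `userdom_rw_user_tmp_files`, would be narrower; otherwise add a comment stating which caller leaves files in user tmp that depmod must manage — confirm. The `userdom_use_inherited_user_terminals` replacement above it is consistent with the rest of the patch.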
@@ -95,7 +99,6 @@ optional_policy(`
')
optional_policy(`
- # Read System.map from home directories.
unconfined_domain(depmod_t)
')
@@ -104,11 +107,12 @@ optional_policy(`
# insmod local policy
#
-allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
+allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config };
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket create_socket_perms;
allow insmod_t self:rawip_socket create_socket_perms;
+allow insmod_t self:shm create_shm_perms;
# Read module config and dependency information
list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
@@ -118,6 +122,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
can_exec(insmod_t, insmod_exec_t)
+manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)
+fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)
+
kernel_load_module(insmod_t)
kernel_request_load_module(insmod_t)
kernel_read_system_state(insmod_t)
@@ -126,6 +133,7 @@ kernel_write_proc_files(insmod_t)
kernel_mount_debugfs(insmod_t)
kernel_mount_kvmfs(insmod_t)
kernel_read_debugfs(insmod_t)
+kernel_request_load_module(insmod_t)
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
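Review bot: `kernel_request_load_module(insmod_t)` is added here although the identical rule already appears a few lines above, right after `kernel_load_module(insmod_t)` in the previous hunk, so this is a duplicate. Remove the new line. If the intent was to note that insmod itself can trigger nested module loads, put that as a comment on the existing rule instead.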
@@ -143,6 +151,7 @@ dev_rw_agp(insmod_t)
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
+dev_create_generic_chr_files(insmod_t)
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
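Review bot: `dev_create_generic_chr_files(insmod_t)`, together with the `mknod` capability added to `insmod_t` earlier in this patch, lets the module loader create arbitrary character device nodes carrying the generic `device_t` type, and nothing says which device this is for. Identify the node and label it through a `dev_filetrans` to a specific device type rather than leaving it generic, or add a comment such as `# modprobe creates /dev/<name> for <driver> — confirm` so the grant can be revisited.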
@@ -161,11 +170,18 @@ files_write_kernel_modules(insmod_t)
fs_getattr_xattr_fs(insmod_t)
fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
+fs_mount_rpc_pipefs(insmod_t)
+fs_search_rpc(insmod_t)
+
+auth_use_nsswitch(insmod_t)
init_rw_initctl(insmod_t)
init_use_fds(insmod_t)
init_use_script_fds(insmod_t)
init_use_script_ptys(insmod_t)
+init_spec_domtrans_script(insmod_t)
+init_rw_script_tmp_files(insmod_t)
+init_dontaudit_getattr_stream_socket(insmod_t)
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
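Review bot: `init_spec_domtrans_script(insmod_t)` lets the module loader execute init scripts and transition into the init-script domain, which is an escalation path for anything that can reach `insmod_t` — and with this patch `modutils_domtrans_insmod` no longer gates that on `secure_mode_insmod`. The reason is not recorded; presumably a module `install`/`remove` hook in modprobe.conf starts a service — confirm — and a comment above the line should say so, e.g. `# modprobe install= hooks may run init scripts`. `fs_mount_rpc_pipefs(insmod_t)` likewise deserves a note (likely the sunrpc module's install hook) so these mount and transition rights are not mistaken for general-purpose grants.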
@@ -174,41 +190,38 @@ miscfiles_read_localization(insmod_t)
seutil_read_file_contexts(insmod_t)
-userdom_use_user_terminals(insmod_t)
-
+term_use_all_inherited_terms(insmod_t)
userdom_dontaudit_search_user_home_dirs(insmod_t)
-if( ! secure_mode_insmod ) {
- kernel_domtrans_to(insmod_t, insmod_exec_t)
-}
+kernel_domtrans_to(insmod_t, insmod_exec_t)
optional_policy(`
alsa_domtrans(insmod_t)
')
optional_policy(`
- firstboot_dontaudit_rw_pipes(insmod_t)
- firstboot_dontaudit_rw_stream_sockets(insmod_t)
+ devicekit_use_fds_disk(insmod_t)
+ devicekit_dontaudit_read_pid_files(insmod_t)
')
optional_policy(`
- hal_write_log(insmod_t)
+ firstboot_dontaudit_leaks(insmod_t)
')
optional_policy(`
- hotplug_search_config(insmod_t)
+ firewallgui_dontaudit_rw_pipes(insmod_t)
')
optional_policy(`
- mount_domtrans(insmod_t)
+ hal_write_log(insmod_t)
')
optional_policy(`
- nis_use_ypbind(insmod_t)
+ hotplug_search_config(insmod_t)
')
optional_policy(`
- nscd_socket_use(insmod_t)
+ mount_domtrans(insmod_t)
')
optional_policy(`
@@ -236,6 +249,10 @@ optional_policy(`
')
optional_policy(`
+ virt_dontaudit_write_pipes(insmod_t)
+')
+
+optional_policy(`
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
@@ -296,7 +313,7 @@ logging_send_syslog_msg(update_modules_t)
miscfiles_read_localization(update_modules_t)
-userdom_use_user_terminals(update_modules_t)
+userdom_use_inherited_user_terminals(update_modules_t)
userdom_dontaudit_search_user_home_dirs(update_modules_t)
ifdef(`distro_gentoo',`
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index 72c746e..704d2d7 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -1,4 +1,16 @@
+/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
+/dev/\.mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+
+/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+
+/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
+/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0)
+
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
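Review bot: `/var/cache/davfs2(/.*)?` is given `mount_var_run_t`, a type that mount.te declares with `files_pid_file`, although cache contents are not runtime/pid data and are expected to persist across boots; a dedicated type, or at least a comment explaining why the davfs2 cache shares the pid-file type, would keep the labeling reviewable. Both `fusermount` paths also move from `mount_exec_t` to the new `fusermount_exec_t`, so any other module that only has `mount_exec_t` execute access for fusermount callers presumably loses it and should switch to the new `mount_exec_fusermount` interface.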
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 8b5c196..da41726 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,12 @@ interface(`mount_domtrans',`
')
domtrans_pattern($1, mount_exec_t, mount_t)
+ mount_domtrans_fusermount($1)
+
+ allow $1 mount_t:fd use;
+ ps_process_pattern(mount_t, $1)
+
+ allow mount_t $1:unix_stream_socket { read write };
')
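Review bot: The three rules added after `mount_domtrans_fusermount($1)` (`allow $1 mount_t:fd use;`, `ps_process_pattern(mount_t, $1)`, `allow mount_t $1:unix_stream_socket { read write };`) duplicate exactly what `mount_domtrans_fusermount` itself grants later in this file, so they can be dropped here. Note also that `ps_process_pattern(mount_t, $1)` lets the mount domain read the caller's process state, the reverse of the usual direction for a domtrans interface; a short comment naming the program that needs it would help reviewers. The interface `mount_domtrans` begins before this hunk.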
########################################
@@ -45,12 +51,77 @@ interface(`mount_run',`
role $2 types mount_t;
optional_policy(`
- samba_run_smbmount($1, $2)
+ fstools_run(mount_t, $2)
+ ')
+
+ # Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
+ optional_policy(`
+ lvm_run(mount_t, $2)
+ ')
+
+ optional_policy(`
+ modutils_run_insmod(mount_t, $2)
+ ')
+
+ optional_policy(`
+ rpc_run_rpcd(mount_t, $2)
+ ')
+
+ optional_policy(`
+ samba_run_smbmount(mount_t, $2)
')
')
########################################
## <summary>
+## Execute fusermount in the mount domain, and
+## allow the specified role the mount domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the mount domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mount_run_fusermount',`
+ gen_require(`
+ type mount_t;
+ ')
+
+ mount_domtrans_fusermount($1)
+ role $2 types mount_t;
+
+ fstools_run(mount_t, $2)
+')
+
+########################################
+## <summary>
+## Read mount PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_read_pid_files',`
+ gen_require(`
+ type mount_var_run_t;
+ ')
+
+ allow $1 mount_var_run_t:file read_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
## Execute mount in the caller domain.
## </summary>
## <param name="domain">
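Review bot: `mount_run_fusermount` calls `fstools_run(mount_t, $2)` unconditionally, whereas the identical call in `mount_run` just above is wrapped in optional_policy(); in a modular build without the fstools module the unwrapped call will fail to link, so it should be wrapped the same way. `mount_run` now also gives role $2 the fstools, lvm, insmod, rpcd and smbmount domains in addition to mount_t, which is considerably more than its summary states; the summary should mention that the role gains those helper domains so callers can judge what they are handing out.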
@@ -95,7 +166,7 @@ interface(`mount_signal',`
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -135,45 +206,119 @@ interface(`mount_send_nfs_client_request',`
########################################
## <summary>
-## Execute mount in the unconfined mount domain.
+## Read the mount tmp directory
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`mount_domtrans_unconfined',`
+interface(`mount_list_tmp',`
gen_require(`
- type unconfined_mount_t, mount_exec_t;
+ type mount_tmp_t;
')
- domtrans_pattern($1, mount_exec_t, unconfined_mount_t)
+ allow $1 mount_tmp_t:dir list_dir_perms;
')
########################################
## <summary>
-## Execute mount in the unconfined mount domain, and
-## allow the specified role the unconfined mount domain,
-## and use the caller's terminal.
+## Execute fusermount in the mount domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed to transition.
+## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`mount_domtrans_fusermount',`
+ gen_require(`
+ type mount_t, fusermount_exec_t;
+ ')
+
+ domtrans_pattern($1, fusermount_exec_t, mount_t)
+ ps_process_pattern(mount_t, $1)
+
+ allow mount_t $1:unix_stream_socket { read write };
+ allow $1 mount_t:fd use;
+')
+
+########################################
+## <summary>
+## Execute fusermount.
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_exec_fusermount',`
+ gen_require(`
+ type fusermount_exec_t;
+ ')
+
+ can_exec($1, fusermount_exec_t)
+')
+
+########################################
+## <summary>
+## dontaudit Execute fusermount.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`mount_run_unconfined',`
+interface(`mount_dontaudit_exec_fusermount',`
gen_require(`
- type unconfined_mount_t;
+ type fusermount_exec_t;
')
- mount_domtrans_unconfined($1)
- role $2 types unconfined_mount_t;
+ dontaudit $1 fusermount_exec_t:file exec_file_perms;
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run showmount.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mount_domtrans_showmount',`
+ gen_require(`
+ type showmount_t, showmount_exec_t;
+ ')
+
+ domtrans_pattern($1, showmount_exec_t, showmount_t)
+')
+
+######################################
+## <summary>
+## Execute showmount in the showmount domain, and
+## allow the specified role the showmount domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the showmount domain.
+## </summary>
+## </param>
+#
+interface(`mount_run_showmount',`
+ gen_require(`
+ type showmount_t;
+ ')
+
+ mount_domtrans_showmount($1)
+ role $2 types showmount_t;
')
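Review bot: The summary of `mount_domtrans_fusermount` says only "Execute fusermount in the mount domain", but the interface also grants `ps_process_pattern(mount_t, $1)` and `allow mount_t $1:unix_stream_socket { read write };`, i.e. the mount domain gets read access to the caller's process state and read/write on the caller's stream sockets; interface documentation is what callers rely on, so the summary should list these extra grants. Similarly `mount_list_tmp` is documented as "Read the mount tmp directory" while it grants `list_dir_perms` only; `## List the mount tmp directory.` is the accurate wording.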
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 15832c7..2e0bdd4 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,17 +17,29 @@ type mount_exec_t;
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
+type fusermount_exec_t;
+domain_entry_file(mount_t, fusermount_exec_t)
+
+typealias mount_t alias mount_ntfs_t;
+typealias mount_exec_t alias mount_ntfs_exec_t;
+
type mount_loopback_t; # customizable
files_type(mount_loopback_t)
+typealias mount_loopback_t alias mount_loop_t;
type mount_tmp_t;
files_tmp_file(mount_tmp_t)
-# causes problems with interfaces when
-# this is optionally declared in monolithic
-# policy--duplicate type declaration
-type unconfined_mount_t;
-application_domain(unconfined_mount_t, mount_exec_t)
+type mount_var_run_t;
+files_pid_file(mount_var_run_t)
+dev_associate(mount_var_run_t)
+
+# showmount - show mount information for an NFS server
+
+type showmount_t;
+type showmount_exec_t;
+application_domain(showmount_t, showmount_exec_t)
+role system_r types showmount_t;
########################################
#
@@ -35,7 +47,11 @@ application_domain(unconfined_mount_t, mount_exec_t)
#
# setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
+allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal };
+allow mount_t self:fifo_file rw_fifo_file_perms;
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
+allow mount_t self:unix_dgram_socket create_socket_perms;
allow mount_t mount_loopback_t:file read_file_perms;
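Review bot: `setpcap`, `dac_read_search`, `sys_resource`, `fowner`, `fsetid` and `self:process { ptrace setcap setrlimit }` are added to mount_t with no comment on what needs them, unlike the existing `# setuid/setgid needed to mount cifs` note. Since this commit also makes `fusermount_exec_t` an entry point into mount_t (earlier hunk in this file), every domain granted `mount_domtrans_fusermount` can now reach this capability set, so a per-capability comment such as `# setcap/setpcap: needed by <PROGRAM-PLACEHOLDER> — TODO confirm` would make the widening reviewable and revertable later.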
@@ -46,9 +62,24 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
+manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
+manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
+files_pid_filetrans(mount_t,mount_var_run_t,dir)
+files_var_filetrans(mount_t,mount_var_run_t,dir)
+dev_filetrans(mount_t, mount_var_run_t, dir)
+
+# In order to mount reiserfs_t
+kernel_dontaudit_getattr_core_if(mount_t)
+kernel_list_unlabeled(mount_t)
+kernel_mount_unlabeled(mount_t)
+kernel_unmount_unlabeled(mount_t)
kernel_read_system_state(mount_t)
+kernel_read_network_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
-kernel_dontaudit_getattr_core_if(mount_t)
+kernel_manage_debugfs(mount_t)
+kernel_setsched(mount_t)
+kernel_use_fds(mount_t)
+kernel_request_load_module(mount_t)
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
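Review bot: The added `kernel_request_load_module(mount_t)` duplicates a call that the next hunk header shows already exists in this file (`@@ -57,65 +88,93 @@ kernel_request_load_module(mount_t)`); one of the two should go. The new `manage_dirs_pattern`, `manage_files_pattern`, `files_pid_filetrans` and `files_var_filetrans` lines omit the space after commas that the rest of the file uses (compare `dev_filetrans(mount_t, mount_var_run_t, dir)` on the following line), so format them consistently. `files_var_filetrans(mount_t,mount_var_run_t,dir)` also labels any directory mount_t creates directly under /var as a pid-file type; if it is only meant for a non-symlinked /var/run, a comment saying so would help.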
@@ -57,65 +88,93 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
+dev_getattr_generic_blk_files(mount_t)
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
+dev_read_usbfs(mount_t)
+dev_read_rand(mount_t)
dev_read_sysfs(mount_t)
dev_dontaudit_write_sysfs_dirs(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)
+
+ifdef(`hide_broken_symptoms',`
+ dev_rw_generic_blk_files(mount_t)
+')
+
# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(mount_t)
domain_use_interactive_fds(mount_t)
+domain_dontaudit_search_all_domains_state(mount_t)
files_search_all(mount_t)
files_read_etc_files(mount_t)
+files_read_etc_runtime_files(mount_t)
files_manage_etc_runtime_files(mount_t)
files_etc_filetrans_etc_runtime(mount_t, file)
+# for when /etc/mtab loses its type
+files_delete_etc_files(mount_t)
files_mounton_all_mountpoints(mount_t)
+files_setattr_all_mountpoints(mount_t)
+# ntfs-3g checks whether the mountpoint is writable before mounting
+files_write_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
+
# These rules need to be generalized. Only admin, initrc should have it:
-files_relabelto_all_file_type_fs(mount_t)
+files_relabel_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
-# for when /etc/mtab loses its type
-# cjp: this seems wrong, the type should probably be etc
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
+files_write_all_dirs(mount_t)
files_dontaudit_write_root_dirs(mount_t)
-fs_getattr_xattr_fs(mount_t)
-fs_getattr_cifs(mount_t)
+fs_list_all(mount_t)
+fs_getattr_all_fs(mount_t)
fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
-fs_list_auto_mountpoints(mount_t)
+fs_rw_anon_inodefs_files(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
+fs_rw_nfsd_fs(mount_t)
+fs_rw_removable_blk_files(mount_t)
+#fs_manage_tmpfs_dirs(mount_t)
fs_read_tmpfs_symlinks(mount_t)
+fs_read_fusefs_files(mount_t)
+fs_manage_nfs_dirs(mount_t)
+fs_read_nfs_symlinks(mount_t)
+fs_manage_cgroup_dirs(mount_t)
+fs_manage_cgroup_files(mount_t)
fs_dontaudit_write_tmpfs_dirs(mount_t)
-mls_file_read_all_levels(mount_t)
-mls_file_write_all_levels(mount_t)
+mls_file_read_to_clearance(mount_t)
+mls_file_write_to_clearance(mount_t)
+mls_process_write_to_clearance(mount_t)
selinux_get_enforce_mode(mount_t)
+selinux_mounton_fs(mount_t)
storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
+storage_rw_fuse(mount_t)
-term_use_all_terms(mount_t)
+term_use_all_inherited_terms(mount_t)
auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
+init_stream_connect_script(mount_t)
+init_rw_script_stream_sockets(mount_t)
logging_send_syslog_msg(mount_t)
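Review bot: `files_write_all_dirs(mount_t)`, `files_write_all_mountpoints(mount_t)` and `files_relabel_all_file_type_fs(mount_t)` (relabel in both directions, replacing the previous relabelto-only grant) are broad additions with no justification, whereas the nearby `# ntfs-3g checks whether the mountpoint is writable before mounting` shows the style this file expects; each should carry a comment naming the case that needs it. The existing `# These rules need to be generalized. Only admin, initrc should have it:` note becomes more pressing now that relabelfrom is included. The commented-out `#fs_manage_tmpfs_dirs(mount_t)` should be deleted rather than left in place.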
@@ -126,6 +185,12 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
+userdom_manage_user_home_content_dirs(mount_t)
+userdom_read_user_home_content_symlinks(mount_t)
+
+optional_policy(`
+ abrt_rw_fifo_file(mount_t)
+')
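Review bot: `userdom_manage_user_home_content_dirs(mount_t)` lets the system mount domain create and delete directories anywhere in user home content, with no comment on why. If this is for mounting onto mountpoints inside home directories, a note like `# mountpoints under user home dirs — TODO confirm` would record the intent, and it is worth checking whether the mounton access already granted via `files_mounton_all_mountpoints(mount_t)` earlier in this file is sufficient.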
ifdef(`distro_redhat',`
optional_policy(`
@@ -141,26 +206,28 @@ ifdef(`distro_ubuntu',`
')
')
+corecmd_exec_shell(mount_t)
+
tunable_policy(`allow_mount_anyfile',`
- auth_read_all_dirs_except_shadow(mount_t)
- auth_read_all_files_except_shadow(mount_t)
+ files_read_non_security_files(mount_t)
files_mounton_non_security(mount_t)
+ files_rw_all_inherited_files(mount_t)
')
optional_policy(`
# for nfs
corenet_all_recvfrom_unlabeled(mount_t)
corenet_all_recvfrom_netlabel(mount_t)
- corenet_tcp_sendrecv_all_if(mount_t)
- corenet_raw_sendrecv_all_if(mount_t)
- corenet_udp_sendrecv_all_if(mount_t)
- corenet_tcp_sendrecv_all_nodes(mount_t)
- corenet_raw_sendrecv_all_nodes(mount_t)
- corenet_udp_sendrecv_all_nodes(mount_t)
+ corenet_tcp_sendrecv_generic_if(mount_t)
+ corenet_raw_sendrecv_generic_if(mount_t)
+ corenet_udp_sendrecv_generic_if(mount_t)
+ corenet_tcp_sendrecv_generic_node(mount_t)
+ corenet_raw_sendrecv_generic_node(mount_t)
+ corenet_udp_sendrecv_generic_node(mount_t)
corenet_tcp_sendrecv_all_ports(mount_t)
corenet_udp_sendrecv_all_ports(mount_t)
- corenet_tcp_bind_all_nodes(mount_t)
- corenet_udp_bind_all_nodes(mount_t)
+ corenet_tcp_bind_generic_node(mount_t)
+ corenet_udp_bind_generic_node(mount_t)
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
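Review bot: `corecmd_exec_shell(mount_t)` is placed between the distro-specific blocks and the `allow_mount_anyfile` tunable, away from `corecmd_exec_bin(mount_t)` earlier in the file with its `# required for mount.smbfs` note; move it next to that call and comment which mount helper needs a shell. Within the tunable, `files_rw_all_inherited_files(mount_t)` is new and broad; a comment tying it to what the tunable is meant to allow would help.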
@@ -174,6 +241,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
+
+ rpc_domtrans_rpcd(mount_t)
')
optional_policy(`
@@ -181,6 +250,28 @@ optional_policy(`
')
optional_policy(`
+ cron_system_entry(mount_t, mount_exec_t)
+')
+
+optional_policy(`
+ devicekit_read_state_power(mount_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(mount_t)
+
+ optional_policy(`
+ hal_dbus_chat(mount_t)
+ ')
+')
+
+optional_policy(`
+ hal_write_log(mount_t)
+ hal_use_fds(mount_t)
+ hal_dontaudit_rw_pipes(mount_t)
+')
+
+optional_policy(`
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
@@ -188,21 +279,83 @@ optional_policy(`
')
')
+optional_policy(`
+ livecd_rw_tmp_files(mount_t)
+')
+
+# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
+optional_policy(`
+ lvm_domtrans(mount_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(mount_t)
+')
+
+optional_policy(`
+ fstools_domtrans(mount_t)
+')
+
+optional_policy(`
+ rhcs_stream_connect_gfs_controld(mount_t)
+')
+
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
+ rpm_dontaudit_leaks(mount_t)
')
optional_policy(`
samba_domtrans_smbmount(mount_t)
+ samba_read_config(mount_t)
')
-########################################
-#
-# Unconfined mount local policy
-#
+optional_policy(`
+ ssh_exec(mount_t)
+')
optional_policy(`
- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
- unconfined_domain(unconfined_mount_t)
+ usbmuxd_stream_connect(mount_t)
')
+
+optional_policy(`
+ virt_read_blk_images(mount_t)
+')
+
+optional_policy(`
+ vmware_exec_host(mount_t)
+')
+
+######################################
+#
+# showmount local policy
+#
+
+allow showmount_t self:tcp_socket create_stream_socket_perms;
+allow showmount_t self:udp_socket create_socket_perms;
+
+kernel_read_system_state(showmount_t)
+
+corenet_all_recvfrom_unlabeled(showmount_t)
+corenet_all_recvfrom_netlabel(showmount_t)
+corenet_tcp_sendrecv_generic_if(showmount_t)
+corenet_udp_sendrecv_generic_if(showmount_t)
+corenet_tcp_sendrecv_generic_node(showmount_t)
+corenet_udp_sendrecv_generic_node(showmount_t)
+corenet_tcp_sendrecv_all_ports(showmount_t)
+corenet_udp_sendrecv_all_ports(showmount_t)
+corenet_tcp_bind_generic_node(showmount_t)
+corenet_udp_bind_generic_node(showmount_t)
+corenet_tcp_bind_all_rpc_ports(showmount_t)
+corenet_udp_bind_all_rpc_ports(showmount_t)
+corenet_tcp_connect_all_ports(showmount_t)
+
+files_read_etc_files(showmount_t)
+files_read_etc_runtime_files(showmount_t)
+
+miscfiles_read_localization(showmount_t)
+
+sysnet_dns_name_resolve(showmount_t)
+
+userdom_use_inherited_user_terminals(showmount_t)
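Review bot: `corenet_tcp_connect_all_ports(showmount_t)` is wider than showmount appears to need: it is an RPC client of mountd and the portmapper, and the rpc port attribute already used by `corenet_tcp_bind_all_rpc_ports(showmount_t)` two lines above suggests `corenet_tcp_connect_all_rpc_ports(showmount_t)` together with the portmapper port would suffice — confirm against actual denials before narrowing. With the unconfined mount block removed, any other module still referencing `unconfined_mount_t` will no longer build; worth a grep before merging.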
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
index cbbda4a..8dcc346 100644
--- a/policy/modules/system/netlabel.te
+++ b/policy/modules/system/netlabel.te
@@ -23,6 +23,11 @@ kernel_read_network_state(netlabel_mgmt_t)
files_read_etc_files(netlabel_mgmt_t)
+term_use_all_inherited_terms(netlabel_mgmt_t)
+
seutil_use_newrole_fds(netlabel_mgmt_t)
-userdom_use_user_terminals(netlabel_mgmt_t)
+term_use_all_terms(netlabel_mgmt_t)
+
+userdom_use_inherited_user_terminals(netlabel_mgmt_t)
+
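Review bot: `term_use_all_terms(netlabel_mgmt_t)` grants read/write on every terminal type, which subsumes both `term_use_all_inherited_terms(netlabel_mgmt_t)` and `userdom_use_inherited_user_terminals(netlabel_mgmt_t)` added in the same hunk, and is wider than the removed `userdom_use_user_terminals` since it allows opening arbitrary ttys rather than only inherited ones. Keep only the inherited variants unless netlabelctl genuinely must open terminals itself. The two trailing blank lines added at the end of the file should also be dropped.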
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
index 4d06ae3..e81b7ac 100644
--- a/policy/modules/system/pcmcia.te
+++ b/policy/modules/system/pcmcia.te
@@ -62,9 +62,8 @@ dev_read_urand(cardmgr_t)
domain_use_interactive_fds(cardmgr_t)
# Read /proc/PID directories for all domains (for fuser).
-domain_read_confined_domains_state(cardmgr_t)
-domain_getattr_confined_domains(cardmgr_t)
-domain_dontaudit_ptrace_confined_domains(cardmgr_t)
+domain_read_all_domains_state(cardmgr_t)
+domain_dontaudit_ptrace_all_domains(cardmgr_t)
# cjp: these look excessive:
domain_dontaudit_getattr_all_pipes(cardmgr_t)
domain_dontaudit_getattr_all_sockets(cardmgr_t)
@@ -98,18 +97,20 @@ logging_send_syslog_msg(cardmgr_t)
miscfiles_read_localization(cardmgr_t)
-modutils_domtrans_insmod(cardmgr_t)
-
sysnet_domtrans_ifconfig(cardmgr_t)
# for /etc/resolv.conf
sysnet_etc_filetrans_config(cardmgr_t)
sysnet_manage_config(cardmgr_t)
-userdom_use_user_terminals(cardmgr_t)
+userdom_use_inherited_user_terminals(cardmgr_t)
userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
userdom_dontaudit_search_user_home_dirs(cardmgr_t)
optional_policy(`
+ modutils_domtrans_insmod(cardmgr_t)
+')
+
+optional_policy(`
seutil_dontaudit_read_config(cardmgr_t)
seutil_sigchld_newrole(cardmgr_t)
')
diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
index ed9c70d..7a6f23a 100644
--- a/policy/modules/system/raid.fc
+++ b/policy/modules/system/raid.fc
@@ -1,6 +1,13 @@
-/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
+/dev/.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0)
+/dev/md(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
+#669402
+/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
+
+/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
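Review bot: `/dev/.mdadm\.map` escapes the second dot but not the first, so `/dev/.` still matches any character; write it as `/dev/\.mdadm\.map`, as the mount.fc hunk earlier in this patch does for `/dev/\.mount`. The bare `#669402` comment above the iprdump entry should say what it refers to (e.g. `# ipr RAID utilities run in the mdadm domain, bug 669402`), and the three `/usr/sbin/ipr*` entries belong together rather than split around the mdadm lines.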
diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if
index b1a85b5..db0d815 100644
--- a/policy/modules/system/raid.if
+++ b/policy/modules/system/raid.if
@@ -47,6 +47,24 @@ interface(`raid_run_mdadm',`
########################################
## <summary>
+## read the mdadm pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`raid_read_mdadm_pid',`
+ gen_require(`
+ type mdadm_var_run_t;
+ ')
+
+ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete the mdadm pid files.
## </summary>
## <desc>
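Review bot: `raid_read_mdadm_pid` grants `read_files_pattern` only; unlike `mount_read_pid_files` in this same patch it does not call `files_search_pids($1)`, so a caller with no other access to /var/run cannot reach the files. Since raid.te now also creates `mdadm_var_run_t` directories, the body should be `files_search_pids($1)` followed by `read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)`. The summary should also be capitalised like the neighbouring interfaces: `## Read the mdadm pid files.`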
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index a19ecea..99c4da1 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -10,11 +10,9 @@ type mdadm_exec_t;
init_daemon_domain(mdadm_t, mdadm_exec_t)
role system_r types mdadm_t;
-type mdadm_map_t;
-files_type(mdadm_map_t)
-
-type mdadm_var_run_t;
+type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
+dev_associate(mdadm_var_run_t)
########################################
#
@@ -23,18 +21,19 @@ files_pid_file(mdadm_var_run_t)
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
dontaudit mdadm_t self:capability sys_tty_config;
-allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
+allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
+allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
-# create .mdadm files in /dev
-allow mdadm_t mdadm_map_t:file manage_file_perms;
-dev_filetrans(mdadm_t, mdadm_map_t, file)
-
+manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
-files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
+manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
+files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
+dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
kernel_read_system_state(mdadm_t)
kernel_read_kernel_sysctls(mdadm_t)
+kernel_request_load_module(mdadm_t)
kernel_rw_software_raid_state(mdadm_t)
kernel_getattr_core_if(mdadm_t)
@@ -52,13 +51,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
dev_read_realtime_clock(mdadm_t)
# unfortunately needed for DMI decoding:
dev_read_raw_memory(mdadm_t)
+dev_read_generic_files(mdadm_t)
domain_use_interactive_fds(mdadm_t)
files_read_etc_files(mdadm_t)
files_read_etc_runtime_files(mdadm_t)
+files_dontaudit_getattr_tmpfs_files(mdadm_t)
-fs_search_auto_mountpoints(mdadm_t)
+fs_list_hugetlbfs(mdadm_t)
+fs_list_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
mls_file_read_all_levels(mdadm_t)
@@ -68,6 +70,7 @@ mls_file_write_all_levels(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_dev_filetrans_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
+storage_write_scsi_generic(mdadm_t)
term_dontaudit_list_ptys(mdadm_t)
@@ -84,6 +87,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
mta_send_mail(mdadm_t)
optional_policy(`
+ cron_system_entry(mdadm_t, mdadm_exec_t)
+')
+
+optional_policy(`
gpm_dontaudit_getattr_gpmctl(mdadm_t)
')
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 2cc4bda..167c358 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -6,13 +6,13 @@
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
-/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
-/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0)
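Review bot: The `policy(/.*)?` path is relabeled from `policy_config_t` at `mls_systemhigh` to `semanage_store_t` at `s0`, yet `seutil_semanage_policy` later in this patch still requires `policy_config_t` and grants `allow $1 policy_config_t:file { read write };`; either that interface should be updated to the new type, or a comment should say where `policy_config_t` files still live. Dropping `mls_systemhigh` on `seusers`, `users` and the policy directory also makes those files readable by s0 processes on an MLS build; if that is intended, the commit message should mention it.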
#
# /root
@@ -32,17 +32,26 @@
/usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0)
/usr/bin/newrole -- gen_context(system_u:object_r:newrole_exec_t,s0)
-/usr/lib(64)?/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
+/usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
-/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0)
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/share/system-config-selinux/system-config-selinux-dbus\.py -- gen_context(system_u:object_r:semanage_exec_t,s0)
#
# /var/run
#
/var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
+
+#
+# /var/lib
+#
+/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0)
+
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
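Review bot: `/etc/share/selinux/targeted(/.*)?` and `/etc/share/selinux/mls(/.*)?` look like a typo for `/usr/share/selinux/...`, where policy packages are normally installed; as written the two entries will never match anything. Replacing `/usr/lib(64)?/selinux(/.*)?` with `/usr/lib/selinux(/.*)?` drops the lib64 match, which should be confirmed as intentional. `selinux_var_lib_t` is a new type and must be declared in selinuxutil.te, which is not visible here.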
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 170e2c7..b85fc73 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -199,6 +199,10 @@ interface(`seutil_run_newrole',`
role $2 types newrole_t;
auth_run_upd_passwd(newrole_t, $2)
+
+ optional_policy(`
+ namespace_init_run(newrole_t, $2)
+ ')
')
########################################
@@ -361,6 +365,27 @@ interface(`seutil_exec_restorecon',`
########################################
## <summary>
+## Execute restorecond in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_exec_restorecond',`
+ gen_require(`
+ type restorecond_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1, restorecond_exec_t)
+')
+
+########################################
+## <summary>
## Execute run_init in the run_init domain.
## </summary>
## <param name="domain">
@@ -545,6 +570,53 @@ interface(`seutil_run_setfiles',`
########################################
## <summary>
+## Execute setfiles in the setfiles domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_domtrans_setfiles_mac',`
+ gen_require(`
+ type setfiles_mac_t, setfiles_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t)
+')
+
+########################################
+## <summary>
+## Execute setfiles in the setfiles_mac domain, and
+## allow the specified role the setfiles_mac domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the setfiles_mac domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_run_setfiles_mac',`
+ gen_require(`
+ type setfiles_mac_t;
+ ')
+
+ seutil_domtrans_setfiles_mac($1)
+ role $2 types setfiles_mac_t;
+')
+
+########################################
+## <summary>
## Execute setfiles in the caller domain.
## </summary>
## <param name="domain">
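Review bot: The summary of `seutil_domtrans_setfiles_mac` reads `## Execute setfiles in the setfiles domain.` but the interface transitions to `setfiles_mac_t`; change it to `## Execute setfiles in the setfiles_mac domain.` so callers can tell the two domtrans interfaces apart. Because both transitions use the same `setfiles_exec_t` entry file, a caller that uses `seutil_domtrans_setfiles` and this interface together would declare two type transitions for one source/entrypoint pair, which the policy compiler rejects; a comment stating that the two are mutually exclusive would save callers a build error.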
@@ -690,6 +762,7 @@ interface(`seutil_manage_config',`
')
files_search_etc($1)
+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')
@@ -756,6 +829,29 @@ interface(`seutil_read_default_contexts',`
read_files_pattern($1, default_context_t, default_context_t)
')
+#######################################
+## <summary>
+## Read and write the default_contexts files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_rw_default_contexts',`
+ gen_require(`
+ type default_context_t;
+ type selinux_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir list_dir_perms;
+ allow $1 default_context_t:dir list_dir_perms;
+ rw_files_pattern($1, default_context_t, default_context_t)
+')
+
########################################
## <summary>
## Create, read, write, and delete the default_contexts files.
@@ -1009,6 +1105,26 @@ interface(`seutil_domtrans_semanage',`
########################################
## <summary>
+## Execute a domain transition to run setsebool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seutil_domtrans_setsebool',`
+ gen_require(`
+ type setsebool_t, setsebool_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, setsebool_exec_t, setsebool_t)
+')
+
+########################################
+## <summary>
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
@@ -1038,6 +1154,54 @@ interface(`seutil_run_semanage',`
########################################
## <summary>
+## Execute setsebool in the semanage domain, and
+## allow the specified role the semanage domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the setsebool domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_run_setsebool',`
+ gen_require(`
+ type semanage_t;
+ ')
+
+ seutil_domtrans_setsebool($1)
+ role $2 types setsebool_t;
+')
+
+########################################
+## <summary>
+## Full management of the semanage
+## module store.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_read_module_store',`
+ gen_require(`
+ type selinux_config_t, semanage_store_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, selinux_config_t, semanage_store_t)
+ read_files_pattern($1, semanage_store_t, semanage_store_t)
+')
+
+########################################
+## <summary>
## Full management of the semanage
## module store.
## </summary>
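Review bot: `seutil_run_setsebool` declares `type semanage_t;` in its `gen_require` but then uses `setsebool_t` in `role $2 types setsebool_t;`, so the require block names the wrong type and should read `type setsebool_t;`. Its summary likewise says `## Execute setsebool in the semanage domain` while the transition is into the setsebool domain. Further down, `seutil_read_module_store` copies the `## Full management of the semanage module store.` summary from the manage interface although it only grants list and read access; `## Read the semanage module store.` is the accurate wording.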
@@ -1149,3 +1313,198 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
+
+#######################################
+## <summary>
+## All rules necessary to run semanage command
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_semanage_policy',`
+ gen_require(`
+ type semanage_tmp_t;
+ type policy_config_t;
+ ')
+ allow $1 self:capability { dac_override sys_resource };
+ dontaudit $1 self:capability sys_tty_config;
+ allow $1 self:process signal;
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ logging_send_audit_msgs($1)
+
+ # Running genhomedircon requires this for finding all users
+ auth_use_nsswitch($1)
+
+ allow $1 policy_config_t:file { read write };
+
+ allow $1 semanage_tmp_t:dir manage_dir_perms;
+ allow $1 semanage_tmp_t:file manage_file_perms;
+ files_tmp_filetrans($1, semanage_tmp_t, { file dir })
+
+ kernel_read_system_state($1)
+ kernel_read_kernel_sysctls($1)
+
+ corecmd_exec_bin($1)
+ corecmd_exec_shell($1)
+
+ dev_read_urand($1)
+
+ domain_use_interactive_fds($1)
+
+ files_read_etc_files($1)
+ files_read_etc_runtime_files($1)
+ files_read_usr_files($1)
+ files_list_pids($1)
+ fs_list_inotifyfs($1)
+ fs_getattr_all_fs($1)
+
+ mls_file_write_all_levels($1)
+ mls_file_read_all_levels($1)
+
+ selinux_getattr_fs($1)
+ selinux_validate_context($1)
+ selinux_get_enforce_mode($1)
+
+ term_use_all_inherited_terms($1)
+
+ locallogin_use_fds($1)
+
+ logging_send_syslog_msg($1)
+
+ miscfiles_read_localization($1)
+
+ seutil_search_default_contexts($1)
+ seutil_domtrans_loadpolicy($1)
+ seutil_read_config($1)
+ seutil_manage_bin_policy($1)
+ seutil_use_newrole_fds($1)
+ seutil_manage_module_store($1)
+ seutil_get_semanage_trans_lock($1)
+ seutil_get_semanage_read_lock($1)
+
+ userdom_dontaudit_write_user_home_content_files($1)
+')
+
+
+#######################################
+## <summary>
+## All rules necessary to run setfiles command
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_setfiles',`
+
+ gen_require(`
+ type policy_src_t, policy_config_t;
+ type file_context_t, default_context_t;
+ ')
+
+ allow $1 self:capability { dac_override dac_read_search fowner };
+ dontaudit $1 self:capability sys_tty_config;
+ allow $1 self:fifo_file rw_file_perms;
+ dontaudit $1 self:dir relabelfrom;
+ dontaudit $1 self:file relabelfrom;
+ dontaudit $1 self:lnk_file relabelfrom;
+
+
+ allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
+ allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
+ allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
+
+ logging_send_audit_msgs($1)
+
+ kernel_read_system_state($1)
+ kernel_relabelfrom_unlabeled_dirs($1)
+ kernel_relabelfrom_unlabeled_files($1)
+ kernel_relabelfrom_unlabeled_symlinks($1)
+ kernel_relabelfrom_unlabeled_pipes($1)
+ kernel_relabelfrom_unlabeled_sockets($1)
+ kernel_use_fds($1)
+ kernel_rw_pipes($1)
+ kernel_rw_unix_dgram_sockets($1)
+ kernel_dontaudit_list_all_proc($1)
+ kernel_read_all_sysctls($1)
+ kernel_read_network_state_symlinks($1)
+
+ dev_relabel_all_dev_nodes($1)
+
+ domain_use_interactive_fds($1)
+ domain_read_all_domains_state($1)
+
+ files_read_etc_runtime_files($1)
+ files_read_etc_files($1)
+ files_list_all($1)
+ files_relabel_all_files($1)
+ files_list_isid_type_dirs($1)
+ files_read_isid_type_files($1)
+ files_dontaudit_read_all_symlinks($1)
+
+ fs_getattr_xattr_fs($1)
+ fs_list_all($1)
+ fs_getattr_all_files($1)
+ fs_search_auto_mountpoints($1)
+ fs_relabelfrom_noxattr_fs($1)
+
+ mls_file_read_all_levels($1)
+ mls_file_write_all_levels($1)
+ mls_file_upgrade($1)
+ mls_file_downgrade($1)
+
+ selinux_validate_context($1)
+ selinux_compute_access_vector($1)
+ selinux_compute_create_context($1)
+ selinux_compute_relabel_context($1)
+ selinux_compute_user_contexts($1)
+
+ term_use_all_inherited_terms($1)
+
+ # this is to satisfy the assertion:
+ auth_relabelto_shadow($1)
+
+ init_use_fds($1)
+ init_use_script_fds($1)
+ init_use_script_ptys($1)
+ init_exec_script_files($1)
+
+ logging_send_syslog_msg($1)
+
+ miscfiles_read_localization($1)
+
+ seutil_libselinux_linked($1)
+
+ userdom_use_all_users_fds($1)
+ # for config files in a home directory
+ userdom_read_user_home_content_files($1)
+
+ ifdef(`distro_debian',`
+ # udev tmpfs is populated with static device nodes
+ # and then relabeled afterwards; thus
+ # /dev/console has the tmpfs type
+ fs_rw_tmpfs_chr_files($1)
+ ')
+
+ ifdef(`distro_redhat',`
+ fs_rw_tmpfs_chr_files($1)
+ fs_rw_tmpfs_blk_files($1)
+ fs_relabel_tmpfs_blk_file($1)
+ fs_relabel_tmpfs_chr_file($1)
+ ')
+
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain($1)
+ ')
+ ')
+
+ optional_policy(`
+ hotplug_use_fds($1)
+ ')
+')
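Review bot: `seutil_setfiles` makes every caller `unconfined_domain($1)` under `distro_ubuntu`, and unconditionally grants `files_relabel_all_files`, `auth_relabelto_shadow`, `mls_file_upgrade` and `mls_file_downgrade`, so any domain that picks up this interface for "the setfiles rules" also gains full relabel power over all file types including `shadow_t`, and on Ubuntu leaves confinement entirely. The summary should state that, e.g. `## All rules necessary to run setfiles/restorecon: relabel of every file type (including shadow_t) at all MLS levels; on Ubuntu the caller becomes an unconfined domain.` The same applies to `seutil_semanage_policy`, whose summary does not mention that it bundles `seutil_domtrans_loadpolicy`, `seutil_manage_bin_policy` and `mls_file_write_all_levels`, i.e. the ability to rewrite and load the binary policy. Minor: `seutil_setfiles` has stray double blank lines after its header and before the `allow $1 { policy_src_t ...` group.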
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 7ed9819..3ee9ea8 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
type selinux_config_t;
files_type(selinux_config_t)
+type selinux_var_lib_t;
+files_type(selinux_var_lib_t)
+
type checkpolicy_t, can_write_binary_policy;
type checkpolicy_exec_t;
application_domain(checkpolicy_t, checkpolicy_exec_t)
@@ -57,8 +60,13 @@ domain_interactive_fd(newrole_t)
# policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration.
#
-type policy_config_t;
-files_type(policy_config_t)
+#type policy_config_t;
+#files_type(policy_config_t)
+gen_require(`
+ type semanage_store_t;
+')
+
+typealias semanage_store_t alias policy_config_t;
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
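Review bot: Aliasing `policy_config_t` to `semanage_store_t` merges the installed binary policy with the module store, so every domain holding `seutil_manage_module_store` now also writes what used to be `policy_config_t` files, and the surviving `neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto` now constrains relabels of the whole store. That may well be intended, but the `typealias` deserves a comment saying why the two types are collapsed, and noting that the `gen_require` is presumably only there because the alias precedes `type semanage_store_t;` further down this file. The commented-out `#type policy_config_t;` / `#files_type(policy_config_t)` lines should be deleted rather than kept as dead code; the commented-out `neverallow` on `can_write_binary_policy` predates this patch but is worth revisiting now that the store and the policy share a type.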
@@ -74,7 +82,6 @@ type restorecond_t;
type restorecond_exec_t;
init_daemon_domain(restorecond_t, restorecond_exec_t)
domain_obj_id_change_exemption(restorecond_t)
-role system_r types restorecond_t;
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
@@ -88,26 +95,36 @@ role system_r types run_init_t;
type semanage_t;
type semanage_exec_t;
application_domain(semanage_t, semanage_exec_t)
+dbus_system_domain(semanage_t, semanage_exec_t)
domain_interactive_fd(semanage_t)
role system_r types semanage_t;
+type setsebool_t;
+type setsebool_exec_t;
+init_system_domain(setsebool_t, setsebool_exec_t)
+
type semanage_store_t;
files_type(semanage_store_t)
type semanage_read_lock_t;
-files_type(semanage_read_lock_t)
+files_lock_file(semanage_read_lock_t)
type semanage_tmp_t;
files_tmp_file(semanage_tmp_t)
type semanage_trans_lock_t;
-files_type(semanage_trans_lock_t)
+files_lock_file(semanage_trans_lock_t)
type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
type setfiles_exec_t alias restorecon_exec_t;
init_system_domain(setfiles_t, setfiles_exec_t)
domain_obj_id_change_exemption(setfiles_t)
+type setfiles_mac_t;
+domain_type(setfiles_mac_t)
+domain_entry_file(setfiles_mac_t, setfiles_exec_t)
+domain_obj_id_change_exemption(setfiles_mac_t)
+
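Review bot: `setfiles_mac_t` is given `setfiles_exec_t` as its entry point, the same file that enters `setfiles_t`, so which domain a caller ends up in is decided solely by that caller's transition rule, and nothing here records why a second setfiles domain exists (a later hunk in this file grants it `capability2 mac_admin` and `kernel_relabelto_unlabeled`). Add a comment above the declaration such as `# setfiles_mac_t: setfiles with mac_admin, for relabeling to types the running policy does not define; shares setfiles_exec_t with setfiles_t, so callers must choose the domain explicitly.` Separately, `dbus_system_domain(semanage_t, semanage_exec_t)` is placed outside `optional_policy`, unlike the `dbus_system_bus_client(newrole_t)` call later in this file, which hard-wires a dependency on the dbus module; wrap it or comment why it must be unconditional.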
########################################
#
# Checkpolicy local policy
@@ -139,7 +156,7 @@ term_use_console(checkpolicy_t)
init_use_fds(checkpolicy_t)
init_use_script_ptys(checkpolicy_t)
-userdom_use_user_terminals(checkpolicy_t)
+userdom_use_inherited_user_terminals(checkpolicy_t)
userdom_use_all_users_fds(checkpolicy_t)
ifdef(`distro_ubuntu',`
@@ -176,13 +193,15 @@ term_list_ptys(load_policy_t)
init_use_script_fds(load_policy_t)
init_use_script_ptys(load_policy_t)
+init_write_script_pipes(load_policy_t)
miscfiles_read_localization(load_policy_t)
seutil_libselinux_linked(load_policy_t)
-userdom_use_user_terminals(load_policy_t)
+userdom_use_inherited_user_terminals(load_policy_t)
userdom_use_all_users_fds(load_policy_t)
+userdom_dontaudit_read_user_tmp_files(load_policy_t)
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -204,7 +223,7 @@ ifdef(`hide_broken_symptoms',`
# Newrole local policy
#
-allow newrole_t self:capability { fowner setuid setgid dac_override };
+allow newrole_t self:capability { fowner setpcap setuid setgid dac_override };
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
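Review bot: The new `setpcap` capability for `newrole_t` arrives without a comment, although it is the capability that lets a process alter its capability bounding set and is normally only needed to drop capabilities before exec; a reader cannot tell from this line whether it is a hardening measure or a fix for a denial. Suggest `# setpcap: newrole drops its capabilities (bounding set) before exec'ing the new shell -- confirm against newrole source` directly above the `allow`.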
@@ -216,7 +235,7 @@ allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msgs(newrole_t)
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
@@ -233,6 +252,7 @@ domain_use_interactive_fds(newrole_t)
# for when the user types "exec newrole" at the command line:
domain_sigchld_interactive_fds(newrole_t)
+files_list_var(newrole_t)
files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
files_read_var_symlinks(newrole_t)
@@ -260,25 +280,30 @@ term_relabel_all_ptys(newrole_t)
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
-auth_use_nsswitch(newrole_t)
-auth_domtrans_chk_passwd(newrole_t)
-auth_domtrans_upd_passwd(newrole_t)
-auth_rw_faillog(newrole_t)
+auth_use_pam(newrole_t)
# Write to utmp.
init_rw_utmp(newrole_t)
init_use_fds(newrole_t)
-logging_send_syslog_msg(newrole_t)
-
miscfiles_read_localization(newrole_t)
seutil_libselinux_linked(newrole_t)
+userdom_use_unpriv_users_fds(newrole_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_user_home_content(newrole_t)
userdom_search_user_home_dirs(newrole_t)
+# need to talk with dbus
+optional_policy(`
+ dbus_system_bus_client(newrole_t)
+')
+
+optional_policy(`
+ xserver_dontaudit_exec_xauth(newrole_t)
+')
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)
@@ -312,6 +337,10 @@ kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
+dev_relabel_all_dev_nodes(restorecond_t)
+
+files_dontaudit_read_all_symlinks(restorecond_t)
+
fs_relabelfrom_noxattr_fs(restorecond_t)
fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_xattr_fs(restorecond_t)
@@ -323,8 +352,8 @@ selinux_compute_create_context(restorecond_t)
selinux_compute_relabel_context(restorecond_t)
selinux_compute_user_contexts(restorecond_t)
-auth_relabel_all_files_except_shadow(restorecond_t )
-auth_read_all_files_except_shadow(restorecond_t)
+files_relabel_all_files(restorecond_t )
+files_read_non_security_files(restorecond_t)
auth_use_nsswitch(restorecond_t)
locallogin_dontaudit_use_fds(restorecond_t)
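Review bot: Replacing `auth_relabel_all_files_except_shadow(restorecond_t)` with `files_relabel_all_files(restorecond_t)` drops the explicit exclusion of `shadow_t`, so restorecond may now relabel to and from the shadow password file type; the parallel switch to `files_read_non_security_files` keeps shadow out of the read set, which makes the relabel widening look unintended rather than deliberate. If restorecond genuinely has to restore the label on `/etc/shadow`, say so with `# restorecond must be able to fix the label of /etc/shadow` and expect the shadow relabelto assertion to need the domain listed explicitly; otherwise keep the `_except_shadow` variant.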
@@ -335,6 +364,8 @@ miscfiles_read_localization(restorecond_t)
seutil_libselinux_linked(restorecond_t)
+userdom_read_user_home_content_symlinks(restorecond_t)
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
@@ -353,16 +384,19 @@ optional_policy(`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
-allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msgs(run_init_t)
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
# the failed access to the current directory
dontaudit run_init_t self:capability { dac_override dac_read_search };
+kernel_dontaudit_getattr_core_if(run_init_t)
+
corecmd_exec_bin(run_init_t)
corecmd_exec_shell(run_init_t)
+dev_dontaudit_getattr_all(run_init_t)
dev_dontaudit_list_all_dev_nodes(run_init_t)
domain_use_interactive_fds(run_init_t)
@@ -380,6 +414,8 @@ selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
+term_use_console(run_init_t)
+
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
auth_domtrans_upd_passwd(run_init_t)
@@ -388,6 +424,7 @@ auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
# for utmp
init_rw_utmp(run_init_t)
+init_dontaudit_getattr_initctl(run_init_t)
logging_send_syslog_msg(run_init_t)
@@ -396,7 +433,7 @@ miscfiles_read_localization(run_init_t)
seutil_libselinux_linked(run_init_t)
seutil_read_default_contexts(run_init_t)
-userdom_use_user_terminals(run_init_t)
+userdom_use_inherited_user_terminals(run_init_t)
ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
@@ -405,6 +442,19 @@ ifndef(`direct_sysadm_daemon',`
')
')
+# need to talk with dbus
+optional_policy(`
+ dbus_system_bus_client(run_init_t)
+')
+
+optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(run_init_t)
+')
+
+optional_policy(`
+ rpm_domtrans(run_init_t)
+')
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
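Review bot: `rpm_domtrans(run_init_t)` lets the init-script runner transition into the rpm domain with no comment on which init scripts need to execute rpm, and rpm_t is typically among the most privileged domains in the policy. Add a one-line justification above the `optional_policy` block naming the script or scenario, so the transition can be removed when that caller goes away.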
@@ -420,61 +470,22 @@ optional_policy(`
# semodule local policy
#
-allow semanage_t self:capability { dac_override audit_write };
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
-allow semanage_t policy_config_t:file rw_file_perms;
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
-
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
-
-corecmd_exec_bin(semanage_t)
-
-dev_read_urand(semanage_t)
-
-domain_use_interactive_fds(semanage_t)
-
-files_read_etc_files(semanage_t)
-files_read_etc_runtime_files(semanage_t)
-files_read_usr_files(semanage_t)
-files_list_pids(semanage_t)
-
-mls_file_write_all_levels(semanage_t)
-mls_file_read_all_levels(semanage_t)
-
-selinux_validate_context(semanage_t)
-selinux_get_enforce_mode(semanage_t)
-selinux_getattr_fs(semanage_t)
-# for setsebool:
selinux_set_all_booleans(semanage_t)
+can_exec(semanage_t, semanage_exec_t)
-term_use_all_terms(semanage_t)
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
+# Admins are creating pp files in random locations
+files_read_non_security_files(semanage_t)
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
seutil_domtrans_setfiles(semanage_t)
-seutil_domtrans_loadpolicy(semanage_t)
-seutil_manage_bin_policy(semanage_t)
-seutil_use_newrole_fds(semanage_t)
-seutil_manage_module_store(semanage_t)
-seutil_get_semanage_trans_lock(semanage_t)
-seutil_get_semanage_read_lock(semanage_t)
+
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
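Review bot: `files_read_non_security_files(semanage_t)` grants read on essentially every non-security file type, and the comment "Admins are creating pp files in random locations" understates that trade-off; make it explicit so the rule is not treated as harmless, e.g. `# semodule -i is handed .pp files from arbitrary admin-chosen paths; reading all non-security files is the price of not enumerating them.` `can_exec(semanage_t, semanage_exec_t)` is also added without a comment; note which semanage/semodule helper re-executes the binary in its own domain.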
@@ -482,6 +493,14 @@ seutil_manage_default_contexts(semanage_t)
userdom_read_user_home_content_files(semanage_t)
userdom_read_user_tmp_files(semanage_t)
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(semanage_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(semanage_t)
+')
+
ifdef(`distro_debian',`
files_read_var_lib_files(semanage_t)
files_read_var_lib_symlinks(semanage_t)
@@ -493,112 +512,60 @@ ifdef(`distro_ubuntu',`
')
')
-########################################
+####################################n####
#
-# Setfiles local policy
+# setsebool local policy
#
+seutil_semanage_policy(setsebool_t)
+selinux_set_all_booleans(setsebool_t)
-allow setfiles_t self:capability { dac_override dac_read_search fowner };
-dontaudit setfiles_t self:capability sys_tty_config;
-allow setfiles_t self:fifo_file rw_file_perms;
-
-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
-
-kernel_read_system_state(setfiles_t)
-kernel_relabelfrom_unlabeled_dirs(setfiles_t)
-kernel_relabelfrom_unlabeled_files(setfiles_t)
-kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
-kernel_relabelfrom_unlabeled_pipes(setfiles_t)
-kernel_relabelfrom_unlabeled_sockets(setfiles_t)
-kernel_use_fds(setfiles_t)
-kernel_rw_pipes(setfiles_t)
-kernel_rw_unix_dgram_sockets(setfiles_t)
-kernel_dontaudit_list_all_proc(setfiles_t)
-kernel_dontaudit_list_all_sysctls(setfiles_t)
-
-dev_relabel_all_dev_nodes(setfiles_t)
-
-domain_use_interactive_fds(setfiles_t)
-domain_dontaudit_search_all_domains_state(setfiles_t)
-
-files_read_etc_runtime_files(setfiles_t)
-files_read_etc_files(setfiles_t)
-files_list_all(setfiles_t)
-files_relabel_all_files(setfiles_t)
-files_read_usr_symlinks(setfiles_t)
-
-fs_getattr_xattr_fs(setfiles_t)
-fs_list_all(setfiles_t)
-fs_search_auto_mountpoints(setfiles_t)
-fs_relabelfrom_noxattr_fs(setfiles_t)
-
-mls_file_read_all_levels(setfiles_t)
-mls_file_write_all_levels(setfiles_t)
-mls_file_upgrade(setfiles_t)
-mls_file_downgrade(setfiles_t)
-
-selinux_validate_context(setfiles_t)
-selinux_compute_access_vector(setfiles_t)
-selinux_compute_create_context(setfiles_t)
-selinux_compute_relabel_context(setfiles_t)
-selinux_compute_user_contexts(setfiles_t)
+init_dontaudit_use_fds(setsebool_t)
-term_use_all_ttys(setfiles_t)
-term_use_all_ptys(setfiles_t)
-term_use_unallocated_ttys(setfiles_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
-# this is to satisfy the assertion:
-auth_relabelto_shadow(setfiles_t)
-
-init_use_fds(setfiles_t)
-init_use_script_fds(setfiles_t)
-init_use_script_ptys(setfiles_t)
-init_exec_script_files(setfiles_t)
-
-logging_send_syslog_msg(setfiles_t)
+########################################
+#
+# Setfiles local policy
+#
-miscfiles_read_localization(setfiles_t)
+seutil_setfiles(setfiles_t)
+# During boot in Rawhide
+term_use_generic_ptys(setfiles_t)
-seutil_libselinux_linked(setfiles_t)
+seutil_setfiles(setfiles_mac_t)
+allow setfiles_mac_t self:capability2 mac_admin;
+kernel_relabelto_unlabeled(setfiles_mac_t)
-userdom_use_all_users_fds(setfiles_t)
-# for config files in a home directory
-userdom_read_user_home_content_files(setfiles_t)
+# needs to be able to read symlinks to make restorecon on symlink working
+files_read_all_symlinks(setfiles_t)
-ifdef(`distro_debian',`
- # udev tmpfs is populated with static device nodes
- # and then relabeled afterwards; thus
- # /dev/console has the tmpfs type
- fs_rw_tmpfs_chr_files(setfiles_t)
+optional_policy(`
+ files_dontaudit_write_isid_chr_files(setfiles_mac_t)
+ livecd_dontaudit_leaks(setfiles_mac_t)
+ livecd_rw_tmp_files(setfiles_mac_t)
+ dev_dontaudit_write_all_chr_files(setfiles_mac_t)
')
-ifdef(`distro_redhat', `
- fs_rw_tmpfs_chr_files(setfiles_t)
- fs_rw_tmpfs_blk_files(setfiles_t)
- fs_relabel_tmpfs_blk_file(setfiles_t)
- fs_relabel_tmpfs_chr_file(setfiles_t)
+optional_policy(`
+ devicekit_dontaudit_read_pid_files(setfiles_t)
+ devicekit_dontaudit_rw_log(setfiles_t)
')
-ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(setfiles_t)
- ')
+optional_policy(`
+ hal_dontaudit_leaks(setfiles_t)
')
ifdef(`hide_broken_symptoms',`
optional_policy(`
- udev_dontaudit_rw_dgram_sockets(setfiles_t)
- ')
-
- # cjp: cover up stray file descriptors.
- optional_policy(`
- unconfined_dontaudit_read_pipes(setfiles_t)
- unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
+ setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
+ setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
')
')
optional_policy(`
- hotplug_use_fds(setfiles_t)
+ unconfined_domain(setfiles_mac_t)
')
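Review bot: The setsebool block gives `setsebool_t` the full `seutil_semanage_policy` bundle (module store management, `seutil_domtrans_loadpolicy`, `seutil_manage_bin_policy`) and then, under `# Bug in semanage`, adds `seutil_domtrans_setfiles`, `seutil_manage_file_contexts`, `seutil_manage_default_contexts` and `seutil_manage_config`; a workaround that wide should state what the bug is and when the rules can go, e.g. `# Workaround: libsemanage presumably rewrites file_contexts/default_contexts and runs setfiles even for setsebool -P; drop once the semanage bug is fixed (add bug reference).` The section header `####################################n####` has a stray `n`. `setfiles_mac_t` also becomes `unconfined_domain` in `optional_policy` while carrying explicit `capability2 mac_admin` and `kernel_relabelto_unlabeled` rules; a comment saying the explicit rules exist for builds without the unconfined module would make the redundancy intentional.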
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 1447687..cdc0223 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -12,6 +12,7 @@ gen_require(`
type setrans_t;
type setrans_exec_t;
init_daemon_domain(setrans_t, setrans_exec_t)
+mls_trusted_object(setrans_t)
type setrans_initrc_exec_t;
init_script_file(setrans_initrc_exec_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 694fd94..334e80e 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -10,10 +10,10 @@
/etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
-/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
-/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcp/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
-/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
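Review bot: `/etc/hosts[^/]*` labels far more than `/etc/hosts` and its backups: `/etc/hosts.allow` and `/etc/hosts.equiv` also become `net_conf_t`, and the sysnetwork.te hunk in this same patch grants `dhcpc_t` `manage_file_perms` and `relabel_file_perms` on `net_conf_t`, so a network-facing DHCP client would be able to rewrite tcp_wrappers and rhosts trust files. Narrow the pattern to the names dhclient actually writes and, if `hosts.allow` is meant to be `net_conf_t` like `hosts.deny`, give it its own explicit entry next to `/etc/hosts\.deny.*` rather than a catch-all.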
@@ -64,3 +64,5 @@ ifdef(`distro_redhat',`
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
')
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index ff80d0a..be800df 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',`
netutils_run(dhcpc_t, $2)
netutils_run_ping(dhcpc_t, $2)
')
+
+ optional_policy(`
+ networkmanager_run(dhcpc_t, $2)
+ ')
+
+ optional_policy(`
+ nis_run_ypbind(dhcpc_t, $2)
+ ')
+
+ optional_policy(`
+ nscd_run(dhcpc_t, $2)
+ ')
+
+ optional_policy(`
+ ntp_run(dhcpc_t, $2)
+ ')
+
+ seutil_run_setfiles(dhcpc_t, $2)
')
########################################
@@ -269,6 +287,43 @@ interface(`sysnet_delete_dhcpc_state',`
delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
')
+########################################
+## <summary>
+## Allow caller to relabel dhcpc_state files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_relabelfrom_dhcpc_state',`
+
+ gen_require(`
+ type dhcpc_state_t;
+ ')
+
+ allow $1 dhcpc_state_t:file relabelfrom;
+')
+
+#######################################
+## <summary>
+## Manage the dhcp client state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_manage_dhcpc_state',`
+ gen_require(`
+ type dhcpc_state_t;
+ ')
+
+ manage_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
+')
+
#######################################
## <summary>
## Set the attributes of network config files.
@@ -290,6 +345,44 @@ interface(`sysnet_setattr_config',`
#######################################
## <summary>
+## Allow caller to relabel net_conf files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_relabelfrom_net_conf',`
+
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ allow $1 net_conf_t:file relabelfrom;
+')
+
+######################################
+## <summary>
+## Allow caller to relabel net_conf files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_relabelto_net_conf',`
+
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ allow $1 net_conf_t:file relabelto;
+')
+
+#######################################
+## <summary>
## Read network config files.
## </summary>
## <desc>
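Review bot: `sysnet_relabelfrom_net_conf` and `sysnet_relabelto_net_conf` carry the identical summary "Allow caller to relabel net_conf files" although one grants only `relabelfrom` and the other only `relabelto`; use `## Relabel files away from net_conf_t (relabelfrom only).` and `## Relabel files to net_conf_t (relabelto only).` The relabelto variant deserves the extra sentence that a file relabeled to `net_conf_t` becomes writable by every domain with `sysnet_manage_config`, including `dhcpc_t`.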
@@ -405,7 +498,7 @@ interface(`sysnet_etc_filetrans_config',`
type net_conf_t;
')
- files_etc_filetrans($1, net_conf_t, file)
+ files_etc_filetrans($1, net_conf_t, file, $2)
')
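Review bot: `files_etc_filetrans($1, net_conf_t, file, $2)` adds an optional object-name argument to `sysnet_etc_filetrans_config`, but the interface's `<param>` documentation lies outside this hunk and is not shown updated; add `## <param name="name" optional="true"><summary>The name of the object being created.</summary></param>` so the new second argument is discoverable. The enclosing interface starts outside the hunk.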
#######################################
@@ -426,6 +519,7 @@ interface(`sysnet_manage_config',`
allow $1 net_conf_t:file manage_file_perms;
ifdef(`distro_redhat',`
+ allow $1 net_conf_t:dir list_dir_perms;
manage_files_pattern($1, net_conf_t, net_conf_t)
')
')
@@ -464,6 +558,7 @@ interface(`sysnet_delete_dhcpc_pid',`
type dhcpc_var_run_t;
')
+ files_rw_pid_dirs($1)
allow $1 dhcpc_var_run_t:file unlink;
')
@@ -554,6 +649,25 @@ interface(`sysnet_signal_ifconfig',`
########################################
## <summary>
+## Send a kill signal to iconfig.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_kill_ifconfig',`
+ gen_require(`
+ type ifconfig_t;
+ ')
+
+ allow $1 ifconfig_t:process sigkill;
+')
+
+########################################
+## <summary>
## Read the DHCP configuration files.
## </summary>
## <param name="domain">
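Review bot: The summary of `sysnet_kill_ifconfig` reads `Send a kill signal to iconfig.`; fix the typo to `## Send a kill signal to ifconfig.` so the generated interface documentation matches the interface name.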
@@ -661,6 +775,8 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
+ miscfiles_read_generic_certs($1)
+
sysnet_read_config($1)
optional_policy(`
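Review bot: `miscfiles_read_generic_certs($1)` inside `sysnet_dns_name_resolve` gives every domain that resolves names read access to the system certificate store, with no comment on which resolver component needs it. Add a justification above the call, e.g. `# name resolution may go through a TLS-protected local resolver that validates against the CA bundle -- confirm which component needs this`, so the grant can be revisited when that component changes. The enclosing interface starts outside the hunk.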
@@ -698,6 +814,9 @@ interface(`sysnet_use_ldap',`
corenet_sendrecv_ldap_client_packets($1)
sysnet_read_config($1)
+
+ # LDAP Configuration using encrypted requires
+ dev_read_urand($1)
')
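Review bot: The comment `# LDAP Configuration using encrypted requires` is missing its object and does not say what is required; replace it with `# LDAP over an encrypted (TLS/SSL) connection needs random bytes from /dev/urandom` so the `dev_read_urand($1)` below is self-explanatory.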
########################################
@@ -731,3 +850,73 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## the dhcp file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysnet_dontaudit_dhcpc_use_fds',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ dontaudit $1 dhcpc_t:fd use;
+')
+
+########################################
+## <summary>
+## Transition to system_r when execute an dhclient script
+## </summary>
+## <desc>
+## <p>
+## Execute dhclient script in a specified role
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_role">
+## <summary>
+## Role to transition from.
+## </summary>
+## </param>
+interface(`sysnet_role_transition_dhcpc',`
+ gen_require(`
+ type dhcpc_exec_t;
+ ')
+
+ role_transition $1 dhcpc_exec_t system_r;
+')
+
+########################################
+## <summary>
+## Transition to sysnet named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_filetrans_named_content',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
+ files_etc_filetrans($1, net_conf_t, file, "denyhosts")
+ files_etc_filetrans($1, net_conf_t, file, "hosts")
+ files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
+ files_etc_filetrans($1, net_conf_t, file, "ethers")
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
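Review bot: `sysnet_role_transition_dhcpc` is documented as a transition "when execute an dhclient script", but `dhcpc_exec_t` is the dhclient binary itself (it is the entry point of `dhcpc_t` via `init_daemon_domain` in sysnetwork.te), and the `<desc>` says "in a specified role" although the interface hard-codes `system_r`; suggest `## Transition to the system_r role when executing dhclient.` and `## Execute dhclient with a role transition to system_r; the domain transition itself must be granted separately.` The doc block also lacks the terminating `#` line before `interface(` that every other interface in this file has, which the documentation generator relies on. In `sysnet_filetrans_named_content`, a comment that these names correspond to the `net_conf_t` entries in sysnetwork.fc would help keep the two in sync.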
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 34d0ec5..767ccbd 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
# Declarations
#
+## <desc>
+## <p>
+## Allow dhcpc client applications to execute iptables commands
+## </p>
+## </desc>
+gen_tunable(dhcpc_exec_iptables, false)
+
# this is shared between dhcpc and dhcpd:
type dhcp_etc_t;
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
@@ -19,6 +26,9 @@ type dhcpc_exec_t;
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
role system_r types dhcpc_t;
+type dhcpc_helper_exec_t;
+init_script_file(dhcpc_helper_exec_t)
+
type dhcpc_state_t;
files_type(dhcpc_state_t)
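Review bot: `dhcpc_helper_exec_t` is declared with `init_script_file`, which makes it an init-script entry point rather than anything executed in `dhcpc_t`, yet the name suggests a dhclient helper and the sysnetwork.fc hunk labels `/etc/firestarter/firestarter.sh` with it. Add a comment stating the intended transition, e.g. `# dhcpc_helper_exec_t: hook scripts run by dhclient (firestarter); declared as an init script so they run in the initrc domain rather than dhcpc_t -- confirm`, so the naming does not mislead the next reader.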
@@ -34,7 +44,7 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
role system_r types ifconfig_t;
type net_conf_t alias resolv_conf_t;
-files_type(net_conf_t)
+files_config_file(net_conf_t)
########################################
#
@@ -57,8 +67,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
allow dhcpc_t dhcp_state_t:file read_file_perms;
+allow dhcpc_t dhcp_state_t:file relabel_file_perms;
+
manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
+allow dhcpc_t dhcpc_state_t:file relabel_file_perms;
# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
@@ -66,6 +79,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
+allow dhcpc_t net_conf_t:file manage_file_perms;
+allow dhcpc_t net_conf_t:file relabel_file_perms;
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
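Review bot: `allow dhcpc_t net_conf_t:file manage_file_perms;` duplicates the `sysnet_manage_config(dhcpc_t)` call on the following line, which already grants `allow $1 net_conf_t:file manage_file_perms;` (visible in the sysnetwork.if hunk); drop the raw allow and keep only `allow dhcpc_t net_conf_t:file relabel_file_perms;`. The comment above still says only "read/write to /etc/resolv.conf and /etc/ntp.conf"; extend it to mention that dhclient also relabels these files.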
@@ -91,25 +106,28 @@ corecmd_exec_shell(dhcpc_t)
corenet_all_recvfrom_unlabeled(dhcpc_t)
corenet_all_recvfrom_netlabel(dhcpc_t)
-corenet_tcp_sendrecv_all_if(dhcpc_t)
-corenet_raw_sendrecv_all_if(dhcpc_t)
-corenet_udp_sendrecv_all_if(dhcpc_t)
-corenet_tcp_sendrecv_all_nodes(dhcpc_t)
-corenet_raw_sendrecv_all_nodes(dhcpc_t)
-corenet_udp_sendrecv_all_nodes(dhcpc_t)
+corenet_tcp_sendrecv_generic_if(dhcpc_t)
+corenet_raw_sendrecv_generic_if(dhcpc_t)
+corenet_udp_sendrecv_generic_if(dhcpc_t)
+corenet_tcp_sendrecv_generic_node(dhcpc_t)
+corenet_raw_sendrecv_generic_node(dhcpc_t)
+corenet_udp_sendrecv_generic_node(dhcpc_t)
corenet_tcp_sendrecv_all_ports(dhcpc_t)
corenet_udp_sendrecv_all_ports(dhcpc_t)
-corenet_tcp_bind_all_nodes(dhcpc_t)
-corenet_udp_bind_all_nodes(dhcpc_t)
+corenet_tcp_bind_generic_node(dhcpc_t)
+corenet_udp_bind_generic_node(dhcpc_t)
corenet_udp_bind_dhcpc_port(dhcpc_t)
corenet_tcp_connect_all_ports(dhcpc_t)
corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t)
+corenet_udp_bind_all_unreserved_ports(dhcpc_t)
dev_read_sysfs(dhcpc_t)
# for SSP:
dev_read_urand(dhcpc_t)
+domain_obj_id_change_exemption(dhcpc_t)
domain_use_interactive_fds(dhcpc_t)
domain_dontaudit_read_all_domains_state(dhcpc_t)
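Review bot: `domain_obj_id_change_exemption(dhcpc_t)` exempts the DHCP client from the object-identity-change assertion with no comment; it presumably backs the `relabel_file_perms` rules on `net_conf_t`, `dhcp_state_t` and `dhcpc_state_t` added earlier in this file, so say so: `# relabeling of net_conf_t/dhcpc_state_t files above needs the object id change exemption`. `corenet_udp_bind_all_unreserved_ports(dhcpc_t)` also widens binding from the dhcpc port to every unreserved UDP port for a network-facing daemon; a comment on which client behaviour needs an ephemeral bind would let this be narrowed later.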
@@ -130,13 +148,14 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
init_rw_utmp(dhcpc_t)
+init_stream_connect(dhcpc_t)
+init_stream_send(dhcpc_t)
logging_send_syslog_msg(dhcpc_t)
+miscfiles_read_generic_certs(dhcpc_t)
miscfiles_read_localization(dhcpc_t)
-modutils_domtrans_insmod(dhcpc_t)
-
userdom_use_user_terminals(dhcpc_t)
userdom_dontaudit_search_user_home_dirs(dhcpc_t)
@@ -155,6 +174,16 @@ optional_policy(`
')
optional_policy(`
+ chronyd_initrc_domtrans(dhcpc_t)
+ chronyd_systemctl(dhcpc_t)
+')
+
+optional_policy(`
+ devicekit_dontaudit_rw_log(dhcpc_t)
+ devicekit_dontaudit_read_pid_files(dhcpc_t)
+')
+
+optional_policy(`
init_dbus_chat_script(dhcpc_t)
dbus_system_bus_client(dhcpc_t)
@@ -171,6 +200,8 @@ optional_policy(`
optional_policy(`
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
+ hal_dontaudit_read_pid_files(dhcpc_t)
+ hal_dontaudit_write_log(dhcpc_t)
')
optional_policy(`
@@ -192,17 +223,31 @@ optional_policy(`
')
optional_policy(`
+ modutils_domtrans_insmod(dhcpc_t)
+')
+
+optional_policy(`
+ networkmanager_domtrans(dhcpc_t)
+ networkmanager_read_pid_files(dhcpc_t)
+ networkmanager_read_lib_files(dhcpc_t)
+')
+
+optional_policy(`
+ nis_initrc_domtrans_ypbind(dhcpc_t)
nis_read_ypbind_pid(dhcpc_t)
+ nis_systemctl_ypbind(dhcpc_t)
')
optional_policy(`
nscd_initrc_domtrans(dhcpc_t)
+ nscd_systemctl(dhcpc_t)
nscd_domtrans(dhcpc_t)
nscd_read_pid(dhcpc_t)
')
optional_policy(`
ntp_initrc_domtrans(dhcpc_t)
+ ntp_systemctl(dhcpc_t)
')
optional_policy(`
@@ -213,6 +258,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
+ seutil_domtrans_setfiles(dhcpc_t)
+')
+optional_policy(`
+ systemd_passwd_agent_domtrans(dhcpc_t)
+ systemd_signal_passwd_agent(dhcpc_t)
')
optional_policy(`
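Review bot: `seutil_domtrans_setfiles(dhcpc_t)` lets the DHCP client, a domain whose input comes off the network, transition into the setfiles domain, and nothing in the block says which step of the client needs a file-context relabel; a one-line comment such as `# dhclient-script restores the context of the files it rewrites — TODO confirm` would let the next reviewer judge the grant instead of guessing. The new `systemd_passwd_agent_domtrans`/`systemd_signal_passwd_agent` block also opens directly after the previous `')` with no separating blank line, unlike every other optional_policy block in this file.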
@@ -255,6 +305,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
+allow ifconfig_t self:appletalk_socket create_socket_perms;
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
@@ -276,8 +327,11 @@ dev_read_urand(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
+read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
+
files_read_etc_files(ifconfig_t)
files_read_etc_runtime_files(ifconfig_t)
+files_read_usr_files(ifconfig_t)
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@@ -301,11 +355,12 @@ logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
-modutils_domtrans_insmod(ifconfig_t)
seutil_use_runinit_fds(ifconfig_t)
-userdom_use_user_terminals(ifconfig_t)
+sysnet_dns_name_resolve(ifconfig_t)
+
+userdom_use_inherited_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
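Review bot: `sysnet_dns_name_resolve(ifconfig_t)` appears to call the sysnetwork module's own interface from inside sysnetwork.te (dhcpc_t and ifconfig_t are this module's domains; the file header is outside the hunk), which, as I understand refpolicy convention, a module should not do — it grants itself access with direct rules and calls only interfaces of the modules it depends on. The rule also gives an interface-configuration tool outbound DNS traffic, so a comment naming the `ip`/`ifconfig` invocation that has to resolve a hostname would justify the wider network footprint. Replacing `userdom_use_user_terminals` with `userdom_use_inherited_user_terminals` is a tightening and looks right.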
@@ -314,7 +369,18 @@ ifdef(`distro_ubuntu',`
')
')
+optional_policy(`
+ brctl_domtrans(ifconfig_t)
+')
+
+optional_policy(`
+ ctdbd_read_lib_files(ifconfig_t)
+')
+
ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit ifconfig_t self:capability sys_module;
+
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
@@ -325,8 +391,14 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
+ devicekit_dontaudit_read_pid_files(ifconfig_t)
+')
+
+optional_policy(`
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+ hal_dontaudit_read_pid_files(ifconfig_t)
+ hal_write_log(ifconfig_t)
')
optional_policy(`
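Review bot: `hal_write_log(ifconfig_t)` is an allow rule sitting in a block of dontaudit rules, so it grants ifconfig_t write access to HAL's log files rather than silencing a denial; the dhcpc_t block earlier in this patch uses `hal_dontaudit_write_log(dhcpc_t)` for the same situation. If the intent is only to quiet noise when ifconfig inherits a HAL log descriptor, `hal_dontaudit_write_log(ifconfig_t)` would be the consistent choice; if ifconfig genuinely needs to write that log, a comment saying why would help.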
@@ -335,6 +407,18 @@ optional_policy(`
')
optional_policy(`
+ kdump_dontaudit_read_config(ifconfig_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(ifconfig_t)
+')
+
+optional_policy(`
+ netutils_domtrans(dhcpc_t)
+')
+
+optional_policy(`
nis_use_ypbind(ifconfig_t)
')
@@ -356,3 +440,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
+
+optional_policy(`
+ tunable_policy(`dhcpc_exec_iptables',`
+ iptables_domtrans(dhcpc_t)
+ ')
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
index 0000000..9eaa38e
--- /dev/null
+++ b/policy/modules/system/systemd.fc
@@ -0,0 +1,19 @@
+/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
+
+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+
+/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+
+/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0)
+/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+
+/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
+/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0)
+/dev/\.systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0)
+/var/run/initramfs(/.*)? <<none>>
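Review bot: Only `/lib/systemd/system(/.*)?` is labelled `systemd_unit_file_t`; unit files under `/etc/systemd/system`, the administrator override directory, would presumably keep the generic /etc label and so miss every `systemd_unit_file_type` rule in systemd.if. If this distribution ships or expects units there, add `/etc/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)` next to the /lib entry.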
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
index 0000000..46a3ec0
--- /dev/null
+++ b/policy/modules/system/systemd.if
@@ -0,0 +1,456 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
+## <summary>
+## Create a domain for processes which are started
+## exuting systemctl.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_systemctl_domain',`
+ gen_require(`
+ type systemd_systemctl_exec_t;
+ role system_r;
+ attribute systemctl_domain;
+ ')
+
+ type $1_systemctl_t, systemctl_domain;
+ domain_type($1_systemctl_t)
+ domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t)
+
+ role system_r types $1_systemctl_t;
+
+ domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t)
+')
+
+########################################
+## <summary>
+## Execute systemctl in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_exec_systemctl',`
+ gen_require(`
+ type systemd_systemctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, systemd_systemctl_exec_t)
+
+ init_read_state($1)
+')
+
+#######################################
+## <summary>
+## Create a file type used for systemd unit files.
+## </summary>
+## <param name="script_file">
+## <summary>
+## Type to be used for an unit file.
+## </summary>
+## </param>
+#
+interface(`systemd_unit_file',`
+ gen_require(`
+ attribute systemd_unit_file_type;
+ ')
+
+ typeattribute $1 systemd_unit_file_type;
+ files_type($1)
+')
+
+######################################
+## <summary>
+## Allow domain to search systemd unit dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_search_unit_dirs',`
+ gen_require(`
+ attribute systemd_unit_file_type;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 systemd_unit_file_type:dir search_dir_perms;
+')
+
+######################################
+## <summary>
+## Allow domain to read all systemd unit files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_read_unit_files',`
+ gen_require(`
+ attribute systemd_unit_file_type;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 systemd_unit_file_type:file read_file_perms;
+ allow $1 systemd_unit_file_type:lnk_file read_lnk_file_perms;
+ allow $1 systemd_unit_file_type:dir list_dir_perms;
+')
+
+#####################################
+## <summary>
+## Dontaudit domain to read all systemd unit files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_dontaudit_read_unit_files',`
+ gen_require(`
+ attribute systemd_unit_file_type;
+ ')
+
+ dontaudit $1 systemd_unit_file_type:file read_file_perms;
+')
+
+######################################
+## <summary>
+## Read systemd_login PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_login_read_pid_files',`
+ gen_require(`
+ type systemd_logind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+')
+
+######################################
+## <summary>
+## Use and and inherited systemd
+## logind file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_use_fds_logind',`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ allow $1 systemd_logind_t:fd use;
+')
+
+######################################
+## <summary>
+## Write inherited logind sessions pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_write_inherited_logind_sessions_pipes',`
+ gen_require(`
+ type systemd_logind_sessions_t;
+ ')
+
+ allow $1 systemd_logind_sessions_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## systemd logind over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_dbus_chat_logind',`
+ gen_require(`
+ type systemd_logind_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 systemd_logind_t:dbus send_msg;
+ allow systemd_logind_t $1:dbus send_msg;
+')
+
+#######################################
+## <summary>
+## Execute a domain transition to run systemd-tmpfiles.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_tmpfiles_domtrans',`
+ gen_require(`
+ type systemd_tmpfiles_t, systemd_tmpfiles_exec_t;
+ ')
+
+ domtrans_pattern($1, systemd_tmpfiles_exec_t, systemd_tmpfiles_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run systemd-tty-ask-password-agent.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_passwd_agent_domtrans',`
+ gen_require(`
+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+ ')
+
+ domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run systemd_notify.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_notify_domtrans',`
+ gen_require(`
+ type systemd_notify_t, systemd_notify_exec_t;
+ ')
+
+ domtrans_pattern($1, systemd_notify_exec_t, systemd_notify_t)
+')
+
+########################################
+## <summary>
+## Execute systemd-tty-ask-password-agent in the systemd_passwd_agent domain, and
+## allow the specified role the systemd_passwd_agent domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the systemd_passwd_agent domain.
+## </summary>
+## </param>
+#
+interface(`systemd_passwd_agent_run',`
+ gen_require(`
+ type systemd_passwd_agent_t;
+ ')
+
+ systemd_passwd_agent_domtrans($1)
+ role $2 types systemd_passwd_agent_t;
+')
+
+########################################
+## <summary>
+## Role access for systemd_passwd_agent
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`systemd_passwd_agent_role',`
+ gen_require(`
+ type systemd_passwd_agent_t;
+ ')
+
+ role $1 types systemd_passwd_agent_t;
+
+ systemd_passwd_agent_domtrans($2)
+
+ ps_process_pattern($2, systemd_passwd_agent_t)
+ allow $2 systemd_passwd_agent_t:process signal;
+')
+
+########################################
+## <summary>
+## Send generic signals to systemd_passwd_agent processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_signal_passwd_agent',`
+ gen_require(`
+ type systemd_passwd_agent_t;
+ ')
+
+ allow $1 systemd_passwd_agent_t:process signal;
+')
+
+######################################
+## <summary>
+## Template for temporary sockets and files in /dev/.systemd/ask-password
+## which are used by systemd-passwd-agent
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+interface(`systemd_passwd_agent_dev_template',`
+ gen_require(`
+ type systemd_passwd_agent_t;
+ ')
+
+ type systemd_$1_device_t;
+ files_type(systemd_$1_device_t)
+ dev_associate(systemd_$1_device_t)
+
+ dev_filetrans($1_t, systemd_$1_device_t, { file sock_file })
+ init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file })
+ allow $1_t systemd_$1_device_t:file manage_file_perms;
+ allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms;
+
+ allow systemd_passwd_agent_t $1_t:process signull;
+ allow systemd_passwd_agent_t $1_t:unix_dgram_socket sendto;
+ allow systemd_passwd_agent_t systemd_$1_device_t:sock_file write;
+ allow systemd_passwd_agent_t systemd_$1_device_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to
+## systemd_logger with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_logger_stream_connect',`
+ gen_require(`
+ type systemd_logger_t;
+ ')
+
+ allow $1 systemd_logger_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## manage systemd unit dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_unit_dirs',`
+ gen_require(`
+ attribute systemd_unit_file_type;
+ ')
+
+ manage_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
+')
+
+########################################
+## <summary>
+## manage all systemd unit files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_all_unit_files',`
+ gen_require(`
+ attribute systemd_unit_file_type;
+ ')
+
+ manage_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
+ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
+')
+
+########################################
+## <summary>
+## manage all systemd unit lnk_files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_all_unit_lnk_files',`
+ gen_require(`
+ attribute systemd_unit_file_type;
+ ')
+
+ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
+')
+
+
+########################################
+## <summary>
+## Allow the specified domain to connect to
+## systemd_logger with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_config_all_services',`
+ gen_require(`
+ attribute systemd_unit_file_type;
+ ')
+
+ allow $1 systemd_unit_file_type:service all_service_perms;
+')
+
+
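Review bot: The summary on `systemd_config_all_services` is copied from `systemd_logger_stream_connect` ("connect to systemd_logger with a unix socket") while the body grants `all_service_perms` on the `service` class for every unit file type — start, stop, enable and disable of all services — so the doc hides the most powerful interface in the file; replace it with `## Allow the specified domain to manage (start, stop, enable, disable) all systemd services.`. `systemd_passwd_agent_dev_template` declares types (`type systemd_$1_device_t`) from a prefix, which is what refpolicy `template()` exists for, yet it is declared with `interface()`. The `domain_prefix` parameter of `systemd_systemctl_domain` is documented as "Domain allowed access" rather than as a prefix, and its `domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t)` has a stray space before the comma. Smaller items: "exuting" and "Use and and inherited" are typos in summaries, and `systemd_search_unit_dirs`/`systemd_read_unit_files` call `files_search_var_lib` although systemd.fc places the unit directory under `/lib/systemd/system`, not `/var/lib`.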
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..ff4814a
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,369 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
+#
+# Declarations
+#
+
+attribute systemd_unit_file_type;
+attribute systemd_domain;
+attribute systemctl_domain;
+
+type systemd_logger_t;
+type systemd_logger_exec_t;
+init_systemd_domain(systemd_logger_t, systemd_logger_exec_t)
+
+type systemd_logind_t;
+type systemd_logind_exec_t;
+init_systemd_domain(systemd_logind_t, systemd_logind_exec_t)
+
+# /run/systemd/sessions
+type systemd_logind_sessions_t;
+files_pid_file(systemd_logind_sessions_t)
+
+# /run/systemd/{seats, users}
+type systemd_logind_var_run_t;
+files_pid_file(systemd_logind_var_run_t)
+
+# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
+# systemd components
+
+type systemd_passwd_agent_t;
+type systemd_passwd_agent_exec_t;
+init_daemon_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
+
+# domain for systemd-tmpfiles component
+type systemd_tmpfiles_t;
+type systemd_tmpfiles_exec_t;
+init_systemd_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
+
+type systemd_notify_t;
+type systemd_notify_exec_t;
+init_systemd_domain(systemd_notify_t, systemd_notify_exec_t)
+
+# type for systemd unit files
+type systemd_unit_file_t;
+systemd_unit_file(systemd_unit_file_t)
+
+# executable for systemctl
+type systemd_systemctl_exec_t;
+corecmd_executable_file(systemd_systemctl_exec_t)
+
+#
+# Type for systemd pipes in /dev/.systemd/ directory
+#
+type systemd_device_t;
+files_type(systemd_device_t)
+dev_associate(systemd_device_t)
+
+#######################################
+#
+# Systemd_logind local policy
+#
+
+# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
+allow systemd_logind_t self:capability { chown dac_override fowner };
+allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t })
+manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
+init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
+
+dev_read_sysfs(systemd_logind_t)
+dev_setattr_input_dev(systemd_logind_t)
+dev_setattr_mouse_dev(systemd_logind_t)
+
+dev_getattr_all_chr_files(systemd_logind_t)
+dev_getattr_all_blk_files(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
+dev_setattr_kvm_dev(systemd_logind_t)
+dev_setattr_sound_dev(systemd_logind_t)
+dev_setattr_generic_usb_dev(systemd_logind_t)
+dev_setattr_video_dev(systemd_logind_t)
+dev_setattr_all_chr_files(systemd_logind_t)
+
+# /etc/udev/udev.conf should probably have a private type if only for confined administration
+# /etc/nsswitch.conf
+files_read_etc_files(systemd_logind_t)
+
+# /sys/fs/cgroup/systemd/user
+fs_manage_cgroup_dirs(systemd_logind_t)
+# write getattr open setattr
+fs_manage_cgroup_files(systemd_logind_t)
+
+storage_setattr_removable_dev(systemd_logind_t)
+storage_setattr_scsi_generic_dev(systemd_logind_t)
+
+term_use_unallocated_ttys(systemd_logind_t)
+
+# /run/user/.*
+# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
+auth_manage_var_auth(systemd_logind_t)
+auth_use_nsswitch(systemd_logind_t)
+
+authlogin_read_state(systemd_logind_t)
+
+dbus_connect_system_bus(systemd_logind_t)
+dbus_system_bus_client(systemd_logind_t)
+
+init_dbus_chat(systemd_logind_t)
+init_read_state(systemd_logind_t)
+
+logging_send_syslog_msg(systemd_logind_t)
+
+miscfiles_read_localization(systemd_logind_t)
+
+udev_read_db(systemd_logind_t)
+
+userdom_read_all_users_state(systemd_logind_t)
+userdom_use_user_ttys(systemd_logind_t)
+userdom_manage_user_tmp_dirs(systemd_logind_t)
+userdom_manage_user_tmp_files(systemd_logind_t)
+userdom_manage_user_tmp_symlinks(systemd_logind_t)
+
+optional_policy(`
+ cron_dbus_chat_crond(systemd_logind_t)
+ cron_read_state_crond(systemd_logind_t)
+')
+
+optional_policy(`
+ # we label /run/user/$USER/dconf as config_home_t
+ gnome_manage_home_config_dirs(systemd_logind_t)
+')
+
+optional_policy(`
+ # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
+ xserver_search_xdm_tmp_dirs(systemd_logind_t)
+')
+
+#######################################
+#
+# Local policy
+#
+
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config };
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
+allow systemd_passwd_agent_t systemd_device_t:fifo_file manage_fifo_file_perms;
+dev_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file)
+init_pid_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file)
+
+kernel_stream_connect(systemd_passwd_agent_t)
+
+files_read_etc_files(systemd_passwd_agent_t)
+
+dev_create_generic_dirs(systemd_passwd_agent_t)
+dev_read_generic_files(systemd_passwd_agent_t)
+dev_write_generic_sock_files(systemd_passwd_agent_t)
+
+term_read_console(systemd_passwd_agent_t)
+
+auth_use_nsswitch(systemd_passwd_agent_t)
+
+init_create_pid_dirs(systemd_passwd_agent_t)
+init_read_pipes(systemd_passwd_agent_t)
+init_read_utmp(systemd_passwd_agent_t)
+init_stream_connect(systemd_passwd_agent_t)
+
+miscfiles_read_localization(systemd_passwd_agent_t)
+
+userdom_use_user_ptys(systemd_passwd_agent_t)
+
+optional_policy(`
+ lvm_signull(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+ plymouthd_stream_connect(systemd_passwd_agent_t)
+')
+
+#######################################
+#
+# Local policy
+#
+
+allow systemd_tmpfiles_t self:capability { dac_override fowner chown fsetid };
+allow systemd_tmpfiles_t self:process { setfscreate };
+
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
+
+kernel_read_network_state(systemd_tmpfiles_t)
+files_delete_kernel_modules(systemd_tmpfiles_t)
+
+dev_write_kmsg(systemd_tmpfiles_t)
+
+# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
+fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
+fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
+fs_list_all(systemd_tmpfiles_t)
+
+files_read_etc_files(systemd_tmpfiles_t)
+files_getattr_all_dirs(systemd_tmpfiles_t)
+files_getattr_all_files(systemd_tmpfiles_t)
+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
+files_relabel_all_pid_files(systemd_tmpfiles_t)
+files_manage_all_pids(systemd_tmpfiles_t)
+files_manage_all_pid_dirs(systemd_tmpfiles_t)
+files_manage_all_locks(systemd_tmpfiles_t)
+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
+files_delete_all_pid_sockets(systemd_tmpfiles_t)
+files_delete_all_pid_pipes(systemd_tmpfiles_t)
+files_delete_boot_flag(systemd_tmpfiles_t)
+files_delete_usr_dirs(systemd_tmpfiles_t)
+files_delete_usr_files(systemd_tmpfiles_t)
+files_purge_tmp(systemd_tmpfiles_t)
+files_manage_generic_tmp_files(systemd_tmpfiles_t)
+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
+files_relabelfrom_tmp_dirs(systemd_tmpfiles_t)
+files_relabelfrom_tmp_files(systemd_tmpfiles_t)
+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+files_relabel_all_tmp_files(systemd_tmpfiles_t)
+files_list_lost_found(systemd_tmpfiles_t)
+
+mcs_file_read_all(systemd_tmpfiles_t)
+mcs_file_write_all(systemd_tmpfiles_t)
+mls_file_read_all_levels(systemd_tmpfiles_t)
+mls_file_write_all_levels(systemd_tmpfiles_t)
+
+selinux_get_enforce_mode(systemd_tmpfiles_t)
+
+auth_manage_faillog(systemd_tmpfiles_t)
+auth_relabel_faillog(systemd_tmpfiles_t)
+auth_manage_var_auth(systemd_tmpfiles_t)
+auth_relabel_var_auth_dirs(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
+auth_use_nsswitch(systemd_tmpfiles_t)
+
+init_dgram_send(systemd_tmpfiles_t)
+init_rw_stream_sockets(systemd_tmpfiles_t)
+
+logging_create_devlog_dev(systemd_tmpfiles_t)
+logging_send_syslog_msg(systemd_tmpfiles_t)
+
+miscfiles_filetrans_named_content(systemd_tmpfiles_t)
+miscfiles_manage_man_pages(systemd_tmpfiles_t)
+miscfiles_relabel_man_pages(systemd_tmpfiles_t)
+miscfiles_read_localization(systemd_tmpfiles_t)
+
+seutil_read_config(systemd_tmpfiles_t)
+seutil_read_file_contexts(systemd_tmpfiles_t)
+
+ifdef(`distro_redhat',`
+ userdom_list_user_home_content(systemd_tmpfiles_t)
+ userdom_delete_user_home_content_dirs(systemd_tmpfiles_t)
+ userdom_delete_user_home_content_files(systemd_tmpfiles_t)
+ userdom_delete_user_home_content_sock_files(systemd_tmpfiles_t)
+ userdom_delete_user_home_content_symlinks(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+ apache_delete_sys_content_rw(systemd_tmpfiles_t)
+ apache_list_cache(systemd_tmpfiles_t)
+ apache_delete_cache_dirs(systemd_tmpfiles_t)
+ apache_delete_cache_files(systemd_tmpfiles_t)
+ apache_setattr_cache_dirs(systemd_tmpfiles_t)
+')
+
+
+optional_policy(`
+ auth_rw_login_records(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+ rpm_read_db(systemd_tmpfiles_t)
+ rpm_delete_db(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+ sandbox_list(systemd_tmpfiles_t)
+ sandbox_delete_dirs(systemd_tmpfiles_t)
+ sandbox_delete_files(systemd_tmpfiles_t)
+ sandbox_delete_lnk_files(systemd_tmpfiles_t)
+ sandbox_delete_pipes(systemd_tmpfiles_t)
+ sandbox_delete_sock_files(systemd_tmpfiles_t)
+ sandbox_setattr_dirs(systemd_tmpfiles_t)
+')
+
+########################################
+#
+# systemd_notify local policy
+#
+allow systemd_notify_t self:capability { chown };
+allow systemd_notify_t self:process { fork setfscreate setsockcreate };
+
+allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(systemd_notify_t)
+
+files_read_etc_files(systemd_notify_t)
+files_read_usr_files(systemd_notify_t)
+
+fs_getattr_cgroup_files(systemd_notify_t)
+
+auth_use_nsswitch(systemd_notify_t)
+
+miscfiles_read_localization(systemd_notify_t)
+
+optional_policy(`
+ readahead_manage_pid_files(systemd_notify_t)
+')
+
+########################################
+#
+# systemd_logger local policy
+#
+
+allow systemd_logger_t self:capability { sys_admin chown kill };
+allow systemd_logger_t self:process { fork setfscreate setsockcreate };
+
+allow systemd_logger_t self:fifo_file rw_fifo_file_perms;
+allow systemd_logger_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_use_fds(systemd_logger_t)
+
+dev_write_kmsg(systemd_logger_t)
+
+domain_use_interactive_fds(systemd_logger_t)
+
+files_read_etc_files(systemd_logger_t)
+files_read_usr_files(systemd_logger_t)
+
+# only needs write
+term_use_generic_ptys(systemd_logger_t)
+
+auth_use_nsswitch(systemd_logger_t)
+
+# /run/systemd/notify
+init_write_pid_socket(systemd_logger_t)
+
+logging_send_syslog_msg(systemd_logger_t)
+
+miscfiles_read_localization(systemd_logger_t)
+
+
+########################################
+#
+# systemd_sysctl domains local policy
+#
+
+allow systemctl_domain systemd_unit_file_type:dir search_dir_perms;
+
+fs_list_cgroup_dirs(systemctl_domain)
+fs_read_cgroup_files(systemctl_domain)
+
+# needed by systemctl
+init_dgram_send(systemctl_domain)
+init_stream_connect(systemctl_domain)
+init_read_state(systemctl_domain)
+init_list_pid_dirs(systemctl_domain)
+init_use_fds(systemctl_domain)
+
+miscfiles_read_localization(systemctl_domain)
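Review bot: systemd_tmpfiles_t receives unusually broad rights — `mcs_file_read_all`/`mcs_file_write_all`, `mls_file_read_all_levels`/`mls_file_write_all_levels`, `files_delete_usr_dirs`/`files_delete_usr_files` and `files_delete_kernel_modules` — with no comment tying them to a tmpfiles.d entry the way the `/run/lock` comment does for the tmpfs rules; a why-comment per group (e.g. `# tmpfiles.d entries under /usr — TODO name them`) would let a later reviewer prune them when the need goes away. `auth_rw_login_records(systemd_tmpfiles_t)` is wrapped in `optional_policy` although the other `auth_*` calls a few lines above are unconditional; authlogin is normally part of the base policy, so the wrapper is unnecessary and inconsistent. Two sections are headed only `# Local policy` where the later ones name their domain (`systemd_notify local policy`, `systemd_logger local policy`); `# Systemd_passwd_agent local policy` and `# Systemd_tmpfiles local policy` would match, and `systemd_sysctl domains` in the last header looks like a typo for `systemctl`.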
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 0291685..7e94f4b 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -1,6 +1,6 @@
-/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
-/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
-/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
+/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0)
+/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0)
+/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0)
/etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
@@ -21,4 +21,6 @@
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 025348a..c15e57c 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
')
domtrans_pattern($1, udev_exec_t, udev_t)
+ allow $1 udev_t:process noatsecure;
')
########################################
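Review bot: `allow $1 udev_t:process noatsecure;` added to `udev_domtrans` turns off AT_SECURE for every caller's transition into udev_t, so the dynamic loader in the new udev process honours the caller's environment (LD_PRELOAD, LD_LIBRARY_PATH and similar) instead of scrubbing it; that is a deliberate weakening of the transition and it applies to every domain that uses this interface, not just init. A comment stating which caller needs its environment preserved would justify the rule, and if only one does, a dedicated interface or a caller-specific rule would keep the exposure narrow.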
@@ -88,8 +89,7 @@ interface(`udev_read_state',`
')
kernel_search_proc($1)
- allow $1 udev_t:file read_file_perms;
- allow $1 udev_t:lnk_file read_lnk_file_perms;
+ ps_process_pattern($1, udev_t)
')
########################################
@@ -160,10 +160,10 @@ interface(`udev_manage_rules_files',`
#
interface(`udev_dontaudit_search_db',`
gen_require(`
- type udev_tbl_t;
+ type udev_var_run_t;
')
- dontaudit $1 udev_tbl_t:dir search_dir_perms;
+ dontaudit $1 udev_var_run_t:dir search_dir_perms;
')
########################################
@@ -183,19 +183,32 @@ interface(`udev_dontaudit_search_db',`
## <infoflow type="read" weight="10"/>
#
interface(`udev_read_db',`
+ udev_read_pid_files($1)
+')
+
+########################################
+## <summary>
+## Allow process to modify list of devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_rw_db',`
gen_require(`
- type udev_tbl_t;
+ type udev_var_run_t;
')
+ files_search_pids($1)
dev_list_all_dev_nodes($1)
- allow $1 udev_tbl_t:dir list_dir_perms;
- read_files_pattern($1, udev_tbl_t, udev_tbl_t)
- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
+ rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
########################################
## <summary>
-## Allow process to modify list of devices.
+## Allow process to modify relabelto udev database
## </summary>
## <param name="domain">
## <summary>
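Review bot: The new summary `Allow process to modify relabelto udev database` reads as a search-and-replace leftover and does not describe `udev_relabelto_db`, which grants `relabelto_file_perms` on `udev_var_run_t`; `## Relabel files to the udev database (pid file) type.` says what the body does. The next hunk has the same problem in the other direction: `udev_read_pid_files` is summarised as "Create, read, write, and delete udev pid files" while its body grants only list/read on dirs, files and symlinks, so `## Read udev pid files.` would be accurate.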
@@ -203,13 +216,36 @@ interface(`udev_read_db',`
## </summary>
## </param>
#
-interface(`udev_rw_db',`
+interface(`udev_relabelto_db',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 udev_var_run_t:file relabelto_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## udev pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_read_pid_files',`
gen_require(`
- type udev_tbl_t;
+ type udev_var_run_t;
')
dev_list_all_dev_nodes($1)
- allow $1 udev_tbl_t:file rw_file_perms;
+ files_search_pids($1)
+ allow $1 udev_var_run_t:dir list_dir_perms;
+ read_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
########################################
@@ -228,6 +264,84 @@ interface(`udev_manage_pid_files',`
type udev_var_run_t;
')
- files_search_var_lib($1)
+ files_search_pids($1)
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
+
+#######################################
+## <summary>
+## Execute udev in the udev domain, and
+## allow the specified role the udev domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the iptables domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`udev_run',`
+ gen_require(`
+ type udev_t;
+ ')
+
+ udev_domtrans($1)
+ role $2 types udev_t;
+')
+
+#######################################
+## <summary>
+## Allow caller to create kobject uevent socket for udev
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_create_kobject_uevent_socket',`
+ gen_require(`
+ type udev_t;
+ role system_r;
+ ')
+
+ allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
+')
+
+########################################
+## <summary>
+## Create a domain for processes
+## which can be started by udev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`udev_system_domain',`
+ gen_require(`
+ type udev_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(udev_t, $2, $1)
+
+ dontaudit $1 udev_t:unix_dgram_socket { read write };
+')
+
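Review bot: The `role` parameter of `udev_run` is documented as "The role to be allowed the iptables domain", a copy-paste from the iptables interface; it should read `The role to be allowed the udev domain.`. `udev_create_kobject_uevent_socket` lists `role system_r` in its `gen_require` but never uses it, so that require can be dropped. In `udev_system_domain`, `dontaudit $1 udev_t:unix_dgram_socket { read write };` silences a denial without saying what udev-spawned helpers inherit; a one-liner such as `# helpers inherit udev's dgram socket — TODO confirm` would document the intent.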
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d88f7c3..e5fef27 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
-type udev_tbl_t alias udev_tdb_t;
-files_type(udev_tbl_t)
-
type udev_rules_t;
files_type(udev_rules_t)
type udev_var_run_t;
files_pid_file(udev_var_run_t)
+typealias udev_var_run_t alias udev_tbl_t;
ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
@@ -38,6 +36,12 @@ ifdef(`enable_mcs',`
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
dontaudit udev_t self:capability sys_tty_config;
+
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit udev_t self:capability sys_module;
+')
+
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
@@ -52,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
+allow udev_t self:netlink_socket create_socket_perms;
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
@@ -62,17 +67,16 @@ can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
-# create udev database in /dev/.udevdb
-allow udev_t udev_tbl_t:file manage_file_perms;
-dev_filetrans(udev_t, udev_tbl_t, file)
-
list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
-read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
-files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
+files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
+allow udev_t udev_var_run_t:file mounton;
+dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
kernel_read_system_state(udev_t)
kernel_request_load_module(udev_t)
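Review bot: The switch from `read_files_pattern` to `manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)` (plus the new `manage_lnk_files_pattern`) lets udev create, rewrite and delete its own rules files, but the hunk gives no reason; presumably this covers udev's rule-writing helpers such as the persistent-net rule generator — confirm. A one-line comment would make the widening reviewable later, e.g. `# udev helpers generate rules under the rules directory (persistent net rules) — confirm`. The new `allow udev_t udev_var_run_t:file mounton;` likewise deserves a note naming what gets mounted over a pid file, since mounton on a file type is unusual.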
@@ -87,6 +91,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
kernel_dgram_send(udev_t)
kernel_signal(udev_t)
kernel_search_debugfs(udev_t)
+kernel_stream_connect(udev_t)
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
@@ -97,6 +102,7 @@ corecmd_exec_all_executables(udev_t)
dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
+dev_rw_generic_usb_dev(udev_t)
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
@@ -105,21 +111,30 @@ dev_relabel_all_dev_nodes(udev_t)
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
dev_manage_generic_symlinks(udev_t)
+dev_filetrans_all_named_dev(udev_t)
domain_read_all_domains_state(udev_t)
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
-files_read_etc_files(udev_t)
+files_read_kernel_modules(udev_t)
+files_read_system_conf_files(udev_t)
+
+# console_init manages files in /etc/sysconfig
+files_manage_etc_files(udev_t)
files_exec_etc_files(udev_t)
+files_exec_usr_files(udev_t)
files_dontaudit_search_isid_type_dirs(udev_t)
files_getattr_generic_locks(udev_t)
files_search_mnt(udev_t)
+files_list_tmp(udev_t)
fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t)
fs_rw_anon_inodefs_files(udev_t)
+fs_list_auto_mountpoints(udev_t)
+fs_list_hugetlbfs(udev_t)
mcs_ptrace_all(udev_t)
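Review bot: `files_manage_etc_files(udev_t)` replaces the removed `files_read_etc_files` with create/write/delete access to every etc_t file, while the comment above it only justifies writing under /etc/sysconfig for console_init. If console_init really runs in udev_t, the narrower fix is a dedicated type for the files it rewrites (or running it in its own domain) rather than giving the device manager write access to all of /etc. At minimum the comment should name the files touched so the scope can be re-checked, e.g. `# console_init (run from udev rules) rewrites /etc/sysconfig/<FILE> — TODO narrow to a dedicated type`.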
@@ -143,6 +158,7 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
+init_stream_connect(udev_t)
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
@@ -169,6 +185,8 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
+systemd_login_read_pid_files(udev_t)
+
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_gentoo',`
@@ -186,8 +204,9 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_chr_files(udev_t)
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
+ fs_manage_hugetlbfs_dirs(udev_t)
- term_search_ptys(udev_t)
+ term_use_generic_ptys(udev_t)
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
@@ -216,11 +235,16 @@ optional_policy(`
')
optional_policy(`
- consoletype_exec(udev_t)
+ consolekit_read_pid_files(udev_t)
+')
+
+optional_policy(`
+ consoletype_domtrans(udev_t)
')
optional_policy(`
cups_domtrans_config(udev_t)
+ cups_read_config(udev_t)
')
optional_policy(`
@@ -230,10 +254,20 @@ optional_policy(`
optional_policy(`
devicekit_read_pid_files(udev_t)
devicekit_dgram_send(udev_t)
+ devicekit_domtrans_disk(udev_t)
+')
+
+optional_policy(`
+ gnome_read_home_config(udev_t)
+')
+
+optional_policy(`
+ gpsd_domtrans(udev_t)
')
optional_policy(`
lvm_domtrans(udev_t)
+ lvm_dgram_send(udev_t)
')
optional_policy(`
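Review bot: `gnome_read_home_config(udev_t)` grants a system daemon read access to per-user GNOME configuration in home directories with no comment on what triggers it; this sits oddly next to the existing `userdom_dontaudit_search_user_home_content(udev_t)`, which suggests the earlier intent was to silence home-directory probes rather than allow them. If the access comes from a udev helper invoking a desktop tool, a dontaudit of the same access or moving that helper to its own domain is the smaller change. Please add a comment naming the helper that needs it, e.g. `# <HELPER> run from udev rules reads ~/.config — confirm`.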
@@ -259,6 +293,10 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_dbus_chat(udev_t)
+')
+
+optional_policy(`
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
@@ -273,6 +311,11 @@ optional_policy(`
')
optional_policy(`
+ usbmuxd_domtrans(udev_t)
+ usbmuxd_stream_connect(udev_t)
+')
+
+optional_policy(`
unconfined_signal(udev_t)
')
diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
index ce2fbb9..8b34dbc 100644
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@@ -1,15 +1 @@
# Add programs here which should not be confined by SELinux
-# e.g.:
-# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-
-/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-
-/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 416e668..46f9aaf 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -12,27 +12,29 @@
#
interface(`unconfined_domain_noaudit',`
gen_require(`
- type unconfined_t;
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
')
# Use any Linux capability.
- allow $1 self:capability *;
- allow $1 self:fifo_file manage_fifo_file_perms;
+ allow $1 self:capability ~sys_module;
+ allow $1 self:capability2 syslog;
+ allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
# Transition to myself, to make get_ordered_context_list happy.
allow $1 self:process transition;
# Write access is for setting attributes under /proc/self/attr.
allow $1 self:file rw_file_perms;
+ allow $1 self:dir rw_dir_perms;
# Userland object managers
- allow $1 self:nscd *;
- allow $1 self:dbus *;
- allow $1 self:passwd *;
- allow $1 self:association *;
+ allow $1 self:nscd all_nscd_perms;
+ allow $1 self:dbus all_dbus_perms;
+ allow $1 self:passwd all_passwd_perms;
+ allow $1 self:association all_association_perms;
+ allow $1 self:socket_class_set create_socket_perms;
kernel_unconfined($1)
corenet_unconfined($1)
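Review bot: The context comment `# Use any Linux capability.` directly above the changed rule no longer matches `allow $1 self:capability ~sys_module;`; it should read `# Use any Linux capability except sys_module; module loading is deliberately not granted here.` Also `allow $1 self:capability2 syslog;` grants only syslog from the capability2 class, so a reader will wonder whether leaving out the remaining capability2 permissions is intended; a short comment either way would settle it.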
@@ -43,6 +45,13 @@ interface(`unconfined_domain_noaudit',`
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
+ systemd_config_all_services($1)
+
+ domain_mmap_low($1)
+
+ mcs_file_read_all($1)
+
+ ubac_process_exempt($1)
tunable_policy(`allow_execheap',`
# Allow making the stack executable via mprotect.
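Review bot: `domain_mmap_low($1)` is added to every unconfined domain without a comment; mapping the low address range is exactly what the mmap_min_addr protection guards against, so the rule should say whether this is the tunable-gated variant (refpolicy gates `domain_mmap_low` on the `mmap_low_allowed` boolean and provides a separate unconditional variant — confirm against this tree's kernel/domain.if). Suggested comment: `# low-address mmap; gated by mmap_low_allowed in kernel/domain.if — confirm this is the conditional variant`. `ubac_process_exempt($1)` and `mcs_file_read_all($1)` likewise widen the noaudit variant and each deserve a one-line why.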
@@ -69,6 +78,7 @@ interface(`unconfined_domain_noaudit',`
optional_policy(`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
+ dbus_unconfined($1)
')
optional_policy(`
@@ -122,6 +132,10 @@ interface(`unconfined_domain_noaudit',`
## </param>
#
interface(`unconfined_domain',`
+ gen_require(`
+ attribute unconfined_services;
+ ')
+
unconfined_domain_noaudit($1)
tunable_policy(`allow_execheap',`
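Review bot: `unconfined_domain` now requires `attribute unconfined_services;` but nothing in the visible part of the interface references it; the body continues past the hunk, so if the attribute is not used further down the gen_require should be dropped (an unused require still forces the attribute onto every module that calls this interface). If it is used later, a comment next to the require naming that use would keep the next reader from hunting for it.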
@@ -150,7 +164,7 @@ interface(`unconfined_domain',`
## </param>
#
interface(`unconfined_alias_domain',`
- refpolicywarn(`$0($1) has been deprecated.')
+ refpolicywarn(`$0() has been deprecated.')
')
########################################
@@ -176,414 +190,5 @@ interface(`unconfined_alias_domain',`
## </param>
#
interface(`unconfined_execmem_alias_program',`
- refpolicywarn(`$0($1) has been deprecated.')
-')
-
-########################################
-## <summary>
-## Transition to the unconfined domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`unconfined_domtrans',`
- gen_require(`
- type unconfined_t, unconfined_exec_t;
- ')
-
- domtrans_pattern($1, unconfined_exec_t, unconfined_t)
-')
-
-########################################
-## <summary>
-## Execute specified programs in the unconfined domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## The role to allow the unconfined domain.
-## </summary>
-## </param>
-#
-interface(`unconfined_run',`
- gen_require(`
- type unconfined_t;
- ')
-
- unconfined_domtrans($1)
- role $2 types unconfined_t;
-')
-
-########################################
-## <summary>
-## Transition to the unconfined domain by executing a shell.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`unconfined_shell_domtrans',`
- gen_require(`
- type unconfined_t;
- ')
-
- corecmd_shell_domtrans($1, unconfined_t)
- allow unconfined_t $1:fd use;
- allow unconfined_t $1:fifo_file rw_file_perms;
- allow unconfined_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-## Allow unconfined to execute the specified program in
-## the specified domain.
-## </summary>
-## <desc>
-## <p>
-## Allow unconfined to execute the specified program in
-## the specified domain.
-## </p>
-## <p>
-## This is a interface to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-## </p>
-## </desc>
-## <param name="domain">
-## <summary>
-## Domain to execute in.
-## </summary>
-## </param>
-## <param name="entry_file">
-## <summary>
-## Domain entry point file.
-## </summary>
-## </param>
-#
-interface(`unconfined_domtrans_to',`
- gen_require(`
- type unconfined_t;
- ')
-
- domtrans_pattern(unconfined_t,$2,$1)
-')
-
-########################################
-## <summary>
-## Allow unconfined to execute the specified program in
-## the specified domain. Allow the specified domain the
-## unconfined role and use of unconfined user terminals.
-## </summary>
-## <desc>
-## <p>
-## Allow unconfined to execute the specified program in
-## the specified domain. Allow the specified domain the
-## unconfined role and use of unconfined user terminals.
-## </p>
-## <p>
-## This is a interface to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-## </p>
-## </desc>
-## <param name="domain">
-## <summary>
-## Domain to execute in.
-## </summary>
-## </param>
-## <param name="entry_file">
-## <summary>
-## Domain entry point file.
-## </summary>
-## </param>
-#
-interface(`unconfined_run_to',`
- gen_require(`
- type unconfined_t;
- role unconfined_r;
- ')
-
- domtrans_pattern(unconfined_t,$2,$1)
- role unconfined_r types $1;
- userdom_use_user_terminals($1)
-')
-
-########################################
-## <summary>
-## Inherit file descriptors from the unconfined domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_use_fds',`
- gen_require(`
- type unconfined_t;
- ')
-
- allow $1 unconfined_t:fd use;
-')
-
-########################################
-## <summary>
-## Send a SIGCHLD signal to the unconfined domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_sigchld',`
- gen_require(`
- type unconfined_t;
- ')
-
- allow $1 unconfined_t:process sigchld;
-')
-
-########################################
-## <summary>
-## Send a SIGNULL signal to the unconfined domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_signull',`
- gen_require(`
- type unconfined_t;
- ')
-
- allow $1 unconfined_t:process signull;
-')
-
-########################################
-## <summary>
-## Send generic signals to the unconfined domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_signal',`
- gen_require(`
- type unconfined_t;
- ')
-
- allow $1 unconfined_t:process signal;
-')
-
-########################################
-## <summary>
-## Read unconfined domain unnamed pipes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_read_pipes',`
- gen_require(`
- type unconfined_t;
- ')
-
- allow $1 unconfined_t:fifo_file read_fifo_file_perms;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read unconfined domain unnamed pipes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`unconfined_dontaudit_read_pipes',`
- gen_require(`
- type unconfined_t;
- ')
-
- dontaudit $1 unconfined_t:fifo_file read;
-')
-
-########################################
-## <summary>
-## Read and write unconfined domain unnamed pipes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_rw_pipes',`
- gen_require(`
- type unconfined_t;
- ')
-
- allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read and write
-## unconfined domain unnamed pipes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`unconfined_dontaudit_rw_pipes',`
- gen_require(`
- type unconfined_t;
- ')
-
- dontaudit $1 unconfined_t:fifo_file rw_file_perms;
-')
-
-########################################
-## <summary>
-## Connect to the unconfined domain using
-## a unix domain stream socket.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_stream_connect',`
- gen_require(`
- type unconfined_t;
- ')
-
- allow $1 unconfined_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read or write
-## unconfined domain tcp sockets.
-## </summary>
-## <desc>
-## <p>
-## Do not audit attempts to read or write
-## unconfined domain tcp sockets.
-## </p>
-## <p>
-## This interface was added due to a broken
-## symptom in ldconfig.
-## </p>
-## </desc>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`unconfined_dontaudit_rw_tcp_sockets',`
- gen_require(`
- type unconfined_t;
- ')
-
- dontaudit $1 unconfined_t:tcp_socket { read write };
-')
-
-########################################
-## <summary>
-## Create keys for the unconfined domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_create_keys',`
- gen_require(`
- type unconfined_t;
- ')
-
- allow $1 unconfined_t:key create;
-')
-
-########################################
-## <summary>
-## Send messages to the unconfined domain over dbus.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_dbus_send',`
- gen_require(`
- type unconfined_t;
- class dbus send_msg;
- ')
-
- allow $1 unconfined_t:dbus send_msg;
-')
-
-########################################
-## <summary>
-## Send and receive messages from
-## unconfined_t over dbus.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_dbus_chat',`
- gen_require(`
- type unconfined_t;
- class dbus send_msg;
- ')
-
- allow $1 unconfined_t:dbus send_msg;
- allow unconfined_t $1:dbus send_msg;
-')
-
-########################################
-## <summary>
-## Connect to the the unconfined DBUS
-## for service (acquire_svc).
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_dbus_connect',`
- gen_require(`
- type unconfined_t;
- class dbus acquire_svc;
- ')
-
- allow $1 unconfined_t:dbus acquire_svc;
+ refpolicywarn(`$0() has been deprecated.')
')
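Review bot: This hunk and the unconfined.te hunk that follows remove every `unconfined_*` access interface (`unconfined_domtrans`, `unconfined_signal`, `unconfined_dbus_chat`, ...) together with the `unconfined_t` declaration, yet the udev.te part of this same patch still calls `unconfined_signal(udev_t)` inside an optional_policy block. Presumably the definitions moved to a contrib module elsewhere in the patch — confirm; otherwise the remaining callers are left referencing interfaces that no longer exist. A one-line comment in the trimmed unconfined.if pointing to the new home of these interfaces, e.g. `# unconfined_t and its interfaces now live in <MODULE>`, would save the next reviewer this search.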
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index eae5001..71e46b2 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -4,231 +4,4 @@ policy_module(unconfined, 3.3.0)
#
# Declarations
#
-
-# usage in this module of types created by these
-# calls is not correct, however we dont currently
-# have another method to add access to these types
-userdom_base_user_template(unconfined)
-userdom_manage_home_role(unconfined_r, unconfined_t)
-userdom_manage_tmp_role(unconfined_r, unconfined_t)
-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
-
-type unconfined_exec_t;
-init_system_domain(unconfined_t, unconfined_exec_t)
-
-type unconfined_execmem_t;
-type unconfined_execmem_exec_t;
-init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
-role unconfined_r types unconfined_execmem_t;
-
-########################################
-#
-# Local policy
-#
-
-domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
-
-files_create_boot_flag(unconfined_t)
-
-mcs_killall(unconfined_t)
-mcs_ptrace_all(unconfined_t)
-
-init_run_daemon(unconfined_t, unconfined_r)
-
-libs_run_ldconfig(unconfined_t, unconfined_r)
-
-logging_send_syslog_msg(unconfined_t)
-logging_run_auditctl(unconfined_t, unconfined_r)
-
-mount_run_unconfined(unconfined_t, unconfined_r)
-
-seutil_run_setfiles(unconfined_t, unconfined_r)
-seutil_run_semanage(unconfined_t, unconfined_r)
-
-unconfined_domain(unconfined_t)
-
-userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
-
-ifdef(`distro_gentoo',`
- seutil_run_runinit(unconfined_t, unconfined_r)
- seutil_init_script_run_runinit(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- ada_domtrans(unconfined_t)
-')
-
-optional_policy(`
- apache_run_helper(unconfined_t, unconfined_r)
- apache_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- bind_run_ndc(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- bootloader_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- cron_unconfined_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- init_dbus_chat_script(unconfined_t)
-
- dbus_stub(unconfined_t)
-
- optional_policy(`
- avahi_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- bluetooth_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- consolekit_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- cups_dbus_chat_config(unconfined_t)
- ')
-
- optional_policy(`
- hal_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- networkmanager_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- oddjob_dbus_chat(unconfined_t)
- ')
-')
-
-optional_policy(`
- firstboot_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- ftp_run_ftpdctl(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- hadoop_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- inn_domtrans(unconfined_t)
-')
-
-optional_policy(`
- java_run_unconfined(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- lpd_run_checkpc(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- modutils_run_update_mods(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- mono_domtrans(unconfined_t)
-')
-
-optional_policy(`
- mta_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- oddjob_domtrans_mkhomedir(unconfined_t)
-')
-
-optional_policy(`
- prelink_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- portmap_run_helper(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- postfix_run_map(unconfined_t, unconfined_r)
- # cjp: this should probably be removed:
- postfix_domtrans_master(unconfined_t)
-')
-
-optional_policy(`
- pyzor_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- # cjp: this should probably be removed:
- rpc_domtrans_nfsd(unconfined_t)
-')
-
-optional_policy(`
- rpm_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- samba_run_net(unconfined_t, unconfined_r)
- samba_run_winbind_helper(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- spamassassin_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- sysnet_run_dhcpc(unconfined_t, unconfined_r)
- sysnet_dbus_chat_dhcpc(unconfined_t)
-')
-
-optional_policy(`
- tzdata_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- usermanage_run_admin_passwd(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- vpn_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- webalizer_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- wine_domtrans(unconfined_t)
-')
-
-optional_policy(`
- xserver_domtrans(unconfined_t)
-')
-
-########################################
-#
-# Unconfined Execmem Local policy
-#
-
-allow unconfined_execmem_t self:process { execstack execmem };
-unconfined_domain_noaudit(unconfined_execmem_t)
-
-optional_policy(`
- dbus_stub(unconfined_execmem_t)
-
- init_dbus_chat_script(unconfined_execmem_t)
- unconfined_dbus_chat(unconfined_execmem_t)
-
- optional_policy(`
- hal_dbus_chat(unconfined_execmem_t)
- ')
-')
+attribute unconfined_services;
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index db75976..494ec08 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -1,4 +1,19 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
-
/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
+/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+/root/\.debug(/.*)? <<none>>
+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
+HOME_DIR/\.local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
+HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
+HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.gvfs/.* <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 4b2878a..e7a65ae 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
')
attribute $1_file_type;
+ attribute $1_usertype;
- type $1_t, userdomain;
+ type $1_t, userdomain, $1_usertype;
domain_type($1_t)
+ role $1_r;
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
@@ -43,69 +45,106 @@ template(`userdom_base_user_template',`
term_user_pty($1_t, user_devpts_t)
term_user_tty($1_t, user_tty_device_t)
-
- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
- allow $1_t self:fd use;
- allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
- allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow $1_t self:shm create_shm_perms;
- allow $1_t self:sem create_sem_perms;
- allow $1_t self:msgq create_msgq_perms;
- allow $1_t self:msg { send receive };
- allow $1_t self:context contains;
- dontaudit $1_t self:socket create;
-
- allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms };
- term_create_pty($1_t, user_devpts_t)
+ term_dontaudit_getattr_generic_ptys($1_t)
+
+ allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
+ allow $1_usertype $1_usertype:fd use;
+ allow $1_usertype $1_t:key { create view read write search link setattr };
+
+ allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
+ allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
+ allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
+ allow $1_usertype $1_usertype:shm create_shm_perms;
+ allow $1_usertype $1_usertype:sem create_sem_perms;
+ allow $1_usertype $1_usertype:msgq create_msgq_perms;
+ allow $1_usertype $1_usertype:msg { send receive };
+ allow $1_usertype $1_usertype:context contains;
+ dontaudit $1_usertype $1_usertype:socket create;
+
+ allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
+ term_create_pty($1_usertype, user_devpts_t)
# avoid annoying messages on terminal hangup on role change
- dontaudit $1_t user_devpts_t:chr_file ioctl;
+ dontaudit $1_usertype user_devpts_t:chr_file ioctl;
- allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };
+ allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
# avoid annoying messages on terminal hangup on role change
- dontaudit $1_t user_tty_device_t:chr_file ioctl;
-
- kernel_read_kernel_sysctls($1_t)
- kernel_dontaudit_list_unlabeled($1_t)
- kernel_dontaudit_getattr_unlabeled_files($1_t)
- kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
- kernel_dontaudit_getattr_unlabeled_pipes($1_t)
- kernel_dontaudit_getattr_unlabeled_sockets($1_t)
- kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
- kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
-
- dev_dontaudit_getattr_all_blk_files($1_t)
- dev_dontaudit_getattr_all_chr_files($1_t)
+ dontaudit $1_usertype user_tty_device_t:chr_file ioctl;
+
+ application_exec_all($1_usertype)
+
+ kernel_read_kernel_sysctls($1_usertype)
+ kernel_read_all_sysctls($1_usertype)
+ kernel_dontaudit_list_unlabeled($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_files($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
+ kernel_dontaudit_list_proc($1_usertype)
+
+ dev_dontaudit_getattr_all_blk_files($1_usertype)
+ dev_dontaudit_getattr_all_chr_files($1_usertype)
+ dev_getattr_mtrr_dev($1_t)
# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc. Do not audit these denials.
- domain_dontaudit_read_all_domains_state($1_t)
- domain_dontaudit_getattr_all_domains($1_t)
- domain_dontaudit_getsession_all_domains($1_t)
-
- files_read_etc_files($1_t)
- files_read_etc_runtime_files($1_t)
- files_read_usr_files($1_t)
+ domain_dontaudit_read_all_domains_state($1_usertype)
+ domain_dontaudit_getattr_all_domains($1_usertype)
+ domain_dontaudit_getsession_all_domains($1_usertype)
+ dev_dontaudit_all_access_check($1_usertype)
+
+ files_read_etc_files($1_usertype)
+ files_list_mnt($1_usertype)
+ files_list_var($1_usertype)
+ files_read_mnt_files($1_usertype)
+ files_dontaudit_access_check_mnt($1_usertype)
+ files_read_etc_runtime_files($1_usertype)
+ files_read_usr_files($1_usertype)
+ files_read_usr_src_files($1_usertype)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
- files_list_world_readable($1_t)
- files_read_world_readable_files($1_t)
- files_read_world_readable_symlinks($1_t)
- files_read_world_readable_pipes($1_t)
- files_read_world_readable_sockets($1_t)
+ files_list_world_readable($1_usertype)
+ files_read_world_readable_files($1_usertype)
+ files_read_world_readable_symlinks($1_usertype)
+ files_read_world_readable_pipes($1_usertype)
+ files_read_world_readable_sockets($1_usertype)
# old broswer_domain():
- files_dontaudit_list_non_security($1_t)
- files_dontaudit_getattr_non_security_files($1_t)
- files_dontaudit_getattr_non_security_symlinks($1_t)
- files_dontaudit_getattr_non_security_pipes($1_t)
- files_dontaudit_getattr_non_security_sockets($1_t)
+ files_dontaudit_getattr_all_dirs($1_usertype)
+ files_dontaudit_list_non_security($1_usertype)
+ files_dontaudit_getattr_all_files($1_usertype)
+ files_dontaudit_getattr_non_security_symlinks($1_usertype)
+ files_dontaudit_getattr_non_security_pipes($1_usertype)
+ files_dontaudit_getattr_non_security_sockets($1_usertype)
+ files_dontaudit_setattr_etc_runtime_files($1_usertype)
+
+ files_exec_usr_files($1_t)
+
+ fs_list_cgroup_dirs($1_usertype)
+ fs_dontaudit_rw_cgroup_files($1_usertype)
+
+ storage_rw_fuse($1_usertype)
+
+ auth_use_nsswitch($1_t)
+
+ init_stream_connect($1_usertype)
+ # The library functions always try to open read-write first,
+ # then fall back to read-only if it fails.
+ init_dontaudit_rw_utmp($1_usertype)
+
+ libs_exec_ld_so($1_usertype)
- libs_exec_ld_so($1_t)
+ logging_send_audit_msgs($1_t)
miscfiles_read_localization($1_t)
miscfiles_read_generic_certs($1_t)
- sysnet_read_config($1_t)
+ miscfiles_read_all_certs($1_usertype)
+ miscfiles_read_localization($1_usertype)
+ miscfiles_read_man_pages($1_usertype)
+ miscfiles_read_public_files($1_usertype)
+
+ systemd_dbus_chat_logind($1_usertype)
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
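Review bot: `allow $1_usertype $1_usertype:process { ptrace ... }` replaces a self-only rule with one among every type carrying the `$1_usertype` attribute and adds `ptrace`, which the original line did not grant even to self. Any domain added to the attribute can then trace and read the memory of any other domain of the same user, so separation between a user's application domains rests entirely on which types receive the attribute; that deserves a comment, and putting `ptrace` behind a boolean (as the execmem/execstack rules below already are) would let administrators turn it off. Separately, `fs_list_cgroup_dirs($1_usertype)` here is repeated inside an `optional_policy` block in the next hunk; one call suffices, and since fs_* is a kernel-layer interface the optional_policy wrapper is unnecessary.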
@@ -116,6 +155,20 @@ template(`userdom_base_user_template',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
+
+ optional_policy(`
+ abrt_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+ fs_list_cgroup_dirs($1_usertype)
+ ')
+
+ optional_policy(`
+ ssh_rw_stream_sockets($1_usertype)
+ ssh_delete_tmp($1_t)
+ ssh_signal($1_t)
+ ')
')
#######################################
@@ -149,6 +202,8 @@ interface(`userdom_ro_home_role',`
type user_home_t, user_home_dir_t;
')
+ role $1 types { user_home_t user_home_dir_t };
+
##############################
#
# Domain access to home dir
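Review bot: `role $1 types { user_home_t user_home_dir_t };` associates a role with file types rather than domains, which is unusual enough to need a comment stating why; the same statement is added to `userdom_manage_home_role` in a later hunk with `user_home_type`. If it exists to satisfy a role/type check elsewhere, say so, e.g. `# role/type pairing required by <CONSUMER> — confirm`; if it is a leftover, drop it, since `role ... types` grants no file access and only widens what the role may be paired with.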
@@ -166,27 +221,6 @@ interface(`userdom_ro_home_role',`
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
- tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs($2)
- fs_read_nfs_files($2)
- fs_read_nfs_symlinks($2)
- fs_read_nfs_named_sockets($2)
- fs_read_nfs_named_pipes($2)
- ',`
- fs_dontaudit_list_nfs($2)
- fs_dontaudit_read_nfs_files($2)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs($2)
- fs_read_cifs_files($2)
- fs_read_cifs_symlinks($2)
- fs_read_cifs_named_sockets($2)
- fs_read_cifs_named_pipes($2)
- ',`
- fs_dontaudit_list_cifs($2)
- fs_dontaudit_read_cifs_files($2)
- ')
')
#######################################
@@ -218,8 +252,11 @@ interface(`userdom_ro_home_role',`
interface(`userdom_manage_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
+ attribute user_home_type;
')
+ role $1 types { user_home_type user_home_dir_t };
+
##############################
#
# Domain access to home dir
@@ -228,17 +265,21 @@ interface(`userdom_manage_home_role',`
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
+ allow $2 user_home_t:dir mounton;
allow $2 user_home_t:file entrypoint;
- manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+
+ allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
+ allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
+ manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
files_list_home($2)
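Review bot: `allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };` overlaps the five `relabel_*_pattern` lines under it for dir, file, lnk_file, sock_file and fifo_file, and because `dir_file_class_set` also contains chr_file and blk_file it additionally lets the user domain relabel device nodes under its home to any other `user_home_type` type. If that is wanted it deserves a comment; otherwise the line can go, since the patterns already grant the relabel pair on the other classes. The new `allow $2 user_home_t:dir mounton;` also has no comment explaining which user-space mounts over the home directory need it. `userdom_manage_home_role` continues outside this hunk.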
@@ -246,25 +287,23 @@ interface(`userdom_manage_home_role',`
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
+ fs_mount_nfs($2)
+ fs_mounton_nfs($2)
fs_manage_nfs_dirs($2)
fs_manage_nfs_files($2)
fs_manage_nfs_symlinks($2)
fs_manage_nfs_named_sockets($2)
fs_manage_nfs_named_pipes($2)
- ',`
- fs_dontaudit_manage_nfs_dirs($2)
- fs_dontaudit_manage_nfs_files($2)
')
tunable_policy(`use_samba_home_dirs',`
+ fs_mount_cifs($2)
+ fs_mounton_cifs($2)
fs_manage_cifs_dirs($2)
fs_manage_cifs_files($2)
fs_manage_cifs_symlinks($2)
fs_manage_cifs_named_sockets($2)
fs_manage_cifs_named_pipes($2)
- ',`
- fs_dontaudit_manage_cifs_dirs($2)
- fs_dontaudit_manage_cifs_files($2)
')
')
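Review bot: `fs_mount_nfs($2)`/`fs_mounton_nfs($2)` and the CIFS pair below give the user domain filesystem mount rights inside the home-directory booleans, and nothing says why a login shell needs more than the manage rights that were already there; a comment such as `# mount/mounton needed for <tool> over NFS homes — confirm` would make the grant reviewable. Dropping the `',`` else-branches also changes what operators see: with `use_nfs_home_dirs`/`use_samba_home_dirs` off, user attempts on NFS/CIFS content are now audited instead of silently denied, which is reasonable but worth stating in the commit or a comment. The read-only variant in `userdom_ro_home_role` (L67727-L67752) makes the same auditing change.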
@@ -286,17 +325,63 @@ interface(`userdom_manage_home_role',`
#
interface(`userdom_manage_tmp_role',`
gen_require(`
+ attribute user_tmp_type;
type user_tmp_t;
')
+ role $1 types user_tmp_t;
+
files_poly_member_tmp($2, user_tmp_t)
- manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
- manage_files_pattern($2, user_tmp_t, user_tmp_t)
- manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
- manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
- manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
+ manage_dirs_pattern($2, user_tmp_type, user_tmp_type)
+ manage_files_pattern($2, user_tmp_type, user_tmp_type)
+ manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
+ manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
+ manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+ relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
+ relabel_files_pattern($2, user_tmp_type, user_tmp_type)
+ relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
+ relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type)
+ relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
+')
+
+#######################################
+## <summary>
+## Dontaudit search of user bin dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_user_bin_dirs',`
+ gen_require(`
+ type home_bin_t;
+ ')
+
+ dontaudit $1 home_bin_t:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+## Execute user bin files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_exec_user_bin_files',`
+ gen_require(`
+ attribute user_home_type;
+ type home_bin_t, user_home_dir_t;
+ ')
+
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
+ files_search_home($1)
')
#######################################
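Review bot: `userdom_exec_user_bin_files` grants `exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)` with no tunable guard, whereas the comparable `userdom_exec_user_home_content_files` call is put behind `allow_$1_exec_content` later in this patch (L68309); callers of the new interface are not visible here, so if `~/bin` is meant to follow that boolean the caller needs the same `tunable_policy` wrapper, and if not the summary should say so, e.g. `## Execute user bin files (not gated by allow_<user>_exec_content).`. In `userdom_manage_tmp_role` the manage and relabel patterns now operate on the whole `user_tmp_type` attribute while `role $1 types user_tmp_t;` names only the one type; a comment on why the relabel pair is granted attribute-to-attribute (any user tmp type to any other) would help.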
@@ -316,6 +401,7 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
+ dontaudit $1 user_tmp_t:sock_file execute;
files_search_tmp($1)
')
@@ -347,59 +433,62 @@ interface(`userdom_exec_user_tmp_files',`
#
interface(`userdom_manage_tmpfs_role',`
gen_require(`
+ attribute user_tmpfs_type;
type user_tmpfs_t;
')
- manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
- manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
- manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
- manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
- manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+ role $1 types user_tmpfs_t;
+
+ manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+ relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
')
#######################################
## <summary>
-## The template allowing the user basic
+## The interface allowing the user basic
## network permissions
## </summary>
-## <param name="userdomain_prefix">
+## <param name="userdomain">
## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## The user domain
## </summary>
## </param>
## <rolebase/>
#
-template(`userdom_basic_networking_template',`
- gen_require(`
- type $1_t;
- ')
-
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
- corenet_tcp_sendrecv_generic_if($1_t)
- corenet_udp_sendrecv_generic_if($1_t)
- corenet_tcp_sendrecv_generic_node($1_t)
- corenet_udp_sendrecv_generic_node($1_t)
- corenet_tcp_sendrecv_all_ports($1_t)
- corenet_udp_sendrecv_all_ports($1_t)
- corenet_tcp_connect_all_ports($1_t)
- corenet_sendrecv_all_client_packets($1_t)
-
- corenet_all_recvfrom_labeled($1_t, $1_t)
+interface(`userdom_basic_networking',`
+
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_all_ports($1)
+ corenet_udp_sendrecv_all_ports($1)
+ corenet_tcp_connect_all_ports($1)
+ corenet_sendrecv_all_client_packets($1)
optional_policy(`
- init_tcp_recvfrom_all_daemons($1_t)
- init_udp_recvfrom_all_daemons($1_t)
+ init_tcp_recvfrom_all_daemons($1)
+ init_udp_recvfrom_all_daemons($1)
')
optional_policy(`
- ipsec_match_default_spd($1_t)
+ ipsec_match_default_spd($1)
')
+
')
#######################################
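Review bot: Renaming `userdom_basic_networking_template` to the interface `userdom_basic_networking` changes the argument from a prefix to a domain, so any module outside this tree still calling the old name stops building; the refpolicy convention is to keep a deprecated shim, `template(`userdom_basic_networking_template',`` / `refpolicywarn(`$0($*) has been deprecated, please use userdom_basic_networking() instead.')` / `userdom_basic_networking($1_t)`, closed with `')`. The removed `corenet_all_recvfrom_labeled($1_t, $1_t)` has no replacement in the new body, which is fine if labeled peer traffic is covered elsewhere, but worth a word in the commit. The blank line before the closing `')` at L67980 is stray.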
@@ -430,6 +519,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
+ dev_rw_generic_usb_dev($1_t)
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
@@ -462,8 +552,8 @@ template(`userdom_change_password_template',`
')
optional_policy(`
- usermanage_run_chfn($1_t, $1_r)
- usermanage_run_passwd($1_t, $1_r)
+ usermanage_run_chfn($1_t,$1_r)
+ usermanage_run_passwd($1_t,$1_r)
')
')
@@ -490,7 +580,7 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
- userdom_basic_networking_template($1)
+ userdom_basic_networking($1_usertype)
##############################
#
@@ -500,73 +590,81 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow $1_t self:socket create_socket_perms;
- allow $1_t unpriv_userdomain:fd use;
+ allow $1_usertype unpriv_userdomain:fd use;
- kernel_read_system_state($1_t)
- kernel_read_network_state($1_t)
- kernel_read_net_sysctls($1_t)
+ kernel_read_system_state($1_usertype)
+ kernel_read_network_state($1_usertype)
+ kernel_read_software_raid_state($1_usertype)
+ kernel_read_net_sysctls($1_usertype)
# Very permissive allowing every domain to see every type:
- kernel_get_sysvipc_info($1_t)
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
-
- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype)
+ kernel_request_load_module($1_usertype)
- corenet_udp_bind_generic_node($1_t)
- corenet_udp_bind_generic_port($1_t)
+ corenet_udp_bind_generic_node($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype)
- dev_read_rand($1_t)
- dev_write_sound($1_t)
- dev_read_sound($1_t)
- dev_read_sound_mixer($1_t)
- dev_write_sound_mixer($1_t)
+ dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
+ files_search_locks($1_usertype)
# Check to see if cdrom is mounted
- files_search_mnt($1_t)
+ files_search_mnt($1_usertype)
# cjp: perhaps should cut back on file reads:
- files_read_var_files($1_t)
- files_read_var_symlinks($1_t)
- files_read_generic_spool($1_t)
- files_read_var_lib_files($1_t)
+ files_read_var_files($1_usertype)
+ files_read_var_symlinks($1_usertype)
+ files_read_generic_spool($1_usertype)
+ files_read_var_lib_files($1_usertype)
# Stat lost+found.
- files_getattr_lost_found_dirs($1_t)
+ files_getattr_lost_found_dirs($1_usertype)
+ files_read_config_files($1_usertype)
+ fs_read_noxattr_fs_files($1_usertype)
+ fs_read_noxattr_fs_symlinks($1_usertype)
+ fs_rw_cgroup_files($1_usertype)
- fs_rw_cgroup_files($1_t)
+ application_getattr_socket($1_usertype)
+
+ logging_send_syslog_msg($1_usertype)
+ logging_send_audit_msgs($1_usertype)
+ selinux_get_enforce_mode($1_usertype)
# cjp: some of this probably can be removed
- selinux_get_fs_mount($1_t)
- selinux_validate_context($1_t)
- selinux_compute_access_vector($1_t)
- selinux_compute_create_context($1_t)
- selinux_compute_relabel_context($1_t)
- selinux_compute_user_contexts($1_t)
+ selinux_get_fs_mount($1_usertype)
+ selinux_validate_context($1_usertype)
+ selinux_compute_access_vector($1_usertype)
+ selinux_compute_create_context($1_usertype)
+ selinux_compute_relabel_context($1_usertype)
+ selinux_compute_user_contexts($1_usertype)
# for eject
- storage_getattr_fixed_disk_dev($1_t)
+ storage_getattr_fixed_disk_dev($1_usertype)
- auth_use_nsswitch($1_t)
- auth_read_login_records($1_t)
- auth_search_pam_console_data($1_t)
- auth_run_pam($1_t, $1_r)
- auth_run_utempter($1_t, $1_r)
+ auth_read_login_records($1_usertype)
+ auth_run_pam($1_t,$1_r)
+ auth_run_utempter($1_t,$1_r)
- init_read_utmp($1_t)
+ init_read_utmp($1_usertype)
- seutil_read_file_contexts($1_t)
- seutil_read_default_contexts($1_t)
- seutil_run_newrole($1_t, $1_r)
+ seutil_read_file_contexts($1_usertype)
+ seutil_read_default_contexts($1_usertype)
+ seutil_run_newrole($1_t,$1_r)
seutil_exec_checkpolicy($1_t)
- seutil_exec_setfiles($1_t)
+ seutil_exec_setfiles($1_usertype)
# for when the network connection is killed
# this is needed when a login role can change
# to this one.
seutil_dontaudit_signal_newrole($1_t)
tunable_policy(`user_direct_mouse',`
- dev_read_mouse($1_t)
+ dev_read_mouse($1_usertype)
')
tunable_policy(`user_ttyfile_stat',`
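Review bot: `kernel_request_load_module($1_usertype)` lets every unprivileged user type trigger kernel module autoloading, which widens the kernel surface reachable from a login shell compared with the rest of this block, and the line has no comment saying which workload needs it; I would add `# module_request: <reason> — confirm` and consider a boolean rather than an unconditional grant. `allow $1_t self:socket create_socket_perms;` (generic socket class) and `allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;` likewise deserve a why-comment, since the earlier netlink lines in this block are dontaudits. `userdom_common_user_template` continues outside this hunk.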
@@ -574,67 +672,117 @@ template(`userdom_common_user_template',`
')
optional_policy(`
- alsa_manage_home_files($1_t)
- alsa_read_rw_config($1_t)
- alsa_relabel_home_files($1_t)
+ # Allow graphical boot to check battery lifespan
+ apm_stream_connect($1_usertype)
')
optional_policy(`
- # Allow graphical boot to check battery lifespan
- apm_stream_connect($1_t)
+ canna_stream_connect($1_usertype)
')
optional_policy(`
- canna_stream_connect($1_t)
+ chrome_role($1_r, $1_usertype)
')
optional_policy(`
- dbus_system_bus_client($1_t)
+ colord_read_lib_files($1_usertype)
+ ')
+
+ optional_policy(`
+ dbus_system_bus_client($1_usertype)
+
+ allow $1_usertype $1_usertype:dbus send_msg;
+
+ optional_policy(`
+ avahi_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+ bluetooth_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat($1_usertype)
+ consolekit_read_log($1_usertype)
+ ')
+
+ optional_policy(`
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ ')
+
+ optional_policy(`
+ evolution_dbus_chat($1_usertype)
+ evolution_alarm_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+ gnome_dbus_chat_gconfdefault($1_usertype)
+ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
+ hal_dbus_chat($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
+ kde_dbus_chat_backlighthelper($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
+ modemmanager_dbus_chat($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
+ networkmanager_dbus_chat($1_usertype)
+ networkmanager_read_lib_files($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
+ vpn_dbus_chat($1_usertype)
')
')
optional_policy(`
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
+ git_session_role($1_r, $1_usertype)
+ ')
+
+ optional_policy(`
+ inetd_use_fds($1_usertype)
+ inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
- inn_read_config($1_t)
- inn_read_news_lib($1_t)
- inn_read_news_spool($1_t)
+ inn_read_config($1_usertype)
+ inn_read_news_lib($1_usertype)
+ inn_read_news_spool($1_usertype)
')
optional_policy(`
- locate_read_lib_files($1_t)
+ lircd_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+ locate_read_lib_files($1_usertype)
')
# for running depmod as part of the kernel packaging process
optional_policy(`
- modutils_read_module_config($1_t)
+ modutils_read_module_config($1_usertype)
+ ')
+
+ optional_policy(`
+ mta_rw_spool($1_usertype)
+ mta_manage_queue($1_usertype)
+ mta_filetrans_home_content($1_usertype)
')
optional_policy(`
- mta_rw_spool($1_t)
+ nsplugin_role($1_r, $1_usertype)
')
optional_policy(`
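Review bot: `mta_manage_queue($1_usertype)` replaces the narrower `mta_rw_spool($1_t)` with create/delete rights on the MTA queue for every user type, and neither it nor `mta_filetrans_home_content($1_usertype)` says which client needs it; a comment such as `# local mail submission writes queue files — confirm which MTA` would make the widening reviewable. The `chrome_role`, `git_session_role` and `nsplugin_role` calls are all passed `$1_usertype` while `seunshare_role_template` in the next hunk (L68285) gets `$1_t`; if that is deliberate a comment at one of them would prevent "fixes". `userdom_common_user_template` continues outside this hunk.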
@@ -650,40 +798,52 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
- pcmcia_read_pid($1_t)
+ pcmcia_read_pid($1_usertype)
')
optional_policy(`
- pcscd_read_pub_files($1_t)
- pcscd_stream_connect($1_t)
+ pcscd_read_pub_files($1_usertype)
+ pcscd_stream_connect($1_usertype)
')
optional_policy(`
tunable_policy(`allow_user_postgresql_connect',`
- postgresql_stream_connect($1_t)
- postgresql_tcp_connect($1_t)
+ postgresql_stream_connect($1_usertype)
+ postgresql_tcp_connect($1_usertype)
')
')
optional_policy(`
- resmgr_stream_connect($1_t)
+ resmgr_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+ rpc_dontaudit_getattr_exports($1_usertype)
+ rpc_manage_nfs_rw_content($1_usertype)
+ ')
+
+ optional_policy(`
+ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
+ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
+ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
- slrnpull_search_spool($1_t)
+ seunshare_role_template($1, $1_r, $1_t)
')
optional_policy(`
- usernetctl_run($1_t, $1_r)
+ slrnpull_search_spool($1_usertype)
+ ')
+
+ optional_policy(`
+ thumb_role($1_r, $1_usertype)
')
')
@@ -712,13 +872,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
+ userdom_manage_home_role($1_r, $1_usertype)
+
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
- userdom_exec_user_tmp_files($1_t)
- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
+ ')
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
+
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
+ ')
userdom_change_password_template($1)
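Review bot: `gen_tunable(allow_$1_exec_content, true)` introduces a per-user boolean that defaults to allowing execution of home and /tmp content (and, combined with `use_nfs_home_dirs`/`use_samba_home_dirs`, NFS/CIFS content), but it carries none of the `## <desc>` documentation that tunables in this tree get, so the boolean will show up in `semanage boolean -l` without a description. Add the usual block above it: `## <desc>`, `## <p>Allow $1 to execute content in its home directory and /tmp.</p>`, `## </desc>`. The `ifelse(`$1',`unconfined',`',`` exclusion is fine but a one-line comment on why unconfined is skipped would help.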
@@ -736,72 +909,76 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
- kernel_dontaudit_read_system_state($1_t)
+ kernel_dontaudit_read_system_state($1_usertype)
+ kernel_dontaudit_list_all_proc($1_usertype)
- dev_read_sysfs($1_t)
- dev_read_urand($1_t)
+ dev_read_sysfs($1_usertype)
+ dev_read_urand($1_usertype)
- domain_use_interactive_fds($1_t)
+ domain_use_interactive_fds($1_usertype)
# Command completion can fire hundreds of denials
- domain_dontaudit_exec_all_entry_files($1_t)
+ domain_dontaudit_exec_all_entry_files($1_usertype)
- files_dontaudit_list_default($1_t)
- files_dontaudit_read_default_files($1_t)
+ files_dontaudit_list_default($1_usertype)
+ files_dontaudit_read_default_files($1_usertype)
# Stat lost+found.
- files_getattr_lost_found_dirs($1_t)
+ files_getattr_lost_found_dirs($1_usertype)
- fs_get_all_fs_quotas($1_t)
- fs_getattr_all_fs($1_t)
- fs_getattr_all_dirs($1_t)
- fs_search_auto_mountpoints($1_t)
- fs_list_cgroup_dirs($1_t)
- fs_list_inotifyfs($1_t)
- fs_rw_anon_inodefs_files($1_t)
- fs_dontaudit_rw_cgroup_files($1_t)
+ fs_get_all_fs_quotas($1_usertype)
+ fs_getattr_all_fs($1_usertype)
+ fs_search_all($1_usertype)
+ fs_list_inotifyfs($1_usertype)
+ fs_rw_anon_inodefs_files($1_usertype)
auth_dontaudit_write_login_records($1_t)
+ auth_rw_cache($1_t)
application_exec_all($1_t)
-
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
init_dontaudit_rw_utmp($1_t)
+
# Stop warnings about access to /dev/console
- init_dontaudit_use_fds($1_t)
- init_dontaudit_use_script_fds($1_t)
+ init_dontaudit_use_fds($1_usertype)
+ init_dontaudit_use_script_fds($1_usertype)
- libs_exec_lib_files($1_t)
+ libs_exec_lib_files($1_usertype)
- logging_dontaudit_getattr_all_logs($1_t)
+ logging_dontaudit_getattr_all_logs($1_usertype)
- miscfiles_read_man_pages($1_t)
# for running TeX programs
- miscfiles_read_tetex_data($1_t)
- miscfiles_exec_tetex_data($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
- seutil_read_config($1_t)
+ seutil_read_config($1_usertype)
optional_policy(`
- cups_read_config($1_t)
- cups_stream_connect($1_t)
- cups_stream_connect_ptal($1_t)
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
+ cups_stream_connect_ptal($1_usertype)
')
optional_policy(`
- kerberos_use($1_t)
+ kerberos_use($1_usertype)
+ kerberos_filetrans_home_content($1_usertype)
')
optional_policy(`
- mta_dontaudit_read_spool_symlinks($1_t)
+ mta_dontaudit_read_spool_symlinks($1_usertype)
')
optional_policy(`
- quota_dontaudit_getattr_db($1_t)
+ quota_dontaudit_getattr_db($1_usertype)
')
optional_policy(`
- rpm_read_db($1_t)
- rpm_dontaudit_manage_db($1_t)
+ rpm_read_db($1_usertype)
+ rpm_dontaudit_manage_db($1_usertype)
+ rpm_read_cache($1_usertype)
+ ')
+
+ optional_policy(`
+ oddjob_run_mkhomedir($1_t, $1_r)
')
')
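Review bot: `auth_rw_cache($1_t)` is added without a comment and stays on `$1_t` while the surrounding lines move to `$1_usertype`; a why-comment such as `# nss client cache used by the login shell — confirm` would explain both the grant and the narrower subject. `fs_search_all($1_usertype)` replaces four targeted interfaces (`fs_getattr_all_dirs`, `fs_search_auto_mountpoints`, `fs_list_cgroup_dirs`, `fs_dontaudit_rw_cgroup_files`) with a search grant on every filesystem type, which is broader than what was removed and worth a sentence in the commit. `userdom_login_user_template` continues outside this hunk.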
@@ -833,6 +1010,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
+ allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
+ dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
+
##############################
#
# Local policy
@@ -874,45 +1054,118 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
- auth_search_pam_console_data($1_t)
+ auth_search_pam_console_data($1_usertype)
+ auth_dontaudit_read_login_records($1_usertype)
- dev_read_sound($1_t)
- dev_write_sound($1_t)
+ dev_read_sound($1_usertype)
+ dev_write_sound($1_usertype)
# gnome keyring wants to read this.
- dev_dontaudit_read_rand($1_t)
+ dev_dontaudit_read_rand($1_usertype)
+ # temporarily allow since openoffice requires this
+ dev_read_rand($1_usertype)
- logging_send_syslog_msg($1_t)
+ dev_read_video_dev($1_usertype)
+ dev_write_video_dev($1_usertype)
+ dev_rw_wireless($1_usertype)
+
+ libs_dontaudit_setattr_lib_files($1_usertype)
+
+ tunable_policy(`user_rw_noexattrfile',`
+ dev_rw_usbfs($1_t)
+ dev_rw_generic_usb_dev($1_usertype)
+
+ fs_manage_noxattr_fs_files($1_usertype)
+ fs_manage_noxattr_fs_dirs($1_usertype)
+ fs_manage_dos_dirs($1_usertype)
+ fs_manage_dos_files($1_usertype)
+ storage_raw_read_removable_device($1_usertype)
+ storage_raw_write_removable_device($1_usertype)
+ ')
+
+ logging_send_syslog_msg($1_usertype)
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
logging_send_audit_msgs($1_t)
selinux_get_enforce_mode($1_t)
+ seutil_exec_restorecond($1_t)
+ seutil_read_file_contexts($1_t)
+ seutil_read_default_contexts($1_t)
xserver_restricted_role($1_r, $1_t)
optional_policy(`
- alsa_read_rw_config($1_t)
+ alsa_read_rw_config($1_usertype)
+ ')
+
+ # cjp: needed by KDE apps
+ # bug: #682499
+ optional_policy(`
+ gnome_read_usr_config($1_usertype)
+ gnome_role_gkeyringd($1, $1_r, $1_usertype)
+ # cjp: telepathy F15 bugs
+ telepathy_role($1_r, $1_t, $1)
')
optional_policy(`
- dbus_role_template($1, $1_r, $1_t)
- dbus_system_bus_client($1_t)
+ dbus_role_template($1, $1_r, $1_usertype)
+ dbus_system_bus_client($1_usertype)
+ allow $1_usertype $1_usertype:dbus send_msg;
+
+ optional_policy(`
+ abrt_dbus_chat($1_usertype)
+ abrt_run_helper($1_usertype, $1_r)
+ ')
+
+ optional_policy(`
+ consolekit_dontaudit_read_log($1_usertype)
+ consolekit_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+ cups_dbus_chat($1_usertype)
+ cups_dbus_chat_config($1_usertype)
+ ')
optional_policy(`
- consolekit_dbus_chat($1_t)
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
')
optional_policy(`
- cups_dbus_chat($1_t)
+ fprintd_dbus_chat($1_t)
')
')
optional_policy(`
- java_role($1_r, $1_t)
+ openoffice_role_template($1, $1_r, $1_usertype)
+ ')
+
+ optional_policy(`
+ policykit_role($1_r, $1_usertype)
+ ')
+
+ optional_policy(`
+ pulseaudio_role($1_r, $1_usertype)
+ pulseaudio_filetrans_admin_home_content($1_usertype)
+ pulseaudio_filetrans_home_content($1_usertype)
+ ')
+
+ optional_policy(`
+ rtkit_scheduled($1_usertype)
')
optional_policy(`
setroubleshoot_dontaudit_stream_connect($1_t)
+ ')
+
+ optional_policy(`
+ udev_read_db($1_usertype)
+ ')
+
+ optional_policy(`
+ wm_role_template($1, $1_r, $1_t)
')
')
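Review bot: `dev_dontaudit_read_rand($1_usertype)` at L68435 is dead once `dev_read_rand($1_usertype)` follows two lines later, and the "temporarily allow" comment has no tracking reference, so either drop the dontaudit or replace the comment with `# temporarily allowed for openoffice; remove when <bug> is fixed`. Inside `tunable_policy(`user_rw_noexattrfile',`` the first line uses `dev_rw_usbfs($1_t)` while every other line uses `$1_usertype`, which looks accidental; the same block also grants `storage_raw_read_removable_device`/`storage_raw_write_removable_device`, i.e. raw block access to removable media, which the boolean's name does not suggest, so its description (outside this hunk) should mention it. `fprintd_dbus_chat($1_t)` at L68508 is likewise the only `$1_t` among `$1_usertype` dbus lines.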
@@ -947,7 +1200,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
- userdom_restricted_user_template($1)
+ userdom_restricted_xwindows_user_template($1)
userdom_common_user_template($1)
##############################
@@ -956,12 +1209,15 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
- corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
# Need the following rule to allow users to run vpnc
corenet_tcp_bind_xserver_port($1_t)
+ corenet_tcp_bind_generic_node($1_usertype)
+
+ storage_rw_fuse($1_t)
files_exec_usr_files($1_t)
- # cjp: why?
+ # cjp: why?
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
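Review bot: The commented-out `# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)` sits directly under a comment that still says reserved-port binds "are audited even if dac would not have allowed it, so dontaudit it here", so code and comment now contradict each other; either delete the line and reword the comment to say such attempts are now audited on purpose, or restore the call. `storage_rw_fuse($1_t)` and `corenet_tcp_bind_generic_node($1_usertype)` are added without a why-comment. `userdom_unpriv_user_template` continues outside this hunk.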
@@ -978,23 +1234,72 @@ template(`userdom_unpriv_user_template', `
')
')
- tunable_policy(`user_dmesg',`
- kernel_read_ring_buffer($1_t)
- ',`
- kernel_dontaudit_read_ring_buffer($1_t)
- ')
+ miscfiles_read_hwdata($1_usertype)
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
+
+ tunable_policy(`user_share_music',`
+ corenet_tcp_bind_daap_port($1_usertype)
+ ')
+
tunable_policy(`user_tcp_server',`
- corenet_tcp_bind_generic_node($1_t)
- corenet_tcp_bind_generic_port($1_t)
+ corenet_tcp_bind_all_unreserved_ports($1_usertype)
+ ')
+
+ tunable_policy(`user_setrlimit',`
+ allow $1_usertype self:process setrlimit;
+ ')
+
+ optional_policy(`
+ cdrecord_role($1_r, $1_t)
+ ')
+
+ optional_policy(`
+ cron_role($1_r, $1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t, $1_r)
- netutils_run_traceroute_cond($1_t, $1_r)
+ games_rw_data($1_usertype)
+ ')
+
+ optional_policy(`
+ gpg_role($1_r, $1_usertype)
+ ')
+
+ optional_policy(`
+ gnomeclock_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
+ gpm_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+ execmem_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
+ java_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
+ mono_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
+ ')
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
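Review bot: The three-line comment "Allow users to run TCP servers ... disabling this forces FTP passive mode" now sits above the inserted `user_share_music` block instead of the `user_tcp_server` tunable it describes; move the `user_share_music` block above the comment (or the comment down to L68580) so the two stay paired. `user_tcp_server` now grants `corenet_tcp_bind_all_unreserved_ports($1_usertype)` rather than the generic port, and the `user_dmesg` tunable is removed outright, both of which change what the booleans mean for existing deployments and deserve a line in the commit message. `userdom_unpriv_user_template` continues outside this hunk.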
@@ -1003,7 +1308,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
- setroubleshoot_stream_connect($1_t)
+ vdagent_getattr_log($1_t)
+ vdagent_getattr_exec($1_t)
+ vdagent_stream_connect($1_t)
')
')
@@ -1039,7 +1346,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
- class passwd { passwd chfn chsh rootok };
+ class passwd { passwd chfn chsh rootok crontab };
')
##############################
@@ -1066,6 +1373,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
+ allow $1_t self:capability2 syslog;
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
@@ -1074,6 +1382,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
+ # Manipulate other users crontab.
+ allow $1_t self:passwd crontab;
+
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
@@ -1088,6 +1399,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
+ kernel_signal($1_t)
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
@@ -1105,10 +1417,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
+ dev_rw_generic_usb_dev($1_t)
+ dev_rw_usbfs($1_t)
domain_setpriority_all_domains($1_t)
domain_read_all_domains_state($1_t)
domain_getattr_all_domains($1_t)
+ domain_getcap_all_domains($1_t)
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
@@ -1119,29 +1434,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
+ domain_dontaudit_getattr_all_sockets($1_t)
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
+ fs_getattr_all_files($1_t)
+ fs_list_all($1_t)
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
+ storage_dontaudit_read_fixed_disk($1_t)
- term_use_all_terms($1_t)
+ term_use_all_inherited_terms($1_t)
+ term_use_unallocated_ttys($1_t)
auth_getattr_shadow($1_t)
# Manage almost all files
- auth_manage_all_files_except_shadow($1_t)
+ files_manage_non_security_dirs($1_t)
+ files_manage_non_security_files($1_t)
# Relabel almost all files
- auth_relabel_all_files_except_shadow($1_t)
+ files_relabel_non_security_files($1_t)
init_telinit($1_t)
logging_send_syslog_msg($1_t)
- modutils_domtrans_insmod($1_t)
+ optional_policy(`
+ modutils_domtrans_insmod($1_t)
+ modutils_domtrans_depmod($1_t)
+ ')
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
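Review bot: `domain_dontaudit_getattr_all_sockets($1_t)` is added immediately after the existing `domain_getattr_all_sockets($1_t)`; if both interfaces cover the same socket classes (I cannot confirm that from here) the dontaudit is dead and should be dropped, and if they differ a comment naming the extra classes would explain the pair. The switch from `auth_manage_all_files_except_shadow` to `files_manage_non_security_dirs`/`files_manage_non_security_files` narrows the admin to non-security types, which is the intent but not stated; a one-line comment `# security_file_type is excluded on purpose` would help. `userdom_admin_user_template` continues outside this hunk.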
@@ -1151,6 +1475,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
+ systemd_config_all_services($1_t)
+
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
@@ -1210,6 +1536,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
+ files_create_default_dir($1)
+ files_root_filetrans_default($1, dir)
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
@@ -1222,8 +1550,9 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
+ selinux_read_policy($1)
- auth_relabel_all_files_except_shadow($1)
+ files_relabel_all_files($1)
auth_relabel_shadow($1)
init_exec($1)
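Review bot: `files_relabel_all_files($1)` replaces the shadow-excluding relabel interface, so the `auth_relabel_shadow($1)` on the next context line is now redundant if shadow_t is a file_type (I expect it is, but cannot see its declaration here); keep one or comment the overlap. Since this template is what makes a domain a security administrator, a comment such as `# relabel rights intentionally include security_file_type` would document the widening. `userdom_security_admin_template` continues outside this hunk.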
@@ -1234,13 +1563,24 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
- seutil_run_checkpolicy($1, $2)
- seutil_run_loadpolicy($1, $2)
- seutil_run_semanage($1, $2)
+ seutil_manage_default_contexts($1)
+ seutil_manage_file_contexts($1)
+ seutil_manage_module_store($1)
+ seutil_manage_config($1)
+ seutil_run_checkpolicy($1,$2)
+ seutil_run_loadpolicy($1,$2)
+ seutil_run_semanage($1,$2)
+ seutil_run_setsebool($1,$2)
seutil_run_setfiles($1, $2)
+ seutil_manage_bin_policy($1)
+ seutil_manage_default_contexts($1)
+ seutil_manage_file_contexts($1)
+ seutil_manage_module_store($1)
+ seutil_manage_config($1)
+
optional_policy(`
- aide_run($1, $2)
+ aide_run($1,$2)
')
optional_policy(`
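Review bot: The block at L68767-L68771 (`seutil_manage_bin_policy`, `seutil_manage_default_contexts`, `seutil_manage_file_contexts`, `seutil_manage_module_store`, `seutil_manage_config`) duplicates the same five calls already present at L68754 and L68758-L68761; remove the second set so each grant appears once. `seutil_run_setsebool($1,$2)` and the reformatted `seutil_run_*($1,$2)` lines drop the space after the comma that the untouched `seutil_run_setfiles($1, $2)` keeps; one style or the other. `userdom_security_admin_template` continues outside this hunk.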
@@ -1251,12 +1591,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
- optional_policy(`
- ipsec_run_setkey($1, $2)
+ optional_policy(`
+ ipsec_run_setkey($1,$2)
')
optional_policy(`
- netlabel_run_mgmt($1, $2)
+ netlabel_run_mgmt($1,$2)
')
optional_policy(`
@@ -1279,54 +1619,66 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
+ attribute user_home_type;
')
allow $1 user_home_t:filesystem associate;
files_type($1)
- files_poly_member($1)
ubac_constrained($1)
+
+ files_poly_member($1)
+ typeattribute $1 user_home_type;
')
########################################
## <summary>
-## Allow domain to attach to TUN devices created by administrative users.
+## Make the specified type usable in a
+## generic temporary directory.
## </summary>
-## <param name="domain">
+## <param name="type">
## <summary>
-## Domain allowed access.
+## Type to be used as a file in the
+## generic temporary directory.
## </summary>
## </param>
#
-interface(`userdom_attach_admin_tun_iface',`
+interface(`userdom_user_tmp_content',`
gen_require(`
- attribute admindomain;
+ attribute user_tmp_type;
')
- allow $1 admindomain:tun_socket relabelfrom;
- allow $1 self:tun_socket relabelto;
+ typeattribute $1 user_tmp_type;
+
+ files_tmp_file($1)
+ ubac_constrained($1)
')
########################################
## <summary>
-## Set the attributes of a user pty.
+## Make the specified type usable in a
+## generic tmpfs_t directory.
## </summary>
-## <param name="domain">
+## <param name="type">
## <summary>
-## Domain allowed access.
+## Type to be used as a file in the
+## generic temporary directory.
## </summary>
## </param>
#
-interface(`userdom_setattr_user_ptys',`
+interface(`userdom_user_tmpfs_content',`
gen_require(`
- type user_devpts_t;
+ attribute user_tmpfs_type;
')
- allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
+ typeattribute $1 user_tmpfs_type;
+
+ files_tmpfs_file($1)
+ ubac_constrained($1)
')
########################################
## <summary>
-## Create a user pty.
+## Allow domain to attach to TUN devices created by administrative users.
## </summary>
## <param name="domain">
## <summary>
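Review bot: The `<param name="type">` summary of the new `userdom_user_tmpfs_content` still reads "generic temporary directory", copied from `userdom_user_tmp_content`, while its interface summary says tmpfs_t; change it to `## Type to be used as a file in the generic tmpfs_t directory.` so the two agree. The TUN interface whose header starts at the bottom of this hunk continues in the next one.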
@@ -1334,7 +1686,44 @@ interface(`userdom_setattr_user_ptys',`
## </summary>
## </param>
#
-interface(`userdom_create_user_pty',`
+interface(`userdom_attach_admin_tun_iface',`
+ gen_require(`
+ attribute admindomain;
+ ')
+
+ allow $1 admindomain:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
+## Set the attributes of a user pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_setattr_user_ptys',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
+ allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Create a user pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_create_user_pty',`
gen_require(`
type user_devpts_t;
')
@@ -1395,6 +1784,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
+ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
files_search_home($1)
')
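Review bot: `allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;` widens userdom_search_user_home_dirs beyond directory search, but the interface summary above the hunk still presents it as search-only; either extend the summary to say symlinks in the home root are also readable, or add a why-comment such as `# symlinked home roots need lnk_file read to be traversed`. The same widening happens in userdom_search_user_home_content further down in this file.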
@@ -1441,6 +1831,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ ')
')
########################################
@@ -1456,9 +1854,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
+ type user_home_t;
')
dontaudit $1 user_home_dir_t:dir list_dir_perms;
+ dontaudit $1 user_home_t:dir list_dir_perms;
')
########################################
@@ -1515,6 +1915,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
+
+########################################
+## <summary>
+## Relabel to user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabelto_user_home_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:file relabelto;
+')
+########################################
+## <summary>
+## Relabel user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabel_user_home_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:file relabel_file_perms;
+')
+
########################################
## <summary>
## Create directories in the home dir root with
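Review bot: There is no blank line between the `')` closing the new userdom_relabelto_user_home_files and the `####` banner of userdom_relabel_user_home_files, unlike every other interface in the file; add one. Both new interfaces grant on user_home_t only, whereas the other interfaces this commit adds (the delete_all_* and setattr_all_* ones) use the user_home_type attribute, so a one-line comment stating whether the narrower scope is deliberate would help the next reader.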
@@ -1589,6 +2025,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
+ fs_dontaudit_list_nfs($1)
+ fs_dontaudit_list_cifs($1)
')
########################################
@@ -1603,10 +2041,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
- type user_home_t;
+ type user_home_dir_t;
+ attribute user_home_type;
')
- allow $1 user_home_t:dir list_dir_perms;
+ files_list_home($1)
+ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
')
########################################
@@ -1649,6 +2089,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
+## Delete all directories in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_home_content_dirs',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ allow $1 user_home_type:dir delete_dir_perms;
+')
+
+########################################
+## <summary>
+## Set the attributes of user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_setattr_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:file setattr;
+')
+
+########################################
+## <summary>
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
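Review bot: `allow $1 user_home_t:file setattr;` in the new userdom_setattr_user_home_content_files uses a bare permission where the rest of the file uses permission-set macros (compare `setattr_dir_perms` in the sibling dirs interface added in the next hunk); write `allow $1 user_home_t:file setattr_file_perms;`. The same applies to the bare `getattr` in userdom_dontaudit_getattr_user_home_content and the bare `write` in userdom_dontaudit_write_user_tmp_files later in this file.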
@@ -1668,6 +2145,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
+## Set the attributes of all user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_setattr_all_user_home_content_dirs',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ allow $1 user_home_type:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
## Mmap user home files.
## </summary>
## <param name="domain">
@@ -1700,12 +2196,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
+ list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t })
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
########################################
## <summary>
+## Do not audit attempts to getattr user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_getattr_user_home_content',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ dontaudit $1 user_home_type:dir getattr;
+ dontaudit $1 user_home_type:file getattr;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
@@ -1716,11 +2232,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
- type user_home_t;
+ attribute user_home_type;
+ type user_home_dir_t;
')
- dontaudit $1 user_home_t:dir list_dir_perms;
- dontaudit $1 user_home_t:file read_file_perms;
+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
+ dontaudit $1 user_home_type:dir list_dir_perms;
+ dontaudit $1 user_home_type:file read_file_perms;
+ dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
')
########################################
@@ -1779,6 +2298,60 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
+## Delete all files in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_home_content_files',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ allow $1 user_home_type:file delete_file_perms;
+')
+
+########################################
+## <summary>
+## Delete sock files in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_user_home_content_sock_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:sock_file delete_file_perms;
+')
+
+########################################
+## <summary>
+## Delete all sock files in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_home_content_sock_files',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ allow $1 user_home_type:sock_file delete_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
@@ -1810,8 +2383,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
- files_search_home($1)
+ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
')
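Review bot: Replacing `read_lnk_files_pattern(...)` and `files_search_home($1)` with a bare lnk_file allow drops the dir search the pattern macro presumably granted on user_home_dir_t/user_home_t and the home-root search, so callers that relied on userdom_read_user_home_content_symlinks alone for path traversal may start hitting dir search denials. If callers are now expected to obtain search via userdom_search_user_home_content, state it in a comment: `# search on the home dirs must be obtained separately`.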
########################################
@@ -1827,20 +2399,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
- type user_home_dir_t, user_home_t;
+ type user_home_dir_t;
+ attribute user_home_type;
')
files_search_home($1)
- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
-')
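Review bot: The `use_nfs_home_dirs` / `use_samba_home_dirs` tunable blocks are removed from userdom_exec_user_home_content_files with nothing replacing them in this hunk, so domains that executed from NFS/CIFS-backed home directories through this interface lose that access unless it is now granted elsewhere; if that is deliberate, a comment such as `# nfs/cifs home exec is granted by the tunables in the user templates` would stop the next reader from re-adding them. Switching the target from user_home_t to the user_home_type attribute also widens the exec grant to every type carrying that attribute, which deserves a line in the summary above the hunk.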
########################################
## <summary>
@@ -1941,6 +2507,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
+## Delete all symbolic links in a user home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_home_content_symlinks',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ allow $1 user_home_type:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
@@ -2008,7 +2592,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
- filetrans_pattern($1, user_home_dir_t, $2, $3)
+ filetrans_pattern($1, user_home_dir_t, $2, $3, $4)
files_search_home($1)
')
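Review bot: `filetrans_pattern($1, user_home_dir_t, $2, $3, $4)` adds a fourth positional argument (presumably a filename for name-based transitions) but the `<param>` documentation of userdom_user_home_dir_filetrans, which lies above the hunk, is not updated; add a `<param name="filename" optional="true">` block describing it. The same applies to userdom_user_home_content_filetrans and userdom_user_tmp_filetrans in the following hunks.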
@@ -2039,7 +2623,7 @@ interface(`userdom_user_home_content_filetrans',`
type user_home_dir_t, user_home_t;
')
- filetrans_pattern($1, user_home_t, $2, $3)
+ filetrans_pattern($1, user_home_t, $2, $3, $4)
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
@@ -2182,7 +2766,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
- dontaudit $1 user_tmp_t:file read_file_perms;
+ dontaudit $1 user_tmp_t:file read_inherited_file_perms;
')
########################################
@@ -2390,7 +2974,7 @@ interface(`userdom_user_tmp_filetrans',`
type user_tmp_t;
')
- filetrans_pattern($1, user_tmp_t, $2, $3)
+ filetrans_pattern($1, user_tmp_t, $2, $3, $4)
files_search_tmp($1)
')
@@ -2435,13 +3019,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
allow $1 user_tmpfs_t:dir list_dir_perms;
fs_search_tmpfs($1)
')
########################################
## <summary>
-## Read user tmpfs files.
+## Read/Write user tmpfs files.
## </summary>
## <param name="domain">
## <summary>
@@ -2462,26 +3047,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
-## Create, read, write, and delete user tmpfs files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`userdom_manage_user_tmpfs_files',`
- gen_require(`
- type user_tmpfs_t;
- ')
-
- manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
- allow $1 user_tmpfs_t:dir list_dir_perms;
- fs_search_tmpfs($1)
-')
-
-########################################
-## <summary>
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
@@ -2572,7 +3137,7 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
-## Read and write a user domain pty.
+## Read and write a inherited user domain tty.
## </summary>
## <param name="domain">
## <summary>
@@ -2580,70 +3145,138 @@ interface(`userdom_use_user_ttys',`
## </summary>
## </param>
#
-interface(`userdom_use_user_ptys',`
+interface(`userdom_use_inherited_user_ttys',`
gen_require(`
- type user_devpts_t;
+ type user_tty_device_t;
')
- allow $1 user_devpts_t:chr_file rw_term_perms;
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
')
########################################
## <summary>
-## Read and write a user TTYs and PTYs.
+## Read and write a user domain pty.
## </summary>
-## <desc>
-## <p>
-## Allow the specified domain to read and write user
-## TTYs and PTYs. This will allow the domain to
-## interact with the user via the terminal. Typically
-## all interactive applications will require this
-## access.
-## </p>
-## <p>
-## However, this also allows the applications to spy
-## on user sessions or inject information into the
-## user session. Thus, this access should likely
-## not be allowed for non-interactive domains.
-## </p>
-## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <infoflow type="both" weight="10"/>
#
-interface(`userdom_use_user_terminals',`
+interface(`userdom_use_user_ptys',`
gen_require(`
- type user_tty_device_t, user_devpts_t;
+ type user_devpts_t;
')
- allow $1 user_tty_device_t:chr_file rw_term_perms;
allow $1 user_devpts_t:chr_file rw_term_perms;
- term_list_ptys($1)
')
########################################
## <summary>
-## Do not audit attempts to read and write
-## a user domain tty and pty.
+## Read and write a inherited user domain pty.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`userdom_dontaudit_use_user_terminals',`
+interface(`userdom_use_inherited_user_ptys',`
gen_require(`
- type user_tty_device_t, user_devpts_t;
+ type user_devpts_t;
+ ')
+
+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
+## Read and write a inherited user TTYs and PTYs.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read and write inherited user
+## TTYs and PTYs. This will allow the domain to
+## interact with the user via the terminal. Typically
+## all interactive applications will require this
+## access.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`userdom_use_inherited_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+#######################################
+## <summary>
+## Allow attempts to read and write
+## a user domain tty and pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_use_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file rw_term_perms;
+ allow $1 user_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## a user domain tty and pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_use_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
')
dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
dontaudit $1 user_devpts_t:chr_file rw_term_perms;
')
+
+########################################
+## <summary>
+## Get attributes of user domain tty and pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_getattr_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+ allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
+')
+
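Review bot: The rewritten `userdom_use_user_terminals` has a `<param>` summary of "Domain to not audit.", copied from the dontaudit variant, and the removed `<desc>` paragraph warning that terminal read/write lets a domain observe or inject into a user session, together with its `<infoflow type="both" weight="10"/>` tag, is carried over to neither it nor the new `userdom_use_inherited_user_terminals`; that caveat is the main thing a policy author needs when deciding whether to call these, so restore it. `term_list_ptys($1)` is also dropped from userdom_use_user_terminals, so callers that relied on it for listing the pts directory will need it elsewhere. Minor: "a inherited" in the three new summaries should be "an inherited", and the banner above userdom_use_user_terminals is shorter than the file's usual one.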
########################################
## <summary>
## Execute a shell in all user domains. This
@@ -2713,6 +3346,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
+#####################################
+## <summary>
+## Allow domain dyntrans to unpriv userdomain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dyntransition_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:process dyntransition;
+')
+
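Review bot: The new `userdom_dyntransition_unpriv_users` summary says only "Allow domain dyntrans to unpriv userdomain"; since `process dyntransition` lets the caller change its own context without an exec and the entrypoint check that comes with it, the doc should say so, e.g. `## Allow the caller to dynamically transition (setcon) into unprivileged user domains without an exec; this bypasses entrypoint checks.` The banner line above it is also shorter than the file's usual one.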
########################################
## <summary>
## Execute an Xserver session in all unprivileged user domains. This
@@ -2736,24 +3387,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
-#######################################
-## <summary>
-## Read and write unpriviledged user SysV sempaphores.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`userdom_rw_unpriv_user_semaphores',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
- allow $1 unpriv_userdomain:sem rw_sem_perms;
-')
-
########################################
## <summary>
## Manage unpriviledged user SysV sempaphores.
@@ -2772,25 +3405,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
-#######################################
-## <summary>
-## Read and write unpriviledged user SysV shared
-## memory segments.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`userdom_rw_unpriv_user_shared_mem',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
- allow $1 unpriv_userdomain:shm rw_shm_perms;
-')
-
########################################
## <summary>
## Manage unpriviledged user SysV shared
@@ -2852,7 +3466,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
- allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
allow unpriv_userdomain $1:process sigchld;
')
@@ -2868,29 +3482,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
- type user_home_dir_t, user_home_t;
+ type user_home_dir_t;
+ attribute user_home_type;
')
files_list_home($1)
- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## Send signull to unprivileged user domains.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`userdom_signull_unpriv_users',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
- allow $1 unpriv_userdomain:process signull;
+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
+ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
')
########################################
@@ -2972,7 +3570,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
- dontaudit $1 user_devpts_t:chr_file rw_file_perms;
+ dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
')
########################################
@@ -3027,7 +3625,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
- allow $1 user_tmp_t:file write_file_perms;
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write users
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read/write users
+## temporary fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@@ -3064,6 +3700,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
+ read_lnk_files_pattern($1,userdomain,userdomain)
kernel_search_proc($1)
')
@@ -3142,6 +3779,24 @@ interface(`userdom_signal_all_users',`
########################################
## <summary>
+## Send kill signals to all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_kill_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process sigkill;
+')
+
+########################################
+## <summary>
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
@@ -3160,6 +3815,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
+## Read keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key read;
+')
+
+########################################
+## <summary>
## Create keys for all user domains.
## </summary>
## <param name="domain">
@@ -3194,3 +3867,1076 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
+
+########################################
+## <summary>
+## Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_set_rlimitnh',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process rlimitinh;
+')
+
+########################################
+## <summary>
+## Define this type as a Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`userdom_unpriv_usertype',`
+ gen_require(`
+ attribute unpriv_userdomain, userdomain;
+ attribute $1_usertype;
+ ')
+ typeattribute $2 $1_usertype;
+ typeattribute $2 unpriv_userdomain;
+ typeattribute $2 userdomain;
+
+ auth_use_nsswitch($2)
+ ubac_constrained($2)
+')
+
+########################################
+## <summary>
+## Connect to users over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_stream_connect',`
+ gen_require(`
+ type user_tmp_t;
+ attribute userdomain;
+ ')
+
+ stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain)
+')
+
+########################################
+## <summary>
+## Ptrace user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_ptrace_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process ptrace;
+')
+
+########################################
+## <summary>
+## dontaudit Search /root
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_admin_dir',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## dontaudit list /root
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_list_admin_dir',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to list /root
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_list_admin_dir',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ allow $1 admin_home_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow Search /root
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_search_admin_dir',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ allow $1 admin_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## RW unpriviledged user SysV sempaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_rw_semaphores',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Send a message to unpriv users over a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dgram_send',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:unix_dgram_socket sendto;
+')
+
+######################################
+## <summary>
+## Send a message to users over a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_users_dgram_send',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:unix_dgram_socket sendto;
+')
+
+#######################################
+## <summary>
+## Allow execmod on files in homedirectory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolebase/>
+#
+interface(`userdom_execmod_user_home_files',`
+ gen_require(`
+ type user_home_type;
+ ')
+
+ allow $1 user_home_type:file execmod;
+')
+
+########################################
+## <summary>
+## Read admin home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_read_admin_home_files',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ read_files_pattern($1, admin_home_t, admin_home_t)
+')
+
+########################################
+## <summary>
+## Execute admin home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_exec_admin_home_files',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ exec_files_pattern($1, admin_home_t, admin_home_t)
+')
+
+########################################
+## <summary>
+## Append files inherited
+## in the /root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_inherit_append_admin_home_files',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ allow $1 admin_home_t:file { getattr append };
+')
+
+
+#######################################
+## <summary>
+## Manage all files/directories in the homedir
+## </summary>
+## <param name="userdomain">
+## <summary>
+## The user domain
+## </summary>
+## </param>
+## <rolebase/>
+#
+interface(`userdom_manage_user_home_content',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ attribute user_home_type;
+ ')
+
+ files_list_home($1)
+ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+
+')
+
+
+########################################
+## <summary>
+## Create objects in a user home directory
+## with an automatic type transition to
+## the user home file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_pattern',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ type_transition $1 user_home_dir_t:$2 user_home_t;
+')
+
+########################################
+## <summary>
+## Create objects in the /root directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`userdom_admin_home_dir_filetrans',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ filetrans_pattern($1, admin_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Send signull to unprivileged user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_signull_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:process signull;
+')
+
+########################################
+## <summary>
+## Write all users files in /tmp
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_user_tmp_dirs',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
+## Manage keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key manage_key_perms;
+')
+
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unserdomain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_stream',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unserdomain datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_dgram_socket',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ dontaudit $1 userdomain:unix_dgram_socket { read write };
+')
+
+########################################
+## <summary>
+## Append files
+## in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_append_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ append_files_pattern($1, user_home_t, user_home_t)
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Read files inherited
+## in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_inherited_user_home_content_files',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ allow $1 user_home_type:file { getattr read };
+')
+
+########################################
+## <summary>
+## Append files inherited
+## in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_inherit_append_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:file { getattr append };
+')
+
+########################################
+## <summary>
+## Append files inherited
+## in a user tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_inherit_append_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:file { getattr append };
+')
+
+######################################
+## <summary>
+## Read audio files in the users homedir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_read_home_audio_files',`
+ gen_require(`
+ type audio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 audio_home_t:dir list_dir_perms;
+ read_files_pattern($1, audio_home_t, audio_home_t)
+ read_lnk_files_pattern($1, audio_home_t, audio_home_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write all user home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_all_user_home_content_files',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ dontaudit $1 user_home_type:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write all user tmp content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_all_user_tmp_content_files',`
+ gen_require(`
+ attribute user_tmp_type;
+ ')
+
+ dontaudit $1 user_tmp_type:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Manage all user temporary content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_all_user_tmp_content',`
+ gen_require(`
+ attribute user_tmp_type;
+ ')
+
+ manage_dirs_pattern($1, user_tmp_type, user_tmp_type)
+ manage_files_pattern($1, user_tmp_type, user_tmp_type)
+ manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
+ manage_sock_files_pattern($1, user_tmp_type, user_tmp_type)
+ manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## List all user temporary content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_list_all_user_tmp_content',`
+ gen_require(`
+ attribute user_tmp_type;
+ ')
+
+ list_dirs_pattern($1, user_tmp_type, user_tmp_type)
+ getattr_files_pattern($1, user_tmp_type, user_tmp_type)
+ read_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
+ getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type)
+ getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
+ files_search_var($1)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Manage all user tmpfs content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_all_user_tmpfs_content',`
+ gen_require(`
+ attribute user_tmpfs_type;
+ ')
+
+ manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
+ manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+ manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+ manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+ manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## Delete all user temporary content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_tmp_content',`
+ gen_require(`
+ attribute user_tmp_type;
+ ')
+
+ delete_dirs_pattern($1, user_tmp_type, user_tmp_type)
+ delete_files_pattern($1, user_tmp_type, user_tmp_type)
+ delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
+ delete_sock_files_pattern($1, user_tmp_type, user_tmp_type)
+ delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
+ # /var/tmp
+ files_search_var($1)
+ files_delete_tmp_dir_entry($1)
+')
+
+########################################
+## <summary>
+## Read system SSL certificates in the users homedir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_home_certs',`
+ gen_require(`
+ type home_cert_t;
+ ')
+
+ userdom_search_user_home_content($1)
+ allow $1 home_cert_t:dir list_dir_perms;
+ read_files_pattern($1, home_cert_t, home_cert_t)
+ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
+')
+
+#######################################
+## <summary>
+## Dontaudit Write system SSL certificates in the users homedir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_home_certs',`
+ gen_require(`
+ type home_cert_t;
+ ')
+
+ dontaudit $1 home_cert_t:file write;
+')
+
+########################################
+## <summary>
+## dontaudit Search getatrr /root files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_getattr_admin_home_files',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:file getattr;
+')
+
+########################################
+## <summary>
+## dontaudit read /root lnk files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_read_admin_home_lnk_files',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:lnk_file read;
+')
+
+########################################
+## <summary>
+## dontaudit read /root files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_read_admin_home_files',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
+## temporary chr files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_chr_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
+## temporary blk files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_blk_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Dontaudit attempt to set attributes on user temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_setattr_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Write all inherited users files in /tmp
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_inherited_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
+## Delete all users files in /tmp
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:file delete_file_perms;
+')
+
+########################################
+## <summary>
+## Delete user tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ allow $1 user_tmpfs_t:file delete_file_perms;
+')
+
+########################################
+## <summary>
+## Read/Write unpriviledged user SysV shared
+## memory segments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_rw_unpriv_user_shared_mem',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search user
+## temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Execute a file in a user home directory
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a file in a user home directory
+## in the specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`userdom_domtrans_user_home',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ read_lnk_files_pattern($1, user_home_t, user_home_t)
+ domain_transition_pattern($1, user_home_t, $2)
+ type_transition $1 user_home_t:process $2;
+')
+
+########################################
+## <summary>
+## Execute a file in a user tmp directory
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a file in a user tmp directory
+## in the specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`userdom_domtrans_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+ domain_transition_pattern($1, user_tmp_t, $2)
+ type_transition $1 user_tmp_t:process $2;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read all user home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_read_all_user_home_content_files',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ dontaudit $1 user_home_type:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read all user tmp content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_read_all_user_tmp_content_files',`
+ gen_require(`
+ attribute user_tmp_type;
+ ')
+
+ dontaudit $1 user_tmp_type:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Read and write unpriviledged user SysV sempaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_rw_unpriv_user_semaphores',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 9b4a930..04d748b 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
## <desc>
## <p>
-## Allow users to connect to mysql
+## Allow users to connect to the local mysql server
## </p>
## </desc>
gen_tunable(allow_user_mysql_connect, false)
@@ -43,6 +43,20 @@ gen_tunable(user_rw_noexattrfile, false)
## <desc>
## <p>
+## Allow user music sharing
+## </p>
+## </desc>
+gen_tunable(user_share_music, false)
+
+## <desc>
+## <p>
+## Allow user processes to change their priority
+## </p>
+## </desc>
+gen_tunable(user_setrlimit, false)
+
+## <desc>
+## <p>
## Allow w to display everyone
## </p>
## </desc>
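Review bot: The description added for `user_setrlimit` says the tunable lets user processes "change their priority", which does not match the name: setrlimit is the resource-limit permission, while priority changes are governed by setsched and sys_nice. If the tunable gates the `process setrlimit` permission (the rules it controls are not in this hunk), the text should read `## Allow user processes to change their resource limits`. The `user_share_music` description would also help administrators more if it said what is shared and with which service, since this text is what boolean listings show.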
@@ -59,6 +73,19 @@ attribute unpriv_userdomain;
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;
+# unprivileged user domains
+attribute user_home_type;
+attribute user_tmp_type;
+attribute user_tmpfs_type;
+
+type admin_home_t;
+files_type(admin_home_t)
+files_associate_tmp(admin_home_t)
+fs_associate_tmpfs(admin_home_t)
+files_mountpoint(admin_home_t)
+files_poly_member(admin_home_t)
+files_poly_parent(admin_home_t)
+
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
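Review bot: The comment `# unprivileged user domains` placed above `attribute user_home_type;` is misleading — the three attributes it introduces group file types (home, tmp and tmpfs content), not domains; `# attributes grouping user home, tmp and tmpfs content types` describes them. The new `admin_home_t` receives files_associate_tmp, fs_associate_tmpfs, files_mountpoint, files_poly_member and files_poly_parent but no ubac_constrained, whereas user_home_dir_t (hunk context) and user_home_t (next hunk) are UBAC-constrained; if leaving root's home outside UBAC is intended, a one-line comment saying so will keep the next reader from "fixing" it.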
@@ -71,26 +98,78 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
+typeattribute user_home_t user_home_type;
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
+files_poly_member(user_home_t)
files_poly_parent(user_home_t)
files_mountpoint(user_home_t)
+ubac_constrained(user_home_t)
type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
dev_node(user_devpts_t)
files_type(user_devpts_t)
ubac_constrained(user_devpts_t)
-type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
+type user_tmp_t, user_tmp_type;
+typealias user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
files_tmp_file(user_tmp_t)
userdom_user_home_content(user_tmp_t)
+files_poly_parent(user_tmp_t)
-type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
+type user_tmpfs_t, user_tmpfs_type;
+typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
files_tmpfs_file(user_tmpfs_t)
userdom_user_home_content(user_tmpfs_t)
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
+
+type audio_home_t;
+userdom_user_home_content(audio_home_t)
+ubac_constrained(audio_home_t)
+
+type home_bin_t;
+userdom_user_home_content(home_bin_t)
+ubac_constrained(home_bin_t)
+
+type home_cert_t;
+miscfiles_cert_type(home_cert_t)
+userdom_user_home_content(home_cert_t)
+ubac_constrained(home_cert_t)
+
+tunable_policy(`allow_console_login',`
+ term_use_console(userdomain)
+')
+
+allow userdomain userdomain:process signull;
+
+# Nautilus causes this avc
+dontaudit unpriv_userdomain self:dir setattr;
+allow unpriv_userdomain self:key manage_key_perms;
+
+optional_policy(`
+ alsa_read_rw_config(unpriv_userdomain)
+ alsa_manage_home_files(unpriv_userdomain)
+ alsa_relabel_home_files(unpriv_userdomain)
+ alsa_filetrans_named_content(unpriv_userdomain)
+')
+
+optional_policy(`
+ gnome_filetrans_home_content(userdomain)
+')
+
+optional_policy(`
+ ssh_filetrans_home_content(userdomain)
+')
+
+optional_policy(`
+ telepathy_filetrans_home_content(userdomain)
+')
+
+optional_policy(`
+ xserver_filetrans_home_content(userdomain)
+')
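Review bot: The alias line `typealias user_tmp_t alias { winbind_tmp_t sshd_tmp_t ... }` folds two daemon tmp types into user_tmp_t, so every rule in this patch that grants access to user_tmp_t or to the user_tmp_type attribute (for example userdom_manage_all_user_tmp_content and userdom_delete_user_tmp_files in userdomain.if) now also reaches sshd's and winbind's temporary files, and any domain that could already manage user tmp content gains that reach silently. If the merge is deliberate, a comment above the typealias stating why the daemons' tmp content is treated as user content would document the widened scope; otherwise the two daemon types should keep their own declarations. The unconditional `allow userdomain userdomain:process signull;` further down is a blanket rule across all user domains rather than unpriv_userdomain, which is worth confirming as intended.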
diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
index a865da7..a5ed06e 100644
--- a/policy/modules/system/xen.fc
+++ b/policy/modules/system/xen.fc
@@ -1,12 +1,10 @@
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
-/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0)
-
/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
-/usr/lib(64)?/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
+/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
ifdef(`distro_debian',`
/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
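Review bot: The pattern change to `/usr/lib/xen/bin/qemu-dm` drops the `(64)?` alternative, so a qemu-dm installed under /usr/lib64/xen/bin keeps its qemu_dm_exec_t label only if the build maps /usr/lib64 onto /usr/lib via file_contexts.subs_dist; that mapping is not visible here, and the ifdef(`distro_debian') branch right below suggests this file is used on distributions where it may not apply, so please confirm. Removing the /usr/bin/virsh entry presumes virt.fc now labels it; if it does not, virsh falls back to bin_t and the xen_domtrans_xm transition never fires.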
@@ -17,6 +15,7 @@ ifdef(`distro_debian',`
/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
')
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
index 77d41b6..4aa96c6 100644
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
@@ -87,6 +87,26 @@ interface(`xen_read_image_files',`
## </summary>
## </param>
#
+interface(`xen_manage_image_dirs',`
+ gen_require(`
+ type xend_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write
+## xend image files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
interface(`xen_rw_image_files',`
gen_require(`
type xen_image_t, xend_var_lib_t;
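Review bot: Inserting `xen_manage_image_dirs` directly after the `#` line that closed the previous doc block means that block — written for xen_rw_image_files, outside this hunk — now documents the new interface, while the replacement header added for xen_rw_image_files describes its parameter as `Domain allowed to transition.`, wording that belongs to a domtrans interface. Give xen_manage_image_dirs its own header (a summary such as `## Manage xend image directories.`) and change the new parameter text to `## Domain allowed access.`. The name also promises image directories, but the body manages `xend_var_lib_t` directories rather than xen_image_t, so either the name or the type should be reconciled. The body of xen_rw_image_files continues outside the hunk.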
@@ -213,8 +233,9 @@ interface(`xen_stream_connect',`
interface(`xen_domtrans_xm',`
gen_require(`
type xm_t, xm_exec_t;
+ attribute virsh_transition_domain;
')
-
+ typeattribute $1 virsh_transition_domain;
domtrans_pattern($1, xm_exec_t, xm_t)
')
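Review bot: The blank line between the gen_require block and `typeattribute $1 virsh_transition_domain;` was removed, while every other interface in this file (including the new xen_manage_image_dirs above) keeps one; please restore it. The interface now requires `virsh_transition_domain`, yet xen.te in this same patch declares `attribute xm_transition_domain;` and nothing visible references that name — one of the two looks like a leftover. If virsh_transition_domain is declared in virt.te, xen_domtrans_xm now hard-depends on the virt module, which callers should be told in the interface header.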
@@ -230,7 +251,7 @@ interface(`xen_domtrans_xm',`
#
interface(`xen_stream_connect_xm',`
gen_require(`
- type xm_t;
+ type xm_t, xenstored_var_run_t;
')
files_search_pids($1)
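Review bot: `xenstored_var_run_t` is added to the gen_require of xen_stream_connect_xm, but no line in the hunk uses it; the rule that needs it presumably sits in the rest of the body, which lies outside the hunk. If nothing there references it, the extra require adds a dependency on xenstored's pid type for no gain and should be dropped.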
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 4350ba0..e50a784 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -4,6 +4,7 @@ policy_module(xen, 1.10.1)
#
# Declarations
#
+attribute xm_transition_domain;
## <desc>
## <p>
@@ -65,6 +66,7 @@ type xen_image_t; # customizable
files_type(xen_image_t)
# xen_image_t can be assigned to blk devices
dev_node(xen_image_t)
+virt_image(xen_image_t)
type xenctl_t;
files_type(xenctl_t)
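Review bot: `virt_image(xen_image_t)` is an unconditional call into the virt module, whereas the other virt_* call in this patch (virt_read_config further down) is wrapped in optional_policy; if virt is not loaded, the xen module fails to link. Either wrap this call in an optional_policy block like the others, or add a comment above it stating that virt is now a hard dependency of xen.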
@@ -121,11 +123,6 @@ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
type xenconsoled_var_run_t;
files_pid_file(xenconsoled_var_run_t)
-type xm_t;
-type xm_exec_t;
-domain_type(xm_t)
-init_system_domain(xm_t, xm_exec_t)
-
########################################
#
# blktap local policy
@@ -208,7 +205,7 @@ tunable_policy(`xend_run_qemu',`
# xend local policy
#
-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw };
dontaudit xend_t self:capability { sys_ptrace };
allow xend_t self:process { signal sigkill };
dontaudit xend_t self:process ptrace;
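Review bot: `sys_admin` is added to xend_t's self capability set without a comment; it is the broadest capability in the set (mount, namespace and many other privileged operations), so it is the one most in need of a recorded justification. Add a line above the rule naming the operation xend performs that requires it, e.g. `# sys_admin: <operation from the observed denial>`, so a later reviewer can tell whether it can be narrowed again.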
@@ -320,12 +317,9 @@ locallogin_dontaudit_use_fds(xend_t)
logging_send_syslog_msg(xend_t)
-lvm_domtrans(xend_t)
-
miscfiles_read_localization(xend_t)
miscfiles_read_hwdata(xend_t)
-mount_domtrans(xend_t)
sysnet_domtrans_dhcpc(xend_t)
sysnet_signal_dhcpc(xend_t)
@@ -339,8 +333,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
xen_stream_connect_xenstore(xend_t)
-netutils_domtrans(xend_t)
-
optional_policy(`
brctl_domtrans(xend_t)
')
@@ -349,6 +341,22 @@ optional_policy(`
consoletype_exec(xend_t)
')
+optional_policy(`
+ lvm_domtrans(xend_t)
+')
+
+optional_policy(`
+ mount_domtrans(xend_t)
+')
+
+optional_policy(`
+ netutils_domtrans(xend_t)
+')
+
+optional_policy(`
+ virt_read_config(xend_t)
+')
+
########################################
#
# Xen console local policy
@@ -413,9 +421,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
# pid file
+manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
-files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file })
+files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir })
# log files
manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
@@ -442,9 +451,11 @@ files_read_etc_files(xenstored_t)
files_read_usr_files(xenstored_t)
+fs_search_xenfs(xenstored_t)
fs_manage_xenfs_files(xenstored_t)
term_use_generic_ptys(xenstored_t)
+term_use_console(xenconsoled_t)
init_use_fds(xenstored_t)
init_use_script_ptys(xenstored_t)
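Review bot: `term_use_console(xenconsoled_t)` is inserted in the xenstored section — every neighbouring rule, including the `fs_search_xenfs(xenstored_t)` added in the same hunk, is for xenstored_t — so the file's per-domain layout (the `# Xen console local policy` header earlier in this patch) is broken. Move the line into the xenconsoled block, and confirm whether the intended subject was xenconsoled_t or xenstored_t, since the placement suggests it may have been written in the wrong section.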
@@ -457,96 +468,9 @@ xen_append_log(xenstored_t)
########################################
#
-# xm local policy
-#
-
-allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
-allow xm_t self:process { getsched signal };
-
-# internal communication is often done using fifo and unix sockets.
-allow xm_t self:fifo_file rw_fifo_file_perms;
-allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow xm_t self:tcp_socket create_stream_socket_perms;
-
-manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-files_search_var_lib(xm_t)
-
-allow xm_t xen_image_t:dir rw_dir_perms;
-allow xm_t xen_image_t:file read_file_perms;
-allow xm_t xen_image_t:blk_file read_blk_file_perms;
-
-kernel_read_system_state(xm_t)
-kernel_read_kernel_sysctls(xm_t)
-kernel_read_sysctl(xm_t)
-kernel_read_xen_state(xm_t)
-kernel_write_xen_state(xm_t)
-
-corecmd_exec_bin(xm_t)
-corecmd_exec_shell(xm_t)
-
-corenet_tcp_sendrecv_generic_if(xm_t)
-corenet_tcp_sendrecv_generic_node(xm_t)
-corenet_tcp_connect_soundd_port(xm_t)
-
-dev_read_urand(xm_t)
-dev_read_sysfs(xm_t)
-
-files_read_etc_runtime_files(xm_t)
-files_read_usr_files(xm_t)
-files_list_mnt(xm_t)
-# Some common macros (you might be able to remove some)
-files_read_etc_files(xm_t)
-
-fs_getattr_all_fs(xm_t)
-fs_manage_xenfs_dirs(xm_t)
-fs_manage_xenfs_files(xm_t)
-
-term_use_all_terms(xm_t)
-
-init_stream_connect_script(xm_t)
-init_rw_script_stream_sockets(xm_t)
-init_use_fds(xm_t)
-
-miscfiles_read_localization(xm_t)
-
-sysnet_dns_name_resolve(xm_t)
-
-xen_append_log(xm_t)
-xen_stream_connect(xm_t)
-xen_stream_connect_xenstore(xm_t)
-
-optional_policy(`
- dbus_system_bus_client(xm_t)
-
- optional_policy(`
- hal_dbus_chat(xm_t)
- ')
-')
-
-optional_policy(`
- virt_domtrans(xm_t)
- virt_manage_images(xm_t)
- virt_manage_config(xm_t)
- virt_stream_connect(xm_t)
-')
-
-########################################
-#
# SSH component local policy
#
optional_policy(`
- ssh_basic_client_template(xm, xm_t, system_r)
-
- kernel_read_xen_state(xm_ssh_t)
- kernel_write_xen_state(xm_ssh_t)
-
- files_search_tmp(xm_ssh_t)
-
- fs_manage_xenfs_dirs(xm_ssh_t)
- fs_manage_xenfs_files(xm_ssh_t)
-
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
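Review bot: With the ssh_basic_client_template and the xm_ssh_t rules removed, the optional_policy block opened under `# SSH component local policy` now encloses only xend_t rules (fs_list_auto_mountpoints, files_search_mnt here, and the NFS rules in the next hunk) that use base-module interfaces, so the block is no longer conditional on anything and its header comment is stale. Either drop the wrapper and the SSH header, or keep the rules under a correctly named section; this is also the moment to act on the surviving `#Should have a boolean wrapping these` comment and gate the NFS access behind a tunable, as the file already does with xend_run_qemu. The closing `')` of that block lies in the following hunk.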
@@ -559,8 +483,4 @@ optional_policy(`
fs_manage_nfs_files(xend_t)
fs_read_nfs_symlinks(xend_t)
')
-
- optional_policy(`
- unconfined_domain(xend_t)
- ')
')
diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index bdd500c..4719351 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -535,7 +535,7 @@ define(`filetrans_add_pattern',`
define(`filetrans_pattern',`
allow $1 $2:dir rw_dir_perms;
- type_transition $1 $2:$4 $3;
+ type_transition $1 $2:$4 $3 $5;
')
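Review bot: `filetrans_pattern` gains an optional fifth argument that is appended to the type_transition as an object name, but the macro's header comment (outside this hunk) does not mention it; add a line such as `# $5 (optional): object name for a named file transition` above the define. Named file transitions also depend on kernel and policy-version support, so callers in this patch that forward a name (userdom_admin_home_dir_filetrans passes its `$4` through) should note that the name is ignored silently on builds without it.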
define(`admin_pattern',`
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index 22ca011..823794e 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -15,7 +15,7 @@ define(`spec_domtrans_pattern',`
domain_transition_pattern($1,$2,$3)
allow $3 $1:fd use;
- allow $3 $1:fifo_file rw_fifo_file_perms;
+ allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
allow $3 $1:process sigchld;
')
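Review bot: The child domain in `spec_domtrans_pattern` (and in `domtrans_pattern` in the next hunk) loses the `open` permission on the caller's fifo files, which is the right tightening for inherited pipes, but both macros' header comments (outside these hunks) still describe plain read/write fifo access; a comment such as `# child may use inherited (already open) fifos of the caller, not open new ones` would record the intent. The `rw_inherited_fifo_file_perms` set is only defined later in this patch, so the two support files must ship together.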
@@ -34,7 +34,7 @@ define(`domtrans_pattern',`
domain_auto_transition_pattern($1,$2,$3)
allow $3 $1:fd use;
- allow $3 $1:fifo_file rw_fifo_file_perms;
+ allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
allow $3 $1:process sigchld;
')
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index f7380b3..fb62555 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
#
# All socket classes.
#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
-
+define(`socket_class_set', `{ socket dccp_socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
#
# Datagram socket classes.
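Review bot: `socket_class_set` now lists `socket` and `dccp_socket`; both classes must be declared in policy/flask/security_classes, otherwise every rule that expands the set fails to compile, so please check that declaration is present in the target policy. The blank line that separated the define from the following `# Datagram socket classes.` comment was dropped; restore it to match the rest of the file.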
@@ -105,7 +104,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }')
#
# Permissions for using sockets.
#
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }')
#
# Permissions for creating and using sockets.
@@ -199,12 +198,15 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
#
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
-define(`read_file_perms',`{ getattr open read lock ioctl }')
+define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
+define(`read_file_perms',`{ open read_inherited_file_perms }')
define(`mmap_file_perms',`{ getattr open read execute ioctl }')
define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
-define(`append_file_perms',`{ getattr open append lock ioctl }')
+define(`append_inherited_file_perms',`{ getattr append }')
+define(`append_file_perms',`{ open lock ioctl append_inherited_file_perms }')
define(`write_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_file_perms',`{ open rw_inherited_file_perms }')
define(`create_file_perms',`{ getattr create open }')
define(`rename_file_perms',`{ getattr rename }')
define(`delete_file_perms',`{ getattr unlink }')
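Review bot: `write_file_perms` is the only member of the read/append/write/rw family left without an inherited counterpart, while read, append and rw each gain a `*_inherited_*` set here, and the same gap repeats for fifo, sock, blk and chr files in the later hunks of this file. The new userdom_write_inherited_user_tmp_files interface in this patch hand-codes `allow $1 user_tmp_t:file write;` because no such set exists; adding ``define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')`` and ``define(`write_file_perms',`{ open write_inherited_file_perms }')`` keeps the family symmetric and lets that interface use the named set.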
@@ -225,7 +227,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
define(`create_lnk_file_perms',`{ create getattr }')
define(`rename_lnk_file_perms',`{ getattr rename }')
define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
+define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
@@ -238,7 +240,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
define(`create_fifo_file_perms',`{ getattr create open }')
define(`rename_fifo_file_perms',`{ getattr rename }')
define(`delete_fifo_file_perms',`{ getattr unlink }')
@@ -254,7 +257,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
define(`setattr_sock_file_perms',`{ setattr }')
define(`read_sock_file_perms',`{ getattr open read }')
define(`write_sock_file_perms',`{ getattr write open append }')
-define(`rw_sock_file_perms',`{ getattr open read write append }')
+define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
+define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
define(`create_sock_file_perms',`{ getattr create open }')
define(`rename_sock_file_perms',`{ getattr rename }')
define(`delete_sock_file_perms',`{ getattr unlink }')
@@ -271,7 +275,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
define(`create_blk_file_perms',`{ getattr create }')
define(`rename_blk_file_perms',`{ getattr rename }')
define(`delete_blk_file_perms',`{ getattr unlink }')
@@ -288,7 +293,8 @@ define(`setattr_chr_file_perms',`{ setattr }')
define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
define(`create_chr_file_perms',`{ getattr create }')
define(`rename_chr_file_perms',`{ getattr rename }')
define(`delete_chr_file_perms',`{ getattr unlink }')
@@ -305,7 +311,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
#
# Use (read and write) terminals
#
-define(`rw_term_perms', `{ getattr open read write append ioctl }')
+define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
+define(`rw_term_perms', `{ rw_inherited_term_perms open }')
#
# Sockets
@@ -317,3 +324,15 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
# Keys
#
define(`manage_key_perms', `{ create link read search setattr view write } ')
+
+#
+# All
+#
+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }
+')
+
+define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
+define(`all_dbus_perms', `{ acquire_svc send_msg } ')
+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_service_perms', `{ start stop status reload kill } ')
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
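Review bot: all_capabilities bundles every permission of the `capability` class, including sys_module, sys_rawio, sys_admin and sys_ptrace, so any domain that receives this macro is effectively unconfined with respect to capabilities, and the definition carries no comment saying so. It also does not cover the `capability2` class (mac_admin, mac_override and friends), so a reader may wrongly assume it is exhaustive. Suggest `# every permission of the capability class (capability2 is NOT included); for unconfined-style domains only, confined domains should list the minimal set they need` above the define. As a style point, the closing `')` on its own line embeds a newline in the expansion; keeping `}')` on one line as every other define in this file does would be consistent, and the trailing space before `'` in the five all_*_perms lines below it can be dropped.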
diff --git a/policy/users b/policy/users
index c4ebc7e..30d6d7a 100644
--- a/policy/users
+++ b/policy/users
@@ -15,7 +15,7 @@
# and a user process should never be assigned the system user
# identity.
#
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
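Review bot: system_u now lists unconfined_r among its allowed roles while the context comment directly above still only explains why user processes must never carry the system identity; nothing says why a system identity now needs an unconfined role. Presumably this is so contexts such as system_u:unconfined_r:... are valid for unconfined system processes; a one-line comment stating that reason, for example `# unconfined_r is allowed for system_u so unconfined system processes are valid contexts`, would prevent a later cleanup from reverting it or a reviewer from reading it as an accident. Since the role is referenced here unconditionally, whatever declares unconfined_r must be in the base policy or a build without the unconfined module will fail to link, which is worth confirming for MLS builds.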
@@ -24,12 +24,9 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-# Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(user_u, user, user_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
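Review bot: The user_u line changes its MLS clearance from `s0, s0` to `s0, s0 - mls_systemhigh, mcs_allcats`; on an MLS build this lets a generic user_u login be assigned a clearance up to systemhigh, which the old entry deliberately prevented, so confirm that only the MCS category range was wanted and otherwise keep the MLS range at `s0, s0`. The prefix of staff_u and sysadm_u also changes to `user`, which affects which home-directory types those users get; if that is the intended collapse of per-role home types, a comment saying so would help. The unconfined_u declaration and the "Until order dependence is fixed for users" note are removed here, presumably because unconfined_u is now declared in the unconfined module; a pointer such as `# unconfined_u is declared in the unconfined module` would stop readers from searching this file for it.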
@@ -38,8 +35,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
-ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
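Review bot: root now always gets system_r, which was previously gated behind `direct_sysadm_daemon`, and additionally unconfined_r listed first; the old "order dependence" note in this file suggests role order used to matter, so if it still does, this makes unconfined_r the default role for root and should be stated rather than implied. On an MLS build where the unconfined module is normally absent, the unconditional unconfined_r reference here (and in the system_u line above) needs the role declared in base policy, otherwise the policy fails to link; the previous ifdef structure avoided exactly this kind of unconditional dependence. A comment such as `# root may enter system_r directly (direct_sysadm_daemon is no longer honoured here) and defaults to unconfined_r when the unconfined module is loaded` would document the new contract.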